Merge pull request #226 from turbot/release/v0.37
Release/v0.37
madhushreeray30 authored Nov 3, 2023
2 parents 50e6ba0 + efce3f8 commit c79c7cc
Showing 3 changed files with 84 additions and 27 deletions.
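--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,13 @@
+## v0.37 [2023-11-03]
+
+_Breaking changes_
+
+- Updated the plugin dependency section of the mod to use `min_version` instead of `version`. ([#222](https://github.com/turbot/steampipe-mod-azure-compliance/pull/222))
+
+_Bug fixes_
+
+- Fixed the `compute_vm_tcp_udp_access_restricted_internet` query to ensure internet-facing virtual machines are protected with network security groups. ([#224](https://github.com/turbot/steampipe-mod-azure-compliance/pull/224))
+
 ## v0.36 [2023-10-20]
 
 _Bug fixes_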
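--- a/mod.sp
+++ b/mod.sp
@@ -87,10 +87,10 @@ mod "azure_compliance" {
 
 require {
 plugin "azure" {
-version = "0.46.0"
+min_version = "0.46.0"
 }
 plugin "azuread" {
-version = "0.0.3"
+min_version = "0.0.3"
 }
 }
 }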
97 changes: 72 additions & 25 deletions regulatory_compliance/compute.sp
Expand Up @@ -975,29 +975,47 @@ query "compute_vm_tcp_udp_access_restricted_internet" {
sql = <<-EOQ
with network_sg as (
select
distinct name as sg_name,
distinct id as sg_id,
subscription_id,
network_interfaces
from
azure_network_security_group as nsg,
jsonb_array_elements(security_rules) as sg,
jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange') :: jsonb) as dport,
jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) as sip
jsonb_array_elements_text(
sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange') :: jsonb
) as dport,
jsonb_array_elements_text(
sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb
) as sip
where
sg -> 'properties' ->> 'access' = 'Allow'
and sg -> 'properties' ->> 'direction' = 'Inbound'
and sg -> 'properties' ->> 'protocol' in ('TCP', 'UDP')
and sip in ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '<nw>/0', '/0')
and sip in (
'*',
'0.0.0.0',
'0.0.0.0/0',
'Internet',
'any',
'<nw>/0',
'/0'
)
and (
dport in ('22', '3389', '*')
or (
dport like '%-%'
and (
(
53 between split_part(dport, '-', 1) :: integer and split_part(dport, '-', 2) :: integer
or 123 between split_part(dport, '-', 1) :: integer and split_part(dport, '-', 2) :: integer
or 161 between split_part(dport, '-', 1) :: integer and split_part(dport, '-', 2) :: integer
or 389 between split_part(dport, '-', 1) :: integer and split_part(dport, '-', 2) :: integer
or 1900 between split_part(dport, '-', 1) :: integer and split_part(dport, '-', 2) :: integer
53 between split_part(dport, '-', 1) :: integer
and split_part(dport, '-', 2) :: integer
or 123 between split_part(dport, '-', 1) :: integer
and split_part(dport, '-', 2) :: integer
or 161 between split_part(dport, '-', 1) :: integer
and split_part(dport, '-', 2) :: integer
or 389 between split_part(dport, '-', 1) :: integer
and split_part(dport, '-', 2) :: integer
or 1900 between split_part(dport, '-', 1) :: integer
and split_part(dport, '-', 2) :: integer
)
or (
split_part(dport, '-', 1) :: integer <= 3389
Expand All @@ -1010,24 +1028,53 @@ query "compute_vm_tcp_udp_access_restricted_internet" {
)
)
)
)
), network_security_group_subnets as (
select
vm.vm_id as resource,
case
when sg.sg_name is null then 'ok'
else 'alarm'
end as status,
case
when sg.sg_name is null then vm.title || ' restricts remote access from internet.'
else vm.title || ' allows remote access from internet.'
end as reason
${local.tag_dimensions_sql}
${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "vm.")}
${replace(local.common_dimensions_qualifier_subscription_sql, "__QUALIFIER__", "sub.")}
nsg.id as nsg_id,
sub ->> 'id' as subnet_id
from
azure_compute_virtual_machine as vm
left join network_sg as sg on sg.network_interfaces @> vm.network_interfaces
join azure_subscription as sub on sub.subscription_id = vm.subscription_id;
azure_network_security_group as nsg,
jsonb_array_elements(nsg.subnets) as sub
where
nsg.id in (select sg_id from network_sg )
),
virtual_machines_with_access as (
select
nic.virtual_machine_id as virtual_machine_id
from
azure_network_interface as nic,
jsonb_array_elements(nic.ip_configurations) as config
left join network_security_group_subnets as sub on config -> 'properties' -> 'subnet' ->> 'id' = sub.subnet_id
where
nic.virtual_machine_id is not null
and sub.nsg_id is not null
union
select
n.virtual_machine_id as virtual_machine_id
from
network_sg as nsg,
jsonb_array_elements(network_interfaces) as vm_nic
left join azure_network_interface as n on n.id = vm_nic ->> 'id'
)
select
vm.id as resource,
case
when m.virtual_machine_id is not null then 'alarm'
else 'ok'
end as status,
case
when m.virtual_machine_id is not null then vm.title || ' restricts remote access from internet.'
else vm.title || ' allows remote access from internet.'
end as reason,
vm.resource_group as resource_group,
sub.display_name as subscription
${local.tag_dimensions_sql}
${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "vm.")}
${replace(local.common_dimensions_qualifier_subscription_sql, "__QUALIFIER__", "sub.")}
from
azure_compute_virtual_machine as vm
left join virtual_machines_with_access as m on lower(m.virtual_machine_id) = lower(vm.id)
join azure_subscription as sub on sub.subscription_id = vm.subscription_id;
EOQ
}
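Review bot: The reason strings in the final select of the second hunk are inverted relative to the status: a VM that matches `virtual_machines_with_access` gets status `'alarm'` but the reason `' restricts remote access from internet.'`, while an unmatched VM gets `'ok'` paired with `' allows remote access from internet.'` (the removed code paired the null/`'ok'` branch with "restricts"). The two reason branches should be swapped so the message agrees with the status: `when m.virtual_machine_id is not null then vm.title || ' allows remote access from internet.'` and `else vm.title || ' restricts remote access from internet.'`. Separately, the joins on `config -> 'properties' -> 'subnet' ->> 'id' = sub.subnet_id` and `n.id = vm_nic ->> 'id'` compare Azure resource ids case-sensitively while the final join lowercases both sides; Azure resource ids are case-insensitive and casing commonly differs between references, so those joins likely need the same `lower()` treatment or an NSG that opens a VM to the internet can be missed and reported `'ok'`. The unchanged `protocol in ('TCP', 'UDP')` filter would also skip rules whose protocol is `'*'`, which permit the same traffic, assuming the plugin surfaces the value as-is from the API — worth confirming.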

