Comments (1)
gabrielvachon
commented on September 24, 2024
Resolved.
The problem was between the exported ARM template and the REGO file associated with the network_security_group_with_unrestricted_access_to_ssh query.
In the ARM template, the securityRules property has the protocol field written as "TCP" :
"properties": {
"protocol": "TCP", <--------------------
"sourcePortRange": "*",
"destinationPortRange": "22",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 300,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
Therefore, KICS is looking for this field with "Tcp". Knowing that REGO is case-sensitive, changing "Tcp" to "TCP" solved the issue, the SSH vulnerabilities are now showing in the KICS JSON report. Here are the changes applied to {...}/kics/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/query,rego :
package Cx
import data.generic.azureresourcemanager as arm_lib
import data.generic.common as common_lib
CxPolicy[result] {
doc := input.document[i]
[path, value] = walk(doc)
value.type == "Microsoft.Network/networkSecurityGroups"
properties := value.properties.securityRules[x].properties
properties.access == "Allow"
properties.protocol == "Tcp" <-------------------------------- Change to "TCP"
properties.direction == "Inbound"
arm_lib.contains_port(properties, 22)
arm_lib.source_address_prefix_is_open(properties)
result := {
"documentId": input.document[i].id,
"resourceType": value.type,
"resourceName": value.name,
"searchKey": sprintf("%s.name={{%s}}.properties.securityRules", [common_lib.concat_path(path), value.name]),
"issueType": "IncorrectValue",
"keyExpectedValue": sprintf("resource with type '%s' restricts access to SSH", [value.type]),
"keyActualValue": sprintf("resource with type '%s' does not restrict access to SSH", [value.type]),
"searchLine": common_lib.build_search_line(path, ["properties", "securityRules", x, "properties"]),
}
}
CxPolicy[result] {
doc := input.document[i]
[path, value] = walk(doc)
typeInfo := arm_lib.get_sg_info(value)
properties := typeInfo.properties
properties.access == "Allow"
properties.protocol == "Tcp" <-------------------------------- Change to "TCP"
properties.direction == "Inbound"
arm_lib.contains_port(properties, 22)
arm_lib.source_address_prefix_is_open(properties)
result := {
"documentId": input.document[i].id,
"resourceType": value.type,
"resourceName": value.name,
"searchKey": sprintf("%s", [typeInfo.path]),
"issueType": "IncorrectValue",
"keyExpectedValue": sprintf("resource with type '%s' restricts access to SSH", [typeInfo.type]),
"keyActualValue": sprintf("resource with type '%s' does not restrict access to SSH", [typeInfo.type]),
"searchLine": common_lib.build_search_line(path, typeInfo.sl),
}
}
from kics.
Related Issues (20)
- bug(terraform): scan results differ between .tf and respective .tfplan file
- feat(Accuracy Benchmark): update the KICS Accuracy Benchmark results for v2.x HOT 1
- bug(assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/metadata.json): Grammar of Title and Description could be more specific. HOT 2
- bug(contributionguide): removal of deprecated golint HOT 1
- bug(docs): download of queries not providing all details HOT 8
- bug(chown): chown flag is checked for non-executable files
- bug(helm): rendering errors on valid charts HOT 1
- bug(terraform): cloudwatch log without kms key with plan file
- bug(terraform): merge with object changes input for kics HOT 1
- bug(cloudformation): false positive for "ECS Cluster Not Encrypted At Rest" when using task definition ref HOT 1
- bug(query): security groups not used query with false positive if security group added in a list HOT 1
- bug(terraform): a deadlock in filesystem.go since v1.7.13 HOT 1
- bug(scan): gitignore applied to absolute path leading to wrong exclusion HOT 1
- query(kubernetes): containers_run_with_low_uid >= 1000 instead of 10000
- bug(docker): pip_install_keeping_cached_packages misses `--no-cache`
- bug(terraform): param enable_https_traffic_only now renamed to https_traffic_only_enabled HOT 1
- feat(cli): add setting to suppress ASCII logo in CLI output
- query(terraform): wanting to exclude Keyvault References
- bug(terraform): false positive of "CloudWatch Without Retention Period Specified" HOT 1
- bug(docker): oom when scanning a dockerfile with multi-line commands and comments HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from kics.