Feature/az id field (#808)

* adding id property for matching azure network security policies * changes for matching rules(siac & terrascan): 1. add id param 2. update category 3. update severity * updated indentation to use 4 spaces instead of 2 * removing id field from unmatched policies
tenable · Jun 1, 2021 · 37cef51 · 37cef51
1 parent b012204
commit 37cef51
Show file tree

Hide file tree

Showing 128 changed files with 259 additions and 131 deletions.
diff --git a/pkg/policies/opa/rego/azure/azurerm_application_gateway/accurics.azure.NS.147.json b/pkg/policies/opa/rego/azure/azurerm_application_gateway/accurics.azure.NS.147.json
@@ -10,5 +10,6 @@
     "description": "Ensure Azure Application Gateway Web application firewall (WAF) is enabled",
     "reference_id": "accurics.azure.NS.147",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0189"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_container_registry/accurics.azure.AKS.3.json b/pkg/policies/opa/rego/azure/azurerm_container_registry/accurics.azure.AKS.3.json
@@ -10,5 +10,6 @@
     "description": "Ensure Container Registry has locks",
     "reference_id": "accurics.azure.AKS.3",
     "category": "Resilience",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0185"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_container_registry/accurics.azure.EKM.164.json b/pkg/policies/opa/rego/azure/azurerm_container_registry/accurics.azure.EKM.164.json
@@ -10,5 +10,6 @@
     "description": "Ensure that admin user is disabled for Container Registry",
     "reference_id": "accurics.azure.EKM.164",
     "category": "Identity and Access Management",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0186"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_cosmosdb_account/accurics.azure.CAM.162.json b/pkg/policies/opa/rego/azure/azurerm_cosmosdb_account/accurics.azure.CAM.162.json
@@ -10,5 +10,6 @@
     "description": "Ensure that Cosmos DB Account has an associated tag",
     "reference_id": "accurics.azure.CAM.162",
     "category": "Compliance Validation",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0277"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_cosmosdb_account/accurics.azure.NS.32.json b/pkg/policies/opa/rego/azure/azurerm_cosmosdb_account/accurics.azure.NS.32.json
@@ -10,5 +10,6 @@
     "description": "Ensure to filter source Ips for Cosmos DB Account",
     "reference_id": "accurics.azure.NS.32",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0184"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_key_vault/accurics.azure.EKM.164.json b/pkg/policies/opa/rego/azure/azurerm_key_vault/accurics.azure.EKM.164.json
@@ -10,5 +10,6 @@
     "description": "Ensure the key vault is recoverable - enable \"Soft Delete\" setting for a Key Vault",
     "reference_id": "accurics.azure.EKM.164",
     "category": "Data Protection",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0170"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_key_vault/accurics.azure.EKM.20.json b/pkg/policies/opa/rego/azure/azurerm_key_vault/accurics.azure.EKM.20.json
@@ -10,5 +10,6 @@
     "description": "Ensure that logging for Azure KeyVault is 'Enabled'",
     "reference_id": "accurics.azure.EKM.20",
     "category": "Logging and Monitoring",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0169"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_key_vault_key/accurics.azure.EKM.25.json b/pkg/policies/opa/rego/azure/azurerm_key_vault_key/accurics.azure.EKM.25.json
@@ -10,5 +10,6 @@
     "description": "Ensure that the expiration date is set on all keys",
     "reference_id": "accurics.azure.EKM.25",
     "category": "Data Protection",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0164"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_key_vault_secret/accurics.azure.EKM.26.json b/pkg/policies/opa/rego/azure/azurerm_key_vault_secret/accurics.azure.EKM.26.json
@@ -10,5 +10,6 @@
     "description": "Ensure that the expiration date is set on all secrets",
     "reference_id": "accurics.azure.EKM.26",
     "category": "Data Protection",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0163"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_kubernetes_cluster/accurics.azure.NS.382.json b/pkg/policies/opa/rego/azure/azurerm_kubernetes_cluster/accurics.azure.NS.382.json
@@ -8,5 +8,6 @@
     "description": "Ensure AKS cluster has Network Policy configured.",
     "reference_id": "accurics.azure.NS.382",
     "category": "Infrastructure Security",
-    "version": 1
+    "version": 1,
+    "id": "AC_AZURE_0158"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_kubernetes_cluster/accurics.azure.NS.383.json b/pkg/policies/opa/rego/azure/azurerm_kubernetes_cluster/accurics.azure.NS.383.json
@@ -8,5 +8,6 @@
     "description": "Ensure Kube Dashboard is disabled",
     "reference_id": "accurics.azure.NS.383",
     "category": "Infrastructure Security",
-    "version": 1
+    "version": 1,
+    "id": "AC_AZURE_0161"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_mssql_server/accurics.azure.LOG.357.json b/pkg/policies/opa/rego/azure/azurerm_mssql_server/accurics.azure.LOG.357.json
@@ -11,5 +11,6 @@
     "description": "Ensure that 'Auditing' Retention is 'greater than 90 days' for MSSQL servers.",
     "reference_id": "accurics.azure.LOG.357",
     "category": "Logging and Monitoring",
-    "version": 1
+    "version": 1,
+    "id": "AC_AZURE_0136"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_mssql_server/accurics.azure.MON.355.json b/pkg/policies/opa/rego/azure/azurerm_mssql_server/accurics.azure.MON.355.json
@@ -11,5 +11,6 @@
     "description": "Ensure that 'Auditing' is set to 'On' for MSSQL servers",
     "reference_id": "accurics.azure.MON.355",
     "category": "Logging and Monitoring",
-    "version": 1
+    "version": 1,
+    "id": "AC_AZURE_0137"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_mysql_server/accurics.azure.NS.361.json b/pkg/policies/opa/rego/azure/azurerm_mysql_server/accurics.azure.NS.361.json
@@ -8,5 +8,6 @@
     "description": "Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server.",
     "reference_id": "accurics.azure.NS.361",
     "category": "Infrastructure Security",
-    "version": 1
+    "version": 1,
+    "id": "AC_AZURE_0131"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.101.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.101.json
@@ -16,5 +16,6 @@
     "description": "Puppet Master (TCP:8140) is exposed to entire Public network",
     "reference_id": "accurics.azure.NPS.101",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0451"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.103.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.103.json
@@ -16,5 +16,6 @@
     "description": "SMTP (TCP:25) is exposed to entire Public network",
     "reference_id": "accurics.azure.NPS.103",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0448"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.105.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.105.json
@@ -16,5 +16,6 @@
     "description": "SNMP (UDP:161) is exposed to entire Public network",
     "reference_id": "accurics.azure.NPS.105",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0445"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.107.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.107.json
@@ -16,5 +16,6 @@
     "description": "SQL Server Analysis (TCP:2382) is exposed to entire Public network",
     "reference_id": "accurics.azure.NPS.107",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0442"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.109.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.109.json
@@ -16,5 +16,6 @@
     "description": "SQL Server Analysis (TCP:2383) is exposed to entire Public network",
     "reference_id": "accurics.azure.NPS.109",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0439"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.111.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.111.json
@@ -16,5 +16,6 @@
     "description": "SaltStack Master (TCP:4505) is exposed to entire Public network",
     "reference_id": "accurics.azure.NPS.111",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0436"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.113.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.113.json
@@ -16,5 +16,6 @@
     "description": "SaltStack Master (TCP:4506) is exposed to entire Public network",
     "reference_id": "accurics.azure.NPS.113",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0433"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.115.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.115.json
@@ -16,5 +16,6 @@
     "description": "Telnet (TCP:23) is exposed to entire Public network",
     "reference_id": "accurics.azure.NPS.115",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0430"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.117.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.117.json
@@ -16,5 +16,6 @@
     "description": "VNC Listener (TCP:5500) is exposed to entire Public network",
     "reference_id": "accurics.azure.NPS.117",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0427"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.119.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.119.json
@@ -16,5 +16,6 @@
     "description": "VNC Server (TCP:5900) is exposed to entire Public network",
     "reference_id": "accurics.azure.NPS.119",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0424"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.171.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.171.json
@@ -16,5 +16,6 @@
     "description": "Remote Desktop (TCP:3389) is exposed to the entire public internet",
     "reference_id": "accurics.azure.NPS.171",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0342"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.172.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.172.json
@@ -16,5 +16,6 @@
     "description": "SSH (TCP:22) is exposed to the entire public internet",
     "reference_id": "accurics.azure.NPS.172",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0285"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.174.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.174.json
@@ -16,5 +16,6 @@
     "description": "CIFS / SMB (TCP:3020) is exposed to wide Private network",
     "reference_id": "accurics.azure.NPS.174",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0272"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.176.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.176.json
@@ -16,5 +16,6 @@
     "description": "Cassandra (TCP:7001) is exposed to wide Private network",
     "reference_id": "accurics.azure.NPS.176",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0275"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.178.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.178.json
@@ -16,5 +16,6 @@
     "description": "Cassandra OpsCenter (TCP:61621) is exposed to wide Private network",
     "reference_id": "accurics.azure.NPS.178",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0536"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.180.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.180.json
@@ -16,5 +16,6 @@
     "description": "DNS (UDP:53) is exposed to wide Private network",
     "reference_id": "accurics.azure.NPS.180",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0533"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.182.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.182.json
@@ -16,5 +16,6 @@
     "description": "Hadoop Name Node (TCP:9000) is exposed to wide Private network",
     "reference_id": "accurics.azure.NPS.182",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0530"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.184.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.184.json
@@ -16,5 +16,6 @@
     "description": " Known internal web port (TCP:8000) is exposed to wide Private network",
     "reference_id": "accurics.azure.NPS.184",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0527"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.186.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.186.json
@@ -16,5 +16,6 @@
     "description": " Known internal web port (TCP:8080) is exposed to wide Private network",
     "reference_id": "accurics.azure.NPS.186",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0524"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.188.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.188.json
@@ -16,5 +16,6 @@
     "description": "LDAP SSL (TCP:636) is exposed to wide Private network",
     "reference_id": "accurics.azure.NPS.188",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0521"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.190.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.190.json
@@ -16,5 +16,6 @@
     "description": "MSSQL Admin (TCP:1434) is exposed to wide Private network",
     "reference_id": "accurics.azure.NPS.190",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0518"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.192.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.192.json
@@ -16,5 +16,6 @@
     "description": "MSSQL Browser (UDP:1434) is exposed to wide Private network",
     "reference_id": "accurics.azure.NPS.192",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0518"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.194.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.194.json
@@ -16,5 +16,6 @@
     "description": "MSSQL Debugger (TCP:135) is exposed to wide Private network",
     "reference_id": "accurics.azure.NPS.194",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0512"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.196.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.196.json
@@ -16,5 +16,6 @@
     "description": "MSSQL Server (TCP:1433) is exposed to wide Private network",
     "reference_id": "accurics.azure.NPS.196",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0509"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.198.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.198.json
@@ -16,5 +16,6 @@
     "description": "Memcached SSL (TCP:11214) is exposed to wide Private network",
     "reference_id": "accurics.azure.NPS.198",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0506"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.200.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.200.json
@@ -16,5 +16,6 @@
     "description": "Memcached SSL (TCP:11215) is exposed to wide Private network",
     "reference_id": "accurics.azure.NPS.200",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0503"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.202.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.202.json
@@ -16,5 +16,6 @@
     "description": "Memcached SSL (UDP:11214) is exposed to wide Private network",
     "reference_id": "accurics.azure.NPS.202",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0506"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.204.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.204.json
@@ -16,5 +16,6 @@
     "description": "Memcached SSL (UDP:11215) is exposed to wide Private network",
     "reference_id": "accurics.azure.NPS.204",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0503"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.206.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.206.json
@@ -16,5 +16,6 @@
     "description": "Microsoft-DS (TCP:445) is exposed to wide Private network",
     "reference_id": "accurics.azure.NPS.206",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0494"
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.208.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/accurics.azure.NPS.208.json
@@ -16,5 +16,6 @@
     "description": "Mongo Web Portal (TCP:27018) is exposed to wide Private network",
     "reference_id": "accurics.azure.NPS.208",
     "category": "Infrastructure Security",
-    "version": 2
+    "version": 2,
+    "id": "AC_AZURE_0491"
 }