From 8cd6ee14a5052871f1943d25bf870fb848674c05 Mon Sep 17 00:00:00 2001 
From: Harkirat Bhardwaj
Date: Thu, 19 Aug 2021 15:08:37 +1000
Subject: [PATCH] updated with new resource_type format (#33)
---
 .../AWS.API Gateway.Logging.Medium.0567.json | 3 +- .../AWS.CloudFormation.Medium.0605.json | 3 +- .../AWS.CloudTrail.Logging.Low.009.json | 3 +- .../AWS.CloudTrail.Logging.Medium.008.json | 3 +- .../AWS.Config.Logging.Medium.0590.json | 3 +- ....EncryptionandKeyManagement.High.0632.json | 3 +- .../AWS.CloudWatch.Logging.Medium.0631.json | 3 +- .../AWS.EBS.EKM.Medium.0682.json | 3 +- .../aws/aws_instance/AC-AW-IA-IN-H-0442.json | 4 +- .../aws/aws_instance/AC-AW-IS-IN-H-0443.json | 6 +- .../aws/aws_security_group/AC_AWS_0227.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0228.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0229.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0230.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0231.json | 37 +++--- .../aws/aws_security_group/AC_AWS_0232.json | 35 +++--- .../aws/aws_security_group/AC_AWS_0233.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0234.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0235.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0236.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0237.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0238.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0239.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0240.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0241.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0242.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0243.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0244.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0245.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0246.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0247.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0248.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0249.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0250.json | 41 ++++---
.../aws/aws_security_group/AC_AWS_0251.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0252.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0253.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0254.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0255.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0256.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0257.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0258.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0259.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0260.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0261.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0262.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0263.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0264.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0265.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0266.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0267.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0268.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0269.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0270.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0271.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0272.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0273.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0274.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0275.json | 35 +++--- .../aws/aws_security_group/AC_AWS_0276.json | 115 +++++++++--------- .../aws/aws_security_group/AC_AWS_0277.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0278.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0279.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0280.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0281.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0282.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0283.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0284.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0285.json | 41 
++++--- .../aws/aws_security_group/AC_AWS_0286.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0287.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0288.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0289.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0290.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0291.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0292.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0293.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0294.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0295.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0296.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0297.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0298.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0299.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0300.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0301.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0302.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0303.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0304.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0305.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0306.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0307.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0308.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0309.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0310.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0311.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0312.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0313.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0314.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0315.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0316.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0317.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0318.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0319.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0320.json | 41 
++++--- .../aws/aws_security_group/AC_AWS_0321.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0322.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0323.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0324.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0325.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0326.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0327.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0328.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0329.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0330.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0331.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0332.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0333.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0334.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0335.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0336.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0337.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0338.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0339.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0340.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0341.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0342.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0343.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0344.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0345.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0346.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0347.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0348.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0349.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0350.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0351.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0352.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0353.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0354.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0355.json | 41 
++++--- .../aws/aws_security_group/AC_AWS_0356.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0357.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0358.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0359.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0360.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0361.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0362.json | 41 ++++--- .../aws/aws_security_group/AC_AWS_0363.json | 41 ++++--- .../aws_vpc/AWS.VPC.Logging.Medium.0470.json | 3 +- .../accurics.azure.AKS.3.json | 3 +- .../accurics.azure.EKM.164.json | 3 +- .../AC_AZURE_0270.json | 41 ++++--- .../AC_AZURE_0271.json | 41 ++++--- .../AC_AZURE_0272.json | 41 ++++--- .../AC_AZURE_0273.json | 41 ++++--- .../AC_AZURE_0274.json | 41 ++++--- .../AC_AZURE_0275.json | 41 ++++--- .../AC_AZURE_0276.json | 41 ++++--- .../AC_AZURE_0285.json | 41 ++++--- .../AC_AZURE_0286.json | 41 ++++--- .../AC_AZURE_0287.json | 41 ++++--- .../AC_AZURE_0342.json | 41 ++++--- .../AC_AZURE_0357.json | 41 ++++--- .../AC_AZURE_0421.json | 35 +++--- .../AC_AZURE_0422.json | 41 ++++--- .../AC_AZURE_0423.json | 41 ++++--- .../AC_AZURE_0424.json | 41 ++++--- .../AC_AZURE_0425.json | 41 ++++--- .../AC_AZURE_0426.json | 41 ++++--- .../AC_AZURE_0427.json | 41 ++++--- .../AC_AZURE_0428.json | 41 ++++--- .../AC_AZURE_0429.json | 41 ++++--- .../AC_AZURE_0430.json | 41 ++++--- .../AC_AZURE_0431.json | 41 ++++--- .../AC_AZURE_0432.json | 41 ++++--- .../AC_AZURE_0433.json | 41 ++++--- .../AC_AZURE_0434.json | 41 ++++--- .../AC_AZURE_0435.json | 41 ++++--- .../AC_AZURE_0436.json | 41 ++++--- .../AC_AZURE_0437.json | 41 ++++--- .../AC_AZURE_0438.json | 41 ++++--- .../AC_AZURE_0439.json | 41 ++++--- .../AC_AZURE_0440.json | 41 ++++--- .../AC_AZURE_0441.json | 41 ++++--- .../AC_AZURE_0442.json | 41 ++++--- .../AC_AZURE_0443.json | 41 ++++--- .../AC_AZURE_0444.json | 41 ++++--- .../AC_AZURE_0445.json | 41 ++++--- .../AC_AZURE_0446.json | 41 ++++--- .../AC_AZURE_0447.json | 41 ++++--- 
.../AC_AZURE_0448.json | 41 ++++--- .../AC_AZURE_0449.json | 41 ++++--- .../AC_AZURE_0450.json | 41 ++++--- .../AC_AZURE_0451.json | 41 ++++--- .../AC_AZURE_0452.json | 41 ++++--- .../AC_AZURE_0453.json | 41 ++++--- .../AC_AZURE_0454.json | 41 ++++--- .../AC_AZURE_0455.json | 41 ++++--- .../AC_AZURE_0456.json | 41 ++++--- .../AC_AZURE_0457.json | 41 ++++--- .../AC_AZURE_0458.json | 41 ++++--- .../AC_AZURE_0459.json | 41 ++++--- .../AC_AZURE_0460.json | 41 ++++--- .../AC_AZURE_0461.json | 41 ++++--- .../AC_AZURE_0462.json | 41 ++++--- .../AC_AZURE_0463.json | 41 ++++--- .../AC_AZURE_0464.json | 41 ++++--- .../AC_AZURE_0465.json | 41 ++++--- .../AC_AZURE_0466.json | 41 ++++--- .../AC_AZURE_0467.json | 41 ++++--- .../AC_AZURE_0468.json | 41 ++++--- .../AC_AZURE_0469.json | 41 ++++--- .../AC_AZURE_0470.json | 41 ++++--- .../AC_AZURE_0471.json | 41 ++++--- .../AC_AZURE_0472.json | 41 ++++--- .../AC_AZURE_0473.json | 41 ++++--- .../AC_AZURE_0474.json | 41 ++++--- .../AC_AZURE_0475.json | 41 ++++--- .../AC_AZURE_0476.json | 41 ++++--- .../AC_AZURE_0477.json | 41 ++++--- .../AC_AZURE_0478.json | 41 ++++--- .../AC_AZURE_0479.json | 41 ++++--- .../AC_AZURE_0480.json | 41 ++++--- .../AC_AZURE_0481.json | 41 ++++--- .../AC_AZURE_0482.json | 41 ++++--- .../AC_AZURE_0483.json | 41 ++++--- .../AC_AZURE_0484.json | 41 ++++--- .../AC_AZURE_0485.json | 41 ++++--- .../AC_AZURE_0486.json | 41 ++++--- .../AC_AZURE_0487.json | 41 ++++--- .../AC_AZURE_0488.json | 41 ++++--- .../AC_AZURE_0489.json | 41 ++++--- .../AC_AZURE_0490.json | 41 ++++--- .../AC_AZURE_0491.json | 41 ++++--- .../AC_AZURE_0492.json | 41 ++++--- .../AC_AZURE_0493.json | 41 ++++--- .../AC_AZURE_0494.json | 41 ++++--- .../AC_AZURE_0495.json | 41 ++++--- .../AC_AZURE_0496.json | 41 ++++--- .../AC_AZURE_0497.json | 41 ++++--- .../AC_AZURE_0498.json | 41 ++++--- .../AC_AZURE_0499.json | 41 ++++--- .../AC_AZURE_0500.json | 41 ++++--- .../AC_AZURE_0501.json | 41 ++++--- .../AC_AZURE_0502.json | 41 ++++--- 
.../AC_AZURE_0503.json | 41 ++++--- .../AC_AZURE_0504.json | 41 ++++--- .../AC_AZURE_0505.json | 41 ++++--- .../AC_AZURE_0506.json | 41 ++++--- .../AC_AZURE_0507.json | 41 ++++--- .../AC_AZURE_0508.json | 41 ++++--- .../AC_AZURE_0509.json | 41 ++++--- .../AC_AZURE_0510.json | 41 ++++--- .../AC_AZURE_0511.json | 41 ++++--- .../AC_AZURE_0512.json | 41 ++++--- .../AC_AZURE_0513.json | 41 ++++--- .../AC_AZURE_0514.json | 41 ++++--- .../AC_AZURE_0515.json | 41 ++++--- .../AC_AZURE_0516.json | 41 ++++--- .../AC_AZURE_0517.json | 41 ++++--- .../AC_AZURE_0518.json | 41 ++++--- .../AC_AZURE_0519.json | 41 ++++--- .../AC_AZURE_0520.json | 41 ++++--- .../AC_AZURE_0521.json | 41 ++++--- .../AC_AZURE_0522.json | 41 ++++--- .../AC_AZURE_0523.json | 41 ++++--- .../AC_AZURE_0524.json | 41 ++++--- .../AC_AZURE_0525.json | 41 ++++--- .../AC_AZURE_0526.json | 41 ++++--- .../AC_AZURE_0527.json | 41 ++++--- .../AC_AZURE_0528.json | 41 ++++--- .../AC_AZURE_0529.json | 41 ++++--- .../AC_AZURE_0530.json | 41 ++++--- .../AC_AZURE_0531.json | 41 ++++--- .../AC_AZURE_0532.json | 41 ++++--- .../AC_AZURE_0533.json | 41 ++++--- .../AC_AZURE_0534.json | 41 ++++--- .../AC_AZURE_0535.json | 41 ++++--- .../AC_AZURE_0536.json | 41 ++++--- .../AC_AZURE_0537.json | 41 ++++--- .../accurics.azure.NS.30.json | 3 +- .../accurics.azure.NS.31.json | 3 +- .../accurics.azure.NS.272.json | 3 +- .../accurics.azure.IAM.138.json | 4 +- .../accurics.gcp.EKM.132.json | 4 +- .../accurics.gcp.NS.126.json | 3 +- .../accurics.gcp.NS.129.json | 3 +- .../AC-K8-OE-NS-L-0128.json | 5 +- .../kubernetes_pod/AC-K8-CA-PO-H-0165.json | 7 +- .../kubernetes_pod/AC-K8-DS-PO-M-0143.json | 7 +- .../kubernetes_pod/AC-K8-DS-PO-M-0176.json | 7 +- .../kubernetes_pod/AC-K8-DS-PO-M-0177.json | 7 +- .../kubernetes_pod/AC-K8-IA-PO-H-0106.json | 7 +- .../kubernetes_pod/AC-K8-IA-PO-H-0137.json | 7 +- .../kubernetes_pod/AC-K8-IA-PO-H-0138.json | 7 +- .../kubernetes_pod/AC-K8-IA-PO-H-0168.json | 7 +- .../kubernetes_pod/AC-K8-IA-PO-M-0105.json | 
7 +- .../kubernetes_pod/AC-K8-IA-PO-M-0135.json | 7 +- .../kubernetes_pod/AC-K8-IA-PO-M-0139.json | 7 +- .../kubernetes_pod/AC-K8-IA-PO-M-0140.json | 7 +- .../kubernetes_pod/AC-K8-IA-PO-M-0141.json | 7 +- .../kubernetes_pod/AC-K8-IA-PO-M-0143.json | 7 +- .../kubernetes_pod/AC-K8-IA-PO-M-0162.json | 7 +- .../kubernetes_pod/AC-K8-IA-PS-M-0112.json | 7 +- .../kubernetes_pod/AC-K8-NS-PO-H-0117.json | 7 +- .../kubernetes_pod/AC-K8-NS-PO-H-0170.json | 7 +- .../kubernetes_pod/AC-K8-NS-PO-M-0122.json | 7 +- .../kubernetes_pod/AC-K8-NS-PO-M-0133.json | 7 +- .../kubernetes_pod/AC-K8-NS-PO-M-0163.json | 7 +- .../kubernetes_pod/AC-K8-NS-PO-M-0164.json | 7 +- .../kubernetes_pod/AC-K8-NS-PO-M-0171.json | 7 +- .../kubernetes_pod/AC-K8-NS-PO-M-0182.json | 7 +- .../kubernetes_pod/AC-K8-OE-PK-M-0034.json | 7 +- .../kubernetes_pod/AC-K8-OE-PK-M-0155.json | 7 +- .../kubernetes_pod/AC-K8-OE-PK-M-0156.json | 7 +- .../kubernetes_pod/AC-K8-OE-PK-M-0157.json | 7 +- .../kubernetes_pod/AC-K8-OE-PK-M-0158.json | 7 +- .../kubernetes_pod/AC-K8-OE-PO-L-0129.json | 7 +- .../kubernetes_pod/AC-K8-OE-PO-L-0130.json | 7 +- .../kubernetes_pod/AC-K8-OE-PO-L-0134.json | 7 +- .../kubernetes_pod/AC-K8-OE-PO-M-0166.json | 7 +- .../kubernetes_role/AC-K8-IA-RO-H-0104.json | 4 +- .../cve_2020_8554/ensurePrivateIP.rego | 2 +- 322 files changed, 5864 insertions(+), 5402 deletions(-)
diff --git a/pkg/policies/opa/rego/aws/aws_api_gateway_stage/AWS.API Gateway.Logging.Medium.0567.json b/pkg/policies/opa/rego/aws/aws_api_gateway_stage/AWS.API Gateway.Logging.Medium.0567.json
index 2d31ed1e9..8ae7db123 100755
--- a/pkg/policies/opa/rego/aws/aws_api_gateway_stage/AWS.API Gateway.Logging.Medium.0567.json
+++ b/pkg/policies/opa/rego/aws/aws_api_gateway_stage/AWS.API Gateway.Logging.Medium.0567.json
@@ -3,7 +3,8 @@
 "file": "apiGatewayName.rego",
 "policy_type": "aws",
 "resource_type": {
- "aws_api_gateway_stage": true
+ "aws_api_gateway_stage": true,
+ "aws_cloudwatch_log_group": true
 },
 "template_args": null,
 "severity": "MEDIUM",
diff --git a/pkg/policies/opa/rego/aws/aws_cloudformation_stack/AWS.CloudFormation.Medium.0605.json b/pkg/policies/opa/rego/aws/aws_cloudformation_stack/AWS.CloudFormation.Medium.0605.json
index 29cfff968..210eba4ed 100755
--- a/pkg/policies/opa/rego/aws/aws_cloudformation_stack/AWS.CloudFormation.Medium.0605.json
+++ b/pkg/policies/opa/rego/aws/aws_cloudformation_stack/AWS.CloudFormation.Medium.0605.json
@@ -3,7 +3,8 @@
 "file": "cloudFormationTerminationProtection.rego",
 "policy_type": "aws",
 "resource_type": {
- "aws_cloudformation_stack": true
+ "aws_cloudformation_stack": true,
+ "aws_cloudformation_stack_set_instance": true
 },
 "template_args": null,
 "severity": "MEDIUM",
diff --git a/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Low.009.json b/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Low.009.json
index bc468b7ef..764960a2c 100644
--- a/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Low.009.json
+++ b/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Low.009.json
@@ -3,7 +3,8 @@
 "file": "ecr_make_tags_immutable.rego",
 "policy_type": "aws",
 "resource_type": {
- "aws_cloudtrail": true
+ "aws_cloudtrail": true,
+ "aws_ecr_repository": true
 },
 "template_args": {
 "prefix": ""
diff --git a/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Medium.008.json b/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Medium.008.json
index 0f79183d7..3593e9f85 100644
--- a/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Medium.008.json
+++ b/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Medium.008.json
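Review bot: The new side of the AWS.CloudTrail.Logging.Low.009 hunk keeps `"aws_cloudtrail": true,` next to the added `"aws_ecr_repository": true` for a policy whose rego is `ecr_make_tags_immutable.rego`; unless that rego actually reads CloudTrail resources, the first entry is stale and only causes the policy to be scheduled against resources it never inspects. The same pairing survives in the AWS.CloudTrail.Logging.Medium.008 hunk (`ec2_ebs_not_optimized.rego`, adds `aws_instance`) and the AWS.Config.Logging.Medium.0590 hunk (`configEnabled.rego`, adds `aws_config_configuration_aggregator`) on the next line. If the three rego files do not match on CloudTrail, drop the `"aws_cloudtrail": true,` line in each so the resource_type map reflects what is really evaluated. The file names and ids still say CloudTrail, which is worth an explicit follow-up rename rather than a silent mismatch between metadata and rego.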
@@ -3,7 +3,8 @@
 "file": "ec2_ebs_not_optimized.rego",
 "policy_type": "aws",
 "resource_type": {
- "aws_cloudtrail": true
+ "aws_cloudtrail": true,
+ "aws_instance": true
 },
 "template_args": {
 "prefix": ""
diff --git a/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.Config.Logging.Medium.0590.json b/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.Config.Logging.Medium.0590.json
index 64baac2d2..f773aada7 100644
--- a/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.Config.Logging.Medium.0590.json
+++ b/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.Config.Logging.Medium.0590.json
@@ -3,7 +3,8 @@
 "file": "configEnabled.rego",
 "policy_type": "aws",
 "resource_type": {
- "aws_cloudtrail": true
+ "aws_cloudtrail": true,
+ "aws_config_configuration_aggregator": true
 },
 "template_args": {
 "prefix": ""
diff --git a/pkg/policies/opa/rego/aws/aws_cloudwatch/AWS.CloudWatch.EncryptionandKeyManagement.High.0632.json b/pkg/policies/opa/rego/aws/aws_cloudwatch/AWS.CloudWatch.EncryptionandKeyManagement.High.0632.json
index b1ee1ed12..b4b4bd4bf 100644
--- a/pkg/policies/opa/rego/aws/aws_cloudwatch/AWS.CloudWatch.EncryptionandKeyManagement.High.0632.json
+++ b/pkg/policies/opa/rego/aws/aws_cloudwatch/AWS.CloudWatch.EncryptionandKeyManagement.High.0632.json
@@ -3,7 +3,8 @@
 "file": "logGroupNotEncryptedWithKms.rego",
 "policy_type": "aws",
 "resource_type": {
- "aws_cloudwatch": true
+ "aws_cloudwatch": true,
+ "aws_cloudwatch_log_group": true
 },
 "template_args": null,
 "severity": "HIGH",
diff --git a/pkg/policies/opa/rego/aws/aws_cloudwatch/AWS.CloudWatch.Logging.Medium.0631.json b/pkg/policies/opa/rego/aws/aws_cloudwatch/AWS.CloudWatch.Logging.Medium.0631.json
index 620a3d8bf..e75f91792 100755
--- a/pkg/policies/opa/rego/aws/aws_cloudwatch/AWS.CloudWatch.Logging.Medium.0631.json
+++ b/pkg/policies/opa/rego/aws/aws_cloudwatch/AWS.CloudWatch.Logging.Medium.0631.json
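Review bot: The AWS.CloudWatch.EncryptionandKeyManagement.High.0632 hunk keeps `"aws_cloudwatch": true,` beside the added `"aws_cloudwatch_log_group": true`; as far as I know the Terraform AWS provider has no resource type named `aws_cloudwatch`, so that key can never match a resource and survives only as a leftover of the old single-type format. The AWS.CloudWatch.Logging.Medium.0631 hunk on the next line carries the same leftover. If no loader in this project emits an `aws_cloudwatch` type, remove the line in both files so `aws_cloudwatch_log_group` is the only key; if something does emit it, a short sentence in the PR description saying where it comes from would save the next reader the same question.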
@@ -3,7 +3,8 @@
 "file": "awsCloudWatchRetentionPreiod.rego",
 "policy_type": "aws",
 "resource_type": {
- "aws_cloudwatch": true
+ "aws_cloudwatch": true,
+ "aws_cloudwatch_log_group": true
 },
 "template_args": null,
 "severity": "MEDIUM",
diff --git a/pkg/policies/opa/rego/aws/aws_ebs_volume/AWS.EBS.EKM.Medium.0682.json b/pkg/policies/opa/rego/aws/aws_ebs_volume/AWS.EBS.EKM.Medium.0682.json
index bc9c07657..f97ac6864 100755
--- a/pkg/policies/opa/rego/aws/aws_ebs_volume/AWS.EBS.EKM.Medium.0682.json
+++ b/pkg/policies/opa/rego/aws/aws_ebs_volume/AWS.EBS.EKM.Medium.0682.json
@@ -3,7 +3,8 @@
 "file": "ebsSnapshot.rego",
 "policy_type": "aws",
 "resource_type": {
- "aws_ebs_volume": true
+ "aws_ebs_volume": true,
+ "aws_ebs_snapshot": true
 },
 "template_args": {
 "name": "ebsSnapshotDisabled",
diff --git a/pkg/policies/opa/rego/aws/aws_instance/AC-AW-IA-IN-H-0442.json b/pkg/policies/opa/rego/aws/aws_instance/AC-AW-IA-IN-H-0442.json
index 1edaac9dd..6f85f7af8 100644
--- a/pkg/policies/opa/rego/aws/aws_instance/AC-AW-IA-IN-H-0442.json
+++ b/pkg/policies/opa/rego/aws/aws_instance/AC-AW-IA-IN-H-0442.json
@@ -3,7 +3,9 @@
 "file": "overlyPermissiveInstance.rego",
 "policy_type": "aws",
 "resource_type": {
- "aws_instance": true
+ "aws_instance": true,
+ "aws_iam_role_policy_attachment": true,
+ "aws_iam_policy": true
 },
 "template_args": {
 "prefix": ""
diff --git a/pkg/policies/opa/rego/aws/aws_instance/AC-AW-IS-IN-H-0443.json b/pkg/policies/opa/rego/aws/aws_instance/AC-AW-IS-IN-H-0443.json
index 1eeffb945..96694d653 100644
--- a/pkg/policies/opa/rego/aws/aws_instance/AC-AW-IS-IN-H-0443.json
+++ b/pkg/policies/opa/rego/aws/aws_instance/AC-AW-IS-IN-H-0443.json
@@ -3,7 +3,11 @@
 "file": "instanceExposedToInternet.rego",
 "policy_type": "aws",
 "resource_type": {
- "aws_instance": true
+ "aws_instance": true,
+ "aws_security_group": true,
+ "aws_route_table": true,
+ "aws_subnet": true,
+ "aws_route_table_association": true
 },
 "template_args": {
 "prefix": ""
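Review bot: The AC-AW-IA-IN-H-0442 hunk lists `aws_instance`, `aws_iam_role_policy_attachment` and `aws_iam_policy` for `overlyPermissiveInstance.rego`, but nothing in between: an instance reaches its policies through `aws_iam_instance_profile` and `aws_iam_role`. If the resource_type map decides which resources the policy is handed, the rego cannot walk from the instance to its attachments and an over-permissive instance goes unreported; if the rego sees the whole input regardless, the map is purely descriptive and this is fine. Worth confirming against the engine and, if the map gates input, adding `"aws_iam_instance_profile": true,` and `"aws_iam_role": true,` to it.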
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0227.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0227.json
index 119561f37..9b45661c7 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0227.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0227.json
@@ -1,22 +1,23 @@
 {
- "name": "port22OpenToInternet",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port22OpenToInternet",
- "portNumber": 22,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - (SSH,22)",
- "reference_id": "AC_AWS_0227",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0227"
+ "name": "port22OpenToInternet",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port22OpenToInternet",
+ "portNumber": 22,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - (SSH,22)",
+ "reference_id": "AC_AWS_0227",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0227"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0228.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0228.json
index d0c583f8d..b8795d09e 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0228.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0228.json
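Review bot: Adding `"aws_security_group_rule": true` to AC_AWS_0227 only yields findings if `portOpenToInternet.rego` already iterates over `input.aws_security_group_rule`; the diffstat lists a single .rego change in this commit (`ensurePrivateIP.rego`, 2 lines), so unless that rego was extended earlier, a standalone rule resource opening 22/tcp to 0.0.0.0/0 still passes the scan, which is a missed finding rather than a false positive. The same question applies to the portOpenToInternet hunks on the following lines (AC_AWS_0228 to 0230 and 0233 to 0236) and to `unrestrictedIngressAccess.rego` and `defaultSGNotRestrictsAllTraffic.rego` in AC_AWS_0231 and AC_AWS_0232; a one-line statement in the PR description naming the rego files that already handle the rule type would settle it. Separately, the hunk rewrites all 22 lines of the file because the indentation changed together with the one added key, and the diffstat shows the same 41-line rewrite for every AC_AWS_* and AC_AZURE_* file; that buries the real one-line change and makes a file with the wrong key added hard to spot, so re-indentation is better done in its own commit.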
@@ -1,22 +1,23 @@
 {
- "name": "port80OpenToInternet",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port80OpenToInternet",
- "portNumber": 80,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - (HTTP,80)",
- "reference_id": "AC_AWS_0228",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0228"
+ "name": "port80OpenToInternet",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port80OpenToInternet",
+ "portNumber": 80,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - (HTTP,80)",
+ "reference_id": "AC_AWS_0228",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0228"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0229.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0229.json
index d237d95f4..c48bfd6b7 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0229.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0229.json
@@ -1,22 +1,23 @@
 {
- "name": "port443OpenToInternet",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port443OpenToInternet",
- "portNumber": 443,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Security Groups - Unrestricted Specific Ports - (HTTPS,443)",
- "reference_id": "AC_AWS_0229",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0229"
+ "name": "port443OpenToInternet",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port443OpenToInternet",
+ "portNumber": 443,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Security Groups - Unrestricted Specific Ports - (HTTPS,443)",
+ "reference_id": "AC_AWS_0229",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0229"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0230.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0230.json
index 8d905be03..1b12b844d 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0230.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0230.json
@@ -1,22 +1,23 @@
 {
- "name": "port3389OpenToInternet",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port3389OpenToInternet",
- "portNumber": 3389,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - remote desktop port (TCP,3389)",
- "reference_id": "AC_AWS_0230",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0230"
+ "name": "port3389OpenToInternet",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port3389OpenToInternet",
+ "portNumber": 3389,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - remote desktop port (TCP,3389)",
+ "reference_id": "AC_AWS_0230",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0230"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0231.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0231.json
index ca7b4f38e..12c7040ca 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0231.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0231.json
@@ -1,20 +1,21 @@
 {
- "name": "unrestrictedIngressAccess",
- "file": "unrestrictedIngressAccess.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "unrestrictedIngressAccess",
- "prefix": "",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure no security groups allow ingress from 0.0.0.0/0 to ALL ports and protocols",
- "reference_id": "AC_AWS_0231",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0231"
+ "name": "unrestrictedIngressAccess",
+ "file": "unrestrictedIngressAccess.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "unrestrictedIngressAccess",
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure no security groups allow ingress from 0.0.0.0/0 to ALL ports and protocols",
+ "reference_id": "AC_AWS_0231",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0231"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0232.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0232.json
index 4960699e5..8ff7dd051 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0232.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0232.json
@@ -1,19 +1,20 @@
 {
- "name": "defaultSGNotRestrictsAllTraffic",
- "file": "defaultSGNotRestrictsAllTraffic.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "name": "defaultSGNotRestrictsAllTraffic",
- "prefix": "",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure no default security groups are used as they allow ingress from 0.0.0.0/0 to ALL ports and protocols",
- "reference_id": "AC_AWS_0232",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0232"
+ "name": "defaultSGNotRestrictsAllTraffic",
+ "file": "defaultSGNotRestrictsAllTraffic.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "name": "defaultSGNotRestrictsAllTraffic",
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure no default security groups are used as they allow ingress from 0.0.0.0/0 to ALL ports and protocols",
+ "reference_id": "AC_AWS_0232",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0232"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0233.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0233.json
index 236943f3d..4037995af 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0233.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0233.json
@@ -1,22 +1,23 @@
 {
- "name": "port4505AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port4505AlbNetworkPortSecurity",
- "portNumber": 4505,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - SaltStack Master (TCP,4505)",
- "reference_id": "AC_AWS_0233",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0233"
+ "name": "port4505AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port4505AlbNetworkPortSecurity",
+ "portNumber": 4505,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - SaltStack Master (TCP,4505)",
+ "reference_id": "AC_AWS_0233",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0233"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0234.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0234.json
index c91ab1561..c206c3a43 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0234.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0234.json
@@ -1,22 +1,23 @@
 {
- "name": "port9200AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port9200AlbNetworkPortSecurity",
- "portNumber": 9200,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - Elasticsearch (TCP,9200)",
- "reference_id": "AC_AWS_0234",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0234"
+ "name": "port9200AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port9200AlbNetworkPortSecurity",
+ "portNumber": 9200,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - Elasticsearch (TCP,9200)",
+ "reference_id": "AC_AWS_0234",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0234"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0235.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0235.json
index c870ab183..beb804f5e 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0235.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0235.json
@@ -1,22 +1,23 @@
 {
- "name": "port9300AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port9300AlbNetworkPortSecurity",
- "portNumber": 9300,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - Elasticsearch (TCP,9300)",
- "reference_id": "AC_AWS_0235",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0235"
+ "name": "port9300AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port9300AlbNetworkPortSecurity",
+ "portNumber": 9300,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - Elasticsearch (TCP,9300)",
+ "reference_id": "AC_AWS_0235",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0235"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0236.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0236.json
index 9d928f2e7..a8f48d705 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0236.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0236.json
@@ -1,22 +1,23 @@
 {
- "name": "port4506AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port4506AlbNetworkPortSecurity",
- "portNumber": 4506,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - SaltStack Master (TCP,4506)",
- "reference_id": "AC_AWS_0236",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0236"
+ "name": "port4506AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port4506AlbNetworkPortSecurity",
+ "portNumber": 4506,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - SaltStack Master (TCP,4506)",
+ "reference_id": "AC_AWS_0236",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0236"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0237.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0237.json
index b38a772cc..9e53db7b9 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0237.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0237.json
@@ -1,22 +1,23 @@
 {
- "name": "port3020AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port3020AlbNetworkPortSecurity",
- "portNumber": 3020,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - CIFS / SMB (TCP,3020)",
- "reference_id": "AC_AWS_0237",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0237"
+ "name": "port3020AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port3020AlbNetworkPortSecurity",
+ "portNumber": 3020,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - CIFS / SMB (TCP,3020)",
+ "reference_id": "AC_AWS_0237",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0237"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0238.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0238.json
index e1d8d6455..e636ab215 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0238.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0238.json
@@ -1,22 +1,23 @@
 {
- "name": "port61621AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port61621AlbNetworkPortSecurity",
- "portNumber": 61621,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - Cassandra OpsCenter agent (TCP,61621)",
- "reference_id": "AC_AWS_0238",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0238"
+ "name": "port61621AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port61621AlbNetworkPortSecurity",
+ "portNumber": 61621,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - Cassandra OpsCenter agent (TCP,61621)",
+ "reference_id": "AC_AWS_0238",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0238"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0239.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0239.json
index 15bc9e701..8334c2253 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0239.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0239.json
@@ -1,22 +1,23 @@
 {
- "name": "port7001AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port7001AlbNetworkPortSecurity",
- "portNumber": 7001,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - Cassandra (TCP,7001)",
- "reference_id": "AC_AWS_0239",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0239"
+ "name": "port7001AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port7001AlbNetworkPortSecurity",
+ "portNumber": 7001,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - Cassandra (TCP,7001)",
+ "reference_id": "AC_AWS_0239",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0239"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0240.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0240.json
index f416b3adf..de1af0cc2 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0240.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0240.json
@@ -1,22 +1,23 @@
 {
- "name": "port9000AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port9000AlbNetworkPortSecurity",
- "portNumber": 9000,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - Hadoop Name Node (TCP,9000)",
- "reference_id": "AC_AWS_0240",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0240"
+ "name": "port9000AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port9000AlbNetworkPortSecurity",
+ "portNumber": 9000,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - Hadoop Name Node (TCP,9000)",
+ "reference_id": "AC_AWS_0240",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0240"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0241.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0241.json
index 6bfafb83b..0ad6e2114 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0241.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0241.json
@@ -1,22 +1,23 @@
 {
- "name": "port8000AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port8000AlbNetworkPortSecurity",
- "portNumber": 8000,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - Known internal web port (TCP,8000)",
- "reference_id": "AC_AWS_0241",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0241"
+ "name": "port8000AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port8000AlbNetworkPortSecurity",
+ "portNumber": 8000,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - Known internal web port (TCP,8000)",
+ "reference_id": "AC_AWS_0241",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0241"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0242.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0242.json
index c4a4fd8b7..e0394a1ee 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0242.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0242.json
@@ -1,22 +1,23 @@
 {
- "name": "port8080AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port8080AlbNetworkPortSecurity",
- "portNumber": 8080,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - Known internal web port (TCP,8080)",
- "reference_id": "AC_AWS_0242",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0242"
+ "name": "port8080AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port8080AlbNetworkPortSecurity",
+ "portNumber": 8080,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - Known internal web port (TCP,8080)",
+ "reference_id": "AC_AWS_0242",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0242"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0243.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0243.json
index bc881de79..6965a3862 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0243.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0243.json
@@ -1,22 +1,23 @@
 {
- "name": "port636AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port636AlbNetworkPortSecurity",
- "portNumber": 636,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - LDAP SSL (TCP,636)",
- "reference_id": "AC_AWS_0243",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0243"
+ "name": "port636AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port636AlbNetworkPortSecurity",
+ "portNumber": 636,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - LDAP SSL (TCP,636)",
+ "reference_id": "AC_AWS_0243",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0243"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0244.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0244.json
index 34cafc939..b1d6d1511 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0244.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0244.json
@@ -1,22 +1,23 @@
 {
- "name": "port1434AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port1434AlbNetworkPortSecurity",
- "portNumber": 1434,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - MSSQL Admin (TCP,1434)",
- "reference_id": "AC_AWS_0244",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0244"
+ "name": "port1434AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port1434AlbNetworkPortSecurity",
+ "portNumber": 1434,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - MSSQL Admin (TCP,1434)",
+ "reference_id": "AC_AWS_0244",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0244"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0245.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0245.json
index e30d4cb0c..542498099 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0245.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0245.json
@@ -1,22 +1,23 @@
 {
- "name": "port1434UdpAlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port1434UdpAlbNetworkPortSecurity",
- "portNumber": 1434,
- "prefix": "",
- "protocol": "udp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - MSSQL Browser Service (UDP,1434)",
- "reference_id": "AC_AWS_0245",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0245"
+ "name": "port1434UdpAlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port1434UdpAlbNetworkPortSecurity",
+ "portNumber": 1434,
+ "prefix": "",
+ "protocol": "udp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - MSSQL Browser Service (UDP,1434)",
+ "reference_id": "AC_AWS_0245",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0245"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0246.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0246.json
index 9d8e9fbaf..69aaa8bc8 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0246.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0246.json
@@ -1,22 +1,23 @@
 {
- "name": "port135AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port135AlbNetworkPortSecurity",
- "portNumber": 135,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - MSSQL Debugger (TCP,135)",
- "reference_id": "AC_AWS_0246",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0246"
+ "name": "port135AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port135AlbNetworkPortSecurity",
+ "portNumber": 135,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - MSSQL Debugger (TCP,135)",
+ "reference_id": "AC_AWS_0246",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0246"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0247.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0247.json
index c8ff88570..1aea890c5 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0247.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0247.json
@@ -1,22 +1,23 @@
 {
- "name": "port1433AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port1433AlbNetworkPortSecurity",
- "portNumber": 1433,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - MSSQL Server (TCP,1433)",
- "reference_id": "AC_AWS_0247",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0247"
+ "name": "port1433AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port1433AlbNetworkPortSecurity",
+ "portNumber": 1433,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - MSSQL Server (TCP,1433)",
+ "reference_id": "AC_AWS_0247",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0247"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0248.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0248.json
index 1b22e51df..9623aeed8 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0248.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0248.json
@@ -1,22 +1,23 @@
 {
- "name": "port11214AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port11214AlbNetworkPortSecurity",
- "portNumber": 11214,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - Memcached SSL (TCP,11214)",
- "reference_id": "AC_AWS_0248",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0248"
+ "name": "port11214AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port11214AlbNetworkPortSecurity",
+ "portNumber": 11214,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - Memcached SSL (TCP,11214)",
+ "reference_id": "AC_AWS_0248",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0248"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0249.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0249.json
index ac4911a2e..4614ef93a 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0249.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0249.json
@@ -1,22 +1,23 @@
 {
- "name": "port11215AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port11215AlbNetworkPortSecurity",
- "portNumber": 11215,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - Memcached SSL (TCP,11215)",
- "reference_id": "AC_AWS_0249",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0249"
+ "name": "port11215AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port11215AlbNetworkPortSecurity",
+ "portNumber": 11215,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - Memcached SSL (TCP,11215)",
+ "reference_id": "AC_AWS_0249",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0249"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0250.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0250.json
index 5f9958da6..9c7654935 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0250.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0250.json
@@ -1,22 +1,23 @@
 {
- "name": "port11214UdpAlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port11214UdpAlbNetworkPortSecurity",
- "portNumber": 11214,
- "prefix": "",
- "protocol": "udp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - Memcached SSL (UDP,11214)",
- "reference_id": "AC_AWS_0250",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0250"
+ "name": "port11214UdpAlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port11214UdpAlbNetworkPortSecurity",
+ "portNumber": 11214,
+ "prefix": "",
+ "protocol": "udp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - Memcached SSL (UDP,11214)",
+ "reference_id": "AC_AWS_0250",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0250"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0251.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0251.json
index 66fd79f8a..cbb6b48e8 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0251.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0251.json
@@ -1,22 +1,23 @@
 {
- "name": "port11215UdpAlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port11215UdpAlbNetworkPortSecurity",
- "portNumber": 11215,
- "prefix": "",
- "protocol": "udp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - Memcached SSL (UDP,11215)",
- "reference_id": "AC_AWS_0251",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0251"
+ "name": "port11215UdpAlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port11215UdpAlbNetworkPortSecurity",
+ "portNumber": 11215,
+ "prefix": "",
+ "protocol": "udp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - Memcached SSL (UDP,11215)",
+ "reference_id": "AC_AWS_0251",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0251"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0252.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0252.json
index 98d736a2b..e0f4c1a28 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0252.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0252.json
@@ -1,22 +1,23 @@
 {
- "name": "port27018AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port27018AlbNetworkPortSecurity",
- "portNumber": 27018,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - Mongo Web Portal (TCP,27018)",
- "reference_id": "AC_AWS_0252",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0252"
+ "name": "port27018AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port27018AlbNetworkPortSecurity",
+ "portNumber": 27018,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - Mongo Web Portal (TCP,27018)",
+ "reference_id": "AC_AWS_0252",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0252"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0253.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0253.json
index 74e270b35..7de09cf56 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0253.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0253.json
@@ -1,22 +1,23 @@
 {
- "name": "port3306AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port3306AlbNetworkPortSecurity",
- "portNumber": 3306,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - MySQL (TCP,3306)",
- "reference_id": "AC_AWS_0253",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0253"
+ "name": "port3306AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port3306AlbNetworkPortSecurity",
+ "portNumber": 3306,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - MySQL (TCP,3306)",
+ "reference_id": "AC_AWS_0253",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0253"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0254.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0254.json
index 3c6c45f52..708472d69 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0254.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0254.json
@@ -1,22 +1,23 @@
 {
- "name": "port137AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port137AlbNetworkPortSecurity",
- "portNumber": 137,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - NetBIOS Name Service (TCP,137)",
- "reference_id": "AC_AWS_0254",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0254"
+ "name": "port137AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port137AlbNetworkPortSecurity",
+ "portNumber": 137,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - NetBIOS Name Service (TCP,137)",
+ "reference_id": "AC_AWS_0254",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0254"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0255.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0255.json
index 982f0dd54..a97f85a07 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0255.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0255.json
@@ -1,22 +1,23 @@
 {
- "name": "port137UdpAlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port137UdpAlbNetworkPortSecurity",
- "portNumber": 137,
- "prefix": "",
- "protocol": "udp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - NetBIOS Name Service (UDP,137)",
- "reference_id": "AC_AWS_0255",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0255"
+ "name": "port137UdpAlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port137UdpAlbNetworkPortSecurity",
+ "portNumber": 137,
+ "prefix": "",
+ "protocol": "udp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - NetBIOS Name Service (UDP,137)",
+ "reference_id": "AC_AWS_0255",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0255"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0256.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0256.json
index 3bd29669e..69d78b657 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0256.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0256.json
@@ -1,22 +1,23 @@
 {
- "name": "port138AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port138AlbNetworkPortSecurity",
- "portNumber": 138,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - NetBIOS Datagram Service (TCP,138)",
- "reference_id": "AC_AWS_0256",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0256"
+ "name": "port138AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port138AlbNetworkPortSecurity",
+ "portNumber": 138,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - NetBIOS Datagram Service (TCP,138)",
+ "reference_id": "AC_AWS_0256",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0256"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0257.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0257.json
index f81a93052..61f078f6c 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0257.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0257.json
@@ -1,22 +1,23 @@
 {
- "name": "port138UdpAlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port138UdpAlbNetworkPortSecurity",
- "portNumber": 138,
- "prefix": "",
- "protocol": "udp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - NetBIOS Datagram Service (UDP,138)",
- "reference_id": "AC_AWS_0257",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0257"
+ "name": "port138UdpAlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port138UdpAlbNetworkPortSecurity",
+ "portNumber": 138,
+ "prefix": "",
+ "protocol": "udp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - NetBIOS Datagram Service (UDP,138)",
+ "reference_id": "AC_AWS_0257",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0257"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0258.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0258.json
index 174a475d9..68259eb6a 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0258.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0258.json
@@ -1,22 +1,23 @@
 {
- "name": "port139AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port139AlbNetworkPortSecurity",
- "portNumber": 139,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - NetBIOS Session Service (TCP,139)",
- "reference_id": "AC_AWS_0258",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0258"
+ "name": "port139AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port139AlbNetworkPortSecurity",
+ "portNumber": 139,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - NetBIOS Session Service (TCP,139)",
+ "reference_id": "AC_AWS_0258",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0258"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0259.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0259.json
index 6ad38cb27..c6debcffb 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0259.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0259.json
@@ -1,22 +1,23 @@
 {
- "name": "port139UdpAlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port139UdpAlbNetworkPortSecurity",
- "portNumber": 139,
- "prefix": "",
- "protocol": "udp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - NetBIOS Session Service (UDP,139)",
- "reference_id": "AC_AWS_0259",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0259"
+ "name": "port139UdpAlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port139UdpAlbNetworkPortSecurity",
+ "portNumber": 139,
+ "prefix": "",
+ "protocol": "udp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - NetBIOS Session Service (UDP,139)",
+ "reference_id": "AC_AWS_0259",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0259"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0260.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0260.json
index d8c3aaf1a..61b0b563d 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0260.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0260.json
@@ -1,22 +1,23 @@
 {
- "name": "port2484AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port2484AlbNetworkPortSecurity",
- "portNumber": 2484,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - Oracle DB SSL (TCP,2484)",
- "reference_id": "AC_AWS_0260",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0260"
+ "name": "port2484AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port2484AlbNetworkPortSecurity",
+ "portNumber": 2484,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - Oracle DB SSL (TCP,2484)",
+ "reference_id": "AC_AWS_0260",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0260"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0261.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0261.json
index 7f7dc23ff..10bfbac55 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0261.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0261.json
@@ -1,22 +1,23 @@
 {
- "name": "port2484UdpAlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port2484UdpAlbNetworkPortSecurity",
- "portNumber": 2484,
- "prefix": "",
- "protocol": "udp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - Oracle DB SSL (UDP,2484)",
- "reference_id": "AC_AWS_0261",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0261"
+ "name": "port2484UdpAlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port2484UdpAlbNetworkPortSecurity",
+ "portNumber": 2484,
+ "prefix": "",
+ "protocol": "udp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - Oracle DB SSL (UDP,2484)",
+ "reference_id": "AC_AWS_0261",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0261"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0262.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0262.json
index 408f436a5..f4d207960 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0262.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0262.json
@@ -1,22 +1,23 @@
 {
- "name": "port5432AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port5432AlbNetworkPortSecurity",
- "portNumber": 5432,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - Postgres SQL (TCP,5432)",
- "reference_id": "AC_AWS_0262",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0262"
+ "name": "port5432AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port5432AlbNetworkPortSecurity",
+ "portNumber": 5432,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - Postgres SQL (TCP,5432)",
+ "reference_id": "AC_AWS_0262",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0262"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0263.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0263.json
index 6dadf213a..592348d57 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0263.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0263.json
@@ -1,22 +1,23 @@
 {
- "name": "port5432UdpAlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port5432UdpAlbNetworkPortSecurity",
- "portNumber": 5432,
- "prefix": "",
- "protocol": "udp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - Postgres SQL (UDP,5432)",
- "reference_id": "AC_AWS_0263",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0263"
+ "name": "port5432UdpAlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port5432UdpAlbNetworkPortSecurity",
+ "portNumber": 5432,
+ "prefix": "",
+ "protocol": "udp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - Postgres SQL (UDP,5432)",
+ "reference_id": "AC_AWS_0263",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0263"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0264.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0264.json
index 727760991..54acb4751 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0264.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0264.json
@@ -1,22 +1,23 @@
 {
- "name": "port3000AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port3000AlbNetworkPortSecurity",
- "portNumber": 3000,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - Prevalent known internal port (TCP,3000)",
- "reference_id": "AC_AWS_0264",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0264"
+ "name": "port3000AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port3000AlbNetworkPortSecurity",
+ "portNumber": 3000,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - Prevalent known internal port (TCP,3000)",
+ "reference_id": "AC_AWS_0264",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0264"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0265.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0265.json
index 9c41990d8..8f4034cd5 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0265.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0265.json
@@ -1,22 +1,23 @@
 {
- "name": "port8140AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port8140AlbNetworkPortSecurity",
- "portNumber": 8140,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - Puppet Master (TCP,8140)",
- "reference_id": "AC_AWS_0265",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0265"
+ "name": "port8140AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port8140AlbNetworkPortSecurity",
+ "portNumber": 8140,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - Puppet Master (TCP,8140)",
+ "reference_id": "AC_AWS_0265",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0265"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0266.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0266.json
index b0fcc1601..9b138be31 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0266.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0266.json
@@ -1,22 +1,23 @@
 {
- "name": "port161UdpAlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port161UdpAlbNetworkPortSecurity",
- "portNumber": 161,
- "prefix": "",
- "protocol": "udp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - SNMP (UDP,161)",
- "reference_id": "AC_AWS_0266",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0266"
+ "name": "port161UdpAlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port161UdpAlbNetworkPortSecurity",
+ "portNumber": 161,
+ "prefix": "",
+ "protocol": "udp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - SNMP (UDP,161)",
+ "reference_id": "AC_AWS_0266",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0266"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0267.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0267.json
index 2600a7e31..2020c4369 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0267.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0267.json
@@ -1,22 +1,23 @@
 {
- "name": "port2382AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port2382AlbNetworkPortSecurity",
- "portNumber": 2382,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - SQL Server Analysis Service browser (TCP,2382)",
- "reference_id": "AC_AWS_0267",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0267"
+ "name": "port2382AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port2382AlbNetworkPortSecurity",
+ "portNumber": 2382,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - SQL Server Analysis Service browser (TCP,2382)",
+ "reference_id": "AC_AWS_0267",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0267"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0268.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0268.json
index b5ab6f06f..e9d3e941e 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0268.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0268.json
@@ -1,22 +1,23 @@
 {
- "name": "port2383AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port2383AlbNetworkPortSecurity",
- "portNumber": 2383,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - SQL Server Analysis Services (TCP,2383)",
- "reference_id": "AC_AWS_0268",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0268"
+ "name": "port2383AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port2383AlbNetworkPortSecurity",
+ "portNumber": 2383,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - SQL Server Analysis Services (TCP,2383)",
+ "reference_id": "AC_AWS_0268",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0268"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0269.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0269.json
index 7fab7b103..1f8e2ec0f 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0269.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0269.json
@@ -1,22 +1,23 @@
 {
- "name": "port4505AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port4505AlbNetworkPortSecurity",
- "portNumber": 4505,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - SaltStack Master (TCP,4505)",
- "reference_id": "AC_AWS_0269",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0269"
+ "name": "port4505AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port4505AlbNetworkPortSecurity",
+ "portNumber": 4505,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - SaltStack Master (TCP,4505)",
+ "reference_id": "AC_AWS_0269",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0269"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0270.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0270.json
index dc5fb2b44..b95ddad1c 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0270.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0270.json
@@ -1,22 +1,23 @@
 {
- "name": "port1521AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port1521AlbNetworkPortSecurity",
- "portNumber": 1521,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - Oracle Database Server (TCP,1521)",
- "reference_id": "AC_AWS_0270",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0270"
+ "name": "port1521AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port1521AlbNetworkPortSecurity",
+ "portNumber": 1521,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - Oracle Database Server (TCP,1521)",
+ "reference_id": "AC_AWS_0270",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0270"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0271.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0271.json
index e60181583..ca802ee49 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0271.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0271.json
@@ -1,22 +1,23 @@
 {
- "name": "port23AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port23AlbNetworkPortSecurity",
- "portNumber": 23,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - Telnet (TCP,23)",
- "reference_id": "AC_AWS_0271",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0271"
+ "name": "port23AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port23AlbNetworkPortSecurity",
+ "portNumber": 23,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - Telnet (TCP,23)",
+ "reference_id": "AC_AWS_0271",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0271"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0272.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0272.json
index 72a0d0597..f47a90b11 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0272.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0272.json
@@ -1,22 +1,23 @@
 {
- "name": "port25AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port25AlbNetworkPortSecurity",
- "portNumber": 25,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - SMTP (TCP,25)",
- "reference_id": "AC_AWS_0272",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0272"
+ "name": "port25AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port25AlbNetworkPortSecurity",
+ "portNumber": 25,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - SMTP (TCP,25)",
+ "reference_id": "AC_AWS_0272",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0272"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0273.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0273.json
index 00b8c4486..dfc248273 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0273.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0273.json
@@ -1,22 +1,23 @@
 {
- "name": "port445AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port445AlbNetworkPortSecurity",
- "portNumber": 445,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - CIFS for file/printer (TCP,445)",
- "reference_id": "AC_AWS_0273",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0273"
+ "name": "port445AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port445AlbNetworkPortSecurity",
+ "portNumber": 445,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - CIFS for file/printer (TCP,445)",
+ "reference_id": "AC_AWS_0273",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0273"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0274.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0274.json
index 31cececa9..4b9f62d0e 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0274.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0274.json
@@ -1,22 +1,23 @@
 {
- "name": "port27017AlbNetworkPortSecurity",
- "file": "portOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port27017AlbNetworkPortSecurity",
- "portNumber": 27017,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Security Groups - Unrestricted Specific Ports - MongoDB (TCP,27017)",
- "reference_id": "AC_AWS_0274",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0274"
+ "name": "port27017AlbNetworkPortSecurity",
+ "file": "portOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port27017AlbNetworkPortSecurity",
+ "portNumber": 27017,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security Groups - Unrestricted Specific Ports - MongoDB (TCP,27017)",
+ "reference_id": "AC_AWS_0274",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0274"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0275.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0275.json
index f460645e0..1fbfb8e5b 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0275.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0275.json
@@ -1,19 +1,20 @@
 {
- "name": "portWideOpenToPublic",
- "file": "portWideOpenToPublic.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "name": "portWideOpenToPublic",
- "prefix": "",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure no security groups is wide open to public, that is, allows traffic from 0.0.0.0/0 to ALL ports and protocols",
- "reference_id": "AC_AWS_0275",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0275"
+ "name": "portWideOpenToPublic",
+ "file": "portWideOpenToPublic.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "name": "portWideOpenToPublic",
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure no security groups is wide open to public, that is, allows traffic from 0.0.0.0/0 to ALL ports and protocols",
+ "reference_id": "AC_AWS_0275",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0275"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0276.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0276.json
index 104101b10..f5a85756c 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0276.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0276.json
@@ -1,59 +1,60 @@
 {
- "name": "unknownPortOpenToInternet",
- "file": "unknownPortOpenToInternet.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "known_ports": [
- "0",
- "22",
- "23",
- "25",
- "80",
- "443",
- "445",
- "3389",
- "4505",
- "4506",
- "3020",
- "61621",
- "7001",
- "9000",
- "8000",
- "8080",
- "636",
- "1434",
- "135",
- "1433",
- "11214",
- "11215",
- "27017",
- "27018",
- "3306",
- "137",
- "138",
- "139",
- "2484",
- "5432",
- "3000",
- "8140",
- "161",
- "2382",
- "2383",
- "9300",
- "9200"
- ],
- "name": "unknownPortOpenToInternet",
- "prefix": "",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure Unknown Port is not exposed to the entire internet",
- "reference_id": "AC_AWS_0276",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0276"
+ "name": "unknownPortOpenToInternet",
+ "file": "unknownPortOpenToInternet.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "known_ports": [
+ "0",
+ "22",
+ "23",
+ "25",
+ "80",
+ "443",
+ "445",
+ "3389",
+ "4505",
+ "4506",
+ "3020",
+ "61621",
+ "7001",
+ "9000",
+ "8000",
+ "8080",
+ "636",
+ "1434",
+ "135",
+ "1433",
+ "11214",
+ "11215",
+ "27017",
+ "27018",
+ "3306",
+ "137",
+ "138",
+ "139",
+ "2484",
+ "5432",
+ "3000",
+ "8140",
+ "161",
+ "2382",
+ "2383",
+ "9300",
+ "9200"
+ ],
+ "name": "unknownPortOpenToInternet",
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure Unknown Port is not exposed to the entire internet",
+ "reference_id": "AC_AWS_0276",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0276"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0277.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0277.json
index b11848f7e..033b8914a 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0277.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0277.json
@@ -1,22 +1,23 @@
 {
- "name": "port4505AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port4505AlbNetworkPortSecurityPublicScope",
- "portNumber": 4505,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure SaltStack Master (TCP,4505) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0277",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0277"
+ "name": "port4505AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port4505AlbNetworkPortSecurityPublicScope",
+ "portNumber": 4505,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure SaltStack Master (TCP,4505) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0277",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0277"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0278.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0278.json
index 32cc44f66..31e09e93e 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0278.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0278.json
@@ -1,22 +1,23 @@
 {
- "name": "port4506AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port4506AlbNetworkPortSecurityPublicScope",
- "portNumber": 4506,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure SaltStack Master (TCP,4506) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0278",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0278"
+ "name": "port4506AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port4506AlbNetworkPortSecurityPublicScope",
+ "portNumber": 4506,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure SaltStack Master (TCP,4506) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0278",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0278"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0279.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0279.json
index 0b17914d9..4f3ae3e43 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0279.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0279.json
@@ -1,22 +1,23 @@
 {
- "name": "port3020AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port3020AlbNetworkPortSecurityPublicScope",
- "portNumber": 3020,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure CIFS / SMB (TCP,3020) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0279",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0279"
+ "name": "port3020AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port3020AlbNetworkPortSecurityPublicScope",
+ "portNumber": 3020,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure CIFS / SMB (TCP,3020) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0279",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0279"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0280.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0280.json
index 1db7ae4d6..aa9d44cda 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0280.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0280.json
@@ -1,22 +1,23 @@
 {
- "name": "port61621AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port61621AlbNetworkPortSecurityPublicScope",
- "portNumber": 61621,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Cassandra OpsCenter agent port (TCP,61621) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0280",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0280"
+ "name": "port61621AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port61621AlbNetworkPortSecurityPublicScope",
+ "portNumber": 61621,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Cassandra OpsCenter agent port (TCP,61621) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0280",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0280"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0281.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0281.json
index d76a4e731..81116e051 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0281.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0281.json
@@ -1,22 +1,23 @@
 {
- "name": "port7001AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port7001AlbNetworkPortSecurityPublicScope",
- "portNumber": 7001,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Cassandra (TCP,7001) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0281",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0281"
+ "name": "port7001AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port7001AlbNetworkPortSecurityPublicScope",
+ "portNumber": 7001,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Cassandra (TCP,7001) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0281",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0281"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0282.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0282.json
index 43cd160d7..54676c1c4 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0282.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0282.json
@@ -1,22 +1,23 @@
 {
- "name": "port9000AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port9000AlbNetworkPortSecurityPublicScope",
- "portNumber": 9000,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Hadoop Name Node (TCP,9000) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0282",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0282"
+ "name": "port9000AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port9000AlbNetworkPortSecurityPublicScope",
+ "portNumber": 9000,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Hadoop Name Node (TCP,9000) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0282",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0282"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0283.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0283.json
index dbfafd20c..7c6f9e398 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0283.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0283.json
@@ -1,22 +1,23 @@
 {
- "name": "port8000AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port8000AlbNetworkPortSecurityPublicScope",
- "portNumber": 8000,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Known internal web port (TCP,8000) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0283",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0283"
+ "name": "port8000AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port8000AlbNetworkPortSecurityPublicScope",
+ "portNumber": 8000,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Known internal web port (TCP,8000) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0283",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0283"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0284.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0284.json
index a47c6b7d8..1763a5cf7 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0284.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0284.json
@@ -1,22 +1,23 @@
 {
- "name": "port8080AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port8080AlbNetworkPortSecurityPublicScope",
- "portNumber": 8080,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Known internal web port (TCP,8080) is not accessible by a CIDR block range",
- "reference_id": "AC_AWS_0284",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0284"
+ "name": "port8080AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port8080AlbNetworkPortSecurityPublicScope",
+ "portNumber": 8080,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Known internal web port (TCP,8080) is not accessible by a CIDR block range",
+ "reference_id": "AC_AWS_0284",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0284"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0285.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0285.json
index e4d07d3a7..d5ad100b3 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0285.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0285.json
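Review bot: The description carried onto the new side of this hunk, `Ensure Known internal web port (TCP,8080) is not accessible by a CIDR block range`, drops the word `public` that every sibling policy on this page uses, so it reads as if any CIDR-scoped rule on 8080 were a finding. Since the new-side line is being rewritten anyway, align it with the others: `"description": "Ensure Known internal web port (TCP,8080) is not accessible by a public CIDR block range",`.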
@@ -1,22 +1,23 @@
 {
- "name": "port636AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port636AlbNetworkPortSecurityPublicScope",
- "portNumber": 636,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure LDAP SSL (TCP,636) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0285",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0285"
+ "name": "port636AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port636AlbNetworkPortSecurityPublicScope",
+ "portNumber": 636,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure LDAP SSL (TCP,636) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0285",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0285"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0286.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0286.json
index eb947fc1f..3c4a3dfb8 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0286.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0286.json
@@ -1,22 +1,23 @@
 {
- "name": "port1434AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port1434AlbNetworkPortSecurityPublicScope",
- "portNumber": 1434,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure MSSQL Admin (TCP,1434) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0286",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0286"
+ "name": "port1434AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port1434AlbNetworkPortSecurityPublicScope",
+ "portNumber": 1434,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure MSSQL Admin (TCP,1434) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0286",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0286"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0287.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0287.json
index 523cf122c..972f9663f 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0287.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0287.json
@@ -1,22 +1,23 @@
 {
- "name": "port1434UdpAlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port1434UdpAlbNetworkPortSecurityPublicScope",
- "portNumber": 1434,
- "prefix": "",
- "protocol": "udp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure MSSQL Browser Service (UDP,1434) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0287",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0287"
+ "name": "port1434UdpAlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port1434UdpAlbNetworkPortSecurityPublicScope",
+ "portNumber": 1434,
+ "prefix": "",
+ "protocol": "udp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure MSSQL Browser Service (UDP,1434) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0287",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0287"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0288.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0288.json
index d9137922b..7fa80bf44 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0288.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0288.json
@@ -1,22 +1,23 @@
 {
- "name": "port135AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port135AlbNetworkPortSecurityPublicScope",
- "portNumber": 135,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure MSSQL Debugger (TCP,135) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0288",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0288"
+ "name": "port135AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port135AlbNetworkPortSecurityPublicScope",
+ "portNumber": 135,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure MSSQL Debugger (TCP,135) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0288",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0288"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0289.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0289.json
index f8e5e1e3a..32e6703eb 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0289.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0289.json
@@ -1,22 +1,23 @@
 {
- "name": "port1433AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port1433AlbNetworkPortSecurityPublicScope",
- "portNumber": 1433,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure MSSQL Server (TCP,1433) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0289",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0289"
+ "name": "port1433AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port1433AlbNetworkPortSecurityPublicScope",
+ "portNumber": 1433,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure MSSQL Server (TCP,1433) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0289",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0289"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0290.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0290.json
index ea05a60bd..5b51128ad 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0290.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0290.json
@@ -1,22 +1,23 @@
 {
- "name": "port11214AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port11214AlbNetworkPortSecurityPublicScope",
- "portNumber": 11214,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Memcached SSL (TCP,11214) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0290",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0290"
+ "name": "port11214AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port11214AlbNetworkPortSecurityPublicScope",
+ "portNumber": 11214,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Memcached SSL (TCP,11214) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0290",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0290"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0291.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0291.json
index f80ab84f4..fc7a40734 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0291.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0291.json
@@ -1,22 +1,23 @@
 {
- "name": "port11215AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port11215AlbNetworkPortSecurityPublicScope",
- "portNumber": 11215,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Memcached SSL (TCP,11215) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0291",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0291"
+ "name": "port11215AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port11215AlbNetworkPortSecurityPublicScope",
+ "portNumber": 11215,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Memcached SSL (TCP,11215) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0291",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0291"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0292.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0292.json
index 14a428fd4..1f14f81aa 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0292.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0292.json
@@ -1,22 +1,23 @@
 {
- "name": "port11214UdpAlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port11214UdpAlbNetworkPortSecurityPublicScope",
- "portNumber": 11214,
- "prefix": "",
- "protocol": "udp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Memcached SSL (UDP,11214) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0292",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0292"
+ "name": "port11214UdpAlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port11214UdpAlbNetworkPortSecurityPublicScope",
+ "portNumber": 11214,
+ "prefix": "",
+ "protocol": "udp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Memcached SSL (UDP,11214) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0292",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0292"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0293.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0293.json
index a8a2671e2..841d9472c 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0293.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0293.json
@@ -1,22 +1,23 @@
 {
- "name": "port11215UdpAlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port11215UdpAlbNetworkPortSecurityPublicScope",
- "portNumber": 11215,
- "prefix": "",
- "protocol": "udp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Memcached SSL (UDP,11215) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0293",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0293"
+ "name": "port11215UdpAlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port11215UdpAlbNetworkPortSecurityPublicScope",
+ "portNumber": 11215,
+ "prefix": "",
+ "protocol": "udp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Memcached SSL (UDP,11215) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0293",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0293"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0294.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0294.json
index f7f801af3..0cbb839a6 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0294.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0294.json
@@ -1,22 +1,23 @@
 {
- "name": "port27018AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port27018AlbNetworkPortSecurityPublicScope",
- "portNumber": 27018,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Mongo Web Portal (TCP,27018) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0294",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0294"
+ "name": "port27018AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port27018AlbNetworkPortSecurityPublicScope",
+ "portNumber": 27018,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Mongo Web Portal (TCP,27018) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0294",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0294"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0295.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0295.json
index 5648e3707..56cb815e6 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0295.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0295.json
@@ -1,22 +1,23 @@
 {
- "name": "port3306AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port3306AlbNetworkPortSecurityPublicScope",
- "portNumber": 3306,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure MySQL (TCP,3306) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0295",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0295"
+ "name": "port3306AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port3306AlbNetworkPortSecurityPublicScope",
+ "portNumber": 3306,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure MySQL (TCP,3306) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0295",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0295"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0296.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0296.json
index 5693ee6d5..629555171 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0296.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0296.json
@@ -1,22 +1,23 @@
 {
- "name": "port137AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port137AlbNetworkPortSecurityPublicScope",
- "portNumber": 137,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure NetBIOS Name Service (TCP,137) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0296",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0296"
+ "name": "port137AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port137AlbNetworkPortSecurityPublicScope",
+ "portNumber": 137,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure NetBIOS Name Service (TCP,137) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0296",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0296"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0297.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0297.json
index ea97cccb3..5f9aef860 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0297.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0297.json
@@ -1,22 +1,23 @@
 {
- "name": "port137UdpAlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port137UdpAlbNetworkPortSecurityPublicScope",
- "portNumber": 137,
- "prefix": "",
- "protocol": "udp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure NetBIOS Name Service (UDP,137) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0297",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0297"
+ "name": "port137UdpAlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port137UdpAlbNetworkPortSecurityPublicScope",
+ "portNumber": 137,
+ "prefix": "",
+ "protocol": "udp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure NetBIOS Name Service (UDP,137) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0297",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0297"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0298.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0298.json
index 55e27936a..1ddeb7989 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0298.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0298.json
@@ -1,22 +1,23 @@
 {
- "name": "port138AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port138AlbNetworkPortSecurityPublicScope",
- "portNumber": 138,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure NetBios Datagram Service (TCP,138) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0298",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0298"
+ "name": "port138AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port138AlbNetworkPortSecurityPublicScope",
+ "portNumber": 138,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure NetBios Datagram Service (TCP,138) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0298",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0298"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0299.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0299.json
index b4e53e1f2..a984bb423 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0299.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0299.json
@@ -1,22 +1,23 @@
 {
- "name": "port138UdpAlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port138UdpAlbNetworkPortSecurityPublicScope",
- "portNumber": 138,
- "prefix": "",
- "protocol": "udp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure NetBios Datagram Service (UDP,138) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0299",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0299"
+ "name": "port138UdpAlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port138UdpAlbNetworkPortSecurityPublicScope",
+ "portNumber": 138,
+ "prefix": "",
+ "protocol": "udp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure NetBios Datagram Service (UDP,138) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0299",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0299"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0300.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0300.json
index 567e23ce5..be44e24aa 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0300.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0300.json
@@ -1,22 +1,23 @@
 {
- "name": "port139AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port139AlbNetworkPortSecurityPublicScope",
- "portNumber": 139,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure NetBios Session Service (TCP,139) is not accessible by a CIDR block range",
- "reference_id": "AC_AWS_0300",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0300"
+ "name": "port139AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port139AlbNetworkPortSecurityPublicScope",
+ "portNumber": 139,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure NetBios Session Service (TCP,139) is not accessible by a CIDR block range",
+ "reference_id": "AC_AWS_0300",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0300"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0301.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0301.json
index cef70f6e9..5c7655e59 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0301.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0301.json
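Review bot: The re-emitted description for AC_AWS_0300 reads `is not accessible by a CIDR block range`, while the policy name, the shared `...PublicScope.rego` file and every sibling policy in this series scope the check to a public CIDR range; the word "public" looks dropped, which misstates to the reader what the rule actually flags. Suggest `"description": "Ensure NetBios Session Service (TCP,139) is not accessible by a public CIDR block range"`, and the same fix in the AC_AWS_0301 (UDP,139) and AC_AWS_0305 (UDP,5432) hunks below, which carry the same wording.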
@@ -1,22 +1,23 @@
 {
- "name": "port139UdpAlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port139UdpAlbNetworkPortSecurityPublicScope",
- "portNumber": 139,
- "prefix": "",
- "protocol": "udp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure NetBios Session Service (UDP,139) is not accessible by a CIDR block range",
- "reference_id": "AC_AWS_0301",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0301"
+ "name": "port139UdpAlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port139UdpAlbNetworkPortSecurityPublicScope",
+ "portNumber": 139,
+ "prefix": "",
+ "protocol": "udp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure NetBios Session Service (UDP,139) is not accessible by a CIDR block range",
+ "reference_id": "AC_AWS_0301",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0301"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0302.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0302.json
index 735de6397..6dbbb1432 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0302.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0302.json
@@ -1,22 +1,23 @@
 {
- "name": "port2484AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port2484AlbNetworkPortSecurityPublicScope",
- "portNumber": 2484,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Oracle DB SSL (TCP,2484) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0302",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0302"
+ "name": "port2484AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port2484AlbNetworkPortSecurityPublicScope",
+ "portNumber": 2484,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Oracle DB SSL (TCP,2484) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0302",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0302"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0303.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0303.json
index c6895dff3..4cda03fe2 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0303.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0303.json
@@ -1,22 +1,23 @@
 {
- "name": "port2484UdpAlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port2484UdpAlbNetworkPortSecurityPublicScope",
- "portNumber": 2484,
- "prefix": "",
- "protocol": "udp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Oracle DB SSL (UDP,2484) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0303",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0303"
+ "name": "port2484UdpAlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port2484UdpAlbNetworkPortSecurityPublicScope",
+ "portNumber": 2484,
+ "prefix": "",
+ "protocol": "udp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Oracle DB SSL (UDP,2484) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0303",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0303"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0304.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0304.json
index cdc0b642c..cb7d50db6 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0304.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0304.json
@@ -1,22 +1,23 @@
 {
- "name": "port5432AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port5432AlbNetworkPortSecurityPublicScope",
- "portNumber": 5432,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Postgres SQL (TCP,5432) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0304",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0304"
+ "name": "port5432AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port5432AlbNetworkPortSecurityPublicScope",
+ "portNumber": 5432,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Postgres SQL (TCP,5432) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0304",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0304"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0305.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0305.json
index dccc26ea9..90aa8201f 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0305.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0305.json
@@ -1,22 +1,23 @@
 {
- "name": "port5432UdpAlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port5432UdpAlbNetworkPortSecurityPublicScope",
- "portNumber": 5432,
- "prefix": "",
- "protocol": "udp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Postgres SQL (UDP,5432) is not accessible by a CIDR block range",
- "reference_id": "AC_AWS_0305",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0305"
+ "name": "port5432UdpAlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port5432UdpAlbNetworkPortSecurityPublicScope",
+ "portNumber": 5432,
+ "prefix": "",
+ "protocol": "udp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Postgres SQL (UDP,5432) is not accessible by a CIDR block range",
+ "reference_id": "AC_AWS_0305",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0305"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0306.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0306.json
index fe898ee39..2fa57636b 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0306.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0306.json
@@ -1,22 +1,23 @@
 {
- "name": "port3000AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port3000AlbNetworkPortSecurityPublicScope",
- "portNumber": 3000,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Prevalent known internal port (TCP,3000) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0306",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0306"
+ "name": "port3000AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port3000AlbNetworkPortSecurityPublicScope",
+ "portNumber": 3000,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Prevalent known internal port (TCP,3000) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0306",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0306"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0307.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0307.json
index 10f1cb083..1b784ef2f 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0307.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0307.json
@@ -1,22 +1,23 @@
 {
- "name": "port8140AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port8140AlbNetworkPortSecurityPublicScope",
- "portNumber": 8140,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Puppet Master (TCP:8140) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0307",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0307"
+ "name": "port8140AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port8140AlbNetworkPortSecurityPublicScope",
+ "portNumber": 8140,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Puppet Master (TCP:8140) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0307",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0307"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0308.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0308.json
index 312897cbd..eebe76f64 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0308.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0308.json
@@ -1,22 +1,23 @@
 {
- "name": "port161UdpAlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port161UdpAlbNetworkPortSecurityPublicScope",
- "portNumber": 161,
- "prefix": "",
- "protocol": "udp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure SNMP (UDP,161) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0308",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0308"
+ "name": "port161UdpAlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port161UdpAlbNetworkPortSecurityPublicScope",
+ "portNumber": 161,
+ "prefix": "",
+ "protocol": "udp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure SNMP (UDP,161) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0308",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0308"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0309.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0309.json
index 49491fd03..39bf2cf42 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0309.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0309.json
@@ -1,22 +1,23 @@
 {
- "name": "port2382AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port2382AlbNetworkPortSecurityPublicScope",
- "portNumber": 2382,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure SQL Server Analysis Service browser (TCP,2382) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0309",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0309"
+ "name": "port2382AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port2382AlbNetworkPortSecurityPublicScope",
+ "portNumber": 2382,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure SQL Server Analysis Service browser (TCP,2382) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0309",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0309"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0310.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0310.json
index 0579fe39b..5bb905c30 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0310.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0310.json
@@ -1,22 +1,23 @@
 {
- "name": "port2383AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port2383AlbNetworkPortSecurityPublicScope",
- "portNumber": 2383,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure SQL Server Analysis Services (TCP,2383) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0310",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0310"
+ "name": "port2383AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port2383AlbNetworkPortSecurityPublicScope",
+ "portNumber": 2383,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure SQL Server Analysis Services (TCP,2383) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0310",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0310"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0311.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0311.json
index 0c92aab4f..9492bc0cd 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0311.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0311.json
@@ -1,22 +1,23 @@
 {
- "name": "port4505AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port4505AlbNetworkPortSecurityPublicScope",
- "portNumber": 4505,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure SaltStack Master (TCP,4505) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0311",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0311"
+ "name": "port4505AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port4505AlbNetworkPortSecurityPublicScope",
+ "portNumber": 4505,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure SaltStack Master (TCP,4505) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0311",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0311"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0312.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0312.json
index c02b99501..601bb3160 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0312.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0312.json
@@ -1,22 +1,23 @@
 {
- "name": "port1521AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port1521AlbNetworkPortSecurityPublicScope",
- "portNumber": 1521,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure Oracle Database Server (TCP,1521) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0312",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0312"
+ "name": "port1521AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port1521AlbNetworkPortSecurityPublicScope",
+ "portNumber": 1521,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure Oracle Database Server (TCP,1521) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0312",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0312"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0313.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0313.json
index 548566db4..51fbf3274 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0313.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0313.json
@@ -1,22 +1,23 @@
 {
- "name": "port23AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port23AlbNetworkPortSecurityPublicScope",
- "portNumber": 23,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure Telnet (TCP,23) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0313",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0313"
+ "name": "port23AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port23AlbNetworkPortSecurityPublicScope",
+ "portNumber": 23,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure Telnet (TCP,23) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0313",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0313"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0314.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0314.json
index 53c82aa11..bda92c1f5 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0314.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0314.json
@@ -1,22 +1,23 @@
 {
- "name": "port25AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port25AlbNetworkPortSecurityPublicScope",
- "portNumber": 25,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure SMTP (TCP,25) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0314",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0314"
+ "name": "port25AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port25AlbNetworkPortSecurityPublicScope",
+ "portNumber": 25,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure SMTP (TCP,25) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0314",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0314"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0315.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0315.json
index 3e9109734..4c8b3b760 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0315.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0315.json
@@ -1,22 +1,23 @@
 {
- "name": "port445AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port445AlbNetworkPortSecurityPublicScope",
- "portNumber": 445,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure CIFS for file/printer (TCP,445) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0315",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0315"
+ "name": "port445AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port445AlbNetworkPortSecurityPublicScope",
+ "portNumber": 445,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure CIFS for file/printer (TCP,445) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0315",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0315"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0316.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0316.json
index f9a3c278e..ce3cb55b7 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0316.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0316.json
@@ -1,22 +1,23 @@
 {
- "name": "port27017AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port27017AlbNetworkPortSecurityPublicScope",
- "portNumber": 27017,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure MongoDB (TCP,27017) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0316",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0316"
+ "name": "port27017AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port27017AlbNetworkPortSecurityPublicScope",
+ "portNumber": 27017,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure MongoDB (TCP,27017) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0316",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0316"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0317.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0317.json
index 1cdcc8127..05c2a9c07 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0317.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0317.json
@@ -1,22 +1,23 @@
 {
- "name": "port9200AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port9200AlbNetworkPortSecurityPublicScope",
- "portNumber": 9200,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure Elasticsearch (TCP,9200) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0317",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0317"
+ "name": "port9200AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port9200AlbNetworkPortSecurityPublicScope",
+ "portNumber": 9200,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure Elasticsearch (TCP,9200) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0317",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0317"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0318.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0318.json
index fbfbfaca6..b60e3d428 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0318.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0318.json
@@ -1,22 +1,23 @@
 {
- "name": "port9300AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port9300AlbNetworkPortSecurityPublicScope",
- "portNumber": 9300,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure Elasticsearch (TCP,9300) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0318",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0318"
+ "name": "port9300AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port9300AlbNetworkPortSecurityPublicScope",
+ "portNumber": 9300,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure Elasticsearch (TCP,9300) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0318",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0318"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0319.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0319.json
index e609e2809..47413232e 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0319.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0319.json
@@ -1,22 +1,23 @@
 {
- "name": "port22AlbNetworkPortSecurityPublicScope",
- "file": "portsAlbNetworkPortSecurityPublicScope.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "port22AlbNetworkPortSecurityPublicScope",
- "portNumber": 22,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure SSH (TCP,22) is not accessible by a public CIDR block range",
- "reference_id": "AC_AWS_0319",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0319"
+ "name": "port22AlbNetworkPortSecurityPublicScope",
+ "file": "portsAlbNetworkPortSecurityPublicScope.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "port22AlbNetworkPortSecurityPublicScope",
+ "portNumber": 22,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure SSH (TCP,22) is not accessible by a public CIDR block range",
+ "reference_id": "AC_AWS_0319",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0319"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0320.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0320.json
index 96a4b3ffc..b3261f369 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0320.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0320.json
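Review bot: `"severity": "LOW"` for SSH reachable from a public CIDR range sits oddly next to `"HIGH"` for the MongoDB and Elasticsearch variants of the same template in the preceding hunks; TCP/22 open to 0.0.0.0/0 is a standing control in the CIS AWS Foundations Benchmark and is the port most commonly brute-forced, so I would expect at least `"severity": "MEDIUM"` unless the rating is deliberately deferred to the sibling `networkPort22ExposedToprivate` policy. The line is re-added verbatim by this commit, so this is a reasonable moment to revisit it or to record the rationale in the description.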
@@ -1,22 +1,23 @@
 {
- "name": "networkPort22ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort22ExposedToprivate",
- "portNumber": 22,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Security Groups Unrestricted Specific Ports SSH (TCP,22) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0320",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0320"
+ "name": "networkPort22ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort22ExposedToprivate",
+ "portNumber": 22,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Security Groups Unrestricted Specific Ports SSH (TCP,22) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0320",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0320"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0321.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0321.json
index c481d96c2..0cd50a00f 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0321.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0321.json
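Review bot: The description `... is not exposed to private hosts more than 32` does not say what the number measures, and it is the text an operator sees in the finding; from the template name `networkPortExposedToPrivate.rego` I infer it means a private-range CIDR wider than a single /32 host, but that is a guess. Suggest `"description": "Ensure SSH (TCP,22) is not exposed to a private CIDR range wider than a single host (/32)",` and the same rewording for the sibling policies that share this template. The template is not in this hunk, so confirm the actual threshold in the rego before changing the wording.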
@@ -1,22 +1,23 @@
 {
- "name": "networkPort80ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort80ExposedToprivate",
- "portNumber": 80,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Security Groups Unrestricted Specific Ports http (TCP,80) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0321",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0321"
+ "name": "networkPort80ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort80ExposedToprivate",
+ "portNumber": 80,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Security Groups Unrestricted Specific Ports http (TCP,80) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0321",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0321"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0322.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0322.json
index a35f03525..b432142ee 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0322.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0322.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort443ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort443ExposedToprivate",
- "portNumber": 443,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Security Groups Unrestricted Specific Ports https (TCP,443) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0322",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0322"
+ "name": "networkPort443ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort443ExposedToprivate",
+ "portNumber": 443,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Security Groups Unrestricted Specific Ports https (TCP,443) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0322",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0322"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0323.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0323.json
index 31b90e1e4..e2579f5ec 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0323.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0323.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort3389ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort3389ExposedToprivate",
- "portNumber": 3389,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Security Groups Unrestricted Specific Ports remote desktop port (TCP,3389) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0323",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0323"
+ "name": "networkPort3389ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort3389ExposedToprivate",
+ "portNumber": 3389,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Security Groups Unrestricted Specific Ports remote desktop port (TCP,3389) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0323",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0323"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0324.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0324.json
index af1553f7d..1f78ad2ef 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0324.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0324.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort9200ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort9200ExposedToprivate",
- "portNumber": 9200,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Security Groups Unrestricted Specific Ports Elasticsearch (TCP,9200) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0324",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0324"
+ "name": "networkPort9200ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort9200ExposedToprivate",
+ "portNumber": 9200,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Security Groups Unrestricted Specific Ports Elasticsearch (TCP,9200) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0324",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0324"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0325.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0325.json
index ff94a39d0..9e71e3a81 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0325.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0325.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort4506ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort4506ExposedToprivate",
- "portNumber": 4506,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Security Groups Unrestricted Specific Ports SaltStackMaster (TCP,4506) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0325",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0325"
+ "name": "networkPort4506ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort4506ExposedToprivate",
+ "portNumber": 4506,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Security Groups Unrestricted Specific Ports SaltStackMaster (TCP,4506) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0325",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0325"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0326.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0326.json
index be990e4c3..59c355569 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0326.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0326.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort61621ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort61621ExposedToprivate",
- "portNumber": 61621,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Security Groups Unrestricted Specific Ports CassandraOpsCenteragent (TCP,61621) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0326",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0326"
+ "name": "networkPort61621ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort61621ExposedToprivate",
+ "portNumber": 61621,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Security Groups Unrestricted Specific Ports CassandraOpsCenteragent (TCP,61621) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0326",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0326"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0327.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0327.json
index c9b04fb06..7e5876638 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0327.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0327.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort8080ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort8080ExposedToprivate",
- "portNumber": 8080,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Security Groups Unrestricted Specific Ports Knowninternalwebport (TCP,8080) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0327",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0327"
+ "name": "networkPort8080ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort8080ExposedToprivate",
+ "portNumber": 8080,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Security Groups Unrestricted Specific Ports Knowninternalwebport (TCP,8080) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0327",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0327"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0328.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0328.json
index cdb6f4ed1..7fc908291 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0328.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0328.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort1434ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort1434ExposedToprivate",
- "portNumber": 1434,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Security Groups Unrestricted Specific Ports MSSQLAdmin (TCP,1434) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0328",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0328"
+ "name": "networkPort1434ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort1434ExposedToprivate",
+ "portNumber": 1434,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Security Groups Unrestricted Specific Ports MSSQLAdmin (TCP,1434) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0328",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0328"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0329.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0329.json
index 2c0e3f8b3..925e019cb 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0329.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0329.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort1434ExposedToprivateU",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort1434ExposedToprivateU",
- "portNumber": 1434,
- "prefix": "",
- "protocol": "udp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Security Groups Unrestricted Specific Ports MSSQLBrowserService (UDP,1434) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0329",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0329"
+ "name": "networkPort1434ExposedToprivateU",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort1434ExposedToprivateU",
+ "portNumber": 1434,
+ "prefix": "",
+ "protocol": "udp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Security Groups Unrestricted Specific Ports MSSQLBrowserService (UDP,1434) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0329",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0329"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0330.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0330.json
index 56dcefc6a..feb4fca8f 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0330.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0330.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort135ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort135ExposedToprivate",
- "portNumber": 135,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Security Groups Unrestricted Specific Ports MSSQLDebugger (TCP,135) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0330",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0330"
+ "name": "networkPort135ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort135ExposedToprivate",
+ "portNumber": 135,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Security Groups Unrestricted Specific Ports MSSQLDebugger (TCP,135) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0330",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0330"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0331.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0331.json
index fba68da69..708fd4b39 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0331.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0331.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort1433ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort1433ExposedToprivate",
- "portNumber": 1433,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Security Groups Unrestricted Specific Ports MSSQLServer (TCP,1433) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0331",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0331"
+ "name": "networkPort1433ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort1433ExposedToprivate",
+ "portNumber": 1433,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Security Groups Unrestricted Specific Ports MSSQLServer (TCP,1433) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0331",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0331"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0332.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0332.json
index d9762c352..b7788b648 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0332.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0332.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort11214ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort11214ExposedToprivate",
- "portNumber": 11214,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Security Groups Unrestricted Specific Ports MemcachedSSL (TCP,11214) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0332",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0332"
+ "name": "networkPort11214ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort11214ExposedToprivate",
+ "portNumber": 11214,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Security Groups Unrestricted Specific Ports MemcachedSSL (TCP,11214) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0332",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0332"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0333.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0333.json
index 1cc2ae4d6..14a8951cb 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0333.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0333.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort11215ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort11215ExposedToprivate",
- "portNumber": 11215,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Security Groups Unrestricted Specific Ports MemcachedSSL (TCP,11215) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0333",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0333"
+ "name": "networkPort11215ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort11215ExposedToprivate",
+ "portNumber": 11215,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Security Groups Unrestricted Specific Ports MemcachedSSL (TCP,11215) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0333",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0333"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0334.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0334.json
index 3edb19127..72c750da6 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0334.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0334.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort11214ExposedToprivateU",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort11214ExposedToprivateU",
- "portNumber": 11214,
- "prefix": "",
- "protocol": "udp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Security Groups Unrestricted Specific Ports MemcachedSSL (UDP,11214) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0334",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0334"
+ "name": "networkPort11214ExposedToprivateU",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort11214ExposedToprivateU",
+ "portNumber": 11214,
+ "prefix": "",
+ "protocol": "udp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Security Groups Unrestricted Specific Ports MemcachedSSL (UDP,11214) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0334",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0334"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0335.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0335.json
index 4cf5deab2..e9c5e43e3 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0335.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0335.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort11215ExposedToprivateU",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort11215ExposedToprivateU",
- "portNumber": 11215,
- "prefix": "",
- "protocol": "udp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Security Groups Unrestricted Specific Ports MemcachedSSL (UDP,11215) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0335",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0335"
+ "name": "networkPort11215ExposedToprivateU",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort11215ExposedToprivateU",
+ "portNumber": 11215,
+ "prefix": "",
+ "protocol": "udp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Security Groups Unrestricted Specific Ports MemcachedSSL (UDP,11215) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0335",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0335"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0336.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0336.json
index e6ed7a8b0..7438e75a6 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0336.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0336.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort3306ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort3306ExposedToprivate",
- "portNumber": 3306,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Security Groups Unrestricted Specific Ports MySQL (TCP,3306) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0336",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0336"
+ "name": "networkPort3306ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort3306ExposedToprivate",
+ "portNumber": 3306,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Security Groups Unrestricted Specific Ports MySQL (TCP,3306) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0336",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0336"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0337.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0337.json
index a4c94fdd8..7c9716577 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0337.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0337.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort3020ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort3020ExposedToprivate",
- "portNumber": 3020,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure CIFS/SMB' (TCP,3020) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0337",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0337"
+ "name": "networkPort3020ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort3020ExposedToprivate",
+ "portNumber": 3020,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure CIFS/SMB' (TCP,3020) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0337",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0337"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0338.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0338.json
index a5ec1c556..81395a574 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0338.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0338.json
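Review bot: The re-added description `Ensure CIFS/SMB' (TCP,3020) is not exposed to private hosts more than 32` carries a stray apostrophe after the service name, and that string is what every finding emitted by this policy will print. Since the line is rewritten by this commit anyway, drop it here: `"description": "Ensure CIFS/SMB (TCP,3020) is not exposed to private hosts more than 32",`. The two following policies (Cassandra, HadoopNameNode) have the same stray quote and should be fixed in the same pass.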
@@ -1,22 +1,23 @@
 {
- "name": "networkPort7001ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort7001ExposedToprivate",
- "portNumber": 7001,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Cassandra' (TCP,7001) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0338",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0338"
+ "name": "networkPort7001ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort7001ExposedToprivate",
+ "portNumber": 7001,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Cassandra' (TCP,7001) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0338",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0338"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0339.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0339.json
index c9a2a274c..6c46696a2 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0339.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0339.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort9000ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort9000ExposedToprivate",
- "portNumber": 9000,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure HadoopNameNode' (TCP,9000) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0339",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0339"
+ "name": "networkPort9000ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort9000ExposedToprivate",
+ "portNumber": 9000,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure HadoopNameNode' (TCP,9000) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0339",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0339"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0340.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0340.json
index 66376a803..23ed84bfd 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0340.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0340.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort8000ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort8000ExposedToprivate",
- "portNumber": 8000,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Knowninternalwebport' (TCP,8000) not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0340",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0340"
+ "name": "networkPort8000ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort8000ExposedToprivate",
+ "portNumber": 8000,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Knowninternalwebport' (TCP,8000) not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0340",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0340"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0341.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0341.json
index a5d71e811..54b08da57 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0341.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0341.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort636ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort636ExposedToprivate",
- "portNumber": 636,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure LDAPSSL' (TCP,636) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0341",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0341"
+ "name": "networkPort636ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort636ExposedToprivate",
+ "portNumber": 636,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure LDAPSSL' (TCP,636) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0341",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0341"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0342.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0342.json
index 817251920..52dfaa402 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0342.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0342.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort27018ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort27018ExposedToprivate",
- "portNumber": 27018,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure MongoWebPortal' (TCP,27018) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0342",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0342"
+ "name": "networkPort27018ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort27018ExposedToprivate",
+ "portNumber": 27018,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure MongoWebPortal' (TCP,27018) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0342",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0342"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0343.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0343.json
index 492cb4f2f..d0ddbc752 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0343.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0343.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort137ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort137ExposedToprivate",
- "portNumber": 137,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure NetBIOSNameService' (TCP,137) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0343",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0343"
+ "name": "networkPort137ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort137ExposedToprivate",
+ "portNumber": 137,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure NetBIOSNameService' (TCP,137) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0343",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0343"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0344.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0344.json
index 44e1286b3..cf97ba458 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0344.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0344.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort137ExposedToprivateU",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort137ExposedToprivateU",
- "portNumber": 137,
- "prefix": "",
- "protocol": "udp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure NetBIOSNameService' (UDP,137) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0344",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0344"
+ "name": "networkPort137ExposedToprivateU",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort137ExposedToprivateU",
+ "portNumber": 137,
+ "prefix": "",
+ "protocol": "udp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure NetBIOSNameService' (UDP,137) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0344",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0344"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0345.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0345.json
index b7ece9eba..aff70c34f 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0345.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0345.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort138ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort138ExposedToprivate",
- "portNumber": 138,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure NetBIOSNameService' (UDP,137) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0345",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0345"
+ "name": "networkPort138ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort138ExposedToprivate",
+ "portNumber": 138,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure NetBIOSNameService' (UDP,137) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0345",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0345"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0346.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0346.json
index 3edd5c6f5..9ea3ed66c 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0346.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0346.json
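Review bot: The new-side description for AC_AWS_0345 contradicts its own template_args: the rule is templated with `"portNumber": 138` and `"protocol": "tcp"`, yet the text the user sees says `(UDP,137)`, which is the AC_AWS_0344 wording copied over. Anyone triaging a finding on this policy would be told the wrong port and protocol. Following the naming used in the neighbouring AC_AWS_0346 entry, the line should read `"description": "Ensure NetBIOSDatagramService (TCP,138) is not exposed to private hosts more than 32"`.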
@@ -1,22 +1,23 @@
 {
- "name": "networkPort138ExposedToprivateU",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort138ExposedToprivateU",
- "portNumber": 138,
- "prefix": "",
- "protocol": "udp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure NetBIOSDatagramService' (UDP,138) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0346",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0346"
+ "name": "networkPort138ExposedToprivateU",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort138ExposedToprivateU",
+ "portNumber": 138,
+ "prefix": "",
+ "protocol": "udp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure NetBIOSDatagramService' (UDP,138) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0346",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0346"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0347.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0347.json
index c17b3133c..c5de2e8ee 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0347.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0347.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort139ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort139ExposedToprivate",
- "portNumber": 139,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure NetBIOSSessionService' (TCP,139) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0347",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0347"
+ "name": "networkPort139ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort139ExposedToprivate",
+ "portNumber": 139,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure NetBIOSSessionService' (TCP,139) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0347",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0347"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0348.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0348.json
index 235d4b643..f26f01a4d 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0348.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0348.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort139ExposedToprivateU",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort139ExposedToprivateU",
- "portNumber": 139,
- "prefix": "",
- "protocol": "udp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure NetBIOSSessionService' (UDP,139) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0348",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0348"
+ "name": "networkPort139ExposedToprivateU",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort139ExposedToprivateU",
+ "portNumber": 139,
+ "prefix": "",
+ "protocol": "udp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure NetBIOSSessionService' (UDP,139) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0348",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0348"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0349.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0349.json
index 09c030e66..df08f8b4e 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0349.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0349.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort2484ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort2484ExposedToprivate",
- "portNumber": 2484,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure OracleDBSSL' (TCP,2484) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0349",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0349"
+ "name": "networkPort2484ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort2484ExposedToprivate",
+ "portNumber": 2484,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure OracleDBSSL' (TCP,2484) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0349",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0349"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0350.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0350.json
index a72b4f2d4..cb8c01df4 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0350.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0350.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort2484ExposedToprivateU",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort2484ExposedToprivateU",
- "portNumber": 2484,
- "prefix": "",
- "protocol": "udp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure OracleDBSSL' (UDP,2484) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0350",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0350"
+ "name": "networkPort2484ExposedToprivateU",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort2484ExposedToprivateU",
+ "portNumber": 2484,
+ "prefix": "",
+ "protocol": "udp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure OracleDBSSL' (UDP,2484) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0350",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0350"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0351.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0351.json
index 0bb59d2de..afae9a1dc 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0351.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0351.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort5432ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort5432ExposedToprivate",
- "portNumber": 5432,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure PostgresSQL' (TCP,5432) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0351",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0351"
+ "name": "networkPort5432ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort5432ExposedToprivate",
+ "portNumber": 5432,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure PostgresSQL' (TCP,5432) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0351",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0351"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0352.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0352.json
index 08a5b7f4c..28a4e4e7e 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0352.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0352.json
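Review bot: The product name in the new-side description is misspelled: `"Ensure PostgresSQL' (TCP,5432) is not exposed to private hosts more than 32"` should name PostgreSQL, as that is the string operators will search for when mapping findings to services. The same misspelling is carried into the UDP variant in the next hunk, AC_AWS_0352. Suggested line: `"description": "Ensure PostgreSQL (TCP,5432) is not exposed to private hosts more than 32"`.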
@@ -1,22 +1,23 @@
 {
- "name": "networkPort5432ExposedToprivateU",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort5432ExposedToprivateU",
- "portNumber": 5432,
- "prefix": "",
- "protocol": "udp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure PostgresSQL' (UDP,5432) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0352",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0352"
+ "name": "networkPort5432ExposedToprivateU",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort5432ExposedToprivateU",
+ "portNumber": 5432,
+ "prefix": "",
+ "protocol": "udp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure PostgresSQL' (UDP,5432) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0352",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0352"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0353.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0353.json
index a4bc401d3..89535b90d 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0353.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0353.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort3000ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort3000ExposedToprivate",
- "portNumber": 3000,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Prevalentknowninternalport' (TCP,3000) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0353",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0353"
+ "name": "networkPort3000ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort3000ExposedToprivate",
+ "portNumber": 3000,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Prevalentknowninternalport' (TCP,3000) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0353",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0353"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0354.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0354.json
index 54a6b901d..1fbf850d7 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0354.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0354.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort8140ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort8140ExposedToprivate",
- "portNumber": 8140,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure PuppetMaster' (TCP,8140) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0354",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0354"
+ "name": "networkPort8140ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort8140ExposedToprivate",
+ "portNumber": 8140,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure PuppetMaster' (TCP,8140) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0354",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0354"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0355.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0355.json
index 92643e2b1..b9b654d75 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0355.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0355.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort161ExposedToprivateU",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort161ExposedToprivateU",
- "portNumber": 161,
- "prefix": "",
- "protocol": "udp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure SNMP' (UDP,161) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0355",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0355"
+ "name": "networkPort161ExposedToprivateU",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort161ExposedToprivateU",
+ "portNumber": 161,
+ "prefix": "",
+ "protocol": "udp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure SNMP' (UDP,161) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0355",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0355"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0356.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0356.json
index 10cc1b4de..272238bb3 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0356.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0356.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort2382ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort2382ExposedToprivate",
- "portNumber": 2382,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure SQLServerAnalysisServicebrowser' (TCP,2382) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0356",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0356"
+ "name": "networkPort2382ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort2382ExposedToprivate",
+ "portNumber": 2382,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure SQLServerAnalysisServicebrowser' (TCP,2382) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0356",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0356"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0357.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0357.json
index 5a9aa2df4..d1f98c9b5 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0357.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0357.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort2383ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort2383ExposedToprivate",
- "portNumber": 2383,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure SQLServerAnalysisServices' (TCP,2383) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0357",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0357"
+ "name": "networkPort2383ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort2383ExposedToprivate",
+ "portNumber": 2383,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure SQLServerAnalysisServices' (TCP,2383) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0357",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0357"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0358.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0358.json
index f60097586..00a0192f9 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0358.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0358.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort1521ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort1521ExposedToprivate",
- "portNumber": 1521,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure OracleDatabaseServer' (TCP,521) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0358",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0358"
+ "name": "networkPort1521ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort1521ExposedToprivate",
+ "portNumber": 1521,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure OracleDatabaseServer' (TCP,521) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0358",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0358"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0359.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0359.json
index d97055560..68e95c6c4 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0359.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0359.json
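Review bot: The new-side description for AC_AWS_0358 cites the wrong port: the policy is templated with `"portNumber": 1521`, but the text says `(TCP,521)`, so a finding on an Oracle listener would report a port that does not match what the rego actually checks. The line should read `"description": "Ensure OracleDatabaseServer (TCP,1521) is not exposed to private hosts more than 32"`. Since the commit rewrites every line of this file, correcting it here costs nothing extra.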
@@ -1,22 +1,23 @@
 {
- "name": "networkPort23ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort23ExposedToprivate",
- "portNumber": 23,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Telnet' (TCP,23) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0359",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0359"
+ "name": "networkPort23ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort23ExposedToprivate",
+ "portNumber": 23,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Telnet' (TCP,23) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0359",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0359"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0360.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0360.json
index fea6db8ca..68808b982 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0360.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0360.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort25ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort25ExposedToprivate",
- "portNumber": 25,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure SMTP' (TCP,25) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0360",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0360"
+ "name": "networkPort25ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort25ExposedToprivate",
+ "portNumber": 25,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure SMTP' (TCP,25) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0360",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0360"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0361.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0361.json
index c88d1cd41..c6e4ad5ca 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0361.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0361.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort445ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort445ExposedToprivate",
- "portNumber": 445,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure CIFSforfile/printer' (TCP,445) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0361",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0361"
+ "name": "networkPort445ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort445ExposedToprivate",
+ "portNumber": 445,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure CIFSforfile/printer' (TCP,445) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0361",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0361"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0362.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0362.json
index 36ab26512..6fd7456e1 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0362.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0362.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort27017ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort27017ExposedToprivate",
- "portNumber": 27017,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure MongoDB' (TCP,27017) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0362",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0362"
+ "name": "networkPort27017ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort27017ExposedToprivate",
+ "portNumber": 27017,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure MongoDB' (TCP,27017) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0362",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0362"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0363.json b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0363.json
index 7b03681a7..74f53092a 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0363.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0363.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort9300ExposedToprivate",
- "file": "networkPortExposedToPrivate.rego",
- "policy_type": "aws",
- "resource_type": {
- "aws_security_group": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort9300ExposedToprivate",
- "portNumber": 9300,
- "prefix": "",
- "protocol": "tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Elasticsearch' (TCP,9300) is not exposed to private hosts more than 32",
- "reference_id": "AC_AWS_0363",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AWS_0363"
+ "name": "networkPort9300ExposedToprivate",
+ "file": "networkPortExposedToPrivate.rego",
+ "policy_type": "aws",
+ "resource_type": {
+ "aws_security_group": true,
+ "aws_security_group_rule": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort9300ExposedToprivate",
+ "portNumber": 9300,
+ "prefix": "",
+ "protocol": "tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Elasticsearch' (TCP,9300) is not exposed to private hosts more than 32",
+ "reference_id": "AC_AWS_0363",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AWS_0363"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_vpc/AWS.VPC.Logging.Medium.0470.json b/pkg/policies/opa/rego/aws/aws_vpc/AWS.VPC.Logging.Medium.0470.json
index 61d6262bd..5a0157486 100755
--- a/pkg/policies/opa/rego/aws/aws_vpc/AWS.VPC.Logging.Medium.0470.json
+++ b/pkg/policies/opa/rego/aws/aws_vpc/AWS.VPC.Logging.Medium.0470.json
@@ -3,7 +3,8 @@
 "file": "vpcFlowLogsNotEnabled.rego",
 "policy_type": "aws",
 "resource_type": {
- "aws_vpc": true
+ "aws_vpc": true,
+ "aws_flow_log": true
 },
 "template_args": {
 "prefix": ""
diff --git a/pkg/policies/opa/rego/azure/azurerm_container_registry/accurics.azure.AKS.3.json b/pkg/policies/opa/rego/azure/azurerm_container_registry/accurics.azure.AKS.3.json
index 30e56c799..37e1e331d 100755
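Review bot: In the AWS.VPC.Logging.Medium.0470 hunk, `vpcFlowLogsNotEnabled.rego` now also receives `aws_flow_log` resources, but a flow log only covers a given VPC when its `vpc_id` references that VPC; one attached via `subnet_id` or `eni_id`, or pointing at a different VPC, should not clear the finding. Whether the rego correlates on `vpc_id` rather than merely checking that some flow log exists is outside this diff, so it is worth confirming. A fixture with two VPCs, only one of which has a matching flow log, would pin the intended behaviour and catch an "any flow log anywhere" shortcut.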
--- a/pkg/policies/opa/rego/azure/azurerm_container_registry/accurics.azure.AKS.3.json
+++ b/pkg/policies/opa/rego/azure/azurerm_container_registry/accurics.azure.AKS.3.json
@@ -3,7 +3,8 @@
 "file": "containerRegistryResourceLock.rego",
 "policy_type": "azure",
 "resource_type": {
- "azurerm_container_registry": true
+ "azurerm_container_registry": true,
+ "azurerm_management_lock": true
 },
 "template_args": {
 "prefix": "reme_"
diff --git a/pkg/policies/opa/rego/azure/azurerm_key_vault/accurics.azure.EKM.164.json b/pkg/policies/opa/rego/azure/azurerm_key_vault/accurics.azure.EKM.164.json
index 27d92331a..6bd75ede6 100755
--- a/pkg/policies/opa/rego/azure/azurerm_key_vault/accurics.azure.EKM.164.json
+++ b/pkg/policies/opa/rego/azure/azurerm_key_vault/accurics.azure.EKM.164.json
@@ -3,7 +3,8 @@
 "file": "keyVaultSoftDeleteEnabled.rego",
 "policy_type": "azure",
 "resource_type": {
- "azurerm_key_vault": true
+ "azurerm_key_vault": true,
+ "azurerm_monitor_diagnostic_setting": true
 },
 "template_args": {
 "prefix": "reme_"
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0270.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0270.json
index bbe5ea15c..95c6a7c63 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0270.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0270.json
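Review bot: In the accurics.azure.EKM.164 hunk, pairing `azurerm_monitor_diagnostic_setting` with a policy whose file is `keyVaultSoftDeleteEnabled.rego` looks like a mismatch: soft delete is a property of the key vault resource itself, whereas a diagnostic setting governs log export and has no bearing on whether soft delete is enabled, so evaluating this rule against diagnostic settings will either do nothing or produce spurious findings depending on how the rego is written. If this line was meant for the key vault logging policy it should move there; if the soft-delete rego genuinely reads diagnostic settings, a sentence in the commit message saying why would save the next reader the same question. By contrast, the container-registry hunk above pairs the registry with `azurerm_management_lock`, which matches `containerRegistryResourceLock.rego` and reads correctly.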
@@ -1,22 +1,23 @@
 {
- "name": "networkPort3020ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort3020ExposedToInternetAz",
- "portNumber": 3020,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure CIFS / SMB (Tcp:3020) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0270",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0270"
+ "name": "networkPort3020ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort3020ExposedToInternetAz",
+ "portNumber": 3020,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure CIFS / SMB (Tcp:3020) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0270",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0270"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0271.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0271.json
index 373884a99..c66a9890b 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0271.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0271.json
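Review bot: `azurerm_network_security_group` is now in scope for `networkPortExposedToInternetAz.rego`, but an NSG carries its rules as inline `security_rule` blocks while `azurerm_network_security_rule` exposes `destination_port_range`, `protocol` and `source_address_prefix` at the top level; unless the rego has been taught to walk both shapes, NSG resources will be evaluated and never match, which is a false negative for inline rules — exactly where a port-exposure check matters most. A fixture that opens the port inline inside an NSG, alongside the existing standalone-rule fixture, would show whether the policy fires. The same applies to the AC_AZURE_0271–0276, 0285–0287, 0342, 0357 and 0421–0424 hunks that follow, including `tooOpenPrivateIPs.rego`, which has no port template args and must inspect the rule body directly. As with the AWS files, rewriting all 22 lines to add one hides the actual change; keeping the original indentation would leave only the added line in the diff.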
@@ -1,22 +1,23 @@
 {
- "name": "networkPort3020ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort3020ExposedToPublicAz",
- "portNumber": 3020,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure CIFS / SMB (Tcp:3020) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0271",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0271"
+ "name": "networkPort3020ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort3020ExposedToPublicAz",
+ "portNumber": 3020,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure CIFS / SMB (Tcp:3020) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0271",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0271"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0272.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0272.json
index 6202d49fa..eb66f5006 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0272.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0272.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort3020ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort3020ExposedToPrivateAz",
- "portNumber": 3020,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure CIFS / SMB (Tcp:3020) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0272",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0272"
+ "name": "networkPort3020ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort3020ExposedToPrivateAz",
+ "portNumber": 3020,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure CIFS / SMB (Tcp:3020) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0272",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0272"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0273.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0273.json
index f865445e8..2602ef9ac 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0273.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0273.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort7001ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort7001ExposedToInternetAz",
- "portNumber": 7001,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure Cassandra (Tcp:7001) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0273",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0273"
+ "name": "networkPort7001ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort7001ExposedToInternetAz",
+ "portNumber": 7001,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure Cassandra (Tcp:7001) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0273",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0273"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0274.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0274.json
index 0430c04b8..aaa5b21a2 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0274.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0274.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort7001ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort7001ExposedToPublicAz",
- "portNumber": 7001,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Cassandra (Tcp:7001) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0274",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0274"
+ "name": "networkPort7001ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort7001ExposedToPublicAz",
+ "portNumber": 7001,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Cassandra (Tcp:7001) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0274",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0274"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0275.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0275.json
index dba34c2b1..fc43a6cd4 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0275.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0275.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort7001ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort7001ExposedToPrivateAz",
- "portNumber": 7001,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Cassandra (Tcp:7001) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0275",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0275"
+ "name": "networkPort7001ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort7001ExposedToPrivateAz",
+ "portNumber": 7001,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Cassandra (Tcp:7001) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0275",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0275"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0276.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0276.json
index 692b60f0e..5ff15b0db 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0276.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0276.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort61621ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort61621ExposedToInternetAz",
- "portNumber": 61621,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure Cassandra OpsCenter (Tcp:61621) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0276",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0276"
+ "name": "networkPort61621ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort61621ExposedToInternetAz",
+ "portNumber": 61621,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure Cassandra OpsCenter (Tcp:61621) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0276",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0276"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0285.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0285.json
index 42d5ce279..8169499e5 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0285.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0285.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort22ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort22ExposedToInternetAz",
- "portNumber": 22,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure SSH (Tcp:22) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0285",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0285"
+ "name": "networkPort22ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort22ExposedToInternetAz",
+ "portNumber": 22,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure SSH (Tcp:22) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0285",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0285"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0286.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0286.json
index a11b0541d..37c5d42d4 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0286.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0286.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort22ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort22ExposedToPublicAz",
- "portNumber": 22,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure SSH (Tcp:22) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0286",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0286"
+ "name": "networkPort22ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort22ExposedToPublicAz",
+ "portNumber": 22,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure SSH (Tcp:22) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0286",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0286"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0287.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0287.json
index 68c834c71..b8b0e5488 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0287.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0287.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort22ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort22ExposedToPrivateAz",
- "portNumber": 22,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure SSH (Tcp:22) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0287",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0287"
+ "name": "networkPort22ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort22ExposedToPrivateAz",
+ "portNumber": 22,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure SSH (Tcp:22) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0287",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0287"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0342.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0342.json
index 93b2a8549..e3b954d80 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0342.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0342.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort3389ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort3389ExposedToInternetAz",
- "portNumber": 3389,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure that RDP access is restricted from the internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0342",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0342"
+ "name": "networkPort3389ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort3389ExposedToInternetAz",
+ "portNumber": 3389,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure that RDP access is restricted from the internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0342",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0342"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0357.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0357.json
index f44de422f..cdc733dcd 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0357.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0357.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPortAllExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPortAllExposedToInternetAz",
- "portNumber": "*",
- "prefix": "",
- "protocol": "*",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure that request initiated from all ports (*) for all destination ports (*) is restricted from the internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0357",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0357"
+ "name": "networkPortAllExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPortAllExposedToInternetAz",
+ "portNumber": "*",
+ "prefix": "",
+ "protocol": "*",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure that request initiated from all ports (*) for all destination ports (*) is restricted from the internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0357",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0357"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0421.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0421.json
index af41760a4..fcd839392 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0421.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0421.json
@@ -1,19 +1,20 @@
 {
- "name": "tooOpenPrivateIPs",
- "file": "tooOpenPrivateIPs.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "name": "tooOpenPrivateIPs",
- "prefix": "",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure server is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0421",
- "category": "Infrastructure Security",
- "version": 1,
- "id": "AC_AZURE_0421"
+ "name": "tooOpenPrivateIPs",
+ "file": "tooOpenPrivateIPs.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "name": "tooOpenPrivateIPs",
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure server is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0421",
+ "category": "Infrastructure Security",
+ "version": 1,
+ "id": "AC_AZURE_0421"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0422.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0422.json
index 88a803908..c23bfe17a 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0422.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0422.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort5900ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort5900ExposedToPrivateAz",
- "portNumber": 5900,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure VNC Server (Tcp:5900) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0422",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0422"
+ "name": "networkPort5900ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort5900ExposedToPrivateAz",
+ "portNumber": 5900,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure VNC Server (Tcp:5900) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0422",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0422"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0423.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0423.json
index 610398293..64b7af40d 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0423.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0423.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort5900ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort5900ExposedToPublicAz",
- "portNumber": 5900,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure VNC Server (Tcp:5900) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0423",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0423"
+ "name": "networkPort5900ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort5900ExposedToPublicAz",
+ "portNumber": 5900,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure VNC Server (Tcp:5900) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0423",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0423"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0424.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0424.json
index be9e5159b..99065bad6 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0424.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0424.json
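Review bot: The new side widens AC_AZURE_0423 to `azurerm_network_security_group` without touching `"version": 2`, so the change in scope is not reflected in the policy's own revision marker; consider `"version": 3,`. Whether `networkPortExposedToPublicAz.rego` actually iterates a group's inline `security_rule` blocks is not visible here — if it only inspects standalone rule attributes, the group entry is inert and the public-exposure check silently misses NSG-embedded rules. The file still ends without a trailing newline after the rewrite.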
@@ -1,22 +1,23 @@
 {
- "name": "networkPort5900ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort5900ExposedToInternetAz",
- "portNumber": 5900,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure VNC Server (Tcp:5900) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0424",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0424"
+ "name": "networkPort5900ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort5900ExposedToInternetAz",
+ "portNumber": 5900,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure VNC Server (Tcp:5900) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0424",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0424"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0425.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0425.json
index 4873d4cb8..22f63888a 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0425.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0425.json
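Review bot: This is the HIGH-severity internet-exposure variant, so a silent false negative here matters most: the new `azurerm_network_security_group` entry only helps if `networkPortExposedToInternetAz.rego` walks a group's inline `security_rule` blocks, and that rego is not in view. `"version": 2` is carried over unchanged despite the broadened `resource_type`; a bump (`"version": 3,`) would record the scope change. The hunk re-emits every line for one added key, which suggests formatting churn bundled with the semantic edit.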
@@ -1,22 +1,23 @@
 {
- "name": "networkPort5500ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort5500ExposedToPrivateAz",
- "portNumber": 5500,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure VNC Listener (Tcp:5500) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0425",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0425"
+ "name": "networkPort5500ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort5500ExposedToPrivateAz",
+ "portNumber": 5500,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure VNC Listener (Tcp:5500) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0425",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0425"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0426.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0426.json
index b334edb26..7bf6c209f 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0426.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0426.json
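Review bot: `"version": 2` is unchanged on the new side of AC_AZURE_0425 even though `resource_type` now also targets `azurerm_network_security_group`; bumping to `"version": 3,` keeps the revision marker honest about the wider scope. The effectiveness of the new entry depends on `networkPortExposedToPrivateAz.rego` handling a group's inline `security_rule` blocks, which cannot be confirmed from this hunk. The full-file rewrite for one key looks like a formatting change travelling with the semantic one.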
@@ -1,22 +1,23 @@
 {
- "name": "networkPort5500ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort5500ExposedToPublicAz",
- "portNumber": 5500,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure VNC Listener (Tcp:5500) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0426",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0426"
+ "name": "networkPort5500ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort5500ExposedToPublicAz",
+ "portNumber": 5500,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure VNC Listener (Tcp:5500) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0426",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0426"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0427.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0427.json
index 4868bc9a6..8e125fd84 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0427.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0427.json
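Review bot: AC_AZURE_0426 broadens `resource_type` to `azurerm_network_security_group` but leaves `"version": 2` as it was, so downstream tooling that tracks policy revisions sees no change; `"version": 3,` would be the expected companion edit. Whether `networkPortExposedToPublicAz.rego` evaluates inline `security_rule` blocks on a group is not visible in this hunk and determines whether the new mapping produces any findings. Rewriting all 22 lines for a one-key change suggests a whitespace reformat is bundled in.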
@@ -1,22 +1,23 @@
 {
- "name": "networkPort5500ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort5500ExposedToInternetAz",
- "portNumber": 5500,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure VNC Listener (Tcp:5500) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0427",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0427"
+ "name": "networkPort5500ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort5500ExposedToInternetAz",
+ "portNumber": 5500,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure VNC Listener (Tcp:5500) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0427",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0427"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0428.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0428.json
index a4d00dfc5..b1db5e7ee 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0428.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0428.json
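Review bot: For this HIGH-severity internet-exposure policy the added `azurerm_network_security_group` mapping is only meaningful if `networkPortExposedToInternetAz.rego` inspects a group's inline `security_rule` blocks; that rego is outside this hunk, so a quick test fixture with an NSG that opens Tcp:5500 to `*`/`Internet` would confirm it fires. `"version": 2` should move to `"version": 3,` to reflect the widened target set. The remaining line churn appears to be formatting only.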
@@ -1,22 +1,23 @@
 {
- "name": "networkPort23ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort23ExposedToPrivateAz",
- "portNumber": 23,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Telnet (Tcp:23) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0428",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0428"
+ "name": "networkPort23ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort23ExposedToPrivateAz",
+ "portNumber": 23,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Telnet (Tcp:23) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0428",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0428"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0429.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0429.json
index 92d86a26b..0949cc3ca 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0429.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0429.json
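Review bot: `"version": 2` is left untouched on the new side of AC_AZURE_0428 although `resource_type` now also covers `azurerm_network_security_group`; a bump to `"version": 3,` would make the broadened scope visible to anyone tracking policy revisions. The mapping only yields Telnet findings on groups if `networkPortExposedToPrivateAz.rego` reads inline `security_rule` blocks, which this hunk does not show. The whole-file rewrite for a single key suggests an accompanying whitespace change.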
@@ -1,22 +1,23 @@
 {
- "name": "networkPort23ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort23ExposedToPublicAz",
- "portNumber": 23,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Telnet (Tcp:23) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0429",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0429"
+ "name": "networkPort23ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort23ExposedToPublicAz",
+ "portNumber": 23,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Telnet (Tcp:23) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0429",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0429"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0430.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0430.json
index 52df9632b..03ed21ee8 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0430.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0430.json
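Review bot: AC_AZURE_0429 widens its `resource_type` to `azurerm_network_security_group` while keeping `"version": 2`, so the scope change is not recorded in the policy's own revision; `"version": 3,` is the expected companion edit. Whether `networkPortExposedToPublicAz.rego` walks a group's inline `security_rule` blocks is not visible here, and without that the new entry is inert for Telnet on NSGs. Re-emitting every line for one key looks like formatting churn bundled with the change.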
@@ -1,22 +1,23 @@
 {
- "name": "networkPort23ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort23ExposedToInternetAz",
- "portNumber": 23,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure Telnet (Tcp:23) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0430",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0430"
+ "name": "networkPort23ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort23ExposedToInternetAz",
+ "portNumber": 23,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure Telnet (Tcp:23) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0430",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0430"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0431.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0431.json
index 797838c29..e4842efeb 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0431.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0431.json
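Review bot: Telnet open to the entire internet is the HIGH-severity case, so it matters that the new `azurerm_network_security_group` mapping actually fires: that depends on `networkPortExposedToInternetAz.rego` reading a group's inline `security_rule` blocks, which this hunk cannot show — a fixture with an NSG allowing Tcp:23 from `*` would settle it. `"version": 2` is unchanged despite the broadened `resource_type`; bump to `"version": 3,`. The rest of the line churn appears to be a formatting change.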
@@ -1,22 +1,23 @@
 {
- "name": "networkPort4506ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort4506ExposedToPrivateAz",
- "portNumber": 4506,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure SaltStack Master (Tcp:4506) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0431",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0431"
+ "name": "networkPort4506ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort4506ExposedToPrivateAz",
+ "portNumber": 4506,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure SaltStack Master (Tcp:4506) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0431",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0431"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0432.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0432.json
index 5844fe9b0..7a7d0a61c 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0432.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0432.json
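Review bot: `"version": 2` survives unchanged on the new side of AC_AZURE_0431 although `resource_type` now includes `azurerm_network_security_group`; a bump to `"version": 3,` would record the widened scope. Whether `networkPortExposedToPrivateAz.rego` handles inline `security_rule` blocks on a group is not in view and decides whether this mapping ever matches. The full-file rewrite for one added key suggests a whitespace change is riding along.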
@@ -1,22 +1,23 @@
 {
- "name": "networkPort4506ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort4506ExposedToPublicAz",
- "portNumber": 4506,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure SaltStack Master (Tcp:4506) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0432",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0432"
+ "name": "networkPort4506ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort4506ExposedToPublicAz",
+ "portNumber": 4506,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure SaltStack Master (Tcp:4506) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0432",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0432"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0433.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0433.json
index 3deb40843..d68a905b0 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0433.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0433.json
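Review bot: AC_AZURE_0432 broadens `resource_type` to `azurerm_network_security_group` but keeps `"version": 2`, so the change is invisible to anything keyed on policy revision; `"version": 3,` is the natural companion edit. The group entry only produces findings if `networkPortExposedToPublicAz.rego` inspects inline `security_rule` blocks, which this hunk does not show. Rewriting all lines for one key suggests a bundled formatting change.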
@@ -1,22 +1,23 @@
 {
- "name": "networkPort4506ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort4506ExposedToInternetAz",
- "portNumber": 4506,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure SaltStack Master (Tcp:4506) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0433",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0433"
+ "name": "networkPort4506ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort4506ExposedToInternetAz",
+ "portNumber": 4506,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure SaltStack Master (Tcp:4506) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0433",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0433"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0434.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0434.json
index c245f425b..05781250a 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0434.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0434.json
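Review bot: This HIGH-severity SaltStack internet-exposure check gains `azurerm_network_security_group` without any change to `"version": 2`; bump it to `"version": 3,` so the wider scope is recorded. Whether `networkPortExposedToInternetAz.rego` evaluates a group's inline `security_rule` blocks is outside this hunk — if it does not, NSG-embedded rules opening Tcp:4506 to `*` go unreported, a false negative on the most severe variant. The remaining churn looks like a whitespace reformat.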
@@ -1,22 +1,23 @@
 {
- "name": "networkPort4505ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort4505ExposedToPrivateAz",
- "portNumber": 4505,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure SaltStack Master (Tcp:4505) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0434",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0434"
+ "name": "networkPort4505ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort4505ExposedToPrivateAz",
+ "portNumber": 4505,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure SaltStack Master (Tcp:4505) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0434",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0434"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0435.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0435.json
index f3f810a1d..8402c6bdd 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0435.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0435.json
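Review bot: `"version": 2` is carried over unchanged on the new side of AC_AZURE_0434 even though `resource_type` now also matches `azurerm_network_security_group`; `"version": 3,` would make the scope change visible. Whether the shared `networkPortExposedToPrivateAz.rego` reads inline `security_rule` blocks on a group cannot be confirmed from this hunk, and the new entry is inert without it. The one-key change is wrapped in a full-file rewrite, which suggests formatting churn.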
@@ -1,22 +1,23 @@
 {
- "name": "networkPort4505ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort4505ExposedToPublicAz",
- "portNumber": 4505,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure SaltStack Master (Tcp:4505) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0435",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0435"
+ "name": "networkPort4505ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort4505ExposedToPublicAz",
+ "portNumber": 4505,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure SaltStack Master (Tcp:4505) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0435",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0435"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0436.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0436.json
index 9827e3294..23ef0876f 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0436.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0436.json
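Review bot: AC_AZURE_0435 widens `resource_type` to `azurerm_network_security_group` while `"version": 2` stays as it was, so the revision marker no longer reflects what the policy targets; bump to `"version": 3,`. The group mapping only matters if `networkPortExposedToPublicAz.rego` walks inline `security_rule` blocks, which is not visible here. Every line being re-emitted for one key points to a bundled whitespace change.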
@@ -1,22 +1,23 @@
 {
- "name": "networkPort4505ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort4505ExposedToInternetAz",
- "portNumber": 4505,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure SaltStack Master (Tcp:4505) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0436",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0436"
+ "name": "networkPort4505ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort4505ExposedToInternetAz",
+ "portNumber": 4505,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure SaltStack Master (Tcp:4505) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0436",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0436"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0437.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0437.json
index 0391d8c82..7efe4b4fa 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0437.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0437.json
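Review bot: On the HIGH-severity AC_AZURE_0436 the added `azurerm_network_security_group` entry is only effective if `networkPortExposedToInternetAz.rego` inspects a group's inline `security_rule` blocks; that rego is not in this hunk, so a fixture with an NSG exposing Tcp:4505 to `*` should be run to confirm a finding. `"version": 2` is unchanged despite the broadened scope; bump to `"version": 3,`. The rest of the churn appears to be formatting only.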
@@ -1,22 +1,23 @@
 {
- "name": "networkPort2383ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort2383ExposedToPrivateAz",
- "portNumber": 2383,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure SQL Server Analysis (Tcp:2383) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0437",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0437"
+ "name": "networkPort2383ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort2383ExposedToPrivateAz",
+ "portNumber": 2383,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure SQL Server Analysis (Tcp:2383) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0437",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0437"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0438.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0438.json
index d105db7de..4f3132c9c 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0438.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0438.json
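Review bot: `"version": 2` is unchanged on the new side of AC_AZURE_0437 although `resource_type` now also targets `azurerm_network_security_group`; a bump to `"version": 3,` would record the wider scope. Whether `networkPortExposedToPrivateAz.rego` evaluates inline `security_rule` blocks of a group is not shown here and determines whether the added mapping ever matches. The full-file rewrite for a single key suggests a whitespace change is bundled in.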
@@ -1,22 +1,23 @@
 {
- "name": "networkPort2383ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort2383ExposedToPublicAz",
- "portNumber": 2383,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure SQL Server Analysis (Tcp:2383) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0438",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0438"
+ "name": "networkPort2383ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort2383ExposedToPublicAz",
+ "portNumber": 2383,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure SQL Server Analysis (Tcp:2383) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0438",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0438"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0439.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0439.json
index c5d5f9321..435ff9372 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0439.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0439.json
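Review bot: AC_AZURE_0438 broadens `resource_type` to `azurerm_network_security_group` but leaves `"version": 2` in place, so the revision marker does not reflect the new target set; `"version": 3,` is the expected companion edit. The group entry only yields findings if `networkPortExposedToPublicAz.rego` reads inline `security_rule` blocks, which this hunk cannot confirm. Re-emitting every line for one key looks like bundled formatting churn.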
@@ -1,22 +1,23 @@
 {
- "name": "networkPort2383ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort2383ExposedToInternetAz",
- "portNumber": 2383,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure SQL Server Analysis (Tcp:2383) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0439",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0439"
+ "name": "networkPort2383ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort2383ExposedToInternetAz",
+ "portNumber": 2383,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure SQL Server Analysis (Tcp:2383) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0439",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0439"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0440.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0440.json
index ba4f1bd9b..a73d15b62 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0440.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0440.json
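Review bot: For the HIGH-severity AC_AZURE_0439 the new `azurerm_network_security_group` mapping needs `networkPortExposedToInternetAz.rego` to walk inline `security_rule` blocks, and that rego is not part of this hunk; an NSG fixture opening Tcp:2383 to `*` would show whether it fires. `"version": 2` is unchanged despite the broadened `resource_type`; bump to `"version": 3,`. The remainder of the churn looks like a whitespace reformat.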
@@ -1,22 +1,23 @@
 {
- "name": "networkPort2382ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort2382ExposedToPrivateAz",
- "portNumber": 2382,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure SQL Server Analysis (Tcp:2382) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0440",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0440"
+ "name": "networkPort2382ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort2382ExposedToPrivateAz",
+ "portNumber": 2382,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure SQL Server Analysis (Tcp:2382) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0440",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0440"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0441.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0441.json
index 98eec85ac..ea8281387 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0441.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0441.json
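Review bot: `"version": 2` is carried over unchanged on the new side of AC_AZURE_0440 while `resource_type` now also covers `azurerm_network_security_group`; `"version": 3,` would make the scope change visible to revision-tracking consumers. Whether `networkPortExposedToPrivateAz.rego` handles inline `security_rule` blocks on a group is not in view, and without that the new entry is inert. The one-key edit arrives as a full-file rewrite, which suggests formatting churn.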
@@ -1,22 +1,23 @@
 {
- "name": "networkPort2382ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort2382ExposedToPublicAz",
- "portNumber": 2382,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure SQL Server Analysis (Tcp:2382) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0441",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0441"
+ "name": "networkPort2382ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort2382ExposedToPublicAz",
+ "portNumber": 2382,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure SQL Server Analysis (Tcp:2382) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0441",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0441"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0442.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0442.json
index e2eb251df..b68225b4e 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0442.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0442.json
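Review bot: AC_AZURE_0441 widens `resource_type` to `azurerm_network_security_group` with `"version": 2` left as-is, so the policy's own revision marker does not record the change; bump to `"version": 3,`. The group mapping is only effective if `networkPortExposedToPublicAz.rego` inspects inline `security_rule` blocks, which this hunk does not show. Every line being re-emitted for a single key points to a bundled whitespace change.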
@@ -1,22 +1,23 @@
{
- "name": "networkPort2382ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort2382ExposedToInternetAz",
- "portNumber": 2382,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure SQL Server Analysis (Tcp:2382) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0442",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0442"
+ "name": "networkPort2382ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort2382ExposedToInternetAz",
+ "portNumber": 2382,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure SQL Server Analysis (Tcp:2382) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0442",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0442"
}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0443.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0443.json
index 46e6beaec..3b5eda919 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0443.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0443.json
@@ -1,22 +1,23 @@
{
- "name": "networkPort161ExposedToPrivateUAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort161ExposedToPrivateUAz",
- "portNumber": 161,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure SNMP (Udp:161) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0443",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0443"
+ "name": "networkPort161ExposedToPrivateUAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort161ExposedToPrivateUAz",
+ "portNumber": 161,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure SNMP (Udp:161) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0443",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0443"
}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0444.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0444.json
index fc2fb8ed6..cb32b9c9e 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0444.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0444.json
@@ -1,22 +1,23 @@
{
- "name": "networkPort161ExposedToPublicUAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort161ExposedToPublicUAz",
- "portNumber": 161,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure SNMP (Udp:161) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0444",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0444"
+ "name": "networkPort161ExposedToPublicUAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort161ExposedToPublicUAz",
+ "portNumber": 161,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure SNMP (Udp:161) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0444",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0444"
}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0445.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0445.json
index 4e461c0d4..56e0804a2 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0445.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0445.json
@@ -1,22 +1,23 @@
{
- "name": "networkPort161ExposedToInternetUAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort161ExposedToInternetUAz",
- "portNumber": 161,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure SNMP (Udp:161) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0445",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0445"
+ "name": "networkPort161ExposedToInternetUAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort161ExposedToInternetUAz",
+ "portNumber": 161,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure SNMP (Udp:161) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0445",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0445"
}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0446.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0446.json
index 9d3ff3d9f..1f2ba88d9 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0446.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0446.json
@@ -1,22 +1,23 @@
{
- "name": "networkPort25ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort25ExposedToPrivateAz",
- "portNumber": 25,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure SMTP (Tcp:25) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0446",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0446"
+ "name": "networkPort25ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort25ExposedToPrivateAz",
+ "portNumber": 25,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure SMTP (Tcp:25) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0446",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0446"
}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0447.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0447.json
index f20dc4e0f..d13e6a54c 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0447.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0447.json
@@ -1,22 +1,23 @@
{
- "name": "networkPort25ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort25ExposedToPublicAz",
- "portNumber": 25,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure SMTP (Tcp:25) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0447",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0447"
+ "name": "networkPort25ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort25ExposedToPublicAz",
+ "portNumber": 25,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure SMTP (Tcp:25) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0447",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0447"
}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0448.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0448.json
index 701d35907..d12875e6f 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0448.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0448.json
@@ -1,22 +1,23 @@
{
- "name": "networkPort25ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort25ExposedToInternetAz",
- "portNumber": 25,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure SMTP (Tcp:25) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0448",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0448"
+ "name": "networkPort25ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort25ExposedToInternetAz",
+ "portNumber": 25,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure SMTP (Tcp:25) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0448",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0448"
}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0449.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0449.json
index c5943d14b..679c86d21 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0449.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0449.json
@@ -1,22 +1,23 @@
{
- "name": "networkPort8140ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort8140ExposedToPrivateAz",
- "portNumber": 8140,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Puppet Master (Tcp:8140) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0449",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0449"
+ "name": "networkPort8140ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort8140ExposedToPrivateAz",
+ "portNumber": 8140,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Puppet Master (Tcp:8140) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0449",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0449"
}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0450.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0450.json
index 9c5fa7a3f..b8f18b5e8 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0450.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0450.json
@@ -1,22 +1,23 @@
{
- "name": "networkPort8140ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort8140ExposedToPublicAz",
- "portNumber": 8140,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Puppet Master (Tcp:8140) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0450",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0450"
+ "name": "networkPort8140ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort8140ExposedToPublicAz",
+ "portNumber": 8140,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Puppet Master (Tcp:8140) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0450",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0450"
}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0451.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0451.json
index 98d785be2..61bf0bdc8 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0451.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0451.json
@@ -1,22 +1,23 @@
{
- "name": "networkPort8140ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort8140ExposedToInternetAz",
- "portNumber": 8140,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure Puppet Master (Tcp:8140) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0451",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0451"
+ "name": "networkPort8140ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort8140ExposedToInternetAz",
+ "portNumber": 8140,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure Puppet Master (Tcp:8140) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0451",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0451"
}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0452.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0452.json
index 6fd0192ed..ee500be07 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0452.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0452.json
@@ -1,22 +1,23 @@
{
- "name": "networkPort3000ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort3000ExposedToPrivateAz",
- "portNumber": 3000,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Prevalent known internal port (Tcp:3000) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0452",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0452"
+ "name": "networkPort3000ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort3000ExposedToPrivateAz",
+ "portNumber": 3000,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Prevalent known internal port (Tcp:3000) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0452",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0452"
}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0453.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0453.json
index 047773ef5..3ccfc6c60 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0453.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0453.json
@@ -1,22 +1,23 @@
{
- "name": "networkPort3000ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort3000ExposedToPublicAz",
- "portNumber": 3000,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Prevalent known internal port (Tcp:3000) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0453",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0453"
+ "name": "networkPort3000ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort3000ExposedToPublicAz",
+ "portNumber": 3000,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Prevalent known internal port (Tcp:3000) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0453",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0453"
}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0454.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0454.json
index e9fa8521c..7d52dcdd4 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0454.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0454.json
@@ -1,22 +1,23 @@
{
- "name": "networkPort3000ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort3000ExposedToInternetAz",
- "portNumber": 3000,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure Prevalent known internal port (Tcp:3000) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0454",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0454"
+ "name": "networkPort3000ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort3000ExposedToInternetAz",
+ "portNumber": 3000,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure Prevalent known internal port (Tcp:3000) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0454",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0454"
}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0455.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0455.json
index 660109885..edd59e411 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0455.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0455.json
@@ -1,22 +1,23 @@
{
- "name": "networkPort5432ExposedToPrivateUAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort5432ExposedToPrivateUAz",
- "portNumber": 5432,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure PostgreSQL (Udp:5432) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0455",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0455"
+ "name": "networkPort5432ExposedToPrivateUAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort5432ExposedToPrivateUAz",
+ "portNumber": 5432,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure PostgreSQL (Udp:5432) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0455",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0455"
}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0456.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0456.json
index 2b6df6935..dea462341 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0456.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0456.json
@@ -1,22 +1,23 @@
{
- "name": "networkPort5432ExposedToPublicUAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort5432ExposedToPublicUAz",
- "portNumber": 5432,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure PostgreSQL (Udp:5432) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0456",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0456"
+ "name": "networkPort5432ExposedToPublicUAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort5432ExposedToPublicUAz",
+ "portNumber": 5432,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure PostgreSQL (Udp:5432) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0456",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0456"
}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0457.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0457.json
index 06de83c4b..1fdca063d 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0457.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0457.json
@@ -1,22 +1,23 @@
{
- "name": "networkPort5432ExposedToInternetUAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort5432ExposedToInternetUAz",
- "portNumber": 5432,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure PostgreSQL (Udp:5432) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0457",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0457"
+ "name": "networkPort5432ExposedToInternetUAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort5432ExposedToInternetUAz",
+ "portNumber": 5432,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure PostgreSQL (Udp:5432) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0457",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0457"
}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0458.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0458.json
index 3a3583fde..4cae65754 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0458.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0458.json
@@ -1,22 +1,23 @@
{
- "name": "networkPort5432ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort5432ExposedToPrivateAz",
- "portNumber": 5432,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure PostgreSQL (Tcp:5432) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0458",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0458"
+ "name": "networkPort5432ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort5432ExposedToPrivateAz",
+ "portNumber": 5432,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure PostgreSQL (Tcp:5432) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0458",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0458"
}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0459.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0459.json
index fa2052c25..0e5e9c4fa 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0459.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0459.json
@@ -1,22 +1,23 @@
{
- "name": "networkPort5432ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort5432ExposedToPublicAz",
- "portNumber": 5432,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure PostgreSQL (Tcp:5432) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0459",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0459"
+ "name": "networkPort5432ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort5432ExposedToPublicAz",
+ "portNumber": 5432,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure PostgreSQL (Tcp:5432) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0459",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0459"
}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0460.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0460.json
index cf93e94b5..b338024f7 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0460.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0460.json
@@ -1,22 +1,23 @@
{
- "name": "networkPort5432ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort5432ExposedToInternetAz",
- "portNumber": 5432,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure PostgreSQL (Tcp:5432) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0460",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0460"
+ "name": "networkPort5432ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort5432ExposedToInternetAz",
+ "portNumber": 5432,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure PostgreSQL (Tcp:5432) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0460",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0460"
}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0461.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0461.json
index f641640aa..b6d63a1a2 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0461.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0461.json
@@ -1,22 +1,23 @@
{
- "name": "networkPort110ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort110ExposedToPrivateAz",
- "portNumber": 110,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure POP3 (Tcp:110) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0461",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0461"
+ "name": "networkPort110ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort110ExposedToPrivateAz",
+ "portNumber": 110,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure POP3 (Tcp:110) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0461",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0461"
}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0462.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0462.json
index 2d2ddedd8..c0a873ff8 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0462.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0462.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort110ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort110ExposedToPublicAz",
- "portNumber": 110,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure POP3 (Tcp:110) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0462",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0462"
+ "name": "networkPort110ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort110ExposedToPublicAz",
+ "portNumber": 110,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure POP3 (Tcp:110) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0462",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0462"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0463.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0463.json
index 7776d6783..983d61e51 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0463.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0463.json
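Review bot: As with the other hunks in this series, the new `resource_type` adds `azurerm_network_security_group` but the `description` still says `for Azure Network Security Rule` and `version` stays at 2, so the JSON gives no hint that the policy's scope changed; `"description": "Ensure POP3 (Tcp:110) is not exposed to public for Azure Network Security Rule or Network Security Group"` plus a version bump would address both. Whether `networkPortExposedToPublicAz.rego` actually handles an NSG's embedded `security_rule` blocks cannot be checked from this diff and should be covered by a test fixture that declares the open port inside an `azurerm_network_security_group` rather than a standalone rule.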
@@ -1,22 +1,23 @@
 {
- "name": "networkPort110ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort110ExposedToInternetAz",
- "portNumber": 110,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure POP3 (Tcp:110) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0463",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0463"
+ "name": "networkPort110ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort110ExposedToInternetAz",
+ "portNumber": 110,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure POP3 (Tcp:110) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0463",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0463"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0464.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0464.json
index bc1649301..ab546bff1 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0464.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0464.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort2484ExposedToPrivateUAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort2484ExposedToPrivateUAz",
- "portNumber": 2484,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Oracle DB SSL (Udp:2484) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0464",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0464"
+ "name": "networkPort2484ExposedToPrivateUAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort2484ExposedToPrivateUAz",
+ "portNumber": 2484,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Oracle DB SSL (Udp:2484) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0464",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0464"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0465.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0465.json
index 7623c1ffe..2bde99354 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0465.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0465.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort2484ExposedToPublicUAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort2484ExposedToPublicUAz",
- "portNumber": 2484,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Oracle DB SSL (Udp:2484) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0465",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0465"
+ "name": "networkPort2484ExposedToPublicUAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort2484ExposedToPublicUAz",
+ "portNumber": 2484,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Oracle DB SSL (Udp:2484) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0465",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0465"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0466.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0466.json
index 6172c54e5..f58ae9927 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0466.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0466.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort2484ExposedToInternetUAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort2484ExposedToInternetUAz",
- "portNumber": 2484,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure Oracle DB SSL (Udp:2484) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0466",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0466"
+ "name": "networkPort2484ExposedToInternetUAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort2484ExposedToInternetUAz",
+ "portNumber": 2484,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure Oracle DB SSL (Udp:2484) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0466",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0466"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0467.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0467.json
index 40747c148..6ae3d34c0 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0467.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0467.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort2484ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort2484ExposedToPrivateAz",
- "portNumber": 2484,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Oracle DB SSL (Tcp:2484) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0467",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0467"
+ "name": "networkPort2484ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort2484ExposedToPrivateAz",
+ "portNumber": 2484,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Oracle DB SSL (Tcp:2484) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0467",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0467"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0468.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0468.json
index 451c97e0a..798d18f31 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0468.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0468.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort2484ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort2484ExposedToPublicAz",
- "portNumber": 2484,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Oracle DB SSL (Tcp:2484) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0468",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0468"
+ "name": "networkPort2484ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort2484ExposedToPublicAz",
+ "portNumber": 2484,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Oracle DB SSL (Tcp:2484) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0468",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0468"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0469.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0469.json
index 662f8c4c0..dee4d2753 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0469.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0469.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort2484ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort2484ExposedToInternetAz",
- "portNumber": 2484,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure Oracle DB SSL (Tcp:2484) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0469",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0469"
+ "name": "networkPort2484ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort2484ExposedToInternetAz",
+ "portNumber": 2484,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure Oracle DB SSL (Tcp:2484) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0469",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0469"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0470.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0470.json
index d5c8594bd..78f263982 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0470.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0470.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort139ExposedToPrivateUAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort139ExposedToPrivateUAz",
- "portNumber": 139,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure NetBIOS Session Service (Udp:139) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0470",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0470"
+ "name": "networkPort139ExposedToPrivateUAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort139ExposedToPrivateUAz",
+ "portNumber": 139,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure NetBIOS Session Service (Udp:139) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0470",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0470"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0471.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0471.json
index edcad2d7e..f4508efe8 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0471.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0471.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort139ExposedToPublicUAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort139ExposedToPublicUAz",
- "portNumber": 139,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure NetBIOS Session Service (Udp:139) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0471",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0471"
+ "name": "networkPort139ExposedToPublicUAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort139ExposedToPublicUAz",
+ "portNumber": 139,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure NetBIOS Session Service (Udp:139) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0471",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0471"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0472.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0472.json
index 808d958f5..783593601 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0472.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0472.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort139ExposedToInternetUAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort139ExposedToInternetUAz",
- "portNumber": 139,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure NetBIOS Session Service (Udp:139) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0472",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0472"
+ "name": "networkPort139ExposedToInternetUAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort139ExposedToInternetUAz",
+ "portNumber": 139,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure NetBIOS Session Service (Udp:139) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0472",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0472"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0473.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0473.json
index d71fcb627..4ddee8db6 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0473.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0473.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort139ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort139ExposedToPrivateAz",
- "portNumber": 139,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure NetBIOS Session Service (Tcp:139) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0473",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0473"
+ "name": "networkPort139ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort139ExposedToPrivateAz",
+ "portNumber": 139,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure NetBIOS Session Service (Tcp:139) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0473",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0473"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0474.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0474.json
index 5f2532cf4..5c3b6be47 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0474.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0474.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort139ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort139ExposedToPublicAz",
- "portNumber": 139,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure NetBIOS Session Service (Tcp:139) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0474",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0474"
+ "name": "networkPort139ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort139ExposedToPublicAz",
+ "portNumber": 139,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure NetBIOS Session Service (Tcp:139) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0474",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0474"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0475.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0475.json
index c35942812..1522948d4 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0475.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0475.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort139ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort139ExposedToInternetAz",
- "portNumber": 139,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure NetBIOS Session Service (Tcp:139) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0475",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0475"
+ "name": "networkPort139ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort139ExposedToInternetAz",
+ "portNumber": 139,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure NetBIOS Session Service (Tcp:139) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0475",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0475"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0476.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0476.json
index e6066da5b..8cb192d6c 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0476.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0476.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort138ExposedToPrivateUAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort138ExposedToPrivateUAz",
- "portNumber": 138,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure NetBIOS Datagram Service (Udp:138) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0476",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0476"
+ "name": "networkPort138ExposedToPrivateUAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort138ExposedToPrivateUAz",
+ "portNumber": 138,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure NetBIOS Datagram Service (Udp:138) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0476",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0476"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0477.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0477.json
index df555fffc..6a3947623 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0477.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0477.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort138ExposedToPublicUAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort138ExposedToPublicUAz",
- "portNumber": 138,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure NetBIOS Datagram Service (Udp:138) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0477",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0477"
+ "name": "networkPort138ExposedToPublicUAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort138ExposedToPublicUAz",
+ "portNumber": 138,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure NetBIOS Datagram Service (Udp:138) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0477",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0477"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0478.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0478.json
index c440c55be..b964ddbd2 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0478.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0478.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort138ExposedToInternetUAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort138ExposedToInternetUAz",
- "portNumber": 138,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure NetBIOS Datagram Service (Udp:138) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0478",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0478"
+ "name": "networkPort138ExposedToInternetUAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort138ExposedToInternetUAz",
+ "portNumber": 138,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure NetBIOS Datagram Service (Udp:138) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0478",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0478"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0479.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0479.json
index 9416da5dd..cf3cc86ab 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0479.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0479.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort138ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort138ExposedToPrivateAz",
- "portNumber": 138,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure NetBIOS Datagram Service (Tcp:138) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0479",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0479"
+ "name": "networkPort138ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort138ExposedToPrivateAz",
+ "portNumber": 138,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure NetBIOS Datagram Service (Tcp:138) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0479",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0479"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0480.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0480.json
index fe0dbb48e..45036febf 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0480.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0480.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort138ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort138ExposedToPublicAz",
- "portNumber": 138,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure NetBIOS Datagram Service (Tcp:138) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0480",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0480"
+ "name": "networkPort138ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort138ExposedToPublicAz",
+ "portNumber": 138,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure NetBIOS Datagram Service (Tcp:138) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0480",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0480"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0481.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0481.json
index a22aa1af8..aabb0c129 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0481.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0481.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort138ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort138ExposedToInternetAz",
- "portNumber": 138,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure NetBIOS Datagram Service (Tcp:138) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0481",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0481"
+ "name": "networkPort138ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort138ExposedToInternetAz",
+ "portNumber": 138,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure NetBIOS Datagram Service (Tcp:138) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0481",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0481"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0482.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0482.json
index 35e716846..76a4a056b 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0482.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0482.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort137ExposedToPrivateUAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort137ExposedToPrivateUAz",
- "portNumber": 137,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure NetBIOS Name Service (Udp:137) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0482",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0482"
+ "name": "networkPort137ExposedToPrivateUAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort137ExposedToPrivateUAz",
+ "portNumber": 137,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure NetBIOS Name Service (Udp:137) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0482",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0482"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0483.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0483.json
index a80f1623e..978492371 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0483.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0483.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort137ExposedToPublicUAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort137ExposedToPublicUAz",
- "portNumber": 137,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure NetBIOS Name Service (Udp:137) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0483",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0483"
+ "name": "networkPort137ExposedToPublicUAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort137ExposedToPublicUAz",
+ "portNumber": 137,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure NetBIOS Name Service (Udp:137) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0483",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0483"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0484.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0484.json
index 485d97588..214a06c23 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0484.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0484.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort137ExposedToInternetUAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort137ExposedToInternetUAz",
- "portNumber": 137,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure NetBIOS Name Service (Udp:137) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0484",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0484"
+ "name": "networkPort137ExposedToInternetUAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort137ExposedToInternetUAz",
+ "portNumber": 137,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure NetBIOS Name Service (Udp:137) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0484",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0484"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0485.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0485.json
index 733e507f5..549cc5e24 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0485.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0485.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort137ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort137ExposedToPrivateAz",
- "portNumber": 137,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure NetBIOS Name Service (Tcp:137) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0485",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0485"
+ "name": "networkPort137ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort137ExposedToPrivateAz",
+ "portNumber": 137,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure NetBIOS Name Service (Tcp:137) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0485",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0485"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0486.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0486.json
index 1fbe973cd..e45e48616 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0486.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0486.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort137ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort137ExposedToPublicAz",
- "portNumber": 137,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure NetBIOS Name Service (Tcp:137) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0486",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0486"
+ "name": "networkPort137ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort137ExposedToPublicAz",
+ "portNumber": 137,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure NetBIOS Name Service (Tcp:137) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0486",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0486"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0487.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0487.json
index eacd9fc3b..05c85fc4a 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0487.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0487.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort137ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort137ExposedToInternetAz",
- "portNumber": 137,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure NetBIOS Name Service (Tcp:137) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0487",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0487"
+ "name": "networkPort137ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort137ExposedToInternetAz",
+ "portNumber": 137,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure NetBIOS Name Service (Tcp:137) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0487",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0487"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0488.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0488.json
index 2f43708c5..8d2df0369 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0488.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0488.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort3306ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort3306ExposedToPrivateAz",
- "portNumber": 3306,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure MySQL (Tcp:3306) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0488",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0488"
+ "name": "networkPort3306ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort3306ExposedToPrivateAz",
+ "portNumber": 3306,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure MySQL (Tcp:3306) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0488",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0488"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0489.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0489.json
index f62532b38..66db52ac1 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0489.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0489.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort3306ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort3306ExposedToPublicAz",
- "portNumber": 3306,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure MySQL (Tcp:3306) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0489",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0489"
+ "name": "networkPort3306ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort3306ExposedToPublicAz",
+ "portNumber": 3306,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure MySQL (Tcp:3306) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0489",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0489"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0490.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0490.json
index 7b9f53328..dc8902e57 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0490.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0490.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort3306ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort3306ExposedToInternetAz",
- "portNumber": 3306,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure MySQL (Tcp:3306) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0490",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0490"
+ "name": "networkPort3306ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort3306ExposedToInternetAz",
+ "portNumber": 3306,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure MySQL (Tcp:3306) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0490",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0490"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0491.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0491.json
index 0f1595d8f..a32537a03 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0491.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0491.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort27018ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort27018ExposedToPrivateAz",
- "portNumber": 27018,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Mongo Web Portal (Tcp:27018) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0491",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0491"
+ "name": "networkPort27018ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort27018ExposedToPrivateAz",
+ "portNumber": 27018,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Mongo Web Portal (Tcp:27018) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0491",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0491"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0492.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0492.json
index 9f6033c88..c0b2756a7 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0492.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0492.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort27018ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort27018ExposedToPublicAz",
- "portNumber": 27018,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Mongo Web Portal (Tcp:27018) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0492",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0492"
+ "name": "networkPort27018ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort27018ExposedToPublicAz",
+ "portNumber": 27018,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Mongo Web Portal (Tcp:27018) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0492",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0492"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0493.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0493.json
index 217345f67..f3a885bb8 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0493.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0493.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort27018ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort27018ExposedToInternetAz",
- "portNumber": 27018,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure Mongo Web Portal (Tcp:27018) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0493",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0493"
+ "name": "networkPort27018ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort27018ExposedToInternetAz",
+ "portNumber": 27018,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure Mongo Web Portal (Tcp:27018) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0493",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0493"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0494.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0494.json
index a8e512f30..d7f6be68a 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0494.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0494.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort445ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort445ExposedToPrivateAz",
- "portNumber": 445,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Microsoft-DS (Tcp:445) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0494",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0494"
+ "name": "networkPort445ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort445ExposedToPrivateAz",
+ "portNumber": 445,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Microsoft-DS (Tcp:445) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0494",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0494"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0495.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0495.json
index 4e4865925..244674681 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0495.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0495.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort445ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort445ExposedToPublicAz",
- "portNumber": 445,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Microsoft-DS (Tcp:445) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0495",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0495"
+ "name": "networkPort445ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort445ExposedToPublicAz",
+ "portNumber": 445,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Microsoft-DS (Tcp:445) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0495",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0495"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0496.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0496.json
index 7f184be4e..85f99c3ee 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0496.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0496.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort445ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort445ExposedToInternetAz",
- "portNumber": 445,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure Microsoft-DS (Tcp:445) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0496",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0496"
+ "name": "networkPort445ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort445ExposedToInternetAz",
+ "portNumber": 445,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure Microsoft-DS (Tcp:445) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0496",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0496"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0497.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0497.json
index b59bbb8f2..06c5610bf 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0497.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0497.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort11215ExposedToPrivateUAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort11215ExposedToPrivateUAz",
- "portNumber": 11215,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Memcached SSL (Udp:11215) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0497",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0497"
+ "name": "networkPort11215ExposedToPrivateUAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort11215ExposedToPrivateUAz",
+ "portNumber": 11215,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Memcached SSL (Udp:11215) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0497",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0497"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0498.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0498.json
index 8f5efd9e9..a621f2671 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0498.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0498.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort11215ExposedToPublicUAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort11215ExposedToPublicUAz",
- "portNumber": 11215,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Memcached SSL (Udp:11215) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0498",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0498"
+ "name": "networkPort11215ExposedToPublicUAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort11215ExposedToPublicUAz",
+ "portNumber": 11215,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Memcached SSL (Udp:11215) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0498",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0498"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0499.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0499.json
index 5fdd9d4ac..520abac85 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0499.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0499.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort11215ExposedToInternetUAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort11215ExposedToInternetUAz",
- "portNumber": 11215,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure Memcached SSL (Udp:11215) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0499",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0499"
+ "name": "networkPort11215ExposedToInternetUAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort11215ExposedToInternetUAz",
+ "portNumber": 11215,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure Memcached SSL (Udp:11215) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0499",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0499"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0500.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0500.json
index 8f4199baf..b58e2e231 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0500.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0500.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort11214ExposedToPrivateUAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort11214ExposedToPrivateUAz",
- "portNumber": 11214,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Memcached SSL (Udp:11214) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0500",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0500"
+ "name": "networkPort11214ExposedToPrivateUAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort11214ExposedToPrivateUAz",
+ "portNumber": 11214,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Memcached SSL (Udp:11214) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0500",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0500"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0501.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0501.json
index f3098f807..9bd00eb7a 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0501.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0501.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort11214ExposedToPublicUAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort11214ExposedToPublicUAz",
- "portNumber": 11214,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Memcached SSL (Udp:11214) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0501",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0501"
+ "name": "networkPort11214ExposedToPublicUAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort11214ExposedToPublicUAz",
+ "portNumber": 11214,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Memcached SSL (Udp:11214) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0501",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0501"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0502.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0502.json
index 181aa5bfa..1aa3354ad 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0502.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0502.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort11214ExposedToInternetUAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort11214ExposedToInternetUAz",
- "portNumber": 11214,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure Memcached SSL (Udp:11214) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0502",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0502"
+ "name": "networkPort11214ExposedToInternetUAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort11214ExposedToInternetUAz",
+ "portNumber": 11214,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure Memcached SSL (Udp:11214) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0502",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0502"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0503.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0503.json
index f8b8a3763..2623907a9 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0503.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0503.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort11215ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort11215ExposedToPrivateAz",
- "portNumber": 11215,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Memcached SSL (Tcp:11215) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0503",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0503"
+ "name": "networkPort11215ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort11215ExposedToPrivateAz",
+ "portNumber": 11215,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Memcached SSL (Tcp:11215) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0503",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0503"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0504.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0504.json
index 78ed88f5c..c1b9fbf9c 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0504.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0504.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort11215ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort11215ExposedToPublicAz",
- "portNumber": 11215,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Memcached SSL (Tcp:11215) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0504",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0504"
+ "name": "networkPort11215ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort11215ExposedToPublicAz",
+ "portNumber": 11215,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Memcached SSL (Tcp:11215) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0504",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0504"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0505.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0505.json
index 6927d87ad..4e6e850e2 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0505.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0505.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort11215ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort11215ExposedToInternetAz",
- "portNumber": 11215,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure Memcached SSL (Tcp:11215) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0505",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0505"
+ "name": "networkPort11215ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort11215ExposedToInternetAz",
+ "portNumber": 11215,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure Memcached SSL (Tcp:11215) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0505",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0505"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0506.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0506.json
index 896006720..ca746dfee 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0506.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0506.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort11214ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort11214ExposedToPrivateAz",
- "portNumber": 11214,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Memcached SSL (Tcp:11214) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0506",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0506"
+ "name": "networkPort11214ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort11214ExposedToPrivateAz",
+ "portNumber": 11214,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Memcached SSL (Tcp:11214) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0506",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0506"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0507.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0507.json
index 813bafe7d..c2fbbb01e 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0507.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0507.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort11214ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort11214ExposedToPublicAz",
- "portNumber": 11214,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Memcached SSL (Tcp:11214) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0507",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0507"
+ "name": "networkPort11214ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort11214ExposedToPublicAz",
+ "portNumber": 11214,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Memcached SSL (Tcp:11214) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0507",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0507"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0508.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0508.json
index b5f48a529..7ab565fe2 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0508.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0508.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort11214ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort11214ExposedToInternetAz",
- "portNumber": 11214,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure Memcached SSL (Tcp:11214) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0508",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0508"
+ "name": "networkPort11214ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort11214ExposedToInternetAz",
+ "portNumber": 11214,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure Memcached SSL (Tcp:11214) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0508",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0508"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0509.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0509.json
index 02e3566e9..8ef04d9e9 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0509.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0509.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort1433ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort1433ExposedToPrivateAz",
- "portNumber": 1433,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure MSSQL Server (Tcp:1433) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0509",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0509"
+ "name": "networkPort1433ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort1433ExposedToPrivateAz",
+ "portNumber": 1433,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure MSSQL Server (Tcp:1433) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0509",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0509"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0510.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0510.json
index 21a127960..50aeed206 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0510.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0510.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort1433ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort1433ExposedToPublicAz",
- "portNumber": 1433,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure MSSQL Server (Tcp:1433) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0510",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0510"
+ "name": "networkPort1433ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort1433ExposedToPublicAz",
+ "portNumber": 1433,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure MSSQL Server (Tcp:1433) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0510",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0510"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0511.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0511.json
index 44ddcd7c7..00711dc3c 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0511.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0511.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort1433ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort1433ExposedToInternetAz",
- "portNumber": 1433,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure MSSQL Server (Tcp:1433) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0511",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0511"
+ "name": "networkPort1433ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort1433ExposedToInternetAz",
+ "portNumber": 1433,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure MSSQL Server (Tcp:1433) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0511",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0511"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0512.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0512.json
index 91768e1a2..d9b680611 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0512.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0512.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort135ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort135ExposedToPrivateAz",
- "portNumber": 135,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure MSSQL Debugger (Tcp:135) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0512",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0512"
+ "name": "networkPort135ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort135ExposedToPrivateAz",
+ "portNumber": 135,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure MSSQL Debugger (Tcp:135) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0512",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0512"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0513.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0513.json
index 7d8cc9542..9a9664152 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0513.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0513.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort135ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort135ExposedToPublicAz",
- "portNumber": 135,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure MSSQL Debugger (Tcp:135) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0513",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0513"
+ "name": "networkPort135ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort135ExposedToPublicAz",
+ "portNumber": 135,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure MSSQL Debugger (Tcp:135) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0513",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0513"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0514.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0514.json
index 8610b4f75..dc2e2c6d3 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0514.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0514.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort135ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort135ExposedToInternetAz",
- "portNumber": 135,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure MSSQL Debugger (Tcp:135) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0514",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0514"
+ "name": "networkPort135ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort135ExposedToInternetAz",
+ "portNumber": 135,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure MSSQL Debugger (Tcp:135) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0514",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0514"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0515.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0515.json
index 696b7996a..3eb1017d8 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0515.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0515.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort1434ExposedToPrivateUAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort1434ExposedToPrivateUAz",
- "portNumber": 1434,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure MSSQL Browser (Udp:1434) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0515",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0515"
+ "name": "networkPort1434ExposedToPrivateUAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort1434ExposedToPrivateUAz",
+ "portNumber": 1434,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure MSSQL Browser (Udp:1434) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0515",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0515"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0516.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0516.json
index d83963f32..b4381c4dc 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0516.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0516.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort1434ExposedToPublicUAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort1434ExposedToPublicUAz",
- "portNumber": 1434,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure MSSQL Browser (Udp:1434) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0516",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0516"
+ "name": "networkPort1434ExposedToPublicUAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort1434ExposedToPublicUAz",
+ "portNumber": 1434,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure MSSQL Browser (Udp:1434) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0516",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0516"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0517.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0517.json
index 975ce5d6a..6f005c11b 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0517.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0517.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort1434ExposedToInternetUAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort1434ExposedToInternetUAz",
- "portNumber": 1434,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure MSSQL Browser (Udp:1434) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0517",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0517"
+ "name": "networkPort1434ExposedToInternetUAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort1434ExposedToInternetUAz",
+ "portNumber": 1434,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure MSSQL Browser (Udp:1434) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0517",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0517"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0518.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0518.json
index a32d57ea6..40412c3d6 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0518.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0518.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort1434ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort1434ExposedToPrivateAz",
- "portNumber": 1434,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure MSSQL Admin (Tcp:1434) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0518",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0518"
+ "name": "networkPort1434ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort1434ExposedToPrivateAz",
+ "portNumber": 1434,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure MSSQL Admin (Tcp:1434) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0518",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0518"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0519.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0519.json
index d6ec2b1ef..b0debd437 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0519.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0519.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort1434ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort1434ExposedToPublicAz",
- "portNumber": 1434,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure MSSQL Admin (Tcp:1434) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0519",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0519"
+ "name": "networkPort1434ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort1434ExposedToPublicAz",
+ "portNumber": 1434,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure MSSQL Admin (Tcp:1434) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0519",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0519"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0520.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0520.json
index 019a8fc70..5733e09b7 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0520.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0520.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort1434ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort1434ExposedToInternetAz",
- "portNumber": 1434,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure MSSQL Admin (Tcp:1434) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0520",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0520"
+ "name": "networkPort1434ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort1434ExposedToInternetAz",
+ "portNumber": 1434,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure MSSQL Admin (Tcp:1434) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0520",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0520"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0521.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0521.json
index 54afa78ad..904be4ddb 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0521.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0521.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort636ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort636ExposedToPrivateAz",
- "portNumber": 636,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure LDAP SSL (Tcp:636) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0521",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0521"
+ "name": "networkPort636ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort636ExposedToPrivateAz",
+ "portNumber": 636,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure LDAP SSL (Tcp:636) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0521",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0521"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0522.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0522.json
index e2956c103..e2c77b724 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0522.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0522.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort636ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort636ExposedToPublicAz",
- "portNumber": 636,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure LDAP SSL (Tcp:636) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0522",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0522"
+ "name": "networkPort636ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort636ExposedToPublicAz",
+ "portNumber": 636,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure LDAP SSL (Tcp:636) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0522",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0522"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0523.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0523.json
index bdcd67c0a..1917eba36 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0523.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0523.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort636ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort636ExposedToInternetAz",
- "portNumber": 636,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure LDAP SSL (Tcp:636) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0523",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0523"
+ "name": "networkPort636ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort636ExposedToInternetAz",
+ "portNumber": 636,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure LDAP SSL (Tcp:636) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0523",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0523"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0524.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0524.json
index b64f3ec77..839a5d9a2 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0524.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0524.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort8080ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort8080ExposedToPrivateAz",
- "portNumber": 8080,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Known internal web port (Tcp:8080) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0524",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0524"
+ "name": "networkPort8080ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort8080ExposedToPrivateAz",
+ "portNumber": 8080,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Known internal web port (Tcp:8080) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0524",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0524"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0525.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0525.json
index 47cc8e212..18509e509 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0525.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0525.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort8080ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort8080ExposedToPublicAz",
- "portNumber": 8080,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Known internal web port (Tcp:8080) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0525",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0525"
+ "name": "networkPort8080ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort8080ExposedToPublicAz",
+ "portNumber": 8080,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Known internal web port (Tcp:8080) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0525",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0525"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0526.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0526.json
index 830df5566..b27bd0865 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0526.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0526.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort8080ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort8080ExposedToInternetAz",
- "portNumber": 8080,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure Known internal web port (Tcp:8080) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0526",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0526"
+ "name": "networkPort8080ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort8080ExposedToInternetAz",
+ "portNumber": 8080,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure Known internal web port (Tcp:8080) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0526",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0526"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0527.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0527.json
index 6540f9964..84006ff6b 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0527.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0527.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort8000ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort8000ExposedToPrivateAz",
- "portNumber": 8000,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Known internal web port (Tcp:8000) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0527",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0527"
+ "name": "networkPort8000ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort8000ExposedToPrivateAz",
+ "portNumber": 8000,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Known internal web port (Tcp:8000) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0527",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0527"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0528.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0528.json
index 07247e5f0..6a435562d 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0528.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0528.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort8000ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort8000ExposedToPublicAz",
- "portNumber": 8000,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Known internal web port (Tcp:8000) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0528",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0528"
+ "name": "networkPort8000ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort8000ExposedToPublicAz",
+ "portNumber": 8000,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Known internal web port (Tcp:8000) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0528",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0528"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0529.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0529.json
index b48e1fb76..c6d7a3c4d 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0529.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0529.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort8000ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort8000ExposedToInternetAz",
- "portNumber": 8000,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure Known internal web port (Tcp:8000) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0529",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0529"
+ "name": "networkPort8000ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort8000ExposedToInternetAz",
+ "portNumber": 8000,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure Known internal web port (Tcp:8000) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0529",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0529"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0530.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0530.json
index d998f307e..cecb57eac 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0530.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0530.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort9000ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort9000ExposedToPrivateAz",
- "portNumber": 9000,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Hadoop Name Node (Tcp:9000) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0530",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0530"
+ "name": "networkPort9000ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort9000ExposedToPrivateAz",
+ "portNumber": 9000,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Hadoop Name Node (Tcp:9000) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0530",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0530"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0531.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0531.json
index cee557254..bdf3300a8 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0531.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0531.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort9000ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort9000ExposedToPublicAz",
- "portNumber": 9000,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Hadoop Name Node (Tcp:9000) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0531",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0531"
+ "name": "networkPort9000ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort9000ExposedToPublicAz",
+ "portNumber": 9000,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Hadoop Name Node (Tcp:9000) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0531",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0531"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0532.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0532.json
index 60f92a5f8..5618e3fb4 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0532.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0532.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort9000ExposedToInternetAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort9000ExposedToInternetAz",
- "portNumber": 9000,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure Hadoop Name Node (Tcp:9000) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0532",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0532"
+ "name": "networkPort9000ExposedToInternetAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort9000ExposedToInternetAz",
+ "portNumber": 9000,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure Hadoop Name Node (Tcp:9000) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0532",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0532"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0533.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0533.json
index 73cef2c28..0bad887c4 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0533.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0533.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort53ExposedToPrivateUAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort53ExposedToPrivateUAz",
- "portNumber": 53,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure DNS (Udp:53) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0533",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0533"
+ "name": "networkPort53ExposedToPrivateUAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort53ExposedToPrivateUAz",
+ "portNumber": 53,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure DNS (Udp:53) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0533",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0533"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0534.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0534.json
index f1e47caf4..28b846711 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0534.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0534.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort53ExposedToPublicUAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort53ExposedToPublicUAz",
- "portNumber": 53,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure DNS (Udp:53) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0534",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0534"
+ "name": "networkPort53ExposedToPublicUAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort53ExposedToPublicUAz",
+ "portNumber": 53,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure DNS (Udp:53) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0534",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0534"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0535.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0535.json
index 45d03b6fa..8218e61a8 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0535.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0535.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort53ExposedToInternetUAz",
- "file": "networkPortExposedToInternetAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort53ExposedToInternetUAz",
- "portNumber": 53,
- "prefix": "",
- "protocol": "Udp",
- "suffix": ""
- },
- "severity": "HIGH",
- "description": "Ensure DNS (Udp:53) is not exposed to entire internet for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0535",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0535"
+ "name": "networkPort53ExposedToInternetUAz",
+ "file": "networkPortExposedToInternetAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort53ExposedToInternetUAz",
+ "portNumber": 53,
+ "prefix": "",
+ "protocol": "Udp",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure DNS (Udp:53) is not exposed to entire internet for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0535",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0535"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0536.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0536.json
index 8afecfc2c..52eee5ff2 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0536.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0536.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort61621ExposedToPrivateAz",
- "file": "networkPortExposedToPrivateAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort61621ExposedToPrivateAz",
- "portNumber": 61621,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "LOW",
- "description": "Ensure Cassandra OpsCenter (Tcp:61621) is not exposed to private hosts more than 32 for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0536",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0536"
+ "name": "networkPort61621ExposedToPrivateAz",
+ "file": "networkPortExposedToPrivateAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort61621ExposedToPrivateAz",
+ "portNumber": 61621,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "LOW",
+ "description": "Ensure Cassandra OpsCenter (Tcp:61621) is not exposed to private hosts more than 32 for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0536",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0536"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0537.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0537.json
index 371cd6a36..0d6d8e4dc 100644
--- a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0537.json
+++ b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC_AZURE_0537.json
@@ -1,22 +1,23 @@
 {
- "name": "networkPort61621ExposedToPublicAz",
- "file": "networkPortExposedToPublicAz.rego",
- "policy_type": "azure",
- "resource_type": {
- "azurerm_network_security_rule": true
- },
- "template_args": {
- "defaultValue": "",
- "name": "networkPort61621ExposedToPublicAz",
- "portNumber": 61621,
- "prefix": "",
- "protocol": "Tcp",
- "suffix": ""
- },
- "severity": "MEDIUM",
- "description": "Ensure Cassandra OpsCenter (Tcp:61621) is not exposed to public for Azure Network Security Rule",
- "reference_id": "AC_AZURE_0537",
- "category": "Infrastructure Security",
- "version": 2,
- "id": "AC_AZURE_0537"
+ "name": "networkPort61621ExposedToPublicAz",
+ "file": "networkPortExposedToPublicAz.rego",
+ "policy_type": "azure",
+ "resource_type": {
+ "azurerm_network_security_rule": true,
+ "azurerm_network_security_group": true
+ },
+ "template_args": {
+ "defaultValue": "",
+ "name": "networkPort61621ExposedToPublicAz",
+ "portNumber": 61621,
+ "prefix": "",
+ "protocol": "Tcp",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure Cassandra OpsCenter (Tcp:61621) is not exposed to public for Azure Network Security Rule",
+ "reference_id": "AC_AZURE_0537",
+ "category": "Infrastructure Security",
+ "version": 2,
+ "id": "AC_AZURE_0537"
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/azure/azurerm_redis_cache/accurics.azure.NS.30.json b/pkg/policies/opa/rego/azure/azurerm_redis_cache/accurics.azure.NS.30.json
index 495355e99..f557fc25c 100755
--- a/pkg/policies/opa/rego/azure/azurerm_redis_cache/accurics.azure.NS.30.json
+++ b/pkg/policies/opa/rego/azure/azurerm_redis_cache/accurics.azure.NS.30.json
@@ -3,7 +3,8 @@
 "file": "publiclyAccessible.rego",
 "policy_type": "azure",
 "resource_type": {
- "azurerm_redis_cache": true
+ "azurerm_redis_cache": true,
+ "azurerm_redis_firewall_rule": true
 },
 "template_args": {
 "isEntire": true,
diff --git a/pkg/policies/opa/rego/azure/azurerm_redis_cache/accurics.azure.NS.31.json b/pkg/policies/opa/rego/azure/azurerm_redis_cache/accurics.azure.NS.31.json
index bb3b9eaae..82f7f44d0 100755
--- a/pkg/policies/opa/rego/azure/azurerm_redis_cache/accurics.azure.NS.31.json
+++ b/pkg/policies/opa/rego/azure/azurerm_redis_cache/accurics.azure.NS.31.json
@@ -3,7 +3,8 @@
 "file": "publiclyAccessible.rego",
 "policy_type": "azure",
 "resource_type": {
- "azurerm_redis_cache": true
+ "azurerm_redis_cache": true,
+ "azurerm_redis_firewall_rule": true
 },
 "template_args": {
 "isEntire": false,
diff --git a/pkg/policies/opa/rego/azure/azurerm_resource_group/accurics.azure.NS.272.json b/pkg/policies/opa/rego/azure/azurerm_resource_group/accurics.azure.NS.272.json
index f0d4c41e2..71dde6d95 100755
--- a/pkg/policies/opa/rego/azure/azurerm_resource_group/accurics.azure.NS.272.json
+++ b/pkg/policies/opa/rego/azure/azurerm_resource_group/accurics.azure.NS.272.json
@@ -3,7 +3,8 @@
 "file": "resourceGroupLock.rego",
 "policy_type": "azure",
 "resource_type": {
- "azurerm_resource_group": true
+ "azurerm_resource_group": true,
+ "azurerm_management_lock": true
 },
 "template_args": {
 "prefix": "reme_"
diff --git a/pkg/policies/opa/rego/azure/azurerm_sql_server/accurics.azure.IAM.138.json b/pkg/policies/opa/rego/azure/azurerm_sql_server/accurics.azure.IAM.138.json
index b631fff88..0b0db8982 100755
--- a/pkg/policies/opa/rego/azure/azurerm_sql_server/accurics.azure.IAM.138.json
+++ b/pkg/policies/opa/rego/azure/azurerm_sql_server/accurics.azure.IAM.138.json
@@ -3,7 +3,9 @@
 "file": "sqlServerPredictableAccount.rego",
 "policy_type": "azure",
 "resource_type": {
- "azurerm_sql_server": true
+ "azurerm_sql_server": true,
+ "azurerm_mysql_server": true,
+ "azurerm_postgresql_server": true
 },
 "template_args": {
 "prefix": "reme_"
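Review bot: accurics.azure.IAM.138 now lists `azurerm_mysql_server` and `azurerm_postgresql_server` next to `azurerm_sql_server`, but the rule name `sqlServerPredictableAccount.rego` and, presumably, its description still speak only of SQL Server, so a finding raised on a MySQL or PostgreSQL server will carry a misleading title; either rename the rule or make the description provider-neutral. The three resources do share an `administrator_login` attribute, so the check itself can plausibly be reused, but that depends on the rego reading only that attribute, which this diff does not show. The resource-group hunk is the more delicate one: `resourceGroupLock.rego` is now evaluated against `azurerm_management_lock` resources as well as resource groups, and unless the rego correlates a lock with its `scope`, a lock resource will either be flagged on its own or silently ignored; a one-line comment in the JSON or rego stating which of the two is intended would help the next maintainer.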
diff --git a/pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.EKM.132.json b/pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.EKM.132.json
index 99d1bb58b..a0f067964 100755
--- a/pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.EKM.132.json
+++ b/pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.EKM.132.json
@@ -3,7 +3,9 @@
 "file": "encryptedwithCsek.rego",
 "policy_type": "gcp",
 "resource_type": {
- "google_compute_instance": true
+ "google_compute_instance": true,
+ "google_compute_disk": true,
+ "google_compute_attached_disk": true
 },
 "template_args": null,
 "severity": "MEDIUM",
diff --git a/pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.NS.126.json b/pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.NS.126.json
index 40cc6ecae..eab4da445 100755
--- a/pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.NS.126.json
+++ b/pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.NS.126.json
@@ -3,7 +3,8 @@
 "file": "metadataDisabled.rego",
 "policy_type": "gcp",
 "resource_type": {
- "google_compute_instance": true
+ "google_compute_instance": true,
+ "google_compute_project_metadata": true
 },
 "template_args": {
 "metaKey": "block-project-ssh-keys",
diff --git a/pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.NS.129.json b/pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.NS.129.json
index 5a48be6d4..b4c2fe788 100755
--- a/pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.NS.129.json
+++ b/pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.NS.129.json
@@ -3,7 +3,8 @@
 "file": "metadataDisabled.rego",
 "policy_type": "gcp",
 "resource_type": {
- "google_compute_instance": true
+ "google_compute_instance": true,
+ "google_compute_project_metadata": true
 },
 "template_args": {
 "metaKey": "serial-port-enable",
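Review bot: `google_compute_attached_disk` does not look like a sensible target for `encryptedwithCsek.rego`: that resource only binds an existing disk to an instance and carries no encryption-key attribute of its own, so depending on how the rego is written the new entry will either never match or report every attachment as unencrypted. The CSEK setting lives on `google_compute_disk` and on the instance's `boot_disk`, which the other two entries already cover, so I would drop `"google_compute_attached_disk": true` unless the rego is known to follow the `disk` reference to the underlying disk. For the two `metadataDisabled.rego` hunks the extension to `google_compute_project_metadata` is reasonable, but note that the instance and project resources expose the metadata map under different attribute paths, which the shared rego must handle; that is outside this diff.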
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_namespace/AC-K8-OE-NS-L-0128.json b/pkg/policies/opa/rego/k8s/kubernetes_namespace/AC-K8-OE-NS-L-0128.json
index 255e1b322..c4ae926a7 100644
--- a/pkg/policies/opa/rego/k8s/kubernetes_namespace/AC-K8-OE-NS-L-0128.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_namespace/AC-K8-OE-NS-L-0128.json
@@ -3,7 +3,10 @@
 "file": "noOwnerLabel.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_namespace": true
+ "kubernetes_namespace": true,
+ "kubernetes_deployment": true,
+ "kubernetes_pod": true,
+ "kubernetes_job": true
 },
 "template_args": {
 "name": "noOwnerLabel",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-CA-PO-H-0165.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-CA-PO-H-0165.json
index 19d9c0b8d..e3f0d0597 100644
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-CA-PO-H-0165.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-CA-PO-H-0165.json
@@ -3,7 +3,12 @@
 "file": "securityContextCheck.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "allowed": "false",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0143.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0143.json
index b5556ca6c..5b89a1ba4 100644
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0143.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0143.json
@@ -3,7 +3,12 @@
 "file": "disAllowedVolumes.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "name": "disAllowedVolumes",
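Review bot: The pod policies starting with AC-K8-CA-PO-H-0165 are extended to Deployments, ReplicaSets, Jobs, ReplicationControllers and StatefulSets, but on those kinds the pod spec sits under `spec.template.spec`, not `spec`, so any rego or template argument that addresses pod-level fields directly will never match the new resource types and the wider scope becomes a silent no-op. The diff itself shows one such argument in the AC-K8-NS-PO-M-0171 hunk, `"attrib": "spec.volumes[_].hostPath"`, which is a Pod path; the `specBoolCheck.rego` policies (AC-K8-IA-PO-M-0162, AC-K8-NS-PO-M-0163, AC-K8-NS-PO-M-0164) and every other `kubernetes_pod` hunk in this commit share the same exposure. Either the shared rego files resolve the template path for workload kinds, or each affected JSON should document the assumption with a comment-equivalent field such as `"note": "pod spec is resolved via spec.template.spec for workload kinds"` so the scope change is verifiable. The `noOwnerLabel.rego` extension to Deployments, Pods and Jobs is the safe case here, since `metadata.labels` is at the same path for all of them.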
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0176.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0176.json
index 799961989..ee31bea12 100644
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0176.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0176.json
@@ -3,7 +3,12 @@
 "file": "kubeDashboardEnabled.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "name": "kubeDashboardEnabled",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0177.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0177.json
index a011f7ed7..db313318a 100644
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0177.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-DS-PO-M-0177.json
@@ -3,7 +3,12 @@
 "file": "tillerDeployed.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "name": "tillerDeployed",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0106.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0106.json
index f177c3573..40b83bd17 100755
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0106.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0106.json
@@ -3,7 +3,12 @@
 "file": "priviledgedContainersEnabled.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "name": "priviledgedContainersEnabled",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0137.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0137.json
index b7b31c98b..ee540735d 100755
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0137.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0137.json
@@ -3,7 +3,12 @@
 "file": "disallowedSysCalls.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "name": "disallowedSysCalls",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0138.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0138.json
index 158432bd0..861bab5d9 100755
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0138.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0138.json
@@ -3,7 +3,12 @@
 "file": "allowedHostPath.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "name": "allowedHostPath",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0168.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0168.json
index 4fb0eef6e..3f662464a 100755
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0168.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-H-0168.json
@@ -3,7 +3,12 @@
 "file": "securityContextCheck.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "allowed": "false",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0105.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0105.json
index b68f0beaa..4856fe82d 100755
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0105.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0105.json
@@ -3,7 +3,12 @@
 "file": "autoMountTokenEnabled.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "name": "autoMountTokenEnabled",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0135.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0135.json
index fb820df60..3639f4b45 100755
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0135.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0135.json
@@ -3,7 +3,12 @@
 "file": "appArmorProfile.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "name": "appArmorProfile",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0139.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0139.json
index 0c599774c..971bbbc50 100755
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0139.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0139.json
@@ -3,7 +3,12 @@
 "file": "allowedProcMount.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "name": "allowedProcMount",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0140.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0140.json
index 99d4daa0d..a25ab7a59 100755
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0140.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0140.json
@@ -3,7 +3,12 @@
 "file": "securityContextCheck.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "allowed": "false",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0141.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0141.json
index 7b7603e83..dd6ff541f 100755
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0141.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0141.json
@@ -3,7 +3,12 @@
 "file": "secCompProfile.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "name": "secCompProfile",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0143.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0143.json
index bb9b546fa..57a39c213 100755
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0143.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0143.json
@@ -3,7 +3,12 @@
 "file": "allowedVolumes.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "name": "allowedVolumes",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0162.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0162.json
index 27c2e1fde..731d81d0a 100755
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0162.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PO-M-0162.json
@@ -3,7 +3,12 @@
 "file": "specBoolCheck.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "name": "falseHostPID",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PS-M-0112.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PS-M-0112.json
index 5dd958909..cac856a29 100755
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PS-M-0112.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-IA-PS-M-0112.json
@@ -3,7 +3,12 @@
 "file": "capabilityUsed.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "attribute": "requiredDropCapabilities",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0117.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0117.json
index bbcc98b08..cbff19011 100644
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0117.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0117.json
@@ -3,7 +3,12 @@
 "file": "secretsAsEnvVariables.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "name": "secretsAsEnvVariables",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0170.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0170.json
index 0d758c52c..593badf45 100644
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0170.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-H-0170.json
@@ -3,7 +3,12 @@
 "file": "capSysAdminUsed.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "name": "capSysAdminUsed",
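Review bot: AC-K8-IA-PS-M-0112 passes `"attribute": "requiredDropCapabilities"` to `capabilityUsed.rego`, and that field name belongs to a PodSecurityPolicy spec rather than to a Pod or workload spec, where dropped capabilities are declared under `securityContext.capabilities.drop` per container; if the rego looks this attribute up on the resources now listed under `resource_type`, the widened scope will evaluate a field that does not exist on any of them. That may be intentional, for example if the rego derives a path from the attribute name, but nothing in the diff shows it, so it should be confirmed and the JSON should say what the attribute refers to. The `"PS"` in the policy id also suggests this rule was written for PodSecurityPolicy, which makes the `kubernetes_pod` directory and the new workload entries worth a second look.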
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0122.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0122.json
index f7402f164..ba9fd61c2 100644
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0122.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0122.json
@@ -3,7 +3,12 @@
 "file": "securityContextUsed.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "name": "securityContextUsed",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0133.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0133.json
index b2f56c4b6..f1de41260 100644
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0133.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0133.json
@@ -3,7 +3,12 @@
 "file": "imageWithoutDigest.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "name": "imageWithoutDigest",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0163.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0163.json
index 529457203..a9283016b 100644
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0163.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0163.json
@@ -3,7 +3,12 @@
 "file": "specBoolCheck.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "name": "falseHostIPC",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0164.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0164.json
index a30b2a8a0..fea0dd18f 100644
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0164.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0164.json
@@ -3,7 +3,12 @@
 "file": "specBoolCheck.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "name": "falseHostNetwork",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0171.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0171.json
index 157ebdcea..ff54f1f26 100644
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0171.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0171.json
@@ -3,7 +3,12 @@
 "file": "dockerSockCheck.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "attrib": "spec.volumes[_].hostPath",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0182.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0182.json
index 3f50f94b8..6989dc9b5 100644
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0182.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-NS-PO-M-0182.json
@@ -3,7 +3,12 @@
 "file": "containersAsHighUID.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "name": "containersAsHighUID",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0034.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0034.json
index 29a6c146b..4cf206059 100644
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0034.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0034.json
@@ -3,7 +3,12 @@
 "file": "commandCheck.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "argument": "--enable-admission-plugins",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0155.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0155.json
index 24576f858..c29aa53df 100644
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0155.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0155.json
@@ -3,7 +3,12 @@
 "file": "securityContextCheck.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "allowed": "true",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0156.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0156.json
index 8c8b8456f..58828735d 100644
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0156.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0156.json
@@ -3,7 +3,12 @@
 "file": "securityContextCheck.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "allowed": "true",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0157.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0157.json
index 953b8f616..d7d9a851a 100644
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0157.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0157.json
@@ -3,7 +3,12 @@
 "file": "securityContextCheck.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "allowed": "true",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0158.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0158.json
index f588773de..d7ad78b01 100644
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0158.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PK-M-0158.json
@@ -3,7 +3,12 @@
 "file": "securityContextCheck.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "allowed": "true",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0129.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0129.json
index 96799c143..3932e19cf 100644
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0129.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0129.json
@@ -3,7 +3,12 @@
 "file": "probeCheck.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "argument": "livenessProbe",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0130.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0130.json
index c53ecd114..219975845 100644
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0130.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0130.json
@@ -3,7 +3,12 @@
 "file": "probeCheck.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "argument": "readinessProbe",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0134.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0134.json
index aaa1fbbdf..53096b472 100644
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0134.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-L-0134.json
@@ -3,7 +3,12 @@
 "file": "imageWithLatestTag.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "name": "imageWithLatestTag",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-M-0166.json b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-M-0166.json
index 59f722121..7f72c2f61 100644
--- a/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-M-0166.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_pod/AC-K8-OE-PO-M-0166.json
@@ -3,7 +3,12 @@
 "file": "otherNamespace.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_pod": true
+ "kubernetes_pod": true,
+ "kubernetes_deployment": true,
+ "kubernetes_replica_set": true,
+ "kubernetes_job": true,
+ "kubernetes_replication_controller": true,
+ "kubernetes_stateful_set": true
 },
 "template_args": {
 "name": "otherNamespace",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_role/AC-K8-IA-RO-H-0104.json b/pkg/policies/opa/rego/k8s/kubernetes_role/AC-K8-IA-RO-H-0104.json
index 24035024a..cbec63c5d 100755
--- a/pkg/policies/opa/rego/k8s/kubernetes_role/AC-K8-IA-RO-H-0104.json
+++ b/pkg/policies/opa/rego/k8s/kubernetes_role/AC-K8-IA-RO-H-0104.json
@@ -3,7 +3,9 @@
 "file": "defaultServiceAccountUsed.rego",
 "policy_type": "k8s",
 "resource_type": {
- "kubernetes_role": true
+ "kubernetes_role": true,
+ "kubernetes_cluster_role": true,
+ "kubernetes_role_binding": true
 },
 "template_args": {
 "name": "defaultServiceAccountUsed",
diff --git a/pkg/policies/opa/rego/k8s/kubernetes_service/cve_2020_8554/ensurePrivateIP.rego b/pkg/policies/opa/rego/k8s/kubernetes_service/cve_2020_8554/ensurePrivateIP.rego
index e195b2885..0d274a67a 100644
--- a/pkg/policies/opa/rego/k8s/kubernetes_service/cve_2020_8554/ensurePrivateIP.rego
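Review bot: AC-K8-IA-RO-H-0104 adds `kubernetes_role_binding` alongside `kubernetes_role` and `kubernetes_cluster_role`, but a RoleBinding has a completely different shape from a Role: a Role carries `rules`, while a RoleBinding carries `subjects` and a `roleRef`, and the `default` service account appears only in the latter's subjects. A single `defaultServiceAccountUsed.rego` therefore has to branch on resource kind, and nothing in this diff shows that it does; if it only inspects `rules`, the new binding entry is inert, and if it only inspects `subjects`, the two role entries are. The split is worth stating in the policy file, for example `"description"` text naming which kinds are checked for which attribute, or by keeping bindings in a separate policy with its own rego. The `kubernetes_cluster_role` addition is the safe one, since it shares the `rules` layout with `kubernetes_role`.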
+++ b/pkg/policies/opa/rego/k8s/kubernetes_service/cve_2020_8554/ensurePrivateIP.rego
@@ -1,7 +1,7 @@
 package accurics
 {{.prefix}}{{.name}}{{.suffix}}[service.id] {
- service := input.{{.resource_type}}[_]
+ service := input.kubernetes_service[_]
 type_check(service.config.spec)
 object.get(service.config.spec, "externalIPs", "undefined") != "undefined"
 }
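Review bot: The hardcoded `service := input.kubernetes_service[_]` silently decouples this rule from the policy's `resource_type` map: any type later added to the JSON for this policy will be accepted by the loader but never evaluated, and nothing in the file records why the template variable was dropped. Presumably `{{.resource_type}}` could no longer render once `resource_type` became a map of booleans rather than a string, which is exactly what the JSON hunks in this commit do; that reasoning belongs in the rego, e.g. `# resource_type is a map in the policy JSON and cannot be templated; this rule only inspects kubernetes_service`. Every other rego in the tree that still interpolates `{{.resource_type}}` will hit the same rendering problem, and this diff does not show them being updated. The surrounding rule uses `type_check(service.config.spec)` which is defined outside this hunk, so its handling of a missing `spec` is not visible here.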