Skip to content

Commit

Permalink
Update Policy Library (automated) (#572)
Browse files Browse the repository at this point in the history
Co-authored-by: github-actions <action@github.com>
Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>
  • Loading branch information
3 people authored Jul 12, 2023
1 parent 529cd8f commit 366d48e
Show file tree
Hide file tree
Showing 7 changed files with 334 additions and 69 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -477,6 +477,10 @@ var varCustomPolicyDefinitionsArray = [
name: 'Deploy-Sql-Tde'
libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-Tde.json')
}
{
name: 'Deploy-Sql-vulnerabilityAssessments_20230706'
libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments_20230706.json')
}
{
name: 'Deploy-Sql-vulnerabilityAssessments'
libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments.json')
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -462,6 +462,10 @@
name: 'Deploy-Sql-Tde'
libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-Tde.json')
}
{
name: 'Deploy-Sql-vulnerabilityAssessments_20230706'
libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments_20230706.json')
}
{
name: 'Deploy-Sql-vulnerabilityAssessments'
libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments.json')
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
"version": "1.0.0-deprecated",
"category": "Machine Learning",
"source": "https://github.com/Azure/Enterprise-Scale/",
"deprecated": true,
"alzCloudEnvironments": [
"AzureCloud"
]
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
"displayName": "Management port access from the Internet should be blocked",
"description": "This policy denies any network security rule that allows management port access from the Internet",
"metadata": {
"version": "2.0.0",
"version": "2.1.0",
"category": "Network",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
Expand Down Expand Up @@ -46,95 +46,201 @@
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkSecurityGroups/securityRules"
},
"anyOf": [
{
"allOf": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
"equals": "Allow"
"field": "type",
"equals": "Microsoft.Network/networkSecurityGroups/securityRules"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
"equals": "Inbound"
},
{
"anyOf": [
"allOf": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
"equals": "*"
"field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
"equals": "Allow"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
"in": "[parameters('ports')]"
"field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
"equals": "Inbound"
},
{
"count": {
"value": "[parameters('ports')]",
"where": {
"value": "[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current())),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current()))), 'false')]",
"equals": "true"
}
},
"greater": 0
},
{
"count": {
"value": "[parameters('ports')]",
"name": "ports",
"where": {
"anyOf": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
"equals": "*"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
"in": "[parameters('ports')]"
},
{
"count": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
"value": "[parameters('ports')]",
"where": {
"value": "[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),int(current('ports')))) , 'false')]",
"value": "[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current())),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current()))), 'false')]",
"equals": "true"
}
},
"greater": 0
},
{
"count": {
"value": "[parameters('ports')]",
"name": "ports",
"where": {
"count": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
"where": {
"value": "[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))),int(current('ports')))) , 'false')]",
"equals": "true"
}
},
"greater": 0
}
},
"greater": 0
},
{
"not": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
"notEquals": "*"
}
},
{
"not": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
"notIn": "[parameters('ports')]"
}
}
},
"greater": 0
},
{
"not": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
"notEquals": "*"
}
]
},
{
"not": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
"notIn": "[parameters('ports')]"
}
"anyOf": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
"equals": "*"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
"equals": "Internet"
},
{
"not": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
"notEquals": "*"
}
},
{
"not": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
"notEquals": "Internet"
}
}
]
}
]
}
]
},
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkSecurityGroups"
},
{
"anyOf": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
"equals": "*"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
"equals": "Internet"
},
{
"not": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
"notEquals": "*"
}
},
{
"not": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
"notEquals": "Internet"
}
"count": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
"where": {
"allOf": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access",
"equals": "Allow"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction",
"equals": "Inbound"
},
{
"anyOf": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange",
"equals": "*"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange",
"in": "[parameters('ports')]"
},
{
"count": {
"value": "[parameters('ports')]",
"name": "ports",
"where": {
"value": "[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), '-'))),int(current('ports')))), 'false')]",
"equals": "true"
}
},
"greater": 0
},
{
"count": {
"value": "[parameters('ports')]",
"name": "ports",
"where": {
"count": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]",
"where": {
"value": "[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'), '-'))),int(current('ports')))) , 'false')]",
"equals": "true"
}
},
"greater": 0
}
},
"greater": 0
},
{
"not": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]",
"notEquals": "*"
}
},
{
"not": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]",
"notIn": "[parameters('ports')]"
}
}
]
},
{
"anyOf": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix",
"equals": "*"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix",
"equals": "Internet"
},
{
"not": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]",
"notEquals": "*"
}
},
{
"not": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]",
"notEquals": "Internet"
}
}
]
}
]
}
]
},
"greater": 0
}
]
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
"version": "1.0.0-deprecated",
"category": "SQL",
"source": "https://github.com/Azure/Enterprise-Scale/",
"deprecated": true,
"alzCloudEnvironments": [
"AzureCloud",
"AzureChinaCloud",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6,12 +6,14 @@
"properties": {
"policyType": "Custom",
"mode": "Indexed",
"displayName": "Deploy SQL Database vulnerability Assessments",
"description": "Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters",
"displayName": "[Deprecated]: Deploy SQL Database vulnerability Assessments",
"description": "Deploy SQL Database vulnerability Assessments when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html",
"metadata": {
"version": "1.0.1",
"version": "1.0.1-deprecated",
"category": "SQL",
"source": "https://github.com/Azure/Enterprise-Scale/",
"deprecated": true,
"supersededBy": "Deploy-Sql-vulnerabilityAssessments_20230706",
"alzCloudEnvironments": [
"AzureCloud",
"AzureChinaCloud",
Expand Down
Loading

0 comments on commit 366d48e

Please sign in to comment.