New Policies for Azure & Category Updates. (#580)

* add new categories for all azure policies * rule reference ids updated for azure policies * rule reference ids updated: azure network security rules * post review rule reference id fix
tenable · Mar 9, 2021 · 02d312e · 02d312e
1 parent cca6d2f
commit 02d312e
Show file tree

Hide file tree

Showing 325 changed files with 1,412 additions and 1,700 deletions.
diff --git a/...cation_gateway/accurics.azure.NS.147.json → ...plication_gateway/AC-AZ-IS-AG-M-0008.json b/...cation_gateway/accurics.azure.NS.147.json → ...plication_gateway/AC-AZ-IS-AG-M-0008.json
@@ -6,7 +6,7 @@
     },
     "severity": "MEDIUM",
     "description": "Ensure Azure Application Gateway Web application firewall (WAF) is enabled",
-    "reference_id": "accurics.azure.NS.147",
-    "category": "Network Security",
+    "reference_id": "AC-AZ-IS-AG-M-0008",
+    "category": "Infrastructure Security",
     "version": 2
 }
diff --git a/...iner_registry/accurics.azure.EKM.164.json → ...ontainer_registry/AC-AZ-IA-CR-M-0010.json b/...iner_registry/accurics.azure.EKM.164.json → ...ontainer_registry/AC-AZ-IA-CR-M-0010.json
@@ -6,7 +6,7 @@
     },
     "severity": "MEDIUM",
     "description": "Ensure that admin user is disabled for Container Registry",
-    "reference_id": "accurics.azure.EKM.164",
-    "category": "Encryption and Key Management",
+    "reference_id": "AC-AZ-IA-CR-M-0010",
+    "category": "Identity and Access Management",
     "version": 2
 }
diff --git a/...tainer_registry/accurics.azure.AKS.3.json → ...ontainer_registry/AC-AZ-RE-CR-H-0011.json b/...tainer_registry/accurics.azure.AKS.3.json → ...ontainer_registry/AC-AZ-RE-CR-H-0011.json
@@ -6,7 +6,7 @@
     },
     "severity": "HIGH",
     "description": "Ensure Container Registry has locks",
-    "reference_id": "accurics.azure.AKS.3",
-    "category": "Azure Container Services",
+    "reference_id": "AC-AZ-RE-CR-H-0011",
+    "category": "Resilience",
     "version": 2
 }
diff --git a/...mosdb_account/accurics.azure.CAM.162.json → ..._cosmosdb_account/AC-AZ-CV-CA-M-0013.json b/...mosdb_account/accurics.azure.CAM.162.json → ..._cosmosdb_account/AC-AZ-CV-CA-M-0013.json
@@ -6,7 +6,7 @@
     },
     "severity": "MEDIUM",
     "description": "Ensure that Cosmos DB Account has an associated tag",
-    "reference_id": "accurics.azure.CAM.162",
-    "category": "Cloud Assets Management",
+    "reference_id": "AC-AZ-CV-CA-M-0013",
+    "category": "Compliance Validation",
     "version": 2
 }
diff --git a/...osmosdb_account/accurics.azure.NS.32.json → ..._cosmosdb_account/AC-AZ-IS-CA-H-0012.json b/...osmosdb_account/accurics.azure.NS.32.json → ..._cosmosdb_account/AC-AZ-IS-CA-H-0012.json
@@ -6,7 +6,7 @@
     },
     "severity": "HIGH",
     "description": "Ensure to filter source Ips for Cosmos DB Account",
-    "reference_id": "accurics.azure.NS.32",
-    "category": "Network Security",
+    "reference_id": "AC-AZ-IS-CA-H-0012",
+    "category": "Infrastructure Security",
     "version": 2
 }
diff --git a/...erm_key_vault/accurics.azure.EKM.164.json → ...azurerm_key_vault/AC-AZ-DP-KV-M-0026.json b/...erm_key_vault/accurics.azure.EKM.164.json → ...azurerm_key_vault/AC-AZ-DP-KV-M-0026.json
@@ -6,7 +6,7 @@
     },
     "severity": "MEDIUM",
     "description": "Ensure the key vault is recoverable - enable \"Soft Delete\" setting for a Key Vault",
-    "reference_id": "accurics.azure.EKM.164",
-    "category": "Encryption and Key Management",
+    "reference_id": "AC-AZ-DP-KV-M-0026",
+    "category": "Data Protection",
     "version": 2
 }
diff --git a/...rerm_key_vault/accurics.azure.EKM.20.json → ...azurerm_key_vault/AC-AZ-LM-KV-H-0027.json b/...rerm_key_vault/accurics.azure.EKM.20.json → ...azurerm_key_vault/AC-AZ-LM-KV-H-0027.json
@@ -6,7 +6,7 @@
     },
     "severity": "HIGH",
     "description": "Ensure that logging for Azure KeyVault is 'Enabled'",
-    "reference_id": "accurics.azure.EKM.20",
-    "category": "Encryption and Key Management",
+    "reference_id": "AC-AZ-LM-KV-H-0027",
+    "category": "Logging and Monitoring",
     "version": 2
 }
diff --git a/..._key_vault_key/accurics.azure.EKM.25.json → ...erm_key_vault_key/AC-AZ-DP-KK-H-0032.json b/..._key_vault_key/accurics.azure.EKM.25.json → ...erm_key_vault_key/AC-AZ-DP-KK-H-0032.json
@@ -6,7 +6,7 @@
     },
     "severity": "HIGH",
     "description": "Ensure that the expiration date is set on all keys",
-    "reference_id": "accurics.azure.EKM.25",
-    "category": "Key Management",
+    "reference_id": "AC-AZ-DP-KK-H-0032",
+    "category": "Data Protection",
     "version": 2
 }
diff --git a/...y_vault_secret/accurics.azure.EKM.26.json → ..._key_vault_secret/AC-AZ-DP-VS-H-0033.json b/...y_vault_secret/accurics.azure.EKM.26.json → ..._key_vault_secret/AC-AZ-DP-VS-H-0033.json
@@ -6,7 +6,7 @@
     },
     "severity": "HIGH",
     "description": "Ensure that the expiration date is set on all secrets",
-    "reference_id": "accurics.azure.EKM.26",
-    "category": "Key Management",
+    "reference_id": "AC-AZ-DP-VS-H-0033",
+    "category": "Data Protection",
     "version": 2
 }
diff --git a/...rnetes_cluster/accurics.azure.NS.383.json → ...ubernetes_cluster/AC-AZ-IS-KC-M-0037.json b/...rnetes_cluster/accurics.azure.NS.383.json → ...ubernetes_cluster/AC-AZ-IS-KC-M-0037.json
@@ -4,7 +4,7 @@
     "template_args": null,
     "severity": "MEDIUM",
     "description": "Ensure Kube Dashboard is disabled",
-    "reference_id": "accurics.azure.NS.383",
-    "category": "Network Security",
+    "reference_id": "AC-AZ-IS-KC-M-0037",
+    "category": "Infrastructure Security",
     "version": 1
 }
diff --git a/...rnetes_cluster/accurics.azure.NS.382.json → ...ubernetes_cluster/AC-AZ-IS-KC-M-0038.json b/...rnetes_cluster/accurics.azure.NS.382.json → ...ubernetes_cluster/AC-AZ-IS-KC-M-0038.json
@@ -4,7 +4,7 @@
     "template_args": null,
     "severity": "MEDIUM",
     "description": "Ensure AKS cluster has Network Policy configured.",
-    "reference_id": "accurics.azure.NS.382",
-    "category": "Network Security",
+    "reference_id": "AC-AZ-IS-KC-M-0038",
+    "category": "Infrastructure Security",
     "version": 1
 }
diff --git a/..._managed_disk/accurics.azure.EKM.156.json → ...rerm_managed_disk/AC-AZ-DP-MD-M-0050.json b/..._managed_disk/accurics.azure.EKM.156.json → ...rerm_managed_disk/AC-AZ-DP-MD-M-0050.json
@@ -6,7 +6,7 @@
     },
     "severity": "MEDIUM",
     "description": "Ensure that 'OS disk' are encrypted",
-    "reference_id": "accurics.azure.EKM.156",
-    "category": "Encryption and Key Management",
+    "reference_id": "AC-AZ-DP-MD-M-0050",
+    "category": "Data Protection",
     "version": 2
 }
diff --git a/..._mssql_server/accurics.azure.MON.355.json → ...rerm_mssql_server/AC-AZ-LM-MS-M-0055.json b/..._mssql_server/accurics.azure.MON.355.json → ...rerm_mssql_server/AC-AZ-LM-MS-M-0055.json
@@ -7,7 +7,7 @@
     },
     "severity": "MEDIUM",
     "description": "Ensure that 'Auditing' is set to 'On' for MSSQL servers",
-    "reference_id": "accurics.azure.MON.355",
-    "category": "Monitoring",
+    "reference_id": "AC-AZ-LM-MS-M-0055",
+    "category": "Logging and Monitoring",
     "version": 1
 }
diff --git a/..._mssql_server/accurics.azure.LOG.357.json → ...rerm_mssql_server/AC-AZ-LM-MS-M-0056.json b/..._mssql_server/accurics.azure.LOG.357.json → ...rerm_mssql_server/AC-AZ-LM-MS-M-0056.json
@@ -7,7 +7,7 @@
     },
     "severity": "MEDIUM",
     "description": "Ensure that 'Auditing' Retention is 'greater than 90 days' for MSSQL servers.",
-    "reference_id": "accurics.azure.LOG.357",
-    "category": "Monitoring",
+    "reference_id": "AC-AZ-LM-MS-M-0056",
+    "category": "Logging and Monitoring",
     "version": 1
 }
diff --git a/...m_mysql_server/accurics.azure.NS.361.json → ...rerm_mysql_server/AC-AZ-IS-MY-H-0061.json b/...m_mysql_server/accurics.azure.NS.361.json → ...rerm_mysql_server/AC-AZ-IS-MY-H-0061.json
@@ -4,7 +4,7 @@
     "template_args": null,
     "severity": "HIGH",
     "description": "Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server.",
-    "reference_id": "accurics.azure.NS.361",
-    "category": "Network Security",
+    "reference_id": "AC-AZ-IS-MY-H-0061",
+    "category": "Infrastructure Security",
     "version": 1
 }
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC-AZ-IS-NS-H-0069.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC-AZ-IS-NS-H-0069.json
@@ -0,0 +1,18 @@
+{
+  "name": "reme_networkPort3020ExposedPublicEntire",
+  "file": "networkPortExposedPublic.rego",
+  "template_args": {
+    "endLimit": 0,
+    "evalHosts": true,
+    "name": "networkPort3020ExposedPublicEntire",
+    "numberOfHosts": 1,
+    "portNumber": 3020,
+    "prefix": "reme_",
+    "protocol": "TCP"
+  },
+  "severity": "High",
+  "description": "CIFS / SMB (TCP:3020) is exposed to entire Public network",
+  "reference_id": "AC-AZ-IS-NS-H-0069",
+  "category": "Infrastructure Security",
+  "version": 2
+}
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC-AZ-IS-NS-H-0072.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC-AZ-IS-NS-H-0072.json
@@ -0,0 +1,18 @@
+{
+  "name": "reme_networkPort7001ExposedPublicEntire",
+  "file": "networkPortExposedPublic.rego",
+  "template_args": {
+    "endLimit": 0,
+    "evalHosts": true,
+    "name": "networkPort7001ExposedPublicEntire",
+    "numberOfHosts": 1,
+    "portNumber": 7001,
+    "prefix": "reme_",
+    "protocol": "TCP"
+  },
+  "severity": "High",
+  "description": "Cassandra (TCP:7001) is exposed to entire Public network",
+  "reference_id": "AC-AZ-IS-NS-H-0072",
+  "category": "Infrastructure Security",
+  "version": 2
+}
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC-AZ-IS-NS-H-0075.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC-AZ-IS-NS-H-0075.json
@@ -0,0 +1,18 @@
+{
+  "name": "reme_networkPort61621ExposedPublicEntire",
+  "file": "networkPortExposedPublic.rego",
+  "template_args": {
+    "endLimit": 0,
+    "evalHosts": true,
+    "name": "networkPort61621ExposedPublicEntire",
+    "numberOfHosts": 1,
+    "portNumber": 61621,
+    "prefix": "reme_",
+    "protocol": "TCP"
+  },
+  "severity": "High",
+  "description": "Cassandra OpsCenter (TCP:61621) is exposed to entire Public network",
+  "reference_id": "AC-AZ-IS-NS-H-0075",
+  "category": "Infrastructure Security",
+  "version": 2
+}
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC-AZ-IS-NS-H-0078.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC-AZ-IS-NS-H-0078.json
@@ -0,0 +1,18 @@
+{
+  "name": "reme_networkPort53ExposedPublicEntireUdp",
+  "file": "networkPortExposedPublic.rego",
+  "template_args": {
+    "endLimit": 0,
+    "evalHosts": true,
+    "name": "networkPort53ExposedPublicEntireUdp",
+    "numberOfHosts": 1,
+    "portNumber": 53,
+    "prefix": "reme_",
+    "protocol": "UDP"
+  },
+  "severity": "High",
+  "description": "DNS (UDP:53) is exposed to entire Public network",
+  "reference_id": "AC-AZ-IS-NS-H-0078",
+  "category": "Infrastructure Security",
+  "version": 2
+}
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC-AZ-IS-NS-H-0081.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC-AZ-IS-NS-H-0081.json
@@ -0,0 +1,18 @@
+{
+  "name": "reme_networkPort9000ExposedPublicEntire",
+  "file": "networkPortExposedPublic.rego",
+  "template_args": {
+    "endLimit": 0,
+    "evalHosts": true,
+    "name": "networkPort9000ExposedPublicEntire",
+    "numberOfHosts": 1,
+    "portNumber": 9000,
+    "prefix": "reme_",
+    "protocol": "TCP"
+  },
+  "severity": "High",
+  "description": "Hadoop Name Node (TCP:9000) is exposed to entire Public network",
+  "reference_id": "AC-AZ-IS-NS-H-0081",
+  "category": "Infrastructure Security",
+  "version": 2
+}
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC-AZ-IS-NS-H-0084.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC-AZ-IS-NS-H-0084.json
@@ -0,0 +1,18 @@
+{
+  "name": "reme_networkPort8000ExposedPublicEntire",
+  "file": "networkPortExposedPublic.rego",
+  "template_args": {
+    "endLimit": 0,
+    "evalHosts": true,
+    "name": "networkPort8000ExposedPublicEntire",
+    "numberOfHosts": 1,
+    "portNumber": 8000,
+    "prefix": "reme_",
+    "protocol": "TCP"
+  },
+  "severity": "High",
+  "description": " Known internal web port (TCP:8000) is exposed to entire Public network",
+  "reference_id": "AC-AZ-IS-NS-H-0084",
+  "category": "Infrastructure Security",
+  "version": 2
+}
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC-AZ-IS-NS-H-0087.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC-AZ-IS-NS-H-0087.json
@@ -0,0 +1,18 @@
+{
+  "name": "reme_networkPort8080ExposedPublicEntire",
+  "file": "networkPortExposedPublic.rego",
+  "template_args": {
+    "endLimit": 0,
+    "evalHosts": true,
+    "name": "networkPort8080ExposedPublicEntire",
+    "numberOfHosts": 1,
+    "portNumber": 8080,
+    "prefix": "reme_",
+    "protocol": "TCP"
+  },
+  "severity": "High",
+  "description": " Known internal web port (TCP:8080) is exposed to entire Public network",
+  "reference_id": "AC-AZ-IS-NS-H-0087",
+  "category": "Infrastructure Security",
+  "version": 2
+}
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC-AZ-IS-NS-H-0090.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC-AZ-IS-NS-H-0090.json
@@ -0,0 +1,18 @@
+{
+  "name": "reme_networkPort636ExposedPublicEntire",
+  "file": "networkPortExposedPublic.rego",
+  "template_args": {
+    "endLimit": 0,
+    "evalHosts": true,
+    "name": "networkPort636ExposedPublicEntire",
+    "numberOfHosts": 1,
+    "portNumber": 636,
+    "prefix": "reme_",
+    "protocol": "TCP"
+  },
+  "severity": "High",
+  "description": "LDAP SSL (TCP:636) is exposed to entire Public network",
+  "reference_id": "AC-AZ-IS-NS-H-0090",
+  "category": "Infrastructure Security",
+  "version": 2
+}
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC-AZ-IS-NS-H-0096.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC-AZ-IS-NS-H-0096.json
@@ -0,0 +1,18 @@
+{
+  "name": "reme_networkPort1434ExposedPublicEntireUdp",
+  "file": "networkPortExposedPublic.rego",
+  "template_args": {
+    "endLimit": 0,
+    "evalHosts": true,
+    "name": "networkPort1434ExposedPublicEntireUdp",
+    "numberOfHosts": 1,
+    "portNumber": 1434,
+    "prefix": "reme_",
+    "protocol": "UDP"
+  },
+  "severity": "High",
+  "description": "MSSQL Browser (UDP:1434) is exposed to entire Public network",
+  "reference_id": "AC-AZ-IS-NS-H-0096",
+  "category": "Infrastructure Security",
+  "version": 2
+}
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC-AZ-IS-NS-H-0099.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC-AZ-IS-NS-H-0099.json
@@ -0,0 +1,18 @@
+{
+  "name": "reme_networkPort135ExposedPublicEntire",
+  "file": "networkPortExposedPublic.rego",
+  "template_args": {
+    "endLimit": 0,
+    "evalHosts": true,
+    "name": "networkPort135ExposedPublicEntire",
+    "numberOfHosts": 1,
+    "portNumber": 135,
+    "prefix": "reme_",
+    "protocol": "TCP"
+  },
+  "severity": "High",
+  "description": "MSSQL Debugger (TCP:135) is exposed to entire Public network",
+  "reference_id": "AC-AZ-IS-NS-H-0099",
+  "category": "Infrastructure Security",
+  "version": 2
+}
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC-AZ-IS-NS-H-0102.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC-AZ-IS-NS-H-0102.json
@@ -0,0 +1,18 @@
+{
+  "name": "reme_networkPort1433ExposedPublicEntire",
+  "file": "networkPortExposedPublic.rego",
+  "template_args": {
+    "endLimit": 0,
+    "evalHosts": true,
+    "name": "networkPort1433ExposedPublicEntire",
+    "numberOfHosts": 1,
+    "portNumber": 1433,
+    "prefix": "reme_",
+    "protocol": "TCP"
+  },
+  "severity": "High",
+  "description": "MSSQL Server (TCP:1433) is exposed to entire Public network",
+  "reference_id": "AC-AZ-IS-NS-H-0102",
+  "category": "Infrastructure Security",
+  "version": 2
+}
diff --git a/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC-AZ-IS-NS-H-0111.json b/pkg/policies/opa/rego/azure/azurerm_network_security_rule/AC-AZ-IS-NS-H-0111.json
@@ -0,0 +1,18 @@
+{
+  "name": "reme_networkPort11214ExposedPublicEntireUdp",
+  "file": "networkPortExposedPublic.rego",
+  "template_args": {
+    "endLimit": 0,
+    "evalHosts": true,
+    "name": "networkPort11214ExposedPublicEntireUdp",
+    "numberOfHosts": 1,
+    "portNumber": 11214,
+    "prefix": "reme_",
+    "protocol": "UDP"
+  },
+  "severity": "High",
+  "description": "Memcached SSL (UDP:11214) is exposed to entire Public network",
+  "reference_id": "AC-AZ-IS-NS-H-0111",
+  "category": "Infrastructure Security",
+  "version": 2
+}