RESOURCE-507 Attribute Enhancement in Azure Network Security Group Resource #680

Expand Up @@ -203,7 +203,20 @@ describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'G
it { should_not exist }
end
```
### Test that a Network Security group should not allow UDP from the internet

```ruby
describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
it { should_not allow_udp_from_internet }
end
```
### Validating Number of days to retain flow log records.

```ruby
describe azure_network_security_group(resource_group: 'RESOURCE_GROUP', name: 'GROUP_NAME') do
its('flow_log_retention_period') { should eq 0 }
end
```
## Azure Permissions

{{% azure_permissions_service_principal role="reader" %}}
19 changes: 19 additions & 0 deletions libraries/azure_network_security_group.rb
Expand Up @@ -131,6 +131,9 @@ def security_rules
@security_rules ||= properties.securityRules
end

def flow_log_retention_period
!properties.include?(:retentionPolicy) ? 0 : properties.retentionPolicy
end
def default_security_rules
return unless exists?
@default_security_rules ||= properties.defaultSecurityRules
Expand All @@ -148,6 +151,20 @@ def allow_rdp_from_internet?
end
RSpec::Matchers.alias_matcher :allow_rdp_from_internet, :be_allow_rdp_from_internet

def allow_udp_from_internet?
return unless exists?
allow_port_from_internet?('53')
end
RSpec::Matchers.alias_matcher :allow_udp_from_internet, :be_allow_udp_from_internet

SPECIFIC_CRITERIA = %i(specific_port access_allow direction_inbound source_open not_icmp).freeze

def allow_http_from_internet?
return unless exists?
allow_port_from_internet?('80') || allow_port_from_internet?('443')
end
RSpec::Matchers.alias_matcher :allow_http_from_internet, :be_allow_http_from_internet

SPECIFIC_CRITERIA = %i(specific_port access_allow direction_inbound source_open not_icmp).freeze
def allow_port_from_internet?(specific_port)
return unless exists?
Expand All @@ -156,6 +173,8 @@ def allow_port_from_internet?(specific_port)
end
RSpec::Matchers.alias_matcher :allow_port_from_internet, :be_allow_port_from_internet



private

def security_rules_properties
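Review bot: The new `allow_udp_from_internet?` only delegates to `allow_port_from_internet?('53')`, and `SPECIFIC_CRITERIA` carries no protocol criterion (only `not_icmp`), so a TCP-only rule on port 53 satisfies the matcher while a UDP rule on any other port never does; the name promises a protocol check the code does not make. Either name it for what it checks (e.g. `allow_dns_from_internet?`) or extend the criteria so the matched rule's `protocol` must be `Udp` or `*` before it counts. The added `SPECIFIC_CRITERIA = %i(...).freeze` line in the same hunk duplicates the existing definition a few lines below it, which Ruby reports at load time as `warning: already initialized constant`; drop the new copy. In the first hunk, `flow_log_retention_period` returns the whole `properties.retentionPolicy` value rather than a day count when the key is present, although the docs describe the attribute as "Number of days", and it lacks the `return unless exists?` guard its sibling accessors use; it also reads more naturally without the negation, `properties.include?(:retentionPolicy) ? properties.retentionPolicy : 0` — I cannot tell from this page whether `retentionPolicy` is ever present on NSG properties or the method always yields 0, so please confirm against a resource that has a flow log configured.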
Expand Up @@ -70,6 +70,8 @@

describe azure_network_security_group(resource_group: resource_group, name: nsg_insecure) do
it { should allow_in(ip_range: '0.0.0.0', port: '22') }
it { should_not allow_udp_from_internet }
its('flow_log_retention_period') { should eq 0 }
it { should allow(source_ip_range: '0.0.0.0', destination_port: '22', direction: 'inbound') }
it { should allow_in(service_tag: 'Internet', port: %w{1433-1434 1521 4300-4350 5000-6000}) }
it { should allow(source_service_tag: 'Internet', destination_port: %w{1433-1434 1521 4300-4350 5000-6000}, direction: 'inbound') }