nuclei-templates/cloud/azure/postgresql/azure-postgresql-ssl-enforc...

id: azure-postgresql-ssl-enforcement
info:
  name: Azure PostgreSQL SSL Enforcement Not Enabled
  author: princechaddha
  severity: high
  description: |
    Ensure that Microsoft Azure PostgreSQL server data is encrypted in transit in order to meet security and compliance requirements. In-transit encryption helps prevent unauthorized users from getting access to critical data available in your Azure PostgreSQL databases.
  impact: |
    Failure to enable SSL enforcement for PostgreSQL servers can lead to data being intercepted and read by unauthorized parties during transit, posing significant security and compliance risks.
  remediation: |
    Enable SSL enforcement on all Azure PostgreSQL servers to ensure that data is encrypted in transit and protected from unauthorized access.
  reference:
    - https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security
  tags: cloud,devops,azure,microsoft,postgresql,azure-cloud-config

flow: |
  code(1);
  for (let ServerData of iterate(template.serverList)) {
    ServerData = JSON.parse(ServerData);
    set("name", ServerData.Name);
    set("resourceGroup", ServerData.ResourceGroup);
    code(2);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az postgres server list --output json --query '[*].{"Name":name,"ResourceGroup":resourceGroup}'

    extractors:
      - type: json
        name: serverList
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az postgres server show --name "$name" --resource-group "$resourceGroup" --query sslEnforcement

    matchers:
      - type: word
        words:
          - '"Disabled"'

    extractors:
      - type: dsl
        dsl:
          - 'name + " in " + resourceGroup + " has SSL disabled"'
# digest: 4a0a00473045022069e317bde082a7e438c99bc1b9ac9a5bc40f4c13d29ffd07229025e5c7efdd470221009366d3c7bd716c2faa3a9de022031d87557d872cb484af42889e3816e1332d92:922c64590222798bb761d5b6d8e72950
added postgresql + redis + search + securitycenter + servicebus + tags templates 2024-09-07 09:36:05 +00:00			`id: azure-postgresql-ssl-enforcement`
			`info:`
			`name: Azure PostgreSQL SSL Enforcement Not Enabled`
			`author: princechaddha`
			`severity: high`
			`description: \|`
			`Ensure that Microsoft Azure PostgreSQL server data is encrypted in transit in order to meet security and compliance requirements. In-transit encryption helps prevent unauthorized users from getting access to critical data available in your Azure PostgreSQL databases.`
			`impact: \|`
			`Failure to enable SSL enforcement for PostgreSQL servers can lead to data being intercepted and read by unauthorized parties during transit, posing significant security and compliance risks.`
			`remediation: \|`
			`Enable SSL enforcement on all Azure PostgreSQL servers to ensure that data is encrypted in transit and protected from unauthorized access.`
			`reference:`
			`- https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security`
			`tags: cloud,devops,azure,microsoft,postgresql,azure-cloud-config`

			`flow: \|`
			`code(1);`
			`for (let ServerData of iterate(template.serverList)) {`
			`ServerData = JSON.parse(ServerData);`
			`set("name", ServerData.Name);`
			`set("resourceGroup", ServerData.ResourceGroup);`
			`code(2);`
			`}`

			`self-contained: true`
			`code:`
			`- engine:`
			`- sh`
			`- bash`
			`source: \|`
			`az postgres server list --output json --query '[*].{"Name":name,"ResourceGroup":resourceGroup}'`

			`extractors:`
			`- type: json`
			`name: serverList`
			`internal: true`
			`json:`
			`- '.[]'`

			`- engine:`
			`- sh`
			`- bash`
			`source: \|`
			`az postgres server show --name "$name" --resource-group "$resourceGroup" --query sslEnforcement`

			`matchers:`
			`- type: word`
			`words:`
			`- '"Disabled"'`

			`extractors:`
			`- type: dsl`
			`dsl:`
			`- 'name + " in " + resourceGroup + " has SSL disabled"'`
chore: sign templates 🤖 2024-09-12 05:59:14 +00:00			`# digest: 4a0a00473045022069e317bde082a7e438c99bc1b9ac9a5bc40f4c13d29ffd07229025e5c7efdd470221009366d3c7bd716c2faa3a9de022031d87557d872cb484af42889e3816e1332d92:922c64590222798bb761d5b6d8e72950`