55 lines
2.0 KiB
YAML
55 lines
2.0 KiB
YAML
id: azure-postgresql-ssl-enforcement
|
|
info:
|
|
name: Azure PostgreSQL SSL Enforcement Not Enabled
|
|
author: princechaddha
|
|
severity: high
|
|
description: |
|
|
Ensure that Microsoft Azure PostgreSQL server data is encrypted in transit in order to meet security and compliance requirements. In-transit encryption helps prevent unauthorized users from getting access to critical data available in your Azure PostgreSQL databases.
|
|
impact: |
|
|
Failure to enable SSL enforcement for PostgreSQL servers can lead to data being intercepted and read by unauthorized parties during transit, posing significant security and compliance risks.
|
|
remediation: |
|
|
Enable SSL enforcement on all Azure PostgreSQL servers to ensure that data is encrypted in transit and protected from unauthorized access.
|
|
reference:
|
|
- https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security
|
|
tags: cloud,devops,azure,microsoft,postgresql,azure-cloud-config
|
|
|
|
flow: |
|
|
code(1);
|
|
for (let ServerData of iterate(template.serverList)) {
|
|
ServerData = JSON.parse(ServerData);
|
|
set("name", ServerData.Name);
|
|
set("resourceGroup", ServerData.ResourceGroup);
|
|
code(2);
|
|
}
|
|
|
|
self-contained: true
|
|
code:
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: |
|
|
az postgres server list --output json --query '[*].{"Name":name,"ResourceGroup":resourceGroup}'
|
|
|
|
extractors:
|
|
- type: json
|
|
name: serverList
|
|
internal: true
|
|
json:
|
|
- '.[]'
|
|
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: |
|
|
az postgres server show --name "$name" --resource-group "$resourceGroup" --query sslEnforcement
|
|
|
|
matchers:
|
|
- type: word
|
|
words:
|
|
- '"Disabled"'
|
|
|
|
extractors:
|
|
- type: dsl
|
|
dsl:
|
|
- 'name + " in " + resourceGroup + " has SSL disabled"'
|
|
# digest: 4a0a00473045022069e317bde082a7e438c99bc1b9ac9a5bc40f4c13d29ffd07229025e5c7efdd470221009366d3c7bd716c2faa3a9de022031d87557d872cb484af42889e3816e1332d92:922c64590222798bb761d5b6d8e72950 |