daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/cloud/azure/virtualmachines/azure-vmss-public-ip-disabl...

56 lines
2.0 KiB
YAML
Raw Blame History

id: azure-vmss-public-ip-disabled
info:
name: Azure VMSS Public IP Not Assigned
author: princechaddha
severity: high
description: |
Ensure that instances running within your Microsoft Azure virtual machine scale set (VMSS) are not configured with public IP addresses. Assigning public IP addresses to individual VMSS instances increases attack surface, making it harder to manage and secure the environment.
impact: |
Instances with public IP addresses are more exposed to potential external attacks, increasing the security risks for the Azure environment.
remediation: |
Configure your VMSS to disable public IP address assignments to its instances. Ensure that all networking is handled through internal networking resources.
reference:
- https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-networking
tags: cloud,devops,azure,microsoft,vmss,azure-cloud-config
flow: |
code(1);
for (let InstanceData of iterate(template.vmssList)) {
InstanceData = JSON.parse(InstanceData);
set("name", InstanceData.name);
set("resourceGroup", InstanceData.resourceGroup);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az vmss list --output json --query '[*].{"name":name,"resourceGroup":resourceGroup}'
extractors:
- type: json
name: vmssList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az vmss list-instance-public-ips --name "$name" --resource-group "$resourceGroup" --query '[*].ipAddress'
matchers-condition: and
matchers:
- type: word
words:
- '[]'
extractors:
- type: dsl
dsl:
- 'name + " in " + resourceGroup + " has no public IP addresses assigned."'
# digest: 4b0a00483046022100e473013237d6e8c38648a9a040c14868a74481466f9dcd3246d4b493b1d029fb02210098461ed0bfb4edccd56cf0c5d412da17c987a31c3f47150b299d756e95a1fb09:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink