ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6382/terraform/rule.adoc

159 lines
4.9 KiB
Plaintext
Raw Normal View History

Create rule S6382[terraform]: Disabling certificate-based authentication is security-sensitive (#594) * Create rule S6382 * Create rule S6382[terraform]: Disabling certificate-based authentication is security-sensitive * Update rules/S6382/terraform/metadata.json * Update rules/S6382/terraform/metadata.json Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * improved the rule after recos and S6380 recos * reworked the sentence for clarity * Update rules/S6382/terraform/rule.adoc * Update rules/S6382/terraform/rule.adoc * Update rules/S6382/terraform/rule.adoc * Update rules/S6382/terraform/rule.adoc * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/metadata.json Co-authored-by: loris-s-sonarsource <loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com> Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com>
2022-01-03 15:47:06 +00:00
Disabling certificate-based authentication can reduce an organization's ability to react against attacks on its critical functions and data if any.
Azure offers various authentication options to access resources: Anonymous connections, Basic authentication, password-based authentication, and certificate-based authentication.
Choosing certificate-based authentication helps bring client/host trust by allowing the host to verify the client and vice versa.
In case of a security incident, certificates help bring investigators traceability and allow security operations teams to react faster (by massively revoking certificates, for example).
== Ask Yourself Whether
* This Azure resource is essential for the information system infrastructure.
* This Azure resource is essential for mission-critical functions.
* Compliance policies require access to this resource to be authenticated with certificates.
There is a risk if you answered yes to any of those questions.
== Recommended Secure Coding Practices
Enable certificate-based authentication.
== Sensitive Code Example
For https://azure.microsoft.com/en-us/services/app-service/[App Service]:
----
resource "azurerm_app_service" "example" {
client_cert_enabled = false # Sensitive
}
----
For https://azure.microsoft.com/en-us/services/logic-apps/[Logic App Standards] and https://azure.microsoft.com/en-us/services/functions/[Function Apps]:
----
resource "azurerm_function_app" "example" {
client_cert_mode = "Optional" # Sensitive
}
----
For https://azure.microsoft.com/en-us/services/data-factory/[Data Factory Linked Services]:
----
resource "azurerm_data_factory_linked_service_web" "example" {
authentication_type = "Basic" # Sensitive
}
----
For https://azure.microsoft.com/en-us/services/api-management/[API Management]:
----
resource "azurerm_api_management" "example" {
sku_name = "Consumption_1"
client_certificate_mode = "Optional" # Sensitive
}
----
For https://azure.microsoft.com/fr-fr/services/app-service/containers/[Linux and Windows Web Apps]:
----
resource "azurerm_linux_web_app" "example" {
client_cert_enabled = false # Sensitive
}
resource "azurerm_linux_web_app" "exemple2" {
client_cert_enabled = true
client_cert_mode = "Optional" # Sensitive
}
----
== Compliant Solution
For https://azure.microsoft.com/en-us/services/app-service/[App Service]:
RULEAPI-661: Add syntax coloring
2022-02-04 17:28:24 +01:00
[source,terraform]
Create rule S6382[terraform]: Disabling certificate-based authentication is security-sensitive (#594) * Create rule S6382 * Create rule S6382[terraform]: Disabling certificate-based authentication is security-sensitive * Update rules/S6382/terraform/metadata.json * Update rules/S6382/terraform/metadata.json Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * improved the rule after recos and S6380 recos * reworked the sentence for clarity * Update rules/S6382/terraform/rule.adoc * Update rules/S6382/terraform/rule.adoc * Update rules/S6382/terraform/rule.adoc * Update rules/S6382/terraform/rule.adoc * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/metadata.json Co-authored-by: loris-s-sonarsource <loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com> Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com>
2022-01-03 15:47:06 +00:00
----
resource "azurerm_app_service" "example" {
client_cert_enabled = true
}
----
For https://azure.microsoft.com/en-us/services/logic-apps/[Logic App Standards] and https://azure.microsoft.com/en-us/services/functions/[Function Apps]:
RULEAPI-661: Add syntax coloring
2022-02-04 17:28:24 +01:00
[source,terraform]
Create rule S6382[terraform]: Disabling certificate-based authentication is security-sensitive (#594) * Create rule S6382 * Create rule S6382[terraform]: Disabling certificate-based authentication is security-sensitive * Update rules/S6382/terraform/metadata.json * Update rules/S6382/terraform/metadata.json Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * improved the rule after recos and S6380 recos * reworked the sentence for clarity * Update rules/S6382/terraform/rule.adoc * Update rules/S6382/terraform/rule.adoc * Update rules/S6382/terraform/rule.adoc * Update rules/S6382/terraform/rule.adoc * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/metadata.json Co-authored-by: loris-s-sonarsource <loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com> Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com>
2022-01-03 15:47:06 +00:00
----
resource "azurerm_function_app" "example" {
client_cert_mode = "Required"
}
----
For https://azure.microsoft.com/en-us/services/data-factory/[Data Factory Linked Services]:
RULEAPI-661: Add syntax coloring
2022-02-04 17:28:24 +01:00
[source,terraform]
Create rule S6382[terraform]: Disabling certificate-based authentication is security-sensitive (#594) * Create rule S6382 * Create rule S6382[terraform]: Disabling certificate-based authentication is security-sensitive * Update rules/S6382/terraform/metadata.json * Update rules/S6382/terraform/metadata.json Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * improved the rule after recos and S6380 recos * reworked the sentence for clarity * Update rules/S6382/terraform/rule.adoc * Update rules/S6382/terraform/rule.adoc * Update rules/S6382/terraform/rule.adoc * Update rules/S6382/terraform/rule.adoc * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/metadata.json Co-authored-by: loris-s-sonarsource <loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com> Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com>
2022-01-03 15:47:06 +00:00
----
resource "azurerm_data_factory_linked_service_web" "example" {
authentication_type = "ClientCertificate"
}
----
For https://azure.microsoft.com/en-us/services/api-management/[API Management]:
RULEAPI-661: Add syntax coloring
2022-02-04 17:28:24 +01:00
[source,terraform]
Create rule S6382[terraform]: Disabling certificate-based authentication is security-sensitive (#594) * Create rule S6382 * Create rule S6382[terraform]: Disabling certificate-based authentication is security-sensitive * Update rules/S6382/terraform/metadata.json * Update rules/S6382/terraform/metadata.json Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * improved the rule after recos and S6380 recos * reworked the sentence for clarity * Update rules/S6382/terraform/rule.adoc * Update rules/S6382/terraform/rule.adoc * Update rules/S6382/terraform/rule.adoc * Update rules/S6382/terraform/rule.adoc * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/metadata.json Co-authored-by: loris-s-sonarsource <loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com> Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com>
2022-01-03 15:47:06 +00:00
----
resource "azurerm_api_management" "example" {
sku_name = "Consumption_1"
client_certificate_mode = "Required"
}
----
For https://azure.microsoft.com/fr-fr/services/app-service/containers/[Linux and Windows Web Apps]:
RULEAPI-661: Add syntax coloring
2022-02-04 17:28:24 +01:00
[source,terraform]
Create rule S6382[terraform]: Disabling certificate-based authentication is security-sensitive (#594) * Create rule S6382 * Create rule S6382[terraform]: Disabling certificate-based authentication is security-sensitive * Update rules/S6382/terraform/metadata.json * Update rules/S6382/terraform/metadata.json Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * improved the rule after recos and S6380 recos * reworked the sentence for clarity * Update rules/S6382/terraform/rule.adoc * Update rules/S6382/terraform/rule.adoc * Update rules/S6382/terraform/rule.adoc * Update rules/S6382/terraform/rule.adoc * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/metadata.json Co-authored-by: loris-s-sonarsource <loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com> Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com>
2022-01-03 15:47:06 +00:00
----
resource "azurerm_linux_web_app" "exemple" {
client_cert_enabled = true
client_cert_mode = "Required"
}
----
== See
* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Boken Access Control
Fix typo in OWASP links from the See section (#807) * Fix typos in OWASP Top 10 2017 links * Fixing wrong URI in OWASP Top 10 2021 A4 links
2022-02-10 09:11:45 +01:00
* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
RULEAPI-755 Update CWE URLs by removing .html suffix and update with https protocol (#926) * Change affects only see.adoc and rule.adoc files, not comments-and-links.adoc files
2022-04-07 08:53:59 -05:00
* https://cwe.mitre.org/data/definitions/668[MITRE, CWE-668] - Exposure of Resource to Wrong Sphere
Create rule S6382[terraform]: Disabling certificate-based authentication is security-sensitive (#594) * Create rule S6382 * Create rule S6382[terraform]: Disabling certificate-based authentication is security-sensitive * Update rules/S6382/terraform/metadata.json * Update rules/S6382/terraform/metadata.json Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * improved the rule after recos and S6380 recos * reworked the sentence for clarity * Update rules/S6382/terraform/rule.adoc * Update rules/S6382/terraform/rule.adoc * Update rules/S6382/terraform/rule.adoc * Update rules/S6382/terraform/rule.adoc * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/rule.adoc Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> * Update rules/S6382/terraform/metadata.json Co-authored-by: loris-s-sonarsource <loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com> Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com>
2022-01-03 15:47:06 +00:00
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
For these resources:
* `api_management`:
* `app_service`
* `data_factory_linked_service_sftp`
* `data_factory_linked_service_web`
* `linux_web_app`
* `windows_web_app` (if both parameters are non-compliant, flag `client_cert_enabled` first)
These messages apply:
* If an assignment is missing: Omitting {property_name} disables certificate-based authentication. Make sure it is safe here.
* If the assignment is security-sensitive: Make sure that disabling certificate-based authentication is safe here.
* For `function_app` and `logic_app_standard`:
** Omitting `client_cert_mode` makes certificate-based authentication optional. Make sure it is safe here.
** Make sure that setting certificate-based authentication as optional is safe here.
Make sure that disabling certificate-based authentication is safe here.
=== Highlighting
* If one (out of one) assignement is missing: Highlight the resource
* If an assignement is security-sensitive: Highlight the assignement
* For `linux_web_app` and `windows_web_app`:
** If both assignements are present and security-sensitive: Highlight `client_cert_enabled = false`
endif::env-github,rspecator-view[]
Reference in New Issue Copy Permalink