prancer-io / prancer-compliance-test

This repository includes cloud security policies for IaC and live resources.
https://www.prancer.io

Test evidence of PR: https://github.com/prancer-io/prancer-compliance-test/pull/547 #546

Closed rezoan closed 1 year ago

rezoan commented 1 year ago

Template url:

rezoan commented 1 year ago

Failed case scenario of PR-AZR-ARM-SQL-076:

image

rezoan commented 1 year ago

Pass case scenario of PR-AZR-ARM-SQL-076:

image

rezoan commented 1 year ago

Pass case scenario of PR-AZR-ARM-SQL-077:

image

rezoan commented 1 year ago

Failed case scenario of PR-AZR-ARM-SQL-077:

image

rezoan commented 1 year ago

Failed case scenario of PR-AZR-ARM-SQL-078:

image

rezoan commented 1 year ago

Pass case scenario of PR-AZR-ARM-SQL-078:

image

rezoan commented 1 year ago

Failed case scenario of PR-AZR-ARM-SQL-079:

image

rezoan commented 1 year ago

Pass case scenario of PR-AZR-ARM-SQL-079:

image

rezoan commented 1 year ago

Pass case scenario of PR-AZR-CLD-SQL-076:

image

rezoan commented 1 year ago

Failed case scenario of PR-AZR-CLD-SQL-076:

image

rezoan commented 1 year ago

Failed case scenario of PR-AZR-CLD-SQL-077:

image

rezoan commented 1 year ago

Passed case scenario of PR-AZR-CLD-SQL-077:

image

rezoan commented 1 year ago

Passed case scenario of PR-AZR-CLD-SQL-078:

image

rezoan commented 1 year ago

Failed case scenario of PR-AZR-CLD-SQL-078:

image

rezoan commented 1 year ago

Passed case scenario of PR-AZR-CLD-SQL-079:

image

rezoan commented 1 year ago

Failed case scenario of PR-AZR-CLD-SQL-079:

image

rezoan commented 1 year ago

Failed case scenario of PR-AZR-TRF-SQL-076:

image

rezoan commented 1 year ago

Pass case scenario of PR-AZR-TRF-SQL-076:

image

rezoan commented 1 year ago

Pass case scenario of PR-AZR-TRF-SQL-077:

image

rezoan commented 1 year ago

Failed case scenario of PR-AZR-TRF-SQL-077:

image

rezoan commented 1 year ago

Failed case scenario of PR-AZR-TRF-SQL-078:

image

rezoan commented 1 year ago

Pass case scenario of PR-AZR-TRF-SQL-078:

image

rezoan commented 1 year ago

Failed case scenario of PR-AZR-TRF-SQL-079:

image

rezoan commented 1 year ago

Passed case scenario of PR-AZR-TRF-SQL-079:

image

rezoan commented 1 year ago

Prancer CLI test output for Azure ARM policies:

2023-02-10 03:48:41,725 - SNAPSHOTS COMPLETE:
2023-02-10 03:48:42,276 -   TESTID: PR-AZR-ARM-SQL-076
2023-02-10 03:48:42,276 -       SNAPSHOTID: ARM_TEMPLATE_SNAPSHOTBJjra2
2023-02-10 03:48:42,277 -       PATHS: 
2023-02-10 03:48:42,277 -            /SQL/sql-encryption-protector-byok/azuredeploy.json
2023-02-10 03:48:42,277 -            /SQL/sql-encryption-protector-byok/azuredeploy.parameters.json
2023-02-10 03:48:42,277 -       TITLE: Azure SQL Server should have private endpoints configured
2023-02-10 03:48:42,277 -       DESCRIPTION: Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Server.
2023-02-10 03:48:42,277 -       RULE: file(sql_servers.rego)
2023-02-10 03:48:42,277 -       ERROR: Azure Container registries currently dont have private endpoints configured
2023-02-10 03:48:42,277 -       REMEDIATION: In Resource of type 'microsoft.sql/servers/privateendpointconnections' make sure properties.privateLinkServiceConnectionState.status exists and has value 'Approved'.<br>Please visit <a href='https://learn.microsoft.com/en-us/azure/templates/microsoft.sql/servers/privateendpointconnections?pivots=deployment-language-arm-template' target='_blank'>here</a> for more details.
2023-02-10 03:48:42,277 -       RESULT: failed
2023-02-10 03:48:42,458 -   TESTID: PR-AZR-ARM-SQL-076
2023-02-10 03:48:42,459 -       SNAPSHOTID: ARM_TEMPLATE_SNAPSHOTBJjra4
2023-02-10 03:48:42,459 -       PATHS: 
2023-02-10 03:48:42,459 -            /SQL/SQL-Server/sql.azuredeploy.json
2023-02-10 03:48:42,459 -            /SQL/SQL-Server/sql.azuredeploy.parameters.json
2023-02-10 03:48:42,459 -       TITLE: Azure SQL Server should have private endpoints configured
2023-02-10 03:48:42,459 -       DESCRIPTION: Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Server.
2023-02-10 03:48:42,460 -       RULE: file(sql_servers.rego)
2023-02-10 03:48:42,460 -       ERROR: Azure Container registries currently dont have private endpoints configured
2023-02-10 03:48:42,460 -       REMEDIATION: In Resource of type 'microsoft.sql/servers/privateendpointconnections' make sure properties.privateLinkServiceConnectionState.status exists and has value 'Approved'.<br>Please visit <a href='https://learn.microsoft.com/en-us/azure/templates/microsoft.sql/servers/privateendpointconnections?pivots=deployment-language-arm-template' target='_blank'>here</a> for more details.
2023-02-10 03:48:42,460 -       RESULT: failed
2023-02-10 03:48:42,669 -   TESTID: PR-AZR-ARM-SQL-077
2023-02-10 03:48:42,669 -       SNAPSHOTID: ARM_TEMPLATE_SNAPSHOTBJjra2
2023-02-10 03:48:42,669 -       PATHS: 
2023-02-10 03:48:42,670 -            /SQL/sql-encryption-protector-byok/azuredeploy.json
2023-02-10 03:48:42,670 -            /SQL/sql-encryption-protector-byok/azuredeploy.parameters.json
2023-02-10 03:48:42,670 -       TITLE: Ensure SQL Server AD and SQL authentication is enabled
2023-02-10 03:48:42,670 -       RULE: file(sql_servers.rego)
2023-02-10 03:48:42,670 -       RESULT: passed
2023-02-10 03:48:42,837 -   TESTID: PR-AZR-ARM-SQL-077
2023-02-10 03:48:42,838 -       SNAPSHOTID: ARM_TEMPLATE_SNAPSHOTBJjra4
2023-02-10 03:48:42,838 -       PATHS: 
2023-02-10 03:48:42,840 -            /SQL/SQL-Server/sql.azuredeploy.json
2023-02-10 03:48:42,840 -            /SQL/SQL-Server/sql.azuredeploy.parameters.json
2023-02-10 03:48:42,841 -       TITLE: Ensure SQL Server AD and SQL authentication is enabled
2023-02-10 03:48:42,842 -       RULE: file(sql_servers.rego)
2023-02-10 03:48:42,843 -       RESULT: passed
2023-02-10 03:48:42,964 -   TESTID: PR-AZR-ARM-SQL-078
2023-02-10 03:48:42,965 -       SNAPSHOTID: ARM_TEMPLATE_SNAPSHOTBJjra1
2023-02-10 03:48:42,965 -       PATHS: 
2023-02-10 03:48:42,965 -            /SQL/SQL-DB/sqldb.azuredeploy.json
2023-02-10 03:48:42,965 -            /SQL/SQL-DB/sqldb.azuredeploy.parameters.json
2023-02-10 03:48:42,965 -       TITLE: Azure SQL Server Database backup storage redundancy should configure to use locally redundant backup storage
2023-02-10 03:48:42,965 -       DESCRIPTION: This policy will identify Azure SQL Server database which is not configured to use locally redundant backup storage for backup storage redundancy
2023-02-10 03:48:42,965 -       RULE: file(sql_database.rego)
2023-02-10 03:48:42,965 -       ERROR: Azure SQL databases attribute 'requestedBackupStorageRedundancy' is missing from the resource. make sure to the value is set to 'Local'
2023-02-10 03:48:42,965 -       REMEDIATION: In Resource of type 'microsoft.sql/servers/databases' make sure properties.requestedBackupStorageRedundancy exists and has value set to 'Local'.<br>Please visit <a href='https://learn.microsoft.com/en-us/azure/templates/microsoft.sql/servers/databases?pivots=deployment-language-arm-template' target='_blank'>here</a> for more details.
2023-02-10 03:48:42,966 -       RESULT: failed
2023-02-10 03:48:43,082 -   TESTID: PR-AZR-ARM-SQL-079
2023-02-10 03:48:43,082 -       SNAPSHOTID: ARM_TEMPLATE_SNAPSHOTBJjra1
2023-02-10 03:48:43,082 -       PATHS: 
2023-02-10 03:48:43,082 -            /SQL/SQL-DB/sqldb.azuredeploy.json
2023-02-10 03:48:43,083 -            /SQL/SQL-DB/sqldb.azuredeploy.parameters.json
2023-02-10 03:48:43,083 -       TITLE: Azure SQL Server Database Point in time restore retention configuration should be set for minimum 35 days
2023-02-10 03:48:43,083 -       DESCRIPTION: This policy checks Azure SQL Databases whose Point in time restore retention configuration is not configured for minimum 35 days.
2023-02-10 03:48:43,083 -       RULE: file(sql_database.rego)
2023-02-10 03:48:43,083 -       ERROR: Azure SQL Database backupshorttermretentionpolicies attribute 'retentionDays' is missing
2023-02-10 03:48:43,085 -       REMEDIATION: In Resource of type 'microsoft.sql/servers/databases/backupshorttermretentionpolicies' make sure properties.retentionDays exists and has value set to '35'.<br>Please visit <a href='https://learn.microsoft.com/en-us/azure/templates/microsoft.sql/servers/databases/backupshorttermretentionpolicies?pivots=deployment-language-arm-template' target='_blank'>here</a> for more details.
2023-02-10 03:48:43,085 -       RESULT: failed
2023-02-10 03:48:43,093 - VALIDATION COMPLETE:
2023-02-10 03:48:43,116 -  Run Stats: {
  "start": "2023-02-10 03:48:22",
  "end": "2023-02-10 03:48:43",
  "remote": false,
  "errors": [],
  "host": "ubuntu",
  "timestamp": "2023-02-10 03:48:22",
  "jsonsource": false,
  "database": 0,
  "container": "scenario-arm-remote",
  "INCLUDESNAPSHOTS": false,
  "SNAPHSHOTIDS": [],
  "INCLUDETESTS": true,
  "TESTIDS": [
    "PR-AZR-ARM-SQL-076",
    "PR-AZR-ARM-SQL-077",
    "PR-AZR-ARM-SQL-078",
    "PR-AZR-ARM-SQL-079"
  ],
  "ONLYSNAPSHOTS": false,
  "ONLYSNAPSHOTIDS": [],
  "session_id": "session_1676058502943",
  "run_type": "CRAWL_AND_COMPLIANCE",
  "log": null,
  "duration": "20 seconds"
}

rezoan commented 1 year ago

Prancer CLI test output for Azure Terraform policies:

2023-02-10 04:05:45,155 - SNAPSHOTS COMPLETE:
2023-02-10 04:05:45,480 -   TESTID: PR-AZR-TRF-SQL-076
2023-02-10 04:05:45,482 -       SNAPSHOTID: TRF_TEMPLATE_SNAPSHOTnpBBz38
2023-02-10 04:05:45,482 -       PATHS: 
2023-02-10 04:05:45,482 -            /azure/mssql_servers/terraform.tfvars
2023-02-10 04:05:45,482 -            /azure/mssql_servers/vars.tf
2023-02-10 04:05:45,482 -            /azure/mssql_servers/provider.tf
2023-02-10 04:05:45,483 -            /azure/mssql_servers/main.tf
2023-02-10 04:05:45,483 -       TITLE: Azure SQL Server should have private endpoints configured
2023-02-10 04:05:45,484 -       DESCRIPTION: Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Server.
2023-02-10 04:05:45,484 -       RULE: file(sql_servers.rego)
2023-02-10 04:05:45,485 -       ERROR: azurerm_mssql_server should have link with azurerm_private_endpoint and azurerm_private_endpoint's private_service_connection either need to have 'private_connection_resource_id' or 'private_connection_resource_alias' property. Seems there is no link established or mentioed properties are missing.
2023-02-10 04:05:45,485 -       REMEDIATION: In 'azurerm_private_endpoint' resource, make sure properties.private_service_connection.private_connection_resource_id contains id of target azurerm_mssql_server to fix the issue. please visit <a href='https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint' target='_blank'>here</a> for details.
2023-02-10 04:05:45,485 -       RESULT: failed
2023-02-10 04:05:45,621 -   TESTID: PR-AZR-TRF-SQL-077
2023-02-10 04:05:45,623 -       SNAPSHOTID: TRF_TEMPLATE_SNAPSHOTnpBBz38
2023-02-10 04:05:45,625 -       PATHS: 
2023-02-10 04:05:45,626 -            /azure/mssql_servers/terraform.tfvars
2023-02-10 04:05:45,627 -            /azure/mssql_servers/vars.tf
2023-02-10 04:05:45,628 -            /azure/mssql_servers/provider.tf
2023-02-10 04:05:45,628 -            /azure/mssql_servers/main.tf
2023-02-10 04:05:45,628 -       TITLE: Ensure SQL Server AD and SQL authentication is enabled
2023-02-10 04:05:45,629 -       RULE: file(dbadministrators.rego)
2023-02-10 04:05:45,629 -       RESULT: passed
2023-02-10 04:05:45,794 -   TESTID: PR-AZR-TRF-SQL-078
2023-02-10 04:05:45,797 -       SNAPSHOTID: TRF_TEMPLATE_SNAPSHOTnpBBz38
2023-02-10 04:05:45,797 -       PATHS: 
2023-02-10 04:05:45,799 -            /azure/mssql_servers/terraform.tfvars
2023-02-10 04:05:45,800 -            /azure/mssql_servers/vars.tf
2023-02-10 04:05:45,802 -            /azure/mssql_servers/provider.tf
2023-02-10 04:05:45,803 -            /azure/mssql_servers/main.tf
2023-02-10 04:05:45,804 -       TITLE: Azure SQL Server Database backup storage redundancy should configure to use locally redundant backup storage
2023-02-10 04:05:45,804 -       DESCRIPTION: This policy will identify Azure SQL Server database which is not configured to use locally redundant backup storage for backup storage redundancy
2023-02-10 04:05:45,804 -       RULE: file(sql_database.rego)
2023-02-10 04:05:45,805 -       ERROR: Azure SQL databases attribute 'storage_account_type' is missing from the resource. make sure to the value is set to 'Local'
2023-02-10 04:05:45,805 -       REMEDIATION: In 'azurerm_mssql_database' resource, make sure properties.storage_account_type has value 'Local' to fix the issue. please visit <a href='https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_database#storage_account_type' target='_blank'>here</a> for details.
2023-02-10 04:05:45,805 -       RESULT: failed
2023-02-10 04:05:45,932 -   TESTID: PR-AZR-TRF-SQL-079
2023-02-10 04:05:45,933 -       SNAPSHOTID: TRF_TEMPLATE_SNAPSHOTnpBBz38
2023-02-10 04:05:45,933 -       PATHS: 
2023-02-10 04:05:45,933 -            /azure/mssql_servers/terraform.tfvars
2023-02-10 04:05:45,933 -            /azure/mssql_servers/vars.tf
2023-02-10 04:05:45,934 -            /azure/mssql_servers/provider.tf
2023-02-10 04:05:45,934 -            /azure/mssql_servers/main.tf
2023-02-10 04:05:45,934 -       TITLE: Azure SQL Server Database Point in time restore retention configuration should be set for minimum 35 days
2023-02-10 04:05:45,934 -       DESCRIPTION: This policy checks Azure SQL Databases whose Point in time restore retention configuration is not configured for minimum 35 days.
2023-02-10 04:05:45,937 -       RULE: file(sql_database.rego)
2023-02-10 04:05:45,937 -       ERROR: Azure SQL Database attribute 'short_term_retention_policy.retention_days' is missing
2023-02-10 04:05:45,938 -       REMEDIATION: In 'azurerm_mssql_database' resource, make sure properties.short_term_retention_policy.retention_days has value '35' to fix the issue. please visit <a href='https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_database#retention_days' target='_blank'>here</a> for details.
2023-02-10 04:05:45,938 -       RESULT: failed
2023-02-10 04:05:45,948 - VALIDATION COMPLETE:
2023-02-10 04:05:45,988 -  Run Stats: {
  "start": "2023-02-10 04:03:18",
  "end": "2023-02-10 04:05:45",
  "remote": false,
  "errors": [],
  "host": "ubuntu",
  "timestamp": "2023-02-10 04:03:18",
  "jsonsource": false,
  "database": 0,
  "container": "scenario-terraform-azure",
  "INCLUDESNAPSHOTS": false,
  "SNAPHSHOTIDS": [],
  "INCLUDETESTS": true,
  "TESTIDS": [
    "PR-AZR-TRF-SQL-076",
    "PR-AZR-TRF-SQL-077",
    "PR-AZR-TRF-SQL-078",
    "PR-AZR-TRF-SQL-079"
  ],
  "ONLYSNAPSHOTS": false,
  "ONLYSNAPSHOTIDS": [],
  "session_id": "session_1676059398297",
  "run_type": "CRAWL_AND_COMPLIANCE",
  "log": null,
  "duration": "147 seconds"
}

rezoan commented 1 year ago

Prancer CLI test output for Azure cloud policies:

2023-02-10 04:38:55,007 - SNAPSHOTS COMPLETE:
2023-02-10 04:38:55,233 -   TESTID: PR-AZR-CLD-SQL-076
2023-02-10 04:38:55,234 -       SNAPSHOTID: AZRSNP_400121
2023-02-10 04:38:55,235 -       PATHS: 
2023-02-10 04:38:55,235 -       ERROR: have problem in running opa binary
2023-02-10 04:38:55,236 -         undefined function has_property
2023-02-10 04:38:55,236 -         location : azure/cloud/sql_servers.rego
2023-02-10 04:38:55,237 -         row : 502
2023-02-10 04:38:55,237 -         col : 5
2023-02-10 04:38:55,238 -   TESTID: PR-AZR-CLD-SQL-076
2023-02-10 04:38:55,238 -       SNAPSHOTID: AZRSNP_400121
2023-02-10 04:38:55,239 -       PATHS: 
2023-02-10 04:38:55,239 -       TITLE: Azure SQL Server should have private endpoints configured
2023-02-10 04:38:55,239 -       DESCRIPTION: Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Server.
2023-02-10 04:38:55,240 -       RULE: file(sql_servers.rego)
2023-02-10 04:38:55,240 -       ERROR: [OrderedDict([('message', 'undefined function has_property'), ('code', 'rego_type_error'), ('location', OrderedDict([('file', '/tmp/tmpse6ysacg/azure/cloud/sql_servers.rego'), ('row', 502), ('col', 5)]))])]
2023-02-10 04:38:55,240 -       REMEDIATION: 
2023-02-10 04:38:55,241 -       RESULT: FAILED
2023-02-10 04:38:55,339 -   TESTID: PR-AZR-CLD-SQL-077
2023-02-10 04:38:55,341 -       SNAPSHOTID: AZRSNP_400121
2023-02-10 04:38:55,341 -       PATHS: 
2023-02-10 04:38:55,341 -       ERROR: have problem in running opa binary
2023-02-10 04:38:55,341 -         undefined function has_property
2023-02-10 04:38:55,342 -         location : azure/cloud/sql_servers.rego
2023-02-10 04:38:55,342 -         row : 502
2023-02-10 04:38:55,342 -         col : 5
2023-02-10 04:38:55,342 -   TESTID: PR-AZR-CLD-SQL-077
2023-02-10 04:38:55,343 -       SNAPSHOTID: AZRSNP_400121
2023-02-10 04:38:55,343 -       PATHS: 
2023-02-10 04:38:55,343 -       TITLE: Ensure SQL Server AD and SQL authentication is enabled
2023-02-10 04:38:55,343 -       DESCRIPTION: This policy will identify Azure SQL Server which does not support both Azure Active Directory and Sql Authentication
2023-02-10 04:38:55,343 -       RULE: file(sql_servers.rego)
2023-02-10 04:38:55,343 -       ERROR: [OrderedDict([('message', 'undefined function has_property'), ('code', 'rego_type_error'), ('location', OrderedDict([('file', '/tmp/tmpse6ysacg/azure/cloud/sql_servers.rego'), ('row', 502), ('col', 5)]))])]
2023-02-10 04:38:55,344 -       REMEDIATION: 
2023-02-10 04:38:55,344 -       RESULT: FAILED
2023-02-10 04:38:55,438 -   TESTID: PR-AZR-CLD-SQL-078
2023-02-10 04:38:55,439 -       SNAPSHOTID: AZRSNP_264122
2023-02-10 04:38:55,440 -       PATHS: 
2023-02-10 04:38:55,440 -       TITLE: Azure SQL Server Database backup storage redundancy should configure to use locally redundant backup storage
2023-02-10 04:38:55,440 -       RULE: file(sql_database.rego)
2023-02-10 04:38:55,441 -       RESULT: passed
2023-02-10 04:38:55,534 -   TESTID: PR-AZR-CLD-SQL-079
2023-02-10 04:38:55,534 -       SNAPSHOTID: AZRSNP_264122
2023-02-10 04:38:55,534 -       PATHS: 
2023-02-10 04:38:55,534 -       TITLE: Azure SQL Server Database Point in time restore retention configuration should be set for minimum 35 days
2023-02-10 04:38:55,534 -       DESCRIPTION: This policy checks Azure SQL Databases whose Point in time restore retention configuration is not configured for minimum 35 days.
2023-02-10 04:38:55,535 -       RULE: file(sql_database.rego)
2023-02-10 04:38:55,535 -       ERROR: Azure SQL Database backupshorttermretentionpolicies attribute 'retentionDays' is missing
2023-02-10 04:38:55,535 -       REMEDIATION: 01. From Azure portal, go to Azure SQL server configuration and click on Backups.<br>02. Select the database and configured policies.<br>03. Move the slider to increase the PITR value to 35 days.
2023-02-10 04:38:55,535 -       RESULT: failed
2023-02-10 04:38:55,539 - VALIDATION COMPLETE:
2023-02-10 04:38:55,543 -  Run Stats: {
  "start": "2023-02-10 04:00:14",
  "end": "2023-02-10 04:38:55",
  "remote": false,
  "errors": [],
  "host": "ubuntu",
  "timestamp": "2023-02-10 04:00:14",
  "jsonsource": false,
  "database": 0,
  "container": "scenario-azure",
  "CLEANING_REPOS": [],
  "INCLUDESNAPSHOTS": false,
  "SNAPHSHOTIDS": [],
  "INCLUDETESTS": true,
  "TESTIDS": [
    "PR-AZR-CLD-SQL-076",
    "PR-AZR-CLD-SQL-077",
    "PR-AZR-CLD-SQL-078",
    "PR-AZR-CLD-SQL-079"
  ],
  "ONLYSNAPSHOTS": false,
  "ONLYSNAPSHOTIDS": [],
  "session_id": "session_1676059214886",
  "run_type": "CRAWL_AND_COMPLIANCE",
  "log": null,
  "duration": "2320 seconds"
}