# Tag set shared by every control in CIS v1.4.0 section 6 (Networking).
# Extends the benchmark-wide tags (local.cis_v140_common_tags, defined
# elsewhere in the mod) with the section identifier so results can be
# grouped and filtered per section.
locals {
  cis_v140_6_common_tags = merge(
    local.cis_v140_common_tags,
    { cis_section_id = "6" }
  )
}
# Section 6 "Networking" of the CIS Microsoft Azure Foundations Benchmark v1.4.0.
# Groups the six network-exposure and network-monitoring controls below; the
# benchmark itself carries no query, it only aggregates its children's results.
benchmark "cis_v140_6" {
  title = "6 Networking"

  # Ordered as in the CIS document (6.1 .. 6.6); each child is declared in this file.
  children = [
    control.cis_v140_6_1,
    control.cis_v140_6_2,
    control.cis_v140_6_3,
    control.cis_v140_6_4,
    control.cis_v140_6_5,
    control.cis_v140_6_6
  ]

  documentation = file("./cis_v140/docs/cis_v140_6.md")

  tags = merge(
    local.cis_v140_6_common_tags,
    {
      service = "Azure/Network"
      type    = "Benchmark"
    }
  )
}
# CIS 6.1 (Level 1, automated): network security groups must not expose RDP
# to the Internet. Evaluation is delegated to
# query.network_security_group_rdp_access_restricted, defined elsewhere in the mod.
control "cis_v140_6_1" {
  title       = "6.1 Ensure that RDP access is restricted from the internet"
  description = "Disable RDP access on network security groups from the Internet."
  query       = query.network_security_group_rdp_access_restricted

  documentation = file("./cis_v140/docs/cis_v140_6_1.md")

  tags = merge(
    local.cis_v140_6_common_tags,
    {
      service     = "Azure/Network"
      cis_item_id = "6.1"
      cis_type    = "automated"
      cis_level   = "1"
    }
  )
}
# CIS 6.2 (Level 1, automated): network security groups must not expose SSH
# to the Internet. Mirrors 6.1 with the SSH-specific query,
# query.network_security_group_ssh_access_restricted (defined elsewhere in the mod).
control "cis_v140_6_2" {
  title       = "6.2 Ensure that SSH access is restricted from the internet"
  description = "Disable SSH access on network security groups from the Internet."
  query       = query.network_security_group_ssh_access_restricted

  documentation = file("./cis_v140/docs/cis_v140_6_2.md")

  tags = merge(
    local.cis_v140_6_common_tags,
    {
      service     = "Azure/Network"
      cis_item_id = "6.2"
      cis_type    = "automated"
      cis_level   = "1"
    }
  )
}
# CIS 6.3 (Level 1, automated): no SQL Database firewall may allow ingress from
# 0.0.0.0/0. Evaluation is delegated to query.sql_database_allow_internet_access
# (defined elsewhere in the mod).
# NOTE(review): the service tag is "Azure/Network" to match the CIS section even
# though the query inspects SQL databases — confirm this is what downstream
# dashboards/filters expect.
control "cis_v140_6_3" {
  title       = "6.3 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)"
  description = "Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)."
  query       = query.sql_database_allow_internet_access

  documentation = file("./cis_v140/docs/cis_v140_6_3.md")

  tags = merge(
    local.cis_v140_6_common_tags,
    {
      service     = "Azure/Network"
      cis_item_id = "6.3"
      cis_type    = "automated"
      cis_level   = "1"
    }
  )
}
# CIS 6.4 (Level 2, automated): NSG flow logs must be enabled and retained for
# at least 90 days; flow logs are the primary evidence for investigating
# network-level incidents. Evaluation is delegated to
# query.network_sg_flowlog_retention_period_greater_than_90 (defined elsewhere
# in the mod). The title ("greater than 90 days") and description ("greater
# than or equal to 90 days") are reproduced as worded in the CIS document; the
# query name suggests the boundary is implemented as its own name states —
# confirm against the query definition.
control "cis_v140_6_4" {
  title       = "6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'"
  description = "Network Security Group Flow Logs should be enabled and the retention period is set to greater than or equal to 90 days."
  query       = query.network_sg_flowlog_retention_period_greater_than_90

  documentation = file("./cis_v140/docs/cis_v140_6_4.md")

  tags = merge(
    local.cis_v140_6_common_tags,
    {
      service     = "Azure/Network"
      cis_item_id = "6.4"
      cis_type    = "automated"
      cis_level   = "2"
    }
  )
}
# CIS 6.5 (Level 1, manual): Network Watcher must be enabled for the subscription.
# Evaluation is delegated to query.network_watcher_enabled (defined elsewhere in
# the mod). This is the only control in the section tagged cis_type = "manual",
# as it is in the CIS document; presumably the query result is a starting point
# that still needs human confirmation — verify against the CIS guidance.
control "cis_v140_6_5" {
  title       = "6.5 Ensure that Network Watcher is 'Enabled'"
  description = "Enable Network Watcher for Azure subscriptions."
  query       = query.network_watcher_enabled

  documentation = file("./cis_v140/docs/cis_v140_6_5.md")

  tags = merge(
    local.cis_v140_6_common_tags,
    {
      service     = "Azure/Network"
      cis_item_id = "6.5"
      cis_type    = "manual"
      cis_level   = "1"
    }
  )
}
# CIS 6.6 (Level 1, automated): network security groups must not expose UDP
# services to the Internet. Complements 6.1/6.2, which cover the two most common
# TCP management protocols. Evaluation is delegated to
# query.network_security_group_udp_service_restricted (defined elsewhere in the mod).
control "cis_v140_6_6" {
  title       = "6.6 Ensure that UDP Services are restricted from the Internet"
  description = "Disable Internet exposed UDP ports on network security groups."
  query       = query.network_security_group_udp_service_restricted

  documentation = file("./cis_v140/docs/cis_v140_6_6.md")

  tags = merge(
    local.cis_v140_6_common_tags,
    {
      service     = "Azure/Network"
      cis_item_id = "6.6"
      cis_type    = "automated"
      cis_level   = "1"
    }
  )
}