forked from flexera-public/policy_templates
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmysql_ssl.pt
167 lines (149 loc) · 4.83 KB
/
mysql_ssl.pt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
name "Azure Ensure MySQL Servers Enforce SSL Connections"
rs_pt_ver 20180301
type "policy"
short_description "Report if any MySQL server instances do not enforce SSL connections. \n See the [README](https://github.com/flexera-public/policy_templates/tree/master/security/azure/mysql_ssl/) and [docs.rightscale.com/policies](https://docs.rightscale.com/policies/) to learn more."
long_description ""
category "Security"
severity "high"
default_frequency "daily"
info(
version: "2.1",
provider: "Azure",
service: "MySQL",
policy_set: "CIS",
cce_id: "",
benchmark_control: "4.4.1",
benchmark_version: "1.4.0",
cis_controls: "[\"13.10v8\", \"14.4v7\"]",
nist: "SC-8"
)
###############################################################################
# Parameters
###############################################################################
parameter "param_email" do
type "list"
label "Email addresses of the recipients you wish to notify"
end
parameter "param_azure_endpoint" do
type "string"
label "Azure Endpoint"
allowed_values "management.azure.com", "management.chinacloudapi.cn"
default "management.azure.com"
end
###############################################################################
# Authentication
###############################################################################
credentials "azure_auth" do
schemes "oauth2"
label "Azure"
description "Select the Azure Resource Manager Credential from the list."
tags "provider=azure_rm"
end
###############################################################################
# Pagination
###############################################################################
pagination "azure_pagination" do
get_page_marker do
body_path "nextLink"
end
set_page_marker do
uri true
end
end
###############################################################################
# Datasources
###############################################################################
datasource "ds_subscriptions" do
request do
auth $azure_auth
pagination $azure_pagination
host $param_azure_endpoint
path "/subscriptions/"
query "api-version","2019-06-01"
header "User-Agent", "RS Policies"
end
result do
encoding "json"
collect jmes_path(response, "value[*]") do
field "subscriptionId", jmes_path(col_item,"subscriptionId")
field "subscriptionName", jmes_path(col_item,"displayName")
end
end
end
datasource "ds_mysql_servers" do
iterate $ds_subscriptions
request do
auth $azure_auth
pagination $azure_pagination
host $param_azure_endpoint
path join(["/subscriptions/", val(iter_item, "subscriptionId"), "/providers/Microsoft.DBforMySQL/servers"])
query "api-version", "2017-12-01"
header "User-Agent", "RS Policies"
end
result do
encoding "json"
collect jmes_path(response, "value[*]") do
field "id", jmes_path(col_item, "id")
field "name", jmes_path(col_item, "name")
field "sku", jmes_path(col_item, "sku")
field "location", jmes_path(col_item, "location")
field "properties", jmes_path(col_item, "properties")
field "subscriptionId", val(iter_item, "subscriptionId")
field "subscriptionName", val(iter_item, "subscriptionName")
end
end
end
datasource "ds_bad_mysql_servers" do
run_script $js_bad_mysql_servers, $ds_mysql_servers
end
###############################################################################
# Scripts
###############################################################################
script "js_bad_mysql_servers", type: "javascript" do
parameters "ds_mysql_servers"
result "result"
code <<-EOS
result = []
_.each(ds_mysql_servers, function(server) {
if (server['properties']['sslEnforcement'] != "Enabled") {
result.push(server)
}
})
EOS
end
###############################################################################
# Policy
###############################################################################
policy "policy_mysql_ssl" do
validate $ds_bad_mysql_servers do
summary_template "{{ rs_project_name }} (Account ID: {{ rs_project_id }}): {{ len data }} Azure MySQL Server(s) Found Without Enforced SSL Connections"
escalate $esc_email
check eq(size(data),0)
export do
field "name" do
label "Name"
end
field "location" do
label "Location"
end
field "subscriptionId" do
label "Subscription ID"
end
field "subscriptionName" do
label "Subscription Name"
end
field "id" do
label "Resource ID"
end
end
end
end
###############################################################################
# Escalations
###############################################################################
escalation "esc_email" do
automatic true
label "Send Email"
description "Send incident email"
email $param_email
end