Added and fixed DisableLocalAuth rules

Azure · Jul 21, 2023 · 3d36c1d · 3d36c1d
1 parent 792bd87
commit 3d36c1d
Show file tree

Hide file tree

Showing 6 changed files with 51 additions and 4 deletions.
diff --git a/internal/scanners/appcs/rules.go b/internal/scanners/appcs/rules.go
@@ -103,7 +103,8 @@ func (a *AppConfigurationScanner) GetRules() map[string]scanners.AzureRule {
 			Severity:    scanners.SeverityMedium,
 			Eval: func(target interface{}, scanContext *scanners.ScanContext) (bool, string) {
 				c := target.(*armappconfiguration.ConfigurationStore)
-				return c.Properties.DisableLocalAuth != nil && !*c.Properties.DisableLocalAuth, ""
+				localAuth := c.Properties.DisableLocalAuth != nil && *c.Properties.DisableLocalAuth
+				return !localAuth, ""
 			},
 			Url: "https://learn.microsoft.com/en-us/azure/azure-app-configuration/howto-disable-access-key-authentication?tabs=portal#disable-access-key-authentication",
 		},

diff --git a/internal/scanners/cog/rules.go b/internal/scanners/cog/rules.go
@@ -87,5 +87,18 @@ func (a *CognitiveScanner) GetRules() map[string]scanners.AzureRule {
 			},
 			Url: "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json",
 		},
+		"cog-008": {
+			Id:          "cog-008",
+			Category:    scanners.RulesCategorySecurity,
+			Subcategory: scanners.RulesSubcategorySecurityIdentity,
+			Description: "Cognitive Service Account should have local authentication disabled",
+			Severity:    scanners.SeverityMedium,
+			Eval: func(target interface{}, scanContext *scanners.ScanContext) (bool, string) {
+				c := target.(*armcognitiveservices.Account)
+				localAuth := c.Properties.DisableLocalAuth != nil && *c.Properties.DisableLocalAuth
+				return !localAuth, ""
+			},
+			Url: "https://learn.microsoft.com/en-us/azure/ai-services/policy-reference#azure-ai-services",
+		},
 	}
 }
diff --git a/internal/scanners/cog/rules_test.go b/internal/scanners/cog/rules_test.go
@@ -107,6 +107,36 @@ func TestCognitiveScanner_Rules(t *testing.T) {
 				result: "",
 			},
 		},
+		{
+			name: "CognitiveScanner DisableLocalAuth nil",
+			fields: fields{
+				rule: "cog-008",
+				target: &armcognitiveservices.Account{
+					Properties: &armcognitiveservices.AccountProperties{},
+				},
+				scanContext: &scanners.ScanContext{},
+			},
+			want: want{
+				broken: true,
+				result: "",
+			},
+		},
+		{
+			name: "CognitiveScanner DisableLocalAuth true",
+			fields: fields{
+				rule: "cog-008",
+				target: &armcognitiveservices.Account{
+					Properties: &armcognitiveservices.AccountProperties{
+						DisableLocalAuth: to.BoolPtr(true),
+					},
+				},
+				scanContext: &scanners.ScanContext{},
+			},
+			want: want{
+				broken: false,
+				result: "",
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

diff --git a/internal/scanners/evgd/rules.go b/internal/scanners/evgd/rules.go
@@ -94,7 +94,8 @@ func (a *EventGridScanner) GetRules() map[string]scanners.AzureRule {
 			Severity:    scanners.SeverityMedium,
 			Eval: func(target interface{}, scanContext *scanners.ScanContext) (bool, string) {
 				c := target.(*armeventgrid.Domain)
-				return c.Properties.DisableLocalAuth != nil && !*c.Properties.DisableLocalAuth, ""
+				localAuth := c.Properties.DisableLocalAuth != nil && *c.Properties.DisableLocalAuth
+				return !localAuth, ""
 			},
 			Url: "https://learn.microsoft.com/en-us/azure/event-grid/authenticate-with-access-keys-shared-access-signatures",
 		},

diff --git a/internal/scanners/evh/rules.go b/internal/scanners/evh/rules.go
@@ -114,7 +114,8 @@ func (a *EventHubScanner) GetRules() map[string]scanners.AzureRule {
 			Severity:    scanners.SeverityMedium,
 			Eval: func(target interface{}, scanContext *scanners.ScanContext) (bool, string) {
 				c := target.(*armeventhub.EHNamespace)
-				return c.Properties.DisableLocalAuth != nil && !*c.Properties.DisableLocalAuth, ""
+				localAuth := c.Properties.DisableLocalAuth != nil && *c.Properties.DisableLocalAuth
+				return !localAuth, ""
 			},
 			Url: "https://learn.microsoft.com/en-us/azure/event-hubs/authorize-access-event-hubs#shared-access-signatures",
 		},

diff --git a/internal/scanners/sb/rules.go b/internal/scanners/sb/rules.go
@@ -115,7 +115,8 @@ func (a *ServiceBusScanner) GetRules() map[string]scanners.AzureRule {
 			Severity:    scanners.SeverityMedium,
 			Eval: func(target interface{}, scanContext *scanners.ScanContext) (bool, string) {
 				c := target.(*armservicebus.SBNamespace)
-				return c.Properties.DisableLocalAuth != nil && !*c.Properties.DisableLocalAuth, ""
+				localAuth := c.Properties.DisableLocalAuth != nil && *c.Properties.DisableLocalAuth
+				return !localAuth, ""
 			},
 			Url: "https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-sas",
 		},