feat(query): 6 new Beta queries and fixes for "Azure Instance Using Basic Authentication" - terraform/azure

[cx-andre-pereira]

Reason for Proposed Changes

• The current implementation of the "Azure Instance Using Basic Authentication" has a few issues:

  • Incorrect "IssueType"
  • Incorrect "searchKey" values
  • Excessive amount of lines of code
  • Missing support for the "azurerm_linux_virtual_machine_scale_set" resource.
  • Missing support for the (legacy) "azurerm_virtual_machine_scale_set" resource.

• Four new queries were asked to be implemented, all related to VM resources. The list of target resources is as follows:

  • azurerm_linux_virtual_machine
  • azurerm_linux_virtual_machine_scale_set
  • azurerm_windows_virtual_machine
  • azurerm_windows_virtual_machine_scale_set

• The legacy "azurerm_virtual_machine" resource did not, from my research, apply to any of the queries. My findings will be documented below on a per query basis.

• Finally 2 other queries targeting the "azurerm_managed_disk" disk encryption fields and the "azurerm_key_vault_key" "key_type" field, respectively, were implemented.

Proposed Changes

• Fixed all issues and added "searchLine" values for the "Azure Instance Using Basic Authentication" query.

New queries :

• 1 Beta - VM Without Admin SSH Public Key Set

  • This query targets the "admin_ssh_key.public_key" field of the "azurerm_linux_virtual_machine" and "azurerm_linux_virtual_machine_scale_set" resources. It will flag if there isn't at least one public_key set inside a admin_ssh_key block. The query takes into account the scenario of the admin_ssh_key block(s) not declaring a public_key even though the field is technically required.

  • The legacy "azurerm_virtual_machine" has the "os_profile_linux_config.ssh_keys" field which seems analog to this but, since there is already a query to enforce "os_profile_linux_config.disable_password_authentication" to be set to true, consequently making the "ssh_keys" field required, i did not find this to be worth including in the query. (said query is the one fixed by this PR - "Azure Instance Using Basic Authentication")

• 2 Beta - VM With Extension Operations Enabled

• This query was found to be applicable to all 4 VM resources, but the target field has different names depending on the resource.

• For "azurerm_windows_virtual_machine" and "azurerm_linux_virtual_machine" the target field is named "allow_extension_operations". For the other 2 "scale_set" resources the target field is "extension_operations_enabled".

• We must ensure the field is explicitly set to false since enabling extension operations is a security liability; it can lead to processes executing with unnecessary administrative privileges on the vm.

• Note that this query will likely become outdated relatively soon if a single naming convention is adopted for the 4 resources rather than keeping the 2 distinct field names.

• 3 Beta - VM With Automatic Updates Disabled

  • This query is applicable only to windows based vm resources. It targets the "enable_automatic_updates" field and the "automatic_updates_enabled" field; the latter is the new name that replaces "enable_automatic_updates" for the "azurerm_windows_virtual_machine". This change was extremely recent as of writing (less than 2 months ago - last version to support old field was 4.48), the "azurerm_windows_virtual_machine_scale_set" still uses the "enable_automatic_updates" field but it wouldn't be surprising if it changed to the new naming scheme soon.

  • Both fields are supported by the implementation. Additionally if the scale-set resource goes through the change the query will still work regardless ensuring future proofing for the query.

  • NOTE - the query targets automatic "updates", not to be confused with the automatic "upgrade" which exists in all resources including legacy ones.

• 4 Beta - Disk Encryption On Managed Disk Disabled

  • This query simply ensures that a "disk_encryption_set_id" or a "secure_vm_disk_encryption_set_id" field (mutually exclusive fields) is set for "azurerm_managed_disk" resources. This is done to ensure improved overall security for managed disks's data through extra encryption.

• 5 Beta - Key Vault Without HSM Protection

  • This query targets the "key_type" field of "azurerm_key_vault_key" resources to ensure it is set to a value that sets up encryption dependent on a HSM for overall stronger cryptography.

• 6 Beta - VM Without Encryption At Host

  • The sixth and final query applies to all 4 VM resources once again. For this one all resources set the exact same field: "encryption_at_host_enabled".

  • Although not explicitly stated it seems the default value for the field is false; with this the query ensures that the encryption_at_host_enabled field is set to true. Like other queries in this PR this is meant to improve encryption standards by ensuring all files are encrypted before they leave the physical host machine.

I submit this contribution under the Apache-2.0 license.

[github-actions]

KICS version: v2.1.13

Category Results CRITICAL 0 HIGH 0 MEDIUM 0 LOW 0 INFO 0 TRACE 0 TOTAL 0	Metric Values Files scanned 1 Files parsed 1 Files failed to scan 0 Total executed queries 47 Queries failed to execute 0 Execution time 0