kics
KICS Auto Remediation: support for Azure Resource Manager queries
Description
At the moment, KICS provides auto remediation for simple replacements and simple additions in a single line in Terraform queries. It would be great if this feature was also implemented for Azure Resource Manager queries.
Steps
- Add `remediation` and `remediation_type` in the following queries:
QUERY NAME | QUERY ID | REMEDIATION TYPE |
---|---|---|
Account Admins Not Notified By Email | a8852cc0-fd4b-4fc7-9372-1e43fad0732e | Replacement Addition |
AKS Cluster RBAC Disabled | 9307a2ed-35c2-413d-94de-a1a0682c2158 | Replacement Addition |
AKS Dashboard Is Enabled | c62d3b92-9a11-4ffd-b7b7-6faaae83faed | Replacement |
AKS Logging To Azure Monitoring Is Disabled | 9b09dee1-f09b-4013-91d2-158fa4695f4b | Replacement |
App Service Authentication Is Not Set | 83130a07-235b-4a80-918b-a370e53f0bd9 | Replacement |
Azure Instance Using Basic Authentication | 6797f581-0433-4768-ae3e-7ceb2f8b138e | Replacement |
Azure Managed Disk Without Encryption | 350f3955-b5be-436f-afaa-3d2be2fa6cdd | Replacement |
Email Notifications Disabled | 79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92 | Replacement Addition |
Key Vault Not Recoverable | 7c25f361-7c66-44bf-9b69-022acd5eb4bd | Replacement Addition |
MySQL Server SSL Enforcement Disabled | 90120147-f2e7-4fda-bb21-6fa9109afd63 | Replacement Addition |
PostgresSQL Database Server Connection Throttling Disabled | a6d774b6-d9ea-4bf4-8433-217bf15d2fb8 | Replacement |
PostgreSQL Database Server Log Checkpoints Disabled | f9112910-c7bb-4864-9f5e-2059ba413bb7 | Replacement Addition |
PostgreSQL Database Server Log Connections Disabled | e69bda39-e1e2-47ca-b9ee-b6531b23aedd | Replacement Addition |
PostgreSQL Database Server SSL Disabled | bf500309-da53-4dd3-bcf7-95f7974545a5 | Replacement Addition |
SQL Server Database With Unrecommended Retention Days | c09cdac2-7670-458a-bf6c-efad6880973a | Replacement Addition |
Standard Price Is Not Selected | 2081c7d6-2851-4cce-bda5-cb49d462da42 | Replacement |
Storage Account Allows Default Network Access | 9073f073-5d60-4b46-b569-0d6baa80ed95 | Replacement |
Storage Account Allows Unsecure Transfer | 1367dd13-2c90-4020-80b7-e4339a3dc2c4 | Replacement |
Storage Blob Service Container With Public Access | a0ab985d-660b-41f7-ac81-70957ee8e627 | Replacement |
Storage Logging For Read Write And Delete Requests Disabled | 43f6e60c-9cdb-4e77-864d-a66595d26518 | Replacement Addition |
Unrecommended Log Profile Retention Policy | 25684eac-daaa-4c2c-94b4-8d2dbb627909 | Replacement |
Unrecommended Network Watcher Flow Log Retention Policy | 564b70f8-41cd-4690-aff8-bb53add86bc9 | Replacement |
Web App Not Using TLS Last Version | b5c851d5-00f1-43dc-a8de-3218fd6f71be | Replacement |
Website Azure Active Directory Disabled | e9c133e5-c2dd-4b7b-8fff-40f2de367b56 | Replacement |
Website Not Forcing HTTPS | 488847ff-6031-487c-bf42-98fd6ac5c9a0 | Replacement Addition |
Website with Client Certificate Auth Disabled | 92302b47-b0cc-46cb-a28f-5610ecda140b | Replacement Addition |
Website with 'Http20Enabled' Disabled | 70111098-7f85-48f0-b1b4-e4261cf5f61b | Replacement Addition |
- Change `test/queries_test.go` (line 262) and `pkg/remediation/utils.go` (line 37)
- Test through `go test ./test --timeout 1500s -v`