KICS Auto Remediation: support for Ansible [AZURE] queries

Open rafaela-soares opened this issue 3 years ago • 0 comments

Description

At the moment, KICS provides auto remediation for simple replacements and simple additions in a single line in Terraform queries. It would be great if this feature was also implemented for Ansible [AZURE] queries.

Steps

  1. Add `remediation` and `remediation_type` in the following queries:

| QUERY NAME | QUERY ID | REMEDIATION |
| --- | --- | --- |
| Admin User Enabled For Container Registry | 29f35127-98e6-43af-8ec1-201b79f99604 | Replacement |
| AKS Monitoring Logging Disabled | d5e83b32-56dd-4247-8c2e-074f43b38a5e | Replacement |
| AKS RBAC Disabled | 149fa56c-4404-4f90-9e25-d34b676d5b39 | Replacement, Addition |
| Default Network Access is Allowed | 974e6fe7-63fd-4fa4-aa72-77b21a4a959d | Replacement |
| Firewall Rule Allows Too Many Hosts To Access Redis Cache | 69f72007-502e-457b-bd2d-5012e31ac049 | Replacement |
| Key Vault Soft Delete Is Disabled | 881696a8-68c5-4073-85bc-7c38a3deb854 | Replacement, Addition |
| Log Retention Is Not Set | 0461b4fd-21ef-4687-929e-484ee4796785 | Replacement |
| Monitoring Log Profile Without All Activities | 89f84a1e-75f8-47c5-83b5-bee8e2de4168 | Replacement |
| MySQL SSL Connection Disabled | 2a901825-0f3b-4655-a0fe-e0470e50f8e6 | Replacement, Addition |
| PostgreSQL Log Checkpoints Disabled | 7ab33ac0-e4a3-418f-a673-50da4e34df21 | Replacement |
| PostgreSQL Log Connections Not Set | 7b47138f-ec0e-47dc-8516-e7728fe3cc17 | Replacement |
| PostgreSQL Log Duration Not Set | 729ebb15-8060-40f7-9017-cb72676a5487 | Replacement |
| PostgreSQL Server Without Connection Throttling | a9becca7-892a-4af7-b9e1-44bf20a4cd9a | Replacement |
| PostgreSQL Log Disconnections Not Set | 054d07b5-941b-4c28-8eef-18989dc62323 | Replacement |
| Public Storage Account | 35e2f133-a395-40de-a79d-b260d973d1bd | Replacement |
| Redis Cache Allows Non SSL Connections | 869e7fb4-30f0-4bdb-b360-ad548f337f2f | Replacement |
| Small Activity Log Retention Period | 37fafbea-dedb-4e0d-852e-d16ee0589326 | Replacement, Addition |
| SSL Enforce Disabled | 961ce567-a16d-4d7d-9027-f0ec2628a555 | Replacement, Addition |
| Storage Account Not Forcing HTTPS | 2c99a474-2a3c-4c17-8294-53ffa5ed0522 | Replacement, Addition |
| Storage Account Not Using Latest TLS Encryption Version | c62746cf-92d5-4649-9acf-7d48d086f2ee | Replacement, Addition |
| Web App Accepting Traffic Other Than HTTPS | eb8c2560-8bee-4248-9d0d-e80c8641dd91 | Replacement, Addition |

  2. Change `test/queries_test.go` (line 262) and `pkg/remediation/utils.go` (line 37)

  3. Test through `go test ./test --timeout 1500s -v`

Documentation

KICS AR docs

PR KICS AR support

rafaela-soares, Oct 03 '22 15:10