[BUG] Description for TA-000026 misleading #299
Labels
bug
Something isn't working
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Rule TA-000026's description is "Service Fabric clusters should only use Azure Active Directory for client authentication". However, the actual rule evaluation specifically just evaluates whether AAD client auth is enabled. It does not evaluate whether other types of client auth are disabled. Service Fabric clusters also have client certificate auth in addition to AAD client auth (see docs).
Is the original intent of the rule to just check whether AAD client auth is enabled or whether AAD client auth is the only client auth enabled?
Expected behavior
Based off the current description, the rule should also validate that client certificate authentication is not enabled in addition to AAD client auth being enabled. Otherwise, the description should be updated to reflect the functionality of the rule's evaluation and simply state that the rule checks whether AAD client auth is enabled.
Reproduction Steps
N/A
Environment
N/A
The text was updated successfully, but these errors were encountered: