feat(arm): add CKV_AZURE_178 to ensure that linux VM enables SSH with…
… keys for secure communication (#6486) * added a new arm policy for resource: LinuxVMUsesSSH * update arm policy for resource: LinuxVMUsesSSH --------- Co-authored-by: AdamDev <[email protected]>
1 parent
5492ef5
commit 7bf9456
Showing
4 changed files
with
523 additions
and
0 deletions.
@@ -0,0 +1,24 @@ | ||
from checkov.common.models.enums import CheckCategories | ||
from checkov.arm.base_resource_value_check import BaseResourceValueCheck | ||
from typing import Any | ||
from checkov.common.models.consts import ANY_VALUE | ||
|
||
|
||
class LinuxVMUsesSSH(BaseResourceValueCheck): | ||
def __init__(self) -> None: | ||
name = "Ensure linux VM enables SSH with keys for secure communication" | ||
id = "CKV_AZURE_178" | ||
supported_resources = ("Microsoft.Compute/virtualMachines", "Microsoft.Compute/virtualMachineScaleSets") | ||
categories = (CheckCategories.GENERAL_SECURITY,) | ||
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,) | ||
|
||
def get_inspected_key(self) -> str: | ||
if self.entity_type == "Microsoft.Compute/virtualMachineScaleSets": | ||
return "properties/virtualMachineProfile/osProfile/linuxConfiguration/ssh/publicKeys/[0]/path" | ||
return "properties/osProfile/linuxConfiguration/ssh/publicKeys/[0]/path" | ||
|
||
def get_expected_value(self) -> Any: | ||
return ANY_VALUE | ||
|
||
|
||
check = LinuxVMUsesSSH() |
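Review bot: `get_inspected_key` resolves to `publicKeys/[0]/path`, which is the destination path for the key on the VM rather than the key material, so a template that supplies a `path` with no `keyData` satisfies ANY_VALUE and passes a check named for key-based SSH; `keyData` is the property that carries the public key, so returning `".../ssh/publicKeys/[0]/keyData"` on both branches (or inspecting both properties) would match the intent. The branch on `self.entity_type` presumably depends on the base class populating that attribute before `get_inspected_key` is called; worth confirming against BaseResourceValueCheck. The class has no docstring; one line such as `"""Require at least one SSH public key on Linux VMs and VM scale sets (only the first publicKeys entry is inspected)."""` would document the scope. Minor style: the trailing `,)` in the single-line `super().__init__` call is unusual and reads like a leftover from a multi-line form.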
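--- /dev/null
+++ b/tests/arm/checks/resource/example_LinuxVMUsesSSH/fail.json
@@ -0,0 +1,227 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"adminUsername": {
+"type": "string",
+"defaultValue": "azureuser",
+"metadata": {
+"description": "User name for the Virtual Machine."
+}
+},
+"sshKeyData": {
+"type": "string",
+"metadata": {
+"description": "SSH rsa public key file as a string."
+}
+},
+"vmName": {
+"type": "string",
+"defaultValue": "multinicvm",
+"metadata": {
+"description": "Name of the VM"
+}
+},
+"vmSize": {
+"defaultValue": "Standard_D2_v3",
+"metadata": {
+"description": "Size of the VM"
+},
+"type": "string"
+},
+"ubuntuOSVersion": {
+"type": "string",
+"defaultValue": "18.04-LTS",
+"allowedValues": [
+"12.04.5-LTS",
+"14.04.4-LTS",
+"15.10",
+"18.04-LTS"
+],
+"metadata": {
+"description": "The Ubuntu version for the VM. This will pick a fully patched image of this given Ubuntu version. Allowed values: 12.04.5-LTS, 14.04.4-LTS, 15.10, 18.04-LTS."
+}
+},
+"location": {
+"type": "string",
+"defaultValue": "[resourceGroup().location]",
+"metadata": {
+"description": "description"
+}
+}
+},
+"variables": {
+"storageAccountName": "[concat(uniquestring(resourceGroup().id), 'samultinic')]",
+"storageAccountType": "Standard_LRS",
+"imagePublisher": "Canonical",
+"imageOffer": "UbuntuServer",
+"sshKeyPath": "[concat('/home/',parameters('adminUsername'),'/.ssh/authorized_keys')]",
+"nic1Name": "nic1",
+"nic2Name": "nic2",
+"vnetName": "vnet",
+"vnetId": "[resourceId('Microsoft.Network/virtualNetworks', variables('vnetName'))]",
+"addressPrefix": "10.0.0.0/16",
+"subnet1Name": "Frontend",
+"subnet1Id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vnetName'), variables('subnet1Name'))]",
+"subnet1Prefix": "10.0.1.0/24",
+"subnet1PrivateAddress": "10.0.1.5",
+"subnet2Name": "Web",
+"subnet2Id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vnetName'), variables('subnet2Name'))]",
+"subnet2Prefix": "10.0.2.0/24",
+"subnet2PrivateAddress": "10.0.2.5",
+"publicIPAddressName": "[concat(uniquestring(resourceGroup().id), 'PublicIp')]",
+"publicIPAddressType": "Dynamic",
+"publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]",
+"networkSecurityGroupName": "default-NSG"
+},
+"resources": [
+
+{
+"type": "Microsoft.Compute/virtualMachines",
+"apiVersion": "2020-06-01",
+"dependsOn": [
+"[resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]",
+"[resourceId('Microsoft.Network/networkInterfaces/', variables('nic1Name'))]",
+"[resourceId('Microsoft.Network/networkInterfaces/', variables('nic2Name'))]"
+],
+"location": "[parameters('location')]",
+"name": "fail",
+"properties": {
+"diagnosticsProfile": {
+"bootDiagnostics": {
+"enabled": true,
+"storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2019-06-01').primaryEndpoints.blob]"
+}
+},
+"hardwareProfile": {
+"vmSize": "[parameters('vmSize')]"
+},
+"networkProfile": {
+"networkInterfaces": [
+{
+"id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]",
+"properties": {
+"primary": true
+}
+},
+{
+"id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic2Name'))]",
+"properties": {
+"primary": false
+}
+}
+]
+},
+"osProfile": {
+"computerName": "[parameters('vmName')]",
+"adminUsername": "[parameters('adminUsername')]",
+"linuxConfiguration": {
+"disablePasswordAuthentication": true,
+"ssh": {
+"publicKeys": [
+{
+
+}
+]
+}
+}
+},
+"storageProfile": {
+"imageReference": {
+"publisher": "[variables('imagePublisher')]",
+"offer": "[variables('imageOffer')]",
+"sku": "[parameters('ubuntuOSVersion')]",
+"version": "latest"
+},
+"osDisk": {
+"createOption": "FromImage"
+}
+}
+}
+},
+{
+"type": "Microsoft.Compute/virtualMachineScaleSets",
+"name": "fail",
+"location": "[parameters('location')]",
+"apiVersion": "2019-12-01",
+"dependsOn": [
+"[resourceId('Microsoft.Network/loadBalancers', variables('loadBalancerName'))]"
+],
+"sku": {
+"name": "[parameters('vmSku')]",
+"capacity": "[parameters('instanceCount')]"
+},
+"properties": {
+"overprovision": true,
+"upgradePolicy": {
+"mode": "Manual"
+},
+"virtualMachineProfile": {
+"storageProfile": {
+"osDisk": {
+"createOption": "FromImage",
+"caching": "ReadWrite"
+},
+"imageReference": {
+"publisher": "Canonical",
+"offer": "UbuntuServer",
+"sku": "16.04-LTS",
+"version": "latest"
+}
+},
+"osProfile": {
+"computerNamePrefix": "[parameters('vmssName')]",
+"adminUsername": "[parameters('adminUsername')]",
+"adminPassword": "[parameters('adminPasswordOrKey')]",
+"linuxConfiguration": {
+"disablePasswordAuthentication": true,
+"ssh": {
+"publicKeys": [
+{
+
+}
+]
+}
+}
+},
+"networkProfile": {
+"networkInterfaceConfigurations": [
+{
+"name": "nic",
+"properties": {
+"primary": true,
+"ipConfigurations": [
+{
+"name": "ipconfig",
+"properties": {
+"subnet": {
+"id": "[resourceId(parameters('existingVnetResourceGroupName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('existingVnetName'), parameters('existingSubNetName'))]"
+},
+"loadBalancerBackendAddressPools": [
+{
+"id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('loadBalancerName'), variables('loadBalancerBackEndName'))]"
+}
+],
+"loadBalancerInboundNatPools": [
+{
+"id": "[resourceId('Microsoft.Network/loadBalancers/inboundNatPools', variables('loadBalancerName'), variables('loadBalancerNatPoolName'))]"
+}
+]
+}
+}
+]
+}
+}
+]
+}
+}
+}
+}
+],
+"outputs": {
+"sshCommand": {
+"type": "string",
+"value": "[concat('ssh ', parameters('adminUsername'), '@', parameters('vmName'), '.', parameters('location'), '.cloudapp.azure.com')]"
+}
+}
+}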
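Review bot: The scale-set resource in this fixture references parameters and variables the template never declares (`vmSku`, `instanceCount`, `vmssName`, `adminPasswordOrKey`, `existingVnetResourceGroupName`, `existingVnetName`, `existingSubNetName`, `loadBalancerName`, `loadBalancerBackEndName`, `loadBalancerNatPoolName`), while the declared `sshKeyData` parameter and `sshKeyPath` variable are never used. That does not change what the check under test sees, since both resources fail on their single empty `publicKeys` entry, but the fixture is not a deployable template and stops serving as a realistic example of a failing configuration. Trimming the second resource to the properties the check reads, or declaring the missing parameters and variables, would keep it honest.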