From 8f8aafa86d628caafaef1f40de80fe5c26e78cf5 Mon Sep 17 00:00:00 2001 From: Jason Nichols Date: Wed, 24 Jan 2024 16:20:44 -0500 Subject: [PATCH] Shortened rule names and constrained to a single line of text --- resources/rules/gcp-database-sql-cross-db-flag.yaml | 2 ++ resources/rules/gcp-iam-and-security-iam-project-roles.yaml | 3 +-- ...nces-behind-iap-only-allow-traffic-from-gclb-addresses.yaml | 3 +-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/resources/rules/gcp-database-sql-cross-db-flag.yaml b/resources/rules/gcp-database-sql-cross-db-flag.yaml index ffd25d74..b0645794 100644 --- a/resources/rules/gcp-database-sql-cross-db-flag.yaml +++ b/resources/rules/gcp-database-sql-cross-db-flag.yaml @@ -2,6 +2,8 @@ id: b986202a-4007-45d1-9d53-07e3640be33e refId: gcp-database-sql-cross-db-flag type: asset name: > + Cross DB ownership chaining opens up attack vectors +description: > The "cross db ownership chaining" configuration flag allows you to control cross-database ownership chaining at the SQL Server database level or to allow cross-database ownership chaining for all SQL Server databases. Enabling "cross db ownership chaining" flag is not recommended unless all of the databases hosted by the SQL Server need to participate in cross-database ownership chaining and you are fully aware of the security implications of this configuration setting. severity: medium diff --git a/resources/rules/gcp-iam-and-security-iam-project-roles.yaml b/resources/rules/gcp-iam-and-security-iam-project-roles.yaml index 14078749..439872fe 100644 --- a/resources/rules/gcp-iam-and-security-iam-project-roles.yaml +++ b/resources/rules/gcp-iam-and-security-iam-project-roles.yaml 
@@ -2,8 +2,7 @@ id: 3111574f-4af8-4fac-bd68-839f9f8d6477 refId: gcp-iam-and-security-iam-project-roles type: asset name: > - IAM users are assigned the Service Account User or - Service Account Token Creator roles at project level + IAM users are assigned the Service Account User or Service Account Token Creator roles at project level description: > It is recommended to assign the Service Account User (iam.serviceAccountUser) and Service Account Token Creator (iam.serviceAccountTokenCreator) roles to a user for diff --git a/resources/rules/gcp-network-and-content-delivery-ensure-firewall-rules-for-instances-behind-iap-only-allow-traffic-from-gclb-addresses.yaml b/resources/rules/gcp-network-and-content-delivery-ensure-firewall-rules-for-instances-behind-iap-only-allow-traffic-from-gclb-addresses.yaml index ab57c4f1..c9e37d3c 100644 --- a/resources/rules/gcp-network-and-content-delivery-ensure-firewall-rules-for-instances-behind-iap-only-allow-traffic-from-gclb-addresses.yaml +++ b/resources/rules/gcp-network-and-content-delivery-ensure-firewall-rules-for-instances-behind-iap-only-allow-traffic-from-gclb-addresses.yaml @@ -3,8 +3,7 @@ id: 0b2fda2b-4fc5-485e-97c4-0ab05e846749 refId: gcp-network-and-content-delivery-ensure-firewall-rules-for-instances-behind-iap-only-allow-traffic-from-gclb-addresses type: asset name: > - Ensure Firewall Rules for instances behind Identity Aware Proxy (IAP) - only allow the traffic from Google Cloud Loadbalancer (GCLB) Health Check and Proxy Addresses + Firewall rules for Identity Aware Proxy are overly permissive description: > IAP ensure that access to VMs is controlled by authenticating incoming requests. However if the VM is still accessible from IP addresses other than the IAP it may still be possible to send unauthenticated requests to the instance.
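Review bot: In the gcp-database-sql-cross-db-flag.yaml hunk, the new `name:` does not state the detected condition the way the other two names in this patch do ("IAM users are assigned ...", "Firewall rules ... are overly permissive"); "Cross DB ownership chaining opens up attack vectors" reads as a general warning rather than a finding. Consider naming the state the rule flags, e.g. `Cross db ownership chaining flag is enabled`, which also matches the description's wording ("Enabling 'cross db ownership chaining' flag is not recommended"). Also worth a check: the added `+description: >` line is inserted between `name: >` and the pre-existing body text, so that body must remain indented under the new key, or the folded scalar for `description` parses as empty and the original text is silently dropped.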
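Review bot: In the gcp-iam-and-security-iam-project-roles.yaml hunk, the change is cosmetic at the YAML level: the `>` folded style already joins the two original lines into one string separated by a space, so the parsed `name` value is identical before and after. That is fine if the constraint is on the source file (one raw line per name for tooling or review), but the commit message should say so, since otherwise a reader may expect a behavioural change that is not there.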
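Review bot: In the IAP firewall rule hunk, the shortened name "Firewall rules for Identity Aware Proxy are overly permissive" drops the specific condition the old name carried (traffic allowed from sources other than the Google Cloud Load Balancer health check and proxy addresses). Since findings are often triaged from the name alone, consider keeping that detail while still fitting one line, e.g. `Firewall rules for instances behind IAP allow traffic from sources other than GCLB addresses`. While this file is being edited, the unchanged context line "IAP ensure that access to VMs is controlled" should read "IAP ensures that", and "However if the VM" wants a comma after "However".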