diff --git a/checks/cloud/aws/ec2/no_public_egress_sgr.rego b/checks/cloud/aws/ec2/no_public_egress_sgr.rego
index f81d1f25..9029d22c 100644
--- a/checks/cloud/aws/ec2/no_public_egress_sgr.rego
+++ b/checks/cloud/aws/ec2/no_public_egress_sgr.rego
@@ -35,11 +35,12 @@ package builtin.aws.ec2.aws0104
 
 import rego.v1
 
+import data.lib.net
+
 deny contains res if {
 	some rule in input.aws.ec2.securitygroups[_].egressrules
 	some block in rule.cidrs
-	cidr.is_public(block.value)
-	cidr.count_addresses(block.value) > 1
+	net.cidr_allows_all_ips(block.value)
 	res := result.new(
 		"Security group rule allows egress to multiple public internet addresses.",
 		block,
diff --git a/checks/cloud/aws/ec2/no_public_egress_sgr_test.rego b/checks/cloud/aws/ec2/no_public_egress_sgr_test.rego
index f8d3df17..eca08c49 100644
--- a/checks/cloud/aws/ec2/no_public_egress_sgr_test.rego
+++ b/checks/cloud/aws/ec2/no_public_egress_sgr_test.rego
@@ -12,7 +12,11 @@ test_deny_sg_with_public_egress if {
 }
 
 test_allow_sg_without_private_egress if {
-	inp := {"aws": {"ec2": {"securitygroups": [{"egressrules": [{"cidrs": [{"value": "10.0.0.0/16"}]}]}]}}}
+	inp := {"aws": {"ec2": {"securitygroups": [{"egressrules": [{"cidrs": [
+		{"value": "10.0.0.0/8"},
+		{"value": "192.168.164.0/23"},
+		{"value": "22.0.0.0/8"},
+	]}]}]}}}
 	test.assert_empty(check.deny) with input as inp
 }
diff --git a/checks/cloud/azure/network/no_public_egress.rego b/checks/cloud/azure/network/no_public_egress.rego
index 6e095282..ae5bb707 100644
--- a/checks/cloud/azure/network/no_public_egress.rego
+++ b/checks/cloud/azure/network/no_public_egress.rego
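Review bot: The result message on the new side still says `egress to multiple public internet addresses`, but the `net.cidr_allows_all_ips(block.value)` condition only fires for the exact wildcard strings in `net.all_ips`, so a rule allowing `22.0.0.0/8` (which the updated test in this same commit now treats as compliant) is no longer reported and the message over-claims what was checked. I would reword it to `"Security group rule allows egress to all addresses (0.0.0.0/0 or ::/0)."` and put a comment above the call such as `# Only unrestricted ranges are flagged; narrower public ranges are deliberately accepted.` so the narrowing reads as intentional. If `cidr_allows_all_ips` is a plain set-membership test (its definition is outside this diff), a rule split into `0.0.0.0/1` and `128.0.0.0/1` now passes unflagged, whereas the removed `count_addresses` logic caught it, so that trade-off deserves a sentence in the check's description. The `deny` body continues past the end of the hunk.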
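Review bot: The fixture in `test_allow_sg_without_private_egress` now mixes a public range (`{"value": "22.0.0.0/8"}`) into a test whose name reads as a private-network case, which hides the behavioural change this commit makes (narrower public ranges are no longer denied) inside an unrelated-looking test. I would keep this test on RFC 1918 ranges and add a separate `test_allow_sg_with_narrow_public_egress` containing only the `22.0.0.0/8` entry, so a future tightening of the rule breaks a test that states why it exists. The existing name is also inverted ("without private egress" asserts the opposite of its fixture); `test_allow_sg_with_private_egress` matches what it checks. A deny case for `{"value": "::/0"}` would additionally pin the IPv6 wildcard, which goes through the same `net.all_ips` set.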
@@ -31,12 +31,14 @@ package builtin.azure.network.azure0051
 
 import rego.v1
 
+import data.lib.net
+
 deny contains res if {
 	some group in input.azure.network.securitygroups
 	some rule in group.rules
 	rule.outbound.value
 	rule.allow.value
 	some addr in rule.destinationaddresses
-	cidr.is_public(addr.value)
+	net.cidr_allows_all_ips(addr.value)
 	res := result.new("Security group rule allows egress to public internet.", addr)
 }
diff --git a/checks/cloud/azure/network/no_public_egress_test.rego b/checks/cloud/azure/network/no_public_egress_test.rego
index cb61d036..32f5c782 100644
--- a/checks/cloud/azure/network/no_public_egress_test.rego
+++ b/checks/cloud/azure/network/no_public_egress_test.rego
@@ -16,6 +16,17 @@ test_deny_outbound_rule_with_wildcard_destination_address if {
 	count(res) == 1
 }
 
+test_deny_outbound_rule_with_public_destination_address if {
+	inp := {"azure": {"network": {"securitygroups": [{"rules": [{
+		"allow": {"value": true},
+		"outbound": {"value": true},
+		"destinationaddresses": [{"value": "0.0.0.0/0"}],
+	}]}]}}}
+
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
 test_allow_outbound_rule_with_private_destination_address if {
 	inp := {"azure": {"network": {"securitygroups": [{"rules": [{
 		"allow": {"value": true},
diff --git a/checks/cloud/google/compute/no_public_egress.rego b/checks/cloud/google/compute/no_public_egress.rego
index 8e76f1b9..4df0a403 100644
--- a/checks/cloud/google/compute/no_public_egress.rego
+++ b/checks/cloud/google/compute/no_public_egress.rego
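Review bot: Swapping `cidr.is_public(addr.value)` for `net.cidr_allows_all_ips(addr.value)` turns this from "any public destination" into "only the literal wildcard strings", yet the message `Security group rule allows egress to public internet.` is unchanged and now fires only for `*`, `0.0.0.0/0` and `::/0`; a single public `/32` or a `/8` destination is no longer a finding. Azure NSG rules can also express unrestricted egress with the `Internet` service tag as the destination prefix, and if `destinationaddresses` carries that string unmodified (the adapter is not visible here) it is an exact equivalent of `*` that this rule does not match, so either add it to the wildcard set or document the gap with a comment above the `some addr` line such as `# Only literal wildcard destinations are flagged; service tags such as "Internet" are not evaluated.` The message should also be narrowed to what is asserted, e.g. `"Security group rule allows egress to any address (* / 0.0.0.0/0 / ::/0)."`.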
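Review bot: The new `test_deny_outbound_rule_with_public_destination_address` covers only `0.0.0.0/0`, while the set it exercises through `net.cidr_allows_all_ips` also holds `::/0` and the long-form IPv6 zero address; a second case with `"destinationaddresses": [{"value": "::/0"}],` would pin the IPv6 path, which is the one most likely to regress unnoticed. The name is also broader than the assertion now that narrower public ranges are accepted by the check — `test_deny_outbound_rule_with_unrestricted_destination_address` says what is actually tested.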
@@ -31,14 +31,15 @@ package builtin.google.compute.google0035
 
 import rego.v1
 
+import data.lib.net
+
 deny contains res if {
 	some network in input.google.compute.networks
 	some rule in network.firewall.egressrules
 	rule.firewallrule.isallow.value
 	rule.firewallrule.enforced.value
 	some destination in rule.destinationranges
-	cidr.is_public(destination.value)
-	cidr.count_addresses(destination.value) > 1
+	net.cidr_allows_all_ips(destination.value)
 	res := result.new(
 		"Firewall rule allows egress traffic to multiple addresses on the public internet.",
 		destination,
diff --git a/checks/cloud/google/compute/no_public_egress_test.rego b/checks/cloud/google/compute/no_public_egress_test.rego
index c7020430..478ad3d4 100644
--- a/checks/cloud/google/compute/no_public_egress_test.rego
+++ b/checks/cloud/google/compute/no_public_egress_test.rego
@@ -21,7 +21,7 @@ test_deny_egress_rule_with_multiple_public_destinations if {
 	count(res) == 1
 }
 
-test_allow_egress_rule_with_public_destination if {
+test_allow_egress_rule_with_private_destination if {
 	inp := {"google": {"compute": {"networks": [{"firewall": {"egressrules": [{
 		"firewallrule": {
 			"isallow": {"value": true},
diff --git a/lib/cloud/net.rego b/lib/cloud/net.rego
index 38c01aa7..6746468e 100644
--- a/lib/cloud/net.rego
+++ b/lib/cloud/net.rego
@@ -12,7 +12,7 @@ ssh_port := 22
 
 rdp_port := 3389
 
-all_ips := {"0.0.0.0/0", "0000:0000:0000:0000:0000:0000:0000:0000/0", "::/0"}
+all_ips := {"0.0.0.0/0", "0000:0000:0000:0000:0000:0000:0000:0000/0", "::/0", "*"}
 
 # "-1" or "all" equivalent to all protocols
 # https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html
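Review bot: The message `Firewall rule allows egress traffic to multiple addresses on the public internet.` no longer describes the condition, because `net.cidr_allows_all_ips(destination.value)` on the new side matches only the exact `0.0.0.0/0` / `::/0` spellings and a public `/8` or `/16` destination now passes; reword it to `"Firewall rule allows egress traffic to any address (0.0.0.0/0 or ::/0)."` so findings are not read as covering arbitrary public ranges. GCP egress rules with no explicit destination range apply to all destinations; whether the adapter materialises that default into `destinationranges` is not visible here, but if it does not, a rule with no range would now be silently compliant, so a test for an empty `destinationranges` is worth adding. The `deny` body continues past the end of the hunk.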
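Review bot: `"*"` is appended to `all_ips` without a comment, and nothing in the set's name says it is a provider wildcard rather than a CIDR, so a line above it such as `# "*" is the Azure NSG address-prefix wildcard meaning any address` would stop someone later "fixing" it as an invalid CIDR. As far as this diff shows the set is consumed by exact string match (`cidr_allows_all_ips` is outside the hunk), so equivalent spellings like `0:0:0:0:0:0:0:0/0` or `::0/0`, or a value with surrounding whitespace, slip through; if the helper does not normalise its input, a containment test along the lines of `net.cidr_contains(value, "0.0.0.0/0")` with OPA's built-in `net` namespace (check that it is not shadowed inside package `lib.net`) would be more robust than enumerating spellings. At minimum, document the exact-match behaviour next to the set.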