この記事は公開されてから1年以上経過しています。情報が古い可能性がありますので、ご注意ください。
いわさです。
先日、以下の記事で Snyk IaC で IaC テンプレートの静的解析が出来ることを知りました。
そして、Snyk IaC のページを見てみると、どうやら Azure にも対応しているようです。
そこで本日は Azure 環境向けの ARM テンプレートに対して Snyk IaC を使ってセキュリティチェックを実施してみました。
テンプレートの用意
ARM テンプレートについては、VNET と仮想マシンをデプロイするだけのシンプルなものです。
ただし Linux 仮想マシンでパスワード認証を有効にしていたり、パブリックアクセス設定もオープンな状態にしてあります。
Azure の場合は、ポータルで作成したものをそのままテンプレートでダウンロードすることが出来るので、ここではテンプレートの掲載は割愛します。
Snyk CLI でのみサポートされている。
さて一点重要な点なのですが、本日時点で ARM テンプレートは Snyk CLI 経由のスキャンのみがサポートされています。
Scan ARM configuration files - Snyk User Docs
こちらどういうことかというと、例えば CloudFormation などの場合は WebUI から連携した GitHub リポジトリを指定するだけで以下のようにすぐにスキャンを行うことが出来ます。
しかし、ARM テンプレートなリポジトリの場合はテンプレートファイルがサポートされている言語として扱われません。
Job started: 08 August 2022, 10:39:57
Processed Tak1wa/hogehogehoge from GitHub
- No supported target files detected. Please see our documentation for supported languages and target files.
0 projects created
Job completed: 08 August 2022, 10:39:59Snyk CLI で実行してみる
よって本日は Snyk CLI からテンプレートのスキャンを行って、スキャン結果を Web へ取り込む形をとってみましょう。
% snyk iac test ./ExportedTemplate-20200808/template.json --report
Snyk Infrastructure as Code
✔ Test completed.
Issues
Low Severity Issues: 1
[Low] Virtual Network DDoS protection plan disabled
Info: Virtual Network DDoS protection plan disabled. Services deployed in the network will not benefit from advanced DDoS protection features such as attack alerting and analytics
Rule: https://snyk.io/security-rules/SNYK-CC-AZURE-516
Path: resources[2] > properties > enableDdosProtection
File: ./ExportedTemplate-20200808/template.json
Resolve: Set `properties.enableDdosProtection` to `true`
Medium Severity Issues: 11
[Medium] Linux VM scale set encryption at host disabled
Info: Linux VM scale set encryption at host disabled. Storage devices attached to the VM will not be encrypted at rest
Rule: https://snyk.io/security-rules/SNYK-CC-AZURE-475
Path: resources[3] > properties > securityProfile > encryptionAtHost
File: ./ExportedTemplate-20200808/template.json
Resolve: Set `properties.securityProfile.encryptionAtHost` attribute to `true`
[Medium] Ensure that RDP access is restricted from the internet
Info: Ensure that RDP access is restricted from the internet. Using RDP over internet leaves your Azure Virtual Machines vulnerable to brute force attacks
Rule: https://snyk.io/security-rules/SNYK-CC-AZURE-676
Path: resources[0] > properties > securityRules[3] > properties > destinationPortRange
File: ./ExportedTemplate-20200808/template.json
Resolve: Remove `3389`, `*`, or any port range that covers `3389` from `properties.securityRules[].properties.destinationPortRange(s)` when 'properties.securityRules[].properties.access' is set to `allow`
[Medium] Ensure that SSH access is restricted from the internet
Info: Ensure that SSH access is restricted from the internet. Using SSH over internet leaves your Azure Virtual Machines vulnerable to brute force attacks
Rule: https://snyk.io/security-rules/SNYK-CC-AZURE-677
Path: resources[0] > properties > securityRules[0] > properties > destinationPortRange
File: ./ExportedTemplate-20200808/template.json
Resolve: Remove `22`, `*`, or any port range that covers `22` from `properties.securityRules[].properties.destinationPortRange(s)` when 'properties.securityRules[].properties.access' is set to `allow`
[Medium] Azure Network Security Group allows public access
Info: Azure Network Security Group allows public access. Public access to all resources behind the network security group
Rule: https://snyk.io/security-rules/SNYK-CC-TF-33
Path: resources[0] > properties > securityRules[3] > properties > sourceAddressPrefix
File: ./ExportedTemplate-20200808/template.json
Resolve: Set `properties.sourceAddressPrefix` attribute to specific IP range only, e.g. `192.168.1.0/24`
[Medium] Azure Network Security Group allows public access
Info: Azure Network Security Group allows public access. Public access to all resources behind the network security group
Rule: https://snyk.io/security-rules/SNYK-CC-TF-33
Path: resources[0] > properties > securityRules[2] > properties > sourceAddressPrefix
File: ./ExportedTemplate-20200808/template.json
Resolve: Set `properties.sourceAddressPrefix` attribute to specific IP range only, e.g. `192.168.1.0/24`
[Medium] Azure Network Security Group allows public access
Info: Azure Network Security Group allows public access. Public access to all resources behind the network security group
Rule: https://snyk.io/security-rules/SNYK-CC-TF-33
Path: resources[0] > properties > securityRules[1] > properties > sourceAddressPrefix
File: ./ExportedTemplate-20200808/template.json
Resolve: Set `properties.sourceAddressPrefix` attribute to specific IP range only, e.g. `192.168.1.0/24`
[Medium] Azure Network Security Group allows public access
Info: Azure Network Security Group allows public access. Public access to all resources behind the network security group
Rule: https://snyk.io/security-rules/SNYK-CC-TF-33
Path: resources[0] > properties > securityRules[0] > properties > sourceAddressPrefix
File: ./ExportedTemplate-20200808/template.json
Resolve: Set `properties.sourceAddressPrefix` attribute to specific IP range only, e.g. `192.168.1.0/24`
[Medium] Azure Network Security Rule allows public access
Info: That inbound traffic is allowed to a resource from any source instead of a restricted range. That potentially everyone can access your resource
Rule: https://snyk.io/security-rules/SNYK-CC-TF-35
Path: resources[0] > properties > securityRules[3] > properties > sourceAddressPrefix
File: ./ExportedTemplate-20200808/template.json
Resolve: Set `properties.sourceAddressPrefix` to specific IP range only, e.g. `192.168.1.0/24`
[Medium] Azure Network Security Rule allows public access
Info: That inbound traffic is allowed to a resource from any source instead of a restricted range. That potentially everyone can access your resource
Rule: https://snyk.io/security-rules/SNYK-CC-TF-35
Path: resources[0] > properties > securityRules[2] > properties > sourceAddressPrefix
File: ./ExportedTemplate-20200808/template.json
Resolve: Set `properties.sourceAddressPrefix` to specific IP range only, e.g. `192.168.1.0/24`
[Medium] Azure Network Security Rule allows public access
Info: That inbound traffic is allowed to a resource from any source instead of a restricted range. That potentially everyone can access your resource
Rule: https://snyk.io/security-rules/SNYK-CC-TF-35
Path: resources[0] > properties > securityRules[1] > properties > sourceAddressPrefix
File: ./ExportedTemplate-20200808/template.json
Resolve: Set `properties.sourceAddressPrefix` to specific IP range only, e.g. `192.168.1.0/24`
[Medium] Azure Network Security Rule allows public access
Info: That inbound traffic is allowed to a resource from any source instead of a restricted range. That potentially everyone can access your resource
Rule: https://snyk.io/security-rules/SNYK-CC-TF-35
Path: resources[0] > properties > securityRules[0] > properties > sourceAddressPrefix
File: ./ExportedTemplate-20200808/template.json
Resolve: Set `properties.sourceAddressPrefix` to specific IP range only, e.g. `192.168.1.0/24`
High Severity Issues: 1
[High] Linux virtual machine has password authentication enabled
Info: Linux virtual machine has password authentication enabled. Password authentication is less resistant to brute force and educated guess attacks then SSH public key authentication
Rule: https://snyk.io/security-rules/SNYK-CC-TF-79
Path: resources[3] > properties > osProfile > linuxConfiguration > disablePasswordAuthentication
File: ./ExportedTemplate-20200808/template.json
Resolve: Set `properties.osProfile.linuxConfiguration.disablePasswordAuthentication` attribute to `true` or remove the attribute
-------------------------------------------------------
Test Summary
Organization: hoge
Project name: hoge0808snyk
✔ Files without issues: 0
✗ Files with issues: 1
Ignored issues: 0
Total issues: 13 [ 0 critical, 1 high, 11 medium, 1 low ]
-------------------------------------------------------
Report Complete
Your test results are available at: https://snyk.io/org/hoge/projects
under the name: hoge0808snyk先程挙げていた、Linux パスワード認証やパブリックアクセスの他に、VNET DDoS 保護など他にもいくつか警告を確認することが出来ます。
Web UI 上から取り込みは出来ませんでしたが、Snyk CLI からのレポート取り込みについては対応されています。
Bicep
さて ARM テンプレートを使っている方はやはり Bicep 形式でも使えるのかという点が気になるかもしれません。
こちらは以下のように紹介されていて、一度 Json 形式へビルドする必要があり直接はスキャン出来ません。
You can also scan Bicep format files by converting the configuration files to JSON using the Bicep CLI.
% az bicep build -f Bicep/template.bicep
/Users/iwasa.takahito/work/hoge0808snyk/Bicep/template.bicep(9,13) : Warning no-hardcoded-location: A resource location should not use a hard-coded string or variable value. Please use a parameter value, an expression, or the string 'global'. Found: 'japaneast' [https://aka.ms/bicep/linter/no-hardcoded-location]
/Users/iwasa.takahito/work/hoge0808snyk/Bicep/template.bicep(86,13) : Warning no-hardcoded-location: A resource location should not use a hard-coded string or variable value. Please use a parameter value, an expression, or the string 'global'. Found: 'japaneast' [https://aka.ms/bicep/linter/no-hardcoded-location]
/Users/iwasa.takahito/work/hoge0808snyk/Bicep/template.bicep(102,13) : Warning no-hardcoded-location: A resource location should not use a hard-coded string or variable value. Please use a parameter value, an expression, or the string 'global'. Found: 'japaneast' [https://aka.ms/bicep/linter/no-hardcoded-location]
/Users/iwasa.takahito/work/hoge0808snyk/Bicep/template.bicep(127,13) : Warning no-hardcoded-location: A resource location should not use a hard-coded string or variable value. Please use a parameter value, an expression, or the string 'global'. Found: 'japaneast' [https://aka.ms/bicep/linter/no-hardcoded-location]
/Users/iwasa.takahito/work/hoge0808snyk/Bicep/template.bicep(155,22) : Warning adminusername-should-not-be-literal: Property 'adminUserName' should not use a literal value. Use a param instead. Found literal string value "iwasa" [https://aka.ms/bicep/linter/adminusername-should-not-be-literal]
/Users/iwasa.takahito/work/hoge0808snyk/Bicep/template.bicep(270,13) : Warning no-hardcoded-location: A resource location should not use a hard-coded string or variable value. Please use a parameter value, an expression, or the string 'global'. Found: 'japaneast' [https://aka.ms/bicep/linter/no-hardcoded-location]
% snyk iac test Bicep/template.json --report
Snyk Infrastructure as Code
✔ Test completed.
Issues
Low Severity Issues: 1
[Low] Virtual Network DDoS protection plan disabled
Info: Virtual Network DDoS protection plan disabled. Services deployed in the network will not benefit from advanced DDoS protection features such as attack alerting and analytics
Rule: https://snyk.io/security-rules/SNYK-CC-AZURE-516
Path: resources[2] > properties > enableDdosProtection
File: Bicep/template.json
Resolve: Set `properties.enableDdosProtection` to `true`
Medium Severity Issues: 11
:
High Severity Issues: 1
[High] Linux virtual machine has password authentication enabled
Info: Linux virtual machine has password authentication enabled. Password authentication is less resistant to brute force and educated guess attacks then SSH public key authentication
Rule: https://snyk.io/security-rules/SNYK-CC-TF-79
Path: resources[3] > properties > osProfile > linuxConfiguration > disablePasswordAuthentication
File: Bicep/template.json
Resolve: Set `properties.osProfile.linuxConfiguration.disablePasswordAuthentication` attribute to `true` or remove the attribute
-------------------------------------------------------
Test Summary
Organization: hoge
Project name: hoge0808snyk
✔ Files without issues: 0
✗ Files with issues: 1
Ignored issues: 0
Total issues: 13 [ 0 critical, 1 high, 11 medium, 1 low ]
-------------------------------------------------------
Report Complete
Your test results are available at: https://snyk.io/org/hoge/projects
under the name: hoge0808snykさいごに
本日は Snyk IaC で Azure Resource Manager テンプレートを解析してみました。
Snyk CLI からのみの利用になるなど、少し制限はありますが AWS CloudFormation などと同様に無料プランから利用が出来ました。
Snyk はリポジトリとしても Azure DevOps がサポートされているので是非使ってみてください。
3
