Skip to content

fix(scanner): improve AZ-NET-008 with SOC2 mapping and azure_client abstraction #108

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
aav-wh wants to merge 1 commit into
base: dev
Choose a base branch
from
+14 −13
Open

fix(scanner): improve AZ-NET-008 with SOC2 mapping and azure_client abstraction #108

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions scanner/azure_client.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -270,6 +270,14 @@ def get_vnet_peerings(self, resource_group: str, vnet_name: str) -> List[Any]:
except Exception as exc:
logger.error("get_vnet_peerings(%s) failed: %s", vnet_name, exc)
return []
def get_load_balancers(self) -> List[Any]:
"""List all load balancers in the subscription."""
try:
client = NetworkManagementClient(self.credential, self.subscription_id)
return list(client.load_balancers.list_all())
except Exception as exc:
logger.error("get_load_balancers failed: %s", exc)
return []

def get_dns_zones(self) -> List[Any]:
"""List all DNS zones in the subscription."""
Expand Down
19 changes: 6 additions & 13 deletions scanner/rules/az_net_008.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
RULE_NAME = "Load balancer with no backend pool configured"
SEVERITY = "LOW"
CATEGORY = "Network"
FRAMEWORKS = {"CIS": "9.1", "NIST": "CM-7", "ISO27001": "A.13.1.1"}
FRAMEWORKS = {"CIS": "9.1", "NIST": "CM-7", "ISO27001": "A.13.1.1", "SOC2": "CC8.1"}
DESCRIPTION = (
"A load balancer exists in the subscription but has no backend pool "
"configured. A load balancer with no backend pool is either misconfigured "
Expand All @@ -28,19 +28,11 @@ def scan(azure_client: Any, subscription_id: str) -> List[Dict[str, Any]]:
"""Detect load balancers with no backend pool configured."""
findings: List[Dict[str, Any]] = []

try:
from azure.mgmt.network import NetworkManagementClient
client = NetworkManagementClient(
azure_client.credential, azure_client.subscription_id
)
load_balancers = list(client.load_balancers.list_all())
except Exception as exc:
logger.error("Failed to list load balancers: %s", exc)
return findings

for lb in load_balancers:
for lb in azure_client.get_load_balancers():
backend_pools = getattr(lb, "backend_address_pools", []) or []
if len(backend_pools) == 0:
parsed = azure_client.parse_resource_id(getattr(lb, "id", ""))
resource_group = parsed.get("resource_group", "")
findings.append({
"rule_id": RULE_ID,
"rule_name": RULE_NAME,
Expand All @@ -56,7 +48,8 @@ def scan(azure_client: Any, subscription_id: str) -> List[Dict[str, Any]]:
"metadata": {
"location": getattr(lb, "location", ""),
"backend_pool_count": len(backend_pools),
"resource_group": resource_group,
},
})

return findings
return findings
Loading