Make CIS findings public and add their CIS id to their rationale attr…

…ibute.
0xa08ab242 · Feb 3, 2019 · 6a2adf8 · 6a2adf8
1 parent 45eac68
commit 6a2adf8
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 0 deletions.
diff --git a/ScoutSuite/providers/azure/rules/findings/storageaccount-account-allowing-clear-text.json b/ScoutSuite/providers/azure/rules/findings/storageaccount-account-allowing-clear-text.json
@@ -1,6 +1,7 @@
 {
     "description": "HTTPS Not Enforced",
     "path": "storageaccounts.storage_accounts.id",
+    "rationale": "You should ensure that secure transfer is required to access your storage accounts. See CIS 3.1.",
     "dashboard_name": "Accounts",
     "conditions": [ "and",
         [ "storageaccounts.storage_accounts.id.https_traffic_enabled", "false", "" ]

diff --git a/ScoutSuite/providers/azure/rules/findings/storageaccount-public-blob-container.json b/ScoutSuite/providers/azure/rules/findings/storageaccount-public-blob-container.json
@@ -0,0 +1,11 @@
+{
+    "dashboard_name": "Storage Accounts",
+    "description": "Public Blob Container",
+    "rationale": "Your blob containers should be private. See CIS 3.7.",
+    "path": "storageaccounts.storage_accounts.id.blob_containers.id",
+    "display_path": "storageaccounts.storage_accounts.id",
+    "conditions": [ "and",
+        [ "storageaccounts.storage_accounts.id.blob_containers.id.public_access_allowed", "true", "" ]
+    ],
+    "id_suffix": "public_access_allowed"
+}
diff --git a/ScoutSuite/providers/azure/rules/rulesets/default.json b/ScoutSuite/providers/azure/rules/rulesets/default.json
@@ -6,6 +6,18 @@
         "enabled": true,
         "level": "warning"
       }
+    ],
+    "storageaccount-public-blob-container.json": [
+      {
+        "enabled": true,
+        "level": "danger"
+      }
+    ],
+    "storageaccount-access-keys-not-rotated.json": [
+      {
+        "enabled": true,
+        "level": "warning"
+      }
     ]
   }
 }