Unrestricted SQL Server Access
- Query id: 3f23c96c-f9f5-488d-9b17-605b8da5842f
- Query name: Unrestricted SQL Server Access
- Platform: Ansible
- Severity: Medium
- Category: Networking and Firewall
- URL: Github
Description
Azure SQL Server accessibility should be restricted to a minimal address range to uphold the principle of least privilege, which means the difference between the values of 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both IPs should be different from '0.0.0.0'.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
# this is problematic code for which the query should report a result(s)
- name: Create (or update) Firewall Rule1
  azure_rm_sqlfirewallrule:
    resource_group: myResourceGroup1
    server_name: firewallrulecrudtest-6285
    name: firewallrulecrudtest-5370
    start_ip_address: 0.0.0.0
    end_ip_address: 172.28.11.138
- name: Create (or update) Firewall Rule2
  azure_rm_sqlfirewallrule:
    resource_group: myResourceGroup2
    server_name: firewallrulecrudtest-6285
    name: firewallrulecrudtest-5370
    start_ip_address: 172.28.10.136
    end_ip_address: 172.28.11.138
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
# this is correct code for which the query should not find any result
- name: Create (or update) Firewall Rule
  azure_rm_sqlfirewallrule:
    resource_group: myResourceGroup
    server_name: firewallrulecrudtest-6285
    name: firewallrulecrudtest-5370
    start_ip_address: 172.28.10.136
    end_ip_address: 172.28.10.138
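
The rule from the description, applied to the three sample tasks above. This is an added example, not the query's own source code: the function names `check_rule`, `scan_tasks` and `_task` are hypothetical, and the tasks are given as already-parsed YAML (Python dicts) so the block runs without a YAML library.

```python
import ipaddress

MAX_SPAN = 256  # per the description: end - start must be less than 256
ZERO = ipaddress.IPv4Address("0.0.0.0")

def check_rule(params):
    """Return findings for one azure_rm_sqlfirewallrule parameter dict."""
    if "start_ip_address" not in params or "end_ip_address" not in params:
        return []  # no address range in this task, nothing to evaluate
    try:
        start = ipaddress.IPv4Address(str(params["start_ip_address"]))
        end = ipaddress.IPv4Address(str(params["end_ip_address"]))
    except ipaddress.AddressValueError as exc:
        return [f"invalid IPv4 address: {exc}"]
    findings = []
    if start == ZERO:
        findings.append("start_ip_address is 0.0.0.0")
    if end == ZERO:
        findings.append("end_ip_address is 0.0.0.0")
    span = abs(int(end) - int(start))
    if span >= MAX_SPAN:
        findings.append(f"end - start = {span}, must be less than {MAX_SPAN}")
    return findings

def scan_tasks(tasks):
    """Map task name -> findings for each flagged azure_rm_sqlfirewallrule task."""
    report = {}
    for task in tasks:
        params = task.get("azure_rm_sqlfirewallrule")
        if isinstance(params, dict):
            findings = check_rule(params)
            if findings:
                report[task.get("name", "<unnamed>")] = findings
    return report

def _task(name, start, end):
    """Build one parsed task dict (hypothetical helper for the sample data)."""
    return {"name": name, "azure_rm_sqlfirewallrule": {
        "server_name": "firewallrulecrudtest-6285",
        "start_ip_address": start, "end_ip_address": end}}

# Constructed input: the page's three sample tasks as already-parsed YAML.
SAMPLE_TASKS = [
    _task("Create (or update) Firewall Rule1", "0.0.0.0", "172.28.11.138"),
    _task("Create (or update) Firewall Rule2", "172.28.10.136", "172.28.11.138"),
    _task("Create (or update) Firewall Rule", "172.28.10.136", "172.28.10.138"),
]

if __name__ == "__main__":
    for name, findings in scan_tasks(SAMPLE_TASKS).items():
        print(f"{name}: {'; '.join(findings)}")
```

Rule2 is flagged even though both addresses look close: 172.28.10.136 to 172.28.11.138 crosses a /24 boundary, so the difference is 258.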