PostgreSQL Server Threat Detection Policy Disabled
- Query id: c407c3cf-c409-4b29-b590-db5f4138d332
- Query name: PostgreSQL Server Threat Detection Policy Disabled
- Platform: Terraform
- Severity: High
- Category: Resource Management
- URL: Github
Description¶
PostgreSQL Server Threat Detection Policy should be enabled
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "azurerm_postgresql_server" "positive1" {
name = "example-psqlserver"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
administrator_login = "psqladminun"
administrator_login_password = "H@Sh1CoR3!"
sku_name = "GP_Gen5_4"
version = "9.6"
storage_mb = 640000
backup_retention_days = 7
geo_redundant_backup_enabled = true
auto_grow_enabled = true
public_network_access_enabled = false
ssl_enforcement_enabled = true
ssl_minimal_tls_version_enforced = "TLS1_2"
threat_detection_policy {
enabled = false
}
}
Positive test num. 2 - tf file
resource "azurerm_postgresql_server" "positive2" {
name = "example-psqlserver"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
administrator_login = "psqladminun"
administrator_login_password = "H@Sh1CoR3!"
sku_name = "GP_Gen5_4"
version = "9.6"
storage_mb = 640000
backup_retention_days = 7
geo_redundant_backup_enabled = true
auto_grow_enabled = true
public_network_access_enabled = false
ssl_enforcement_enabled = true
ssl_minimal_tls_version_enforced = "TLS1_2"
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "azurerm_postgresql_server" "negative" {
name = "example-psqlserver"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
administrator_login = "psqladminun"
administrator_login_password = "H@Sh1CoR3!"
sku_name = "GP_Gen5_4"
version = "9.6"
storage_mb = 640000
backup_retention_days = 7
geo_redundant_backup_enabled = true
auto_grow_enabled = true
public_network_access_enabled = false
ssl_enforcement_enabled = true
ssl_minimal_tls_version_enforced = "TLS1_2"
threat_detection_policy {
enabled = true
}
}