Azure Instance Using Basic Authentication
- Query id: dafe30ec-325d-4516-85d1-e8e6776f012c
- Query name: Azure Instance Using Basic Authentication
- Platform: Terraform
- Severity: Medium
- Category: Best Practices
- CWE: 284
- Risk score: 5.7
- URL: Github
Description
Azure instances should authenticate with SSH keys instead of basic (password) authentication
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Positive sample: a classic VM whose Linux OS profile explicitly re-enables
# password authentication, so the instance accepts basic (password) logins.
resource "azurerm_virtual_machine" "positive1" {
  name                  = "${var.prefix}-vm"
  location              = azurerm_resource_group.main.location
  resource_group_name   = azurerm_resource_group.main.name
  network_interface_ids = []
  vm_size               = "Standard_DS1_v2"
  os_profile_linux_config {
    # Setting this to false is what the query flags.
    disable_password_authentication = false
  }
}
Positive test num. 2 - tf file
# Positive sample: the newer Linux VM resource sets the top-level attribute
# to false, which turns password authentication back on.
resource "azurerm_linux_virtual_machine" "positive2" {
  name                  = "${var.prefix}-vm"
  location              = azurerm_resource_group.main.location
  resource_group_name   = azurerm_resource_group.main.name
  network_interface_ids = []
  vm_size               = "Standard_DS1_v2"
  # Setting this to false is what the query flags.
  disable_password_authentication = false
}
Positive test num. 3 - tf file
# Positive sample: a Linux scale set with password authentication explicitly
# enabled; every instance in the set inherits this setting.
resource "azurerm_linux_virtual_machine_scale_set" "positive3" {
  name                = "positive3-vmss"
  resource_group_name = azurerm_resource_group.positive3.name
  location            = azurerm_resource_group.positive3.location
  sku                 = "Standard_F2"
  instances           = 1
  admin_username      = "adminuser"
  # Setting this to false is what the query flags.
  disable_password_authentication = false
}
Positive test num. 4 - tf file
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# Negative sample: a classic VM whose Linux OS profile disables password
# authentication, leaving SSH key authentication as the login method.
resource "azurerm_virtual_machine" "negative1_1" {
  name                  = "${var.prefix}-vm"
  location              = azurerm_resource_group.main.location
  resource_group_name   = azurerm_resource_group.main.name
  network_interface_ids = [azurerm_network_interface.main.id]
  vm_size               = "Standard_DS1_v2"
  os_profile_linux_config {
    # Explicit true is compliant.
    disable_password_authentication = true
  }
}
# Negative sample: no Linux OS profile is declared, so the query treats this
# as a non-Linux VM and does not evaluate the password-authentication setting.
resource "azurerm_virtual_machine" "negative1_2" {
  name                  = "${var.prefix}-vm"
  location              = azurerm_resource_group.main.location
  resource_group_name   = azurerm_resource_group.main.name
  network_interface_ids = [azurerm_network_interface.main.id]
  vm_size               = "Standard_DS1_v2"
  # missing "os_profile_linux_config" - means it is not a linux vm
}
Negative test num. 2 - tf file
# Negative sample: the attribute is omitted; the page relies on the provider
# default of true, so password authentication stays disabled.
resource "azurerm_linux_virtual_machine" "negative2_1" {
  name                  = "${var.prefix}-vm"
  location              = azurerm_resource_group.main.location
  resource_group_name   = azurerm_resource_group.main.name
  network_interface_ids = [azurerm_network_interface.main.id]
  vm_size               = "Standard_DS1_v2"
  # missing "disable_password_authentication" - defaults to true
}
# Negative sample: password authentication explicitly disabled on the newer
# Linux VM resource.
resource "azurerm_linux_virtual_machine" "negative2_2" {
  name                  = "${var.prefix}-vm"
  location              = azurerm_resource_group.main.location
  resource_group_name   = azurerm_resource_group.main.name
  network_interface_ids = [azurerm_network_interface.main.id]
  vm_size               = "Standard_DS1_v2"
  # Explicit true is compliant.
  disable_password_authentication = true
}
Negative test num. 3 - tf file
# Negative sample: a Linux scale set that omits the attribute; the page relies
# on the provider default of true, so password authentication stays disabled.
resource "azurerm_linux_virtual_machine_scale_set" "negative3_1" {
  name                = "negative3_1-vmss"
  resource_group_name = azurerm_resource_group.negative3_1.name
  location            = azurerm_resource_group.negative3_1.location
  sku                 = "Standard_F2"
  instances           = 1
  admin_username      = "adminuser"
  # missing "disable_password_authentication" - defaults to true
}
# Negative sample: a Linux scale set with password authentication explicitly
# disabled for all of its instances.
resource "azurerm_linux_virtual_machine_scale_set" "negative3_2" {
  name                = "negative3_2-vmss"
  resource_group_name = azurerm_resource_group.negative3_2.name
  location            = azurerm_resource_group.negative3_2.location
  sku                 = "Standard_F2"
  instances           = 1
  admin_username      = "adminuser"
  # Explicit true is compliant.
  disable_password_authentication = true
}
Negative test num. 4 - tf file
# Negative sample: a classic scale set whose Linux OS profile disables
# password authentication.
resource "azurerm_virtual_machine_scale_set" "negative4_1" {
  name                = "${var.prefix}-vm"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  os_profile_linux_config {
    # Explicit true is compliant.
    disable_password_authentication = true
  }
}
# Negative sample: no Linux OS profile is declared, so the query treats this
# scale set as non-Linux and does not evaluate the password-authentication setting.
resource "azurerm_virtual_machine_scale_set" "negative4_2" {
  name                = "${var.prefix}-vm"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  # missing "os_profile_linux_config" - means it is not a linux vm
}