SSL Enforce Disabled

  • Query id: 961ce567-a16d-4d7d-9027-f0ec2628a555
  • Query name: SSL Enforce Disabled
  • Platform: Ansible
  • Severity: Medium
  • Category: Encryption
  • CWE: 319
  • URL: Github

Description

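Make sure that, for PostgreSQL, 'Enforce SSL connection' is set to 'ENABLED'. In the azure_rm_postgresqlserver module this is the enforce_ssl parameter; the vulnerable samples below either omit it or set it to no.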
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: Create (or update) PostgreSQL Server
  azure.azcollection.azure_rm_postgresqlserver:
    resource_group: myResourceGroup
    name: testserver
    sku:
      name: B_Gen5_1
      tier: Basic
    location: eastus
    storage_mb: 1024
    admin_username: cloudsa
    admin_password: password
- name: Create (or update) PostgreSQL Server2
  azure.azcollection.azure_rm_postgresqlserver:
    resource_group: myResourceGroup
    name: testserver
    sku:
      name: B_Gen5_1
      tier: Basic
    location: eastus
    storage_mb: 1024
    enforce_ssl: no
    admin_username: cloudsa
    admin_password: password

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: Create (or update) PostgreSQL Server
  azure.azcollection.azure_rm_postgresqlserver:
    resource_group: myResourceGroup
    name: testserver
    sku:
      name: B_Gen5_1
      tier: Basic
    location: eastus
    storage_mb: 1024
    enforce_ssl: yes
    admin_username: cloudsa
    admin_password: password
- name: Create (or update) PostgreSQL Server2
  azure.azcollection.azure_rm_postgresqlserver:
    resource_group: myResourceGroup
    name: testserver
    sku:
      name: B_Gen5_1
      tier: Basic
    location: eastus
    storage_mb: 1024
    enforce_ssl: Yes
    admin_username: cloudsa
    admin_password: password
- name: Create (or update) PostgreSQL Server3
  azure.azcollection.azure_rm_postgresqlserver:
    resource_group: myResourceGroup
    name: testserver
    sku:
      name: B_Gen5_1
      tier: Basic
    location: eastus
    storage_mb: 1024
    enforce_ssl: true
    admin_username: cloudsa
    admin_password: password
- name: Create (or update) PostgreSQL Server4
  azure.azcollection.azure_rm_postgresqlserver:
    resource_group: myResourceGroup
    name: testserver
    sku:
      name: B_Gen5_1
      tier: Basic
    location: eastus
    storage_mb: 1024
    enforce_ssl: true
    admin_username: cloudsa
    admin_password: password
- name: Create (or update) PostgreSQL Server5
  azure.azcollection.azure_rm_postgresqlserver:
    resource_group: myResourceGroup
    name: testserver
    sku:
      name: B_Gen5_1
      tier: Basic
    location: eastus
    storage_mb: 1024
    enforce_ssl: yes
    admin_username: cloudsa
    admin_password: password
- name: Create (or update) PostgreSQL Server6
  azure.azcollection.azure_rm_postgresqlserver:
    resource_group: myResourceGroup
    name: testserver
    sku:
      name: B_Gen5_1
      tier: Basic
    location: eastus
    storage_mb: 1024
    enforce_ssl: Yes
    admin_username: cloudsa
    admin_password: password
- name: Create (or update) PostgreSQL Server7
  azure.azcollection.azure_rm_postgresqlserver:
    resource_group: myResourceGroup
    name: testserver
    sku:
      name: B_Gen5_1
      tier: Basic
    location: eastus
    storage_mb: 1024
    enforce_ssl: 'true'
    admin_username: cloudsa
    admin_password: password
- name: Create (or update) PostgreSQL Server8
  azure.azcollection.azure_rm_postgresqlserver:
    resource_group: myResourceGroup
    name: testserver
    sku:
      name: B_Gen5_1
      tier: Basic
    location: eastus
    storage_mb: 1024
    enforce_ssl: 'True'
    admin_username: cloudsa
    admin_password: password
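
The rule the positive and negative samples above exercise can be reproduced with a small line-based scan. This is an added example, not the query's own implementation; the function name, the short module name, the truthy set (the strings Ansible's boolean conversion accepts) and the constructed sample are assumptions, and the scan expects each task to start with a "- name:" line as the samples do.

```python
import re

# Module names checked: the FQCN used on this page plus the short name (assumption).
MODULES = {"azure.azcollection.azure_rm_postgresqlserver", "azure_rm_postgresqlserver"}
# Strings Ansible's boolean conversion treats as true (compared case-insensitively).
TRUTHY = {"y", "yes", "on", "1", "true", "t"}

def find_ssl_issues(playbook_text):
    """Return [(task_name, reason)] for PostgreSQL server tasks without enforced SSL."""
    findings = []
    task = None  # state of the task currently being read
    def close(t):
        # Decide on a finished task: only tasks that use the module are judged.
        if t and t["module"]:
            if t["value"] is None:
                findings.append((t["name"], "enforce_ssl is not set"))
            elif t["value"].lower() not in TRUTHY:
                findings.append((t["name"], "enforce_ssl is %s" % t["value"]))
    for line in playbook_text.splitlines():
        m = re.match(r"^\s*-\s+name:\s*(.+?)\s*$", line)
        if m:  # a new task begins, so judge the previous one
            close(task)
            task = {"name": m.group(1), "module": False, "value": None}
            continue
        key = re.match(r"^\s*([\w.]+):\s*(.*?)\s*$", line)
        if task is None or not key:
            continue
        if key.group(1) in MODULES:
            task["module"] = True
        elif key.group(1) == "enforce_ssl" and task["module"]:
            task["value"] = key.group(2).strip("'\"")  # accept 'true' and "True"
    close(task)
    return findings

# Constructed sample modelled on the page's test cases.
SAMPLE = """\
- name: Server without the setting
  azure.azcollection.azure_rm_postgresqlserver:
    name: testserver
- name: Server with SSL disabled
  azure.azcollection.azure_rm_postgresqlserver:
    name: testserver
    enforce_ssl: no
- name: Server with SSL enforced
  azure.azcollection.azure_rm_postgresqlserver:
    name: testserver
    enforce_ssl: 'True'
"""
if __name__ == "__main__":
    print(find_ssl_issues(SAMPLE))
```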