Beta - VM Without Admin SSH Public Key Set
- Query id: a5cfef8f-910e-4fd6-8155-f381b236a492
- Query name: Beta - VM Without Admin SSH Public Key Set
- Platform: Terraform
- Severity: Medium
- Category: Access Control
- CWE: 521
- Risk score: 3.0
- URL: Github
Description¶
All Linux-based virtual machines (and virtual machine scale sets) should authenticate the admin user with an SSH public key — an `admin_ssh_key` block carrying a `public_key` — rather than a password, for enhanced security. The query flags resources that have no `admin_ssh_key` block, or whose `admin_ssh_key` blocks lack a `public_key`.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
# Positive fixture: a Linux VM with no admin_ssh_key block at all, so the
# admin account has no key-based login path. The query flags the absence of
# the block. (The fixture only exercises the rule; whether the provider
# would accept it on apply depends on disable_password_authentication /
# admin_password defaults — TODO confirm against the azurerm version in use.)
resource "azurerm_linux_virtual_machine" "positive1_1" {
name = "positive1_1-machine"
resource_group_name = azurerm_resource_group.positive1_1.name
location = azurerm_resource_group.positive1_1.location
size = "Standard_F2"
admin_username = "adminuser"
network_interface_ids = [
azurerm_network_interface.positive1_1.id,
]
# missing "admin_ssh_key" — this is what the query reports
}
# Positive fixture: an admin_ssh_key block is present but carries only a
# username and no public_key, so no key is actually installed. The query
# checks for the public_key argument, not merely for the block.
resource "azurerm_linux_virtual_machine" "positive1_2" {
name = "positive1_2-machine"
resource_group_name = azurerm_resource_group.positive1_2.name
location = azurerm_resource_group.positive1_2.location
size = "Standard_F2"
admin_username = "adminuser"
network_interface_ids = [
azurerm_network_interface.positive1_2.id,
]
admin_ssh_key { # single ssh key
username = "adminuser"
# missing "public_key" (technically a required argument of this block, so
# terraform validate would reject it; the rule still flags it so that
# partial or hand-edited configs are caught)
}
}
# Positive fixture: several admin_ssh_key blocks, none of which sets a
# public_key. Every block must carry a key for the resource to pass; one
# key-less block is enough for the query to report the resource.
resource "azurerm_linux_virtual_machine" "positive1_3" {
name = "positive1_3-machine"
resource_group_name = azurerm_resource_group.positive1_3.name
location = azurerm_resource_group.positive1_3.location
size = "Standard_F2"
admin_username = "adminuser"
network_interface_ids = [
azurerm_network_interface.positive1_3.id,
]
admin_ssh_key { # ssh key array
username = "adminuser_1"
# missing "public_key" (technically a required argument of this block)
}
admin_ssh_key {
username = "adminuser_2"
# missing "public_key" (technically a required argument of this block)
}
}
Positive test num. 2 - tf file
# Positive fixture: a Linux VM scale set with no admin_ssh_key block, so every
# instance's admin account lacks a key-based login path.
# NOTE(review): the fixture mirrors the VM example's attributes; the scale
# set resource is normally configured with sku/instances and nested
# network_interface blocks rather than size/network_interface_ids, so treat
# this as a rule fixture, not an applyable config — TODO confirm against the
# provider schema.
resource "azurerm_linux_virtual_machine_scale_set" "positive2_1" {
name = "positive2_1-machine"
resource_group_name = azurerm_resource_group.positive2_1.name
location = azurerm_resource_group.positive2_1.location
size = "Standard_F2"
admin_username = "adminuser"
network_interface_ids = [
azurerm_network_interface.positive2_1.id,
]
# missing "admin_ssh_key" — this is what the query reports
}
# Positive fixture: the scale set declares an admin_ssh_key block with a
# username only; without public_key no key is installed on the instances.
resource "azurerm_linux_virtual_machine_scale_set" "positive2_2" {
name = "positive2_2-machine"
resource_group_name = azurerm_resource_group.positive2_2.name
location = azurerm_resource_group.positive2_2.location
size = "Standard_F2"
admin_username = "adminuser"
network_interface_ids = [
azurerm_network_interface.positive2_2.id,
]
admin_ssh_key { # single ssh key
username = "adminuser"
# missing "public_key" (technically a required argument of this block;
# the rule flags it regardless so partial configs are caught)
}
}
# Positive fixture: multiple admin_ssh_key blocks on a scale set, none with a
# public_key. Each block must carry a key; any key-less block is reported.
resource "azurerm_linux_virtual_machine_scale_set" "positive2_3" {
name = "positive2_3-machine"
resource_group_name = azurerm_resource_group.positive2_3.name
location = azurerm_resource_group.positive2_3.location
size = "Standard_F2"
admin_username = "adminuser"
network_interface_ids = [
azurerm_network_interface.positive2_3.id,
]
admin_ssh_key { # ssh key array
username = "adminuser_1"
# missing "public_key" (technically a required argument of this block)
}
admin_ssh_key {
username = "adminuser_2"
# missing "public_key" (technically a required argument of this block)
}
}
Positive test num. 3 - json file (Terraform plan output: the planned VM has `admin_ssh_key` as an empty list, `disable_password_authentication` set to `false`, and an `admin_password` among its sensitive values — i.e. the admin account is password-only, so the query reports it)
{
"format_version": "1.2",
"terraform_version": "1.11.2",
"planned_values": {
"root_module": {
"child_modules": [
{
"address": "module.example_module",
"resources": [
{
"address": "module.example_module.azurerm_linux_virtual_machine.example_vm[0]",
"mode": "managed",
"type": "azurerm_linux_virtual_machine",
"name": "example_vm",
"index": 0,
"provider_name": "registry.terraform.io/hashicorp/azurerm",
"schema_version": 0,
"values": {
"admin_ssh_key": [],
"name": "example-vm",
"location": "westeurope",
"resource_group_name": "example-rg",
"size": "Standard_D2s_v5",
"admin_username": "localadm",
"disable_password_authentication": false,
"provision_vm_agent": true,
"allow_extension_operations": true,
"priority": "Regular",
"identity": [
{
"type": "SystemAssigned",
"identity_ids": null
}
],
"os_disk": [
{
"name": "example-vm-osdisk",
"caching": "ReadWrite",
"storage_account_type": "StandardSSD_LRS",
"write_accelerator_enabled": false
}
],
"source_image_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Compute/galleries/exampleGallery/images/RHEL8_Mutable/versions/latest",
"tags": {
"environment": "test",
"project": "sample"
},
"zone": "1"
},
"sensitive_values": {
"admin_password": true
}
}
]
}
]
}
},
"resource_changes": [
{
"address": "module.example_module.azurerm_linux_virtual_machine.example_vm[0]",
"module_address": "module.example_module",
"mode": "managed",
"type": "azurerm_linux_virtual_machine",
"name": "example_vm",
"index": 0,
"provider_name": "registry.terraform.io/hashicorp/azurerm",
"change": {
"actions": ["create"],
"before": null,
"after": {
"name": "example-vm",
"location": "westeurope",
"resource_group_name": "example-rg",
"size": "Standard_D2s_v5",
"admin_username": "localadm",
"disable_password_authentication": false,
"provision_vm_agent": true,
"allow_extension_operations": true,
"identity": [
{
"type": "SystemAssigned",
"identity_ids": null
}
],
"os_disk": [
{
"name": "example-vm-osdisk",
"caching": "ReadWrite",
"storage_account_type": "StandardSSD_LRS"
}
],
"source_image_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Compute/galleries/exampleGallery/images/RHEL8_Mutable/versions/latest",
"tags": {
"environment": "test",
"project": "sample"
},
"zone": "1"
},
"after_unknown": {
"id": true,
"private_ip_address": true,
"public_ip_address": true,
"virtual_machine_id": true
}
}
}
],
"configuration": {
"provider_config": {
"azurerm": {
"name": "azurerm",
"full_name": "registry.terraform.io/hashicorp/azurerm",
"version_constraint": "~> 4.8",
"expressions": {
"features": [
{
"key_vault": [
{
"purge_soft_delete_on_destroy": { "constant_value": false },
"purge_soft_deleted_keys_on_destroy": { "constant_value": false },
"recover_soft_deleted_key_vaults": { "constant_value": true },
"recover_soft_deleted_keys": { "constant_value": true }
}
]
}
],
"resource_provider_registrations": { "constant_value": "none" }
}
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
# Negative fixture: the admin account gets an SSH public key, which is all
# the query checks for. It does not assess the key itself — reviewers should
# still confirm key type/length meets policy and that the key file read
# here is a *public* key.
resource "azurerm_linux_virtual_machine" "negative1_1" {
name = "negative1_1-machine"
resource_group_name = azurerm_resource_group.negative1_1.name
location = azurerm_resource_group.negative1_1.location
size = "Standard_F2"
admin_username = "adminuser"
network_interface_ids = [
azurerm_network_interface.negative1_1.id,
]
admin_ssh_key { # single ssh key
username = "adminuser"
# Reads the key from whoever runs terraform; for shared or CI-driven
# pipelines prefer a dedicated, centrally managed key (e.g. a variable or
# an azurerm_ssh_public_key resource) so admin access is not tied to one
# operator's workstation.
public_key = file("~/.ssh/id_rsa.pub")
}
}
# Negative fixture: two admin_ssh_key blocks, each with a public_key, so the
# resource passes. Note that both accounts are provisioned with the same key
# file below; in real use give each account its own key so that actions on
# the host remain attributable to one identity.
resource "azurerm_linux_virtual_machine" "negative1_2" {
name = "negative1_2-machine"
resource_group_name = azurerm_resource_group.negative1_2.name
location = azurerm_resource_group.negative1_2.location
size = "Standard_F2"
admin_username = "adminuser"
network_interface_ids = [
azurerm_network_interface.negative1_2.id,
]
admin_ssh_key { # ssh key array
username = "adminuser_1"
public_key = file("~/.ssh/id_rsa.pub")
}
admin_ssh_key {
username = "adminuser_2"
# same key as adminuser_1 — fine for a fixture, not for production
public_key = file("~/.ssh/id_rsa.pub")
}
}
Negative test num. 2 - tf file
# Negative fixture: the scale set's admin account gets an SSH public key,
# which satisfies the query. The key is read from the operator's home
# directory; for shared pipelines prefer a dedicated, centrally managed key.
# NOTE(review): as with the positive scale set fixtures, size /
# network_interface_ids mirror the VM example rather than the scale set
# schema — treat as a rule fixture, not an applyable config.
resource "azurerm_linux_virtual_machine_scale_set" "negative2_1" {
name = "negative2_1-machine"
resource_group_name = azurerm_resource_group.negative2_1.name
location = azurerm_resource_group.negative2_1.location
size = "Standard_F2"
admin_username = "adminuser"
network_interface_ids = [
azurerm_network_interface.negative2_1.id,
]
admin_ssh_key { # single ssh key
username = "adminuser"
public_key = file("~/.ssh/id_rsa.pub")
}
}
# Negative fixture: every admin_ssh_key block on the scale set carries a
# public_key, so the resource passes. Both accounts share one key file here;
# use distinct keys per account in real deployments for accountability.
resource "azurerm_linux_virtual_machine_scale_set" "negative2_2" {
name = "negative2_2-machine"
resource_group_name = azurerm_resource_group.negative2_2.name
location = azurerm_resource_group.negative2_2.location
size = "Standard_F2"
admin_username = "adminuser"
network_interface_ids = [
azurerm_network_interface.negative2_2.id,
]
admin_ssh_key { # ssh key array
username = "adminuser_1"
public_key = file("~/.ssh/id_rsa.pub")
}
admin_ssh_key {
username = "adminuser_2"
# same key as adminuser_1 — fine for a fixture, not for production
public_key = file("~/.ssh/id_rsa.pub")
}
}