Rule WAF documentation updates (#3273)
BernieWhite authored Mar 6, 2025
1 parent 27f1e99 commit d03653b
Showing 6 changed files with 232 additions and 42 deletions.
3 changes: 3 additions & 0 deletions docs/CHANGELOG-v1.md
@@ -38,6 +38,9 @@ What's changed since v1.41.4:
- General improvements:
- Added a new quickstart guide for using Azure Pipelines with PSRule by @that-ar-guy.
[#3220](https://github.com/Azure/PSRule.Rules.Azure/pull/3220)
- Engineering:
- Updates to WAF documentation by @BernieWhite.
[#2570](https://github.com/Azure/PSRule.Rules.Azure/issues/2570)

## v1.41.4

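Review bot: the new "Engineering" entry links issue #2570, while the entry directly above it links the PR (#3220) and this commit is PR #3273; pick one convention for the link target. The entry text "Updates to WAF documentation" also undersells the change: the rule YAML hunk in this commit moves Azure.NIC.UniqueDns from the Operational Excellence pillar to Reliability, which is visible to anyone filtering or reporting on `Azure.WAF/pillar`, so consider naming that pillar change explicitly (under General improvements or as an updated-rule entry) rather than only as a documentation update.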
102 changes: 99 additions & 3 deletions docs/en/rules/Azure.NIC.UniqueDns.md
@@ -1,7 +1,8 @@
---
reviewed: 2025-03-06
severity: Awareness
pillar: Operational Excellence
category: Deployment
pillar: Reliability
category: RE:01 Simplicity and efficiency
resource: Network Interface
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.NIC.UniqueDns/
---
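Review bot: the pillar moves to Reliability and the category to `RE:01 Simplicity and efficiency`, but the only rationale visible in the rule body (the next hunk's context line, "may increase management overhead") still argues operational overhead. A one-sentence reliability rationale in the description would make the re-categorisation self-explanatory, for example that per-NIC DNS overrides silently diverge from the virtual network setting and break name resolution when the VNet DNS servers change. Keeping the `Azure.VM.UniqueDns` alias (shown in the YAML hunk) is the right call so existing suppressions and baselines keep resolving.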
@@ -23,6 +24,101 @@ Using network interfaces with individual DNS server settings may increase manage

Consider updating NIC DNS server settings to inherit from virtual network.

## EXAMPLES

### Configure with Bicep

To deploy NICs that pass this rule:

- Clear the `properties.dnsSettings.dnsServers` property. OR
- Remove the `properties.dnsSettings` property.

For example:

```bicep
resource nic 'Microsoft.Network/networkInterfaces@2024-05-01' = {
name: name
location: location
properties: {
dnsSettings: {
dnsServers: []
}
ipConfigurations: [
{
name: 'ipconfig1'
properties: {
privateIPAllocationMethod: 'Dynamic'
subnet: {
id: subnetId
}
}
}
]
}
}
```

<!-- external:avm avm/res/network/network-interface dnsServers -->

### Configure with Azure template

To deploy NICs that pass this rule:

- Clear the `properties.dnsSettings.dnsServers` property. OR
- Remove the `properties.dnsSettings` property.

For example:

```json
{
"type": "Microsoft.Network/networkInterfaces",
"apiVersion": "2024-05-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"properties": {
"dnsSettings": {
"dnsServers": []
},
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"privateIPAllocationMethod": "Dynamic",
"subnet": {
"id": "[parameters('subnetId')]"
}
}
}
]
}
}
```

### Configure with Azure CLI

To configure NICs that pass this rule, clear the DNS servers configuration:

```bash
az network nic update -n '<name>' -g '<resource_group>' --dns-servers null
```

### Configure with Azure PowerShell

To configure NICs that pass this rule, clear the DNS servers configuration:

```powershell
# Place the network interface configuration into a variable.
$nic = Get-AzNetworkInterface -Name '<name>' -ResourceGroupName '<resource_group>'
# Remove the DNS servers configuration.
$nic.DnsSettings.DnsServers.Remove("192.168.1.100")
$nic.DnsSettings.DnsServers.Remove("192.168.1.101")
# Apply the new configuration to the network interface.
$nic | Set-AzNetworkInterface
```

## LINKS

- [Change DNS servers](https://learn.microsoft.com/azure/virtual-network/virtual-network-network-interface?tabs=azure-portal#change-dns-servers)
- [RE:01 Simplicity and efficiency](https://learn.microsoft.com/azure/well-architected/reliability/simplify)
- [Change DNS servers](https://learn.microsoft.com/azure/virtual-network/virtual-network-network-interface#change-dns-servers)
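Review bot: the PowerShell example does not actually clear the DNS configuration: `$nic.DnsSettings.DnsServers.Remove("192.168.1.100")` and the second `Remove` call only strip those two hard-coded addresses, so a NIC configured with any other server keeps its custom DNS after `Set-AzNetworkInterface` and still fails the rule. `DnsServers` is a list, so `$nic.DnsSettings.DnsServers.Clear()` empties it regardless of contents and matches what the Bicep and template examples do with `dnsServers: []`. For the Azure CLI example, `--dns-servers null` should be confirmed against the linked "Change DNS servers" page, since that page is the reference the doc points readers to; if the CLI expects a different sentinel (such as an empty string) to revert to inherited VNet DNS, the example should use the documented form. Minor: the two instruction bullets ("Clear ... OR", "Remove ...") are duplicated verbatim between the Bicep and template sections; fine, but a single sentence with "either ... or" would read better.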
72 changes: 36 additions & 36 deletions docs/en/rules/Azure.SQL.MinTLS.md
@@ -1,13 +1,13 @@
---
reviewed: 2024-04-15
reviewed: 2025-03-06
severity: Critical
pillar: Security
category: SE:07 Encryption
resource: SQL Database
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.MinTLS/
---

# Azure SQL DB server minimum TLS version
# Logical SQL Servers accepts insecure TLS versions

## SYNOPSIS

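Review bot: the new title "Logical SQL Servers accepts insecure TLS versions" has a subject-verb mismatch; use "Logical SQL Server accepts insecure TLS versions" (singular resource, matching the "To deploy logical SQL Servers" wording used in the EXAMPLES sections only in the plural where the verb is also plural) or "Logical SQL servers accept insecure TLS versions". The rest of the hunk (reviewed date bump) is fine.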
@@ -19,7 +19,7 @@ The minimum version of TLS that Azure SQL Database servers accept is configurabl
Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2.
By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.
By default, TLS versions 1.0, 1.1, 1.2, and 1.3 are accepted.

When clients connect using an older version of TLS that is disabled, the connection will fail.

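Review bot: with the default list now stated as 1.0 through 1.3 and the EXAMPLES bullets accepting `1.2` or `1.3`, the unchanged sentence two lines above, "require connections to use a minimum of TLS 1.2", reads as if 1.2 is the only enforceable minimum; "a minimum of TLS 1.2 or TLS 1.3" keeps the two statements consistent. The context line "When clients connect using an older version of TLS that is disabled, the connection will fail" is also the right place to warn that raising the minimum to 1.3 cuts off clients and drivers that only negotiate 1.2, which is the practical reason most deployments will still pick 1.2.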
@@ -30,45 +30,16 @@ Also consider enforcing this setting using Azure Policy.

## EXAMPLES

### Configure with Azure template

To deploy logical SQL Servers that pass this rule:

- Set the `properties.minimalTlsVersion` to `1.2`.

For example:

```json
{
"type": "Microsoft.Sql/servers",
"apiVersion": "2023-08-01-preview",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"properties": {
"publicNetworkAccess": "Disabled",
"minimalTlsVersion": "1.2",
"administrators": {
"azureADOnlyAuthentication": true,
"administratorType": "ActiveDirectory",
"login": "[parameters('adminLogin')]",
"principalType": "Group",
"sid": "[parameters('adminPrincipalId')]",
"tenantId": "[tenant().tenantId]"
}
}
}
```

### Configure with Bicep

To deploy logical SQL Servers that pass this rule:

- Set the `properties.minimalTlsVersion` to `1.2`.
- Set the `properties.minimalTlsVersion` property to `1.2` or `1.3`.

For example:

```bicep
resource server 'Microsoft.Sql/servers@2023-08-01-preview' = {
resource server 'Microsoft.Sql/servers@2024-05-01-preview' = {
name: name
location: location
identity: {
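Review bot: the bullet now says to set `properties.minimalTlsVersion` to `1.2` or `1.3`, but the Bicep example (and the template re-added in the next hunk) still sets `1.2` only; if 1.3 is meant as the stricter option, either show it or add a sentence on when to prefer it. Also confirm that `1.3` is an accepted value for `minimalTlsVersion` at `Microsoft.Sql/servers@2024-05-01-preview` (the page shows the API version bump but not the schema), otherwise the doc recommends a value the deployment will reject.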
@@ -91,6 +62,35 @@ resource server 'Microsoft.Sql/servers@2023-08-01-preview' = {

<!-- external:avm avm/res/sql/server minimalTlsVersion -->

### Configure with Azure template

To deploy logical SQL Servers that pass this rule:

- Set the `properties.minimalTlsVersion` property to `1.2` or `1.3`.

For example:

```json
{
"type": "Microsoft.Sql/servers",
"apiVersion": "2024-05-01-preview",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"properties": {
"publicNetworkAccess": "Disabled",
"minimalTlsVersion": "1.2",
"administrators": {
"azureADOnlyAuthentication": true,
"administratorType": "ActiveDirectory",
"login": "[parameters('adminLogin')]",
"principalType": "Group",
"sid": "[parameters('adminPrincipalId')]",
"tenantId": "[tenant().tenantId]"
}
}
}
```

### Configure with Azure Policy

To address this issue at runtime use the following policies:
@@ -102,7 +102,7 @@ To address this issue at runtime use the following policies:

- [SE:07 Encryption](https://learn.microsoft.com/azure/well-architected/security/encryption#data-in-transit)
- [DP-3: Encrypt sensitive data in transit](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-sql-security-baseline#dp-3-encrypt-sensitive-data-in-transit)
- [Minimal TLS Version](https://learn.microsoft.com/azure/azure-sql/database/connectivity-settings#minimal-tls-version)
- [Minimal TLS Version](https://learn.microsoft.com/azure/azure-sql/database/connectivity-settings#minimum-tls-version)
- [TLS encryption in Azure](https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#tls-encryption-in-azure)
- [Preparing for TLS 1.2 in Microsoft Azure](https://azure.microsoft.com/updates/azuretls12/)
- [Preparing for TLS 1.2 in Microsoft Azure](https://azure.microsoft.com/updates?id=azuretls12)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers)
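Review bot: this hunk only repoints two URLs (`#minimal-tls-version` to `#minimum-tls-version`, and the `azuretls12` update page), which is fine, but now that the doc states TLS 1.3 is accepted and configurable, the LINKS list has no reference covering 1.3 on Azure SQL; the "Preparing for TLS 1.2" entry does not support that claim. Add the Learn section that documents 1.3 support alongside the "Minimal TLS Version" link, or the 1.3 statements earlier in the doc stand unreferenced.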
35 changes: 35 additions & 0 deletions docs/examples/resources/nic.bicep
@@ -0,0 +1,35 @@
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.

// Bicep documentation examples

@sys.description('The name of the resource.')
param name string

@sys.description('The location resources will be deployed.')
param location string = resourceGroup().location

@sys.description('The subnet ID for the NIC.')
param subnetId string

// An example network interface card.
resource nic 'Microsoft.Network/networkInterfaces@2024-05-01' = {
name: name
location: location
properties: {
dnsSettings: {
dnsServers: []
}
ipConfigurations: [
{
name: 'ipconfig1'
properties: {
privateIPAllocationMethod: 'Dynamic'
subnet: {
id: subnetId
}
}
}
]
}
}
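Review bot: style only: `@sys.description('The location resources will be deployed.')` is missing its preposition ("The location resources will be deployed to."); the same text is compiled into the `metadata.description` of nic.json below, so fix it here and regenerate. Using `dnsServers: []` rather than omitting `dnsSettings` is the better choice for an example file, since it shows the property the rule inspects explicitly.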
56 changes: 56 additions & 0 deletions docs/examples/resources/nic.json
@@ -0,0 +1,56 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.33.93.31351",
"templateHash": "13688522478259295419"
}
},
"parameters": {
"name": {
"type": "string",
"metadata": {
"description": "The name of the resource."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The location resources will be deployed."
}
},
"subnetId": {
"type": "string",
"metadata": {
"description": "The subnet ID for the NIC."
}
}
},
"resources": [
{
"type": "Microsoft.Network/networkInterfaces",
"apiVersion": "2024-05-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"properties": {
"dnsSettings": {
"dnsServers": []
},
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"privateIPAllocationMethod": "Dynamic",
"subnet": {
"id": "[parameters('subnetId')]"
}
}
}
]
}
}
]
}
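Review bot: this file carries bicep `_generator` metadata (`version` and `templateHash`), so it is a compiled artifact of nic.bicep rather than a hand-written template; any later edit to the .bicep without recompiling leaves the hash and the content stale. Confirm it is produced by the same build step as the other docs/examples JSON files rather than edited by hand, otherwise the two copies of the example will drift (the description typo noted on the .bicep file will be the first divergence).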
6 changes: 3 additions & 3 deletions src/PSRule.Rules.Azure/rules/Azure.NIC.Rule.yaml
@@ -44,9 +44,9 @@ metadata:
alias:
- Azure.VM.UniqueDns
tags:
release: 'GA'
ruleSet: '2020_06'
Azure.WAF/pillar: Operational Excellence
release: GA
ruleSet: 2020_06
Azure.WAF/pillar: Reliability
spec:
type:
- Microsoft.Network/networkInterfaces
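Review bot: dropping the quotes on `ruleSet: '2020_06'` changes how a YAML 1.1 parser can read the value: `2020_06` matches the YAML 1.1 integer form (underscores are permitted in integer literals), so it may be loaded as the integer 202006 instead of the string "2020_06". Unless the loader binds this tag to a string-typed property, keep the quotes on `ruleSet`; removing them from `GA` and `Reliability` is harmless. The pillar change itself is consistent with the front matter hunk in Azure.NIC.UniqueDns.md.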
