계: Security Features

소프트웨어 보안은 보안 소프트웨어가 아닙니다. 여기서는 인증, 액세스 제어, 기밀성, 암호화, 권한 관리 등의 항목에 대해 설명합니다.

312 개 항목 찾음

취약점

Axis 2 Misconfiguration: Insecure Transport Sender

Java/JSP

Abstract

이 구성은 민감한 정보에 대한 액세스에 SSL을 요구해야 합니다.

Explanation

응용 프로그램이 민감한 정보를 다루는데 메시지 수준 암호화를 사용하지 않는 경우, 암호화된 전송 채널을 통해서만 통신이 허용되어야 합니다. <transportSender> 태그는 http를 지정해서는 안 됩니다. 이 URL과의 통신이 암호화되지 않기 때문입니다.

References

[1] HTTP Transport Apache Software Foundation

[2] Axis2 Configuration Guide Apache Software Foundation

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[7] Standards Mapping - CIS Kubernetes Benchmark complete

[8] Standards Mapping - Common Weakness Enumeration CWE ID 311

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123

[10] Standards Mapping - FIPS200 CM, SC

[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[14] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[15] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[16] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection

[17] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[20] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)

[22] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection

[23] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications

[35] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 319

[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311

[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311

[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)

[60] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication

desc.config.java.axis2_misconfiguration_insecure_transport_sender

Azure Ansible Misconfiguration: Improper Blob Storage Access Control

YAML

Abstract

이 Ansible 작업은 익명 액세스를 허용하는 Azure Blob Storage 컨테이너를 정의합니다.

Explanation

기본적으로 Azure Blob Storage 컨테이너는 해당하는 Blob에 대한 익명 액세스를 차단합니다.

충분하지 않은 액세스 구성은 시스템을 노출시키고 조직의 공격 표면을 확장합니다. 공개 액세스를 허용하는 리소스는 민감한 데이터를 의도치 않게 유출할 수 있습니다.

예제 1: 다음 예제 Ansible public_access 매개 변수를 container로 설정하여 Azure Blob Storage 컨테이너를 정의합니다. 이렇게 하면 컨테이너의 모든 blob 및 데이터에 익명으로 액세스할 수 있습니다.


- name: Create container test
  azure_rm_storageblob:
    resource_group: testGroup
    storage_account_name: sa001
    container: testContainer
    ...
    public_access: container
    ...

References

[1] Ansible Documentation azure.azcollection.azure_rm_storageblob – Manage blob containers and blob objects

[2] Microsoft Secure your Azure Storage account

[3] Microsoft Prevent anonymous public read access to containers and blobs - Remediate anonymous public access

[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2

[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2

[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[8] Standards Mapping - CIS Kubernetes Benchmark complete

[9] Standards Mapping - Common Weakness Enumeration CWE ID 284, CWE ID 359

[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200

[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200

[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200

[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475

[14] Standards Mapping - FIPS200 CM

[15] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)

[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest

[18] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage

[19] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[20] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration, A7 Insecure Cryptographic Storage, A8 Failure to Restrict URL Access

[21] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure

[22] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[23] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[24] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[25] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.2 Access Control Architectural Requirements (L2 L3), 1.4.4 Access Control Architectural Requirements (L2 L3)

[26] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.4

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.6, Requirement 8.4

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.4

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1

[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1

[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.3.1, Requirement 3.5.1, Requirement 4.2.2, Requirement 6.2.4, Requirement 8.3.1

[35] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection

[36] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection

[37] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection

[38] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863

[39] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863

[40] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II

[59] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II

[60] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001520 CAT II

[61] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

[62] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.structural.yaml.azure_ansible_misconfiguration_improper_blob_storage_access_control.base

Azure Ansible Misconfiguration: Improper Security Group Network Access Control

YAML

Abstract

이 Ansible 작업은 관리 서비스에 대한 액세스를 허용하는 네트워크 보안 그룹을 정의합니다.

Explanation

지나치게 광범위한 구성은 시스템을 노출시키고 조직의 공격 표면을 확장합니다. 공개 상호 작용이 가능한 서비스는 공격자의 거의 지속적인 검색 및 조사에 노출됩니다.

이는 노출된 서비스에 대한 제로데이 익스플로이트가 검색되어 게시되는 경우(예: Heartbleed) 특히 문제가 됩니다. 공격자는 패치되지 않고 노출된 시스템을 적극적으로 추적하고 검색하여 악용할 수 있습니다.

예제 1: 다음 예제 Ansible 작업은 RDP 서비스 포트(3389)를 포함한 포트 범위에 대한 무제한 인바운드 트래픽을 허용합니다.


- name: testFWRule
azure_rm_securitygroup:
    resource_group: testRG
    name: test
    rules:
    - name: rule001
        priority: 100
        direction: Inbound
        access: Allow
        protocol: "*"
        source_port_range: "*"
        destination_port_range: "3388-3398"
        source_address_prefix: "*"
        destination_address_prefix: "*"
    - name: rule002
        priority: 100
        direction: Inbound
        access: Allow
        protocol: "*"
        source_port_range: "*"
        destination_port_range: 22
        source_address_prefix: "*"
        destination_address_prefix: "*"

References

[1] Ansible Documentation azure.azcollection.azure_rm_securitygroup – Manage Azure network security groups

[2] Microsoft Network security groups

[3] David Geer Securing risky network ports

[4] Josh Fruhlinger CSO: What is the Heartbleed bug, how does it work and how was it fixed?

[5] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2

[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2

[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[9] Standards Mapping - Common Weakness Enumeration CWE ID 749

[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862

[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862

[12] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862

[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165

[14] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)

[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege

[17] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[18] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[19] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[20] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[21] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[22] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[36] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[37] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863

[38] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863

[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001520 CAT II

[60] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[61] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.yaml.azure_ansible_misconfiguration_improper_security_group_network_access_control.base

Azure Ansible Misconfiguration: Improper Storage Account Network Access Control

YAML

Abstract

이 Ansible 작업은 네트워크 액세스가 제한되지 않은 Azure 스토리지 계정을 정의합니다.

Explanation

기본적으로 Ansible에서 만든 Azure 스토리지 계정은 모든 네트워크에서 클라이언트의 연결을 수락합니다.

느슨한 액세스 구성은 시스템을 불필요하게 노출시키고 조직의 공격 표면을 확장합니다. 공개 상호 작용이 가능한 서비스는 악의적인 엔터티의 거의 지속적인 검색 및 조사에 노출됩니다.

예제 1: 다음 예제 Ansible 작업은 Azure 스토리지 계정에 대한 네트워크 액세스를 제한하지 못합니다.


- name: storage with network acl
azure_rm_storageaccount:
  resource_group: testGroup
  name: sa001
  type: Standard_RAGRS
  network_acls:
    bypass: AzureServices,Metrics
    default_action: Deny
    ip_rules:
      - value: 0.0.0.0/0
        action: Allow

References

[1] Microsoft azure.azcollection.azure_rm_storageaccount – Manage Azure storage accounts

[2] Microsoft Control network access to your storage account

[3] Microsoft Microsoft.Storage storageAccounts

[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2

[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2

[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[8] Standards Mapping - Common Weakness Enumeration CWE ID 749

[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862

[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862

[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165

[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)

[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege

[15] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[16] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[17] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[18] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[19] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[20] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[21] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[34] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[35] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863

[36] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863

[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001520 CAT II

[58] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[59] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.yaml.azure_ansible_misconfiguration_improper_storage_account_network_access_control.base

Azure Ansible Misconfiguration: Insecure MySQL Server Transport

YAML

Abstract

이 Ansible 작업은 Azure MySQL Database에 대한 전송 암호화를 명시적으로 비활성화합니다.

Explanation

기본적으로 Ansible 작업은 Azure MySQL Database 전송 암호화를 활성화하지 않습니다(Azure.Azcollection v1.11.0 이전 버전에 따름).

암호화되지 않은 통신 채널은 도청 및 변조되기 쉽습니다.

전송 보안을 비활성화하면 데이터가 무단 액세스, 도난 및 변조 위험에 노출됩니다.

예제 1: 다음 예제 Ansible 작업은 전송 암호화가 비활성화된 Azure MySQL Database를 정의합니다.


- name: Create MySQL Server
azure.azcollection.azure_rm_mysqlserver:
    resource_group: testGroup
    name: testMySQL
    sku:
    name: B_Gen5_1
    tier: Basic
    location: westeurope
    storage_mb: 8096
    version: 5.6
    enforce_ssl: false
    admin_username: test
    admin_password: complicatedPass

References

[1] Ansible Documentation azure.azcollection.azure_rm_mysqlserver – Manage MySQL Server instance

[2] Microsoft Security in Azure Database for MySQL

[3] Microsoft SSL/TLS connectivity in Azure Database for MySQL

[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4

[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4

[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[8] Standards Mapping - CIS Kubernetes Benchmark partial

[9] Standards Mapping - Common Weakness Enumeration CWE ID 297

[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [25] CWE ID 295

[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287

[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287

[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287

[14] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123

[15] Standards Mapping - FIPS200 CM, SC

[16] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[19] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management

[20] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[21] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection

[22] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure

[23] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[24] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[25] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[27] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4

[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4

[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[36] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[37] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design

[38] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications

[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)

[60] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.structural.yaml.azure_ansible_misconfiguration_insecure_mysql_server_transport.base

Azure Ansible Misconfiguration: Insecure PostgreSQL Server Transport

YAML

Abstract

이 Ansible 작업은 Azure Database for PostgreSQL에 대한 전송 암호화를 명시적으로 비활성화합니다.

Explanation

기본적으로 이 Ansible 작업은 Azure Database for PostgreSQL 전송 암호화를 활성화하지 않습니다(Azure.Azcollection v1.11.0 이전 버전에 따름).

암호화되지 않은 통신 채널은 도청 및 변조되기 쉽습니다.

전송 보안을 비활성화하면 데이터가 무단 액세스, 도난 및 변조 위험에 노출됩니다.

예제 1: 다음 예제 Ansible 작업은 전송 암호화가 비활성화된 Azure Database for PostgreSQL을 정의합니다.


- name: Create Postgres Server
  azure.azcollection.azure_rm_postgresqlserver:
    resource_group: testGroup
    name: testPostgres
    sku:
      name: B_Gen5_1
      tier: Basic
    location: westeurope
    storage_mb: 8096
    version: 5.6
    enforce_ssl: false
    admin_username: test
    admin_password: complicatedPass

References

[1] Ansible Documentation azure.azcollection.azure_rm_postgresqlserver – Manage PostgreSQL Server instance

[2] Microsoft Security in Azure Database for PostgreSQL - Single Server

[3] Microsoft Configure TLS connectivity in Azure Database for PostgreSQL - Single Server