feat: Updated Azure.AppGwWAF.RuleGroups to use the rule sets (Azure#2630)

BenjaminEngeset · web-flow · commit 1be5441ad6ed · 2024-01-06T00:38:19.000+10:00
* feat: Changed Azure.AppGwWAF.RuleGroups to the latest bot manager rule set

* feat: Updated  Azure.AppGwWAF.RuleGroups

* feat: Updated number of rules
diff --git a/docs/CHANGELOG-v1.md b/docs/CHANGELOG-v1.md
@@ -46,6 +46,11 @@ What's changed since v1.32.1:
     - Added option for excluding subnets to `Azure.VNET.UseNSGs` by @BernieWhite.
       [#2572](https://github.com/Azure/PSRule.Rules.Azure/issues/2572)
       - To add a subnet exclusion, set the `AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG` option.
+  - Azure Web Application Firewall (WAF):
+    - Updated `Azure.AppGwWAF.RuleGroups` to use the rule sets by @BenjaminEngeset.
+      [#2404](https://github.com/Azure/PSRule.Rules.Azure/issues/2404)
+      - The latest Bot Manager rule set is now `1.0`.
+      - The latest OWASP rule set is now `3.2`.
 - General improvements:
   - Quality updates to rules and documentation by @BernieWhite.
     [#1772](https://github.com/Azure/PSRule.Rules.Azure/issues/1772)
diff --git a/docs/en/rules/Azure.AppGwWAF.RuleGroups.md b/docs/en/rules/Azure.AppGwWAF.RuleGroups.md
@@ -1,5 +1,5 @@
 ---
-reviewed: 2022-09-20
+reviewed: 2024-01-04
 severity: Critical
 pillar: Security
 category: Network security and containment
@@ -29,7 +29,7 @@ Consider configuring Application Gateway WAF policy to use the recommended rule
 ## LINKS
 
 - [Best practices for endpoint security on Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-network-endpoints)
-- [Securing PaaS deployments](https://docs.microsoft.com/azure/security/fundamentals/paas-deployments#install-a-web-application-firewall)
-- [Web Application Firewall CRS rule groups and rules](https://docs.microsoft.com/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules)
-- [Bot protection overview](https://docs.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-configure-bot-protection)
-- [Web Application Firewall best practices](https://docs.microsoft.com/azure/web-application-firewall/ag/best-practices)
+- [Securing PaaS deployments](https://learn.microsoft.com/azure/security/fundamentals/paas-deployments#install-a-web-application-firewall)
+- [Web Application Firewall CRS rule groups and rules](https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules)
+- [Bot protection overview](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-configure-bot-protection)
+- [Web Application Firewall best practices](https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices)
diff --git a/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml
@@ -80,24 +80,23 @@ metadata:
   ref: AZR-000304
   tags:
     release: GA
-    ruleSet: 2022_09
+    ruleSet: 2024_03
     Azure.WAF/pillar: Security
 spec:
   type:
   - Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies
   condition:
     allOf:
-    # WAF policy has at least two rule groups. OWASP 3.1 is the minimum. Microsoft_BotManagerRuleSet 0.1 is the minimum.
+    # WAF policy has at least two rule groups. OWASP 3.2 is the minimum. Microsoft_BotManagerRuleSet 1.0 is the minimum.
     - field: Properties.managedRules.managedRuleSets
       greaterOrEquals: 2
     - field: Properties.managedRules.managedRuleSets[0].ruleSetType
       equals: OWASP 
     - field: Properties.managedRules.managedRuleSets[0].ruleSetVersion
-      version: '^3.1'
+      version: '>=3.2'
     - field: Properties.managedRules.managedRuleSets[1].ruleSetType
       equals: Microsoft_BotManagerRuleSet
     - field: Properties.managedRules.managedRuleSets[1].ruleSetVersion
-      version: '^0.1'
-
+      version: '>=1.0'
 
 #endregion Rules
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.AppGwWAF.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.AppGwWAF.Tests.ps1
@@ -87,15 +87,13 @@ Describe 'Azure.AppGWWAF' -Tag 'Network', 'AppGwWAF' {
 
             # Fail
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
-            $ruleResult | Should -Not -BeNullOrEmpty;
-            $ruleResult.Length | Should -Be 1;
-            $ruleResult.TargetName | Should -Be 'appgwwaf-C';
+            $ruleResult.Length | Should -Be 2;
+            $ruleResult.TargetName | Should -Be 'appgwwaf-A', 'appgwwaf-B';
 
             # Pass
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
-            $ruleResult | Should -Not -BeNullOrEmpty;
-            $ruleResult.Length | Should -Be 2;
-            $ruleResult.TargetName | Should -Be 'appgwwaf-A', 'appgwwaf-B';
+            $ruleResult.Length | Should -Be 1;
+            $ruleResult.TargetName | Should -Be 'appgwwaf-C';
         }
     }
 }
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.Baseline.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.Baseline.Tests.ps1
@@ -150,7 +150,7 @@ Describe 'Baselines' -Tag Baseline {
             $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.GA_2022_09' -WarningAction Ignore);
             $filteredResult = @($result | Where-Object { $_.Tag.release -in 'GA'});
             $filteredResult | Should -Not -BeNullOrEmpty;
-            $filteredResult.Length | Should -Be 303;
+            $filteredResult.Length | Should -Be 302;
         }
 
         It 'With Azure.Preview_2022_09' {
@@ -164,7 +164,7 @@ Describe 'Baselines' -Tag Baseline {
             $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.GA_2022_12' -WarningAction Ignore);
             $filteredResult = @($result | Where-Object { $_.Tag.release -in 'GA'});
             $filteredResult | Should -Not -BeNullOrEmpty;
-            $filteredResult.Length | Should -Be 341;
+            $filteredResult.Length | Should -Be 340;
         }
 
         It 'With Azure.Preview_2022_12' {
@@ -178,7 +178,7 @@ Describe 'Baselines' -Tag Baseline {
             $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.GA_2023_03' -WarningAction Ignore);
             $filteredResult = @($result | Where-Object { $_.Tag.release -in 'GA'});
             $filteredResult | Should -Not -BeNullOrEmpty;
-            $filteredResult.Length | Should -Be 361;
+            $filteredResult.Length | Should -Be 360;
         }
 
         It 'With Azure.Preview_2023_03' {
@@ -192,7 +192,7 @@ Describe 'Baselines' -Tag Baseline {
             $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.GA_2023_06' -WarningAction Ignore);
             $filteredResult = @($result | Where-Object { $_.Tag.release -in 'GA'});
             $filteredResult | Should -Not -BeNullOrEmpty;
-            $filteredResult.Length | Should -Be 376;
+            $filteredResult.Length | Should -Be 375;
         }
 
         It 'With Azure.Preview_2023_06' {
@@ -206,7 +206,7 @@ Describe 'Baselines' -Tag Baseline {
             $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.GA_2023_09' -WarningAction Ignore);
             $filteredResult = @($result | Where-Object { $_.Tag.release -in 'GA'});
             $filteredResult | Should -Not -BeNullOrEmpty;
-            $filteredResult.Length | Should -Be 387;
+            $filteredResult.Length | Should -Be 386;
         }
 
         It 'With Azure.Preview_2023_09' {
@@ -220,7 +220,7 @@ Describe 'Baselines' -Tag Baseline {
             $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.GA_2023_12' -WarningAction Ignore);
             $filteredResult = @($result | Where-Object { $_.Tag.release -in 'GA'});
             $filteredResult | Should -Not -BeNullOrEmpty;
-            $filteredResult.Length | Should -Be 396;
+            $filteredResult.Length | Should -Be 395;
         }
 
         It 'With Azure.Preview_2023_12' {
diff --git a/tests/PSRule.Rules.Azure.Tests/Resources.AppGwWAF.json b/tests/PSRule.Rules.Azure.Tests/Resources.AppGwWAF.json
@@ -55,12 +55,12 @@
         "managedRuleSets": [
           {
             "ruleSetType": "OWASP",
-            "ruleSetVersion": "3.2",
+            "ruleSetVersion": "3.1",
             "ruleGroupOverrides": []
           },
           {
             "ruleSetType": "Microsoft_BotManagerRuleSet",
-            "ruleSetVersion": "0.1",
+            "ruleSetVersion": "1.0",
             "ruleGroupOverrides": []
           }
         ]
@@ -91,12 +91,12 @@
         "managedRuleSets": [
           {
             "ruleSetType": "OWASP",
-            "ruleSetVersion": "3.0",
+            "ruleSetVersion": "3.2",
             "ruleGroupOverrides": []
           },
           {
             "ruleSetType": "Microsoft_BotManagerRuleSet",
-            "ruleSetVersion": "0.1",
+            "ruleSetVersion": "1.0",
             "ruleGroupOverrides": []
           }
         ],

Original file line number	Diff line number	Diff line change
`@@ -87,15 +87,13 @@ Describe 'Azure.AppGWWAF' -Tag 'Network', 'AppGwWAF' {`
`87`	`87`
`88`	`88`	`# Fail`
`89`	`89`	`$ruleResult = @($filteredResult \| Where-Object { $_.Outcome -eq 'Fail' });`
`90`		`- $ruleResult \| Should -Not -BeNullOrEmpty;`
`91`		`- $ruleResult.Length \| Should -Be 1;`
`92`		`- $ruleResult.TargetName \| Should -Be 'appgwwaf-C';`
	`90`	`+ $ruleResult.Length \| Should -Be 2;`
	`91`	`+ $ruleResult.TargetName \| Should -Be 'appgwwaf-A', 'appgwwaf-B';`
`93`	`92`
`94`	`93`	`# Pass`
`95`	`94`	`$ruleResult = @($filteredResult \| Where-Object { $_.Outcome -eq 'Pass' });`
`96`		`- $ruleResult \| Should -Not -BeNullOrEmpty;`
`97`		`- $ruleResult.Length \| Should -Be 2;`
`98`		`- $ruleResult.TargetName \| Should -Be 'appgwwaf-A', 'appgwwaf-B';`
	`95`	`+ $ruleResult.Length \| Should -Be 1;`
	`96`	`+ $ruleResult.TargetName \| Should -Be 'appgwwaf-C';`
`99`	`97`	`}`
`100`	`98`	`}`
`101`	`99`	`}`
Original file line number	Diff line number	Diff line change
`@@ -55,12 +55,12 @@`
`55`	`55`	`"managedRuleSets": [`
`56`	`56`	`{`
`57`	`57`	`"ruleSetType": "OWASP",`
`58`		`- "ruleSetVersion": "3.2",`
	`58`	`+ "ruleSetVersion": "3.1",`
`59`	`59`	`"ruleGroupOverrides": []`
`60`	`60`	`},`
`61`	`61`	`{`
`62`	`62`	`"ruleSetType": "Microsoft_BotManagerRuleSet",`
`63`		`- "ruleSetVersion": "0.1",`
	`63`	`+ "ruleSetVersion": "1.0",`
`64`	`64`	`"ruleGroupOverrides": []`
`65`	`65`	`}`
`66`	`66`	`]`
`@@ -91,12 +91,12 @@`
`91`	`91`	`"managedRuleSets": [`
`92`	`92`	`{`
`93`	`93`	`"ruleSetType": "OWASP",`
`94`		`- "ruleSetVersion": "3.0",`
	`94`	`+ "ruleSetVersion": "3.2",`
`95`	`95`	`"ruleGroupOverrides": []`
`96`	`96`	`},`
`97`	`97`	`{`
`98`	`98`	`"ruleSetType": "Microsoft_BotManagerRuleSet",`
`99`		`- "ruleSetVersion": "0.1",`
	`99`	`+ "ruleSetVersion": "1.0",`
`100`	`100`	`"ruleGroupOverrides": []`
`101`	`101`	`}`
`102`	`102`	`],`