
Commit 1be5441

feat: Updated Azure.AppGwWAF.RuleGroups to use the rule sets (Azure#2630)
* feat: Changed Azure.AppGwWAF.RuleGroups to the latest bot manager rule set * feat: Updated Azure.AppGwWAF.RuleGroups * feat: Updated number of rules
1 parent cd25f0a commit 1be5441


6 files changed

+28
-26
lines changed


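--- a/docs/CHANGELOG-v1.md
+++ b/docs/CHANGELOG-v1.md
@@ -46,6 +46,11 @@ What's changed since v1.32.1:
 - Added option for excluding subnets to `Azure.VNET.UseNSGs` by @BernieWhite.
 [#2572](https://github.com/Azure/PSRule.Rules.Azure/issues/2572)
 - To add a subnet exclusion, set the `AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG` option.
+- Azure Web Application Firewall (WAF):
+- Updated `Azure.AppGwWAF.RuleGroups` to use the rule sets by @BenjaminEngeset.
+[#2404](https://github.com/Azure/PSRule.Rules.Azure/issues/2404)
+- The latest Bot Manager rule set is now `1.0`.
+- The latest OWASP rule set is now `3.2`.
 - General improvements:
 - Quality updates to rules and documentation by @BernieWhite.
 [#1772](https://github.com/Azure/PSRule.Rules.Azure/issues/1772)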

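--- a/docs/en/rules/Azure.AppGwWAF.RuleGroups.md
+++ b/docs/en/rules/Azure.AppGwWAF.RuleGroups.md
@@ -1,5 +1,5 @@
 ---
-reviewed: 2022-09-20
+reviewed: 2024-01-04
 severity: Critical
 pillar: Security
 category: Network security and containment
@@ -29,7 +29,7 @@ Consider configuring Application Gateway WAF policy to use the recommended rule
 ## LINKS
 
 - [Best practices for endpoint security on Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-network-endpoints)
-- [Securing PaaS deployments](https://docs.microsoft.com/azure/security/fundamentals/paas-deployments#install-a-web-application-firewall)
-- [Web Application Firewall CRS rule groups and rules](https://docs.microsoft.com/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules)
-- [Bot protection overview](https://docs.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-configure-bot-protection)
-- [Web Application Firewall best practices](https://docs.microsoft.com/azure/web-application-firewall/ag/best-practices)
+- [Securing PaaS deployments](https://learn.microsoft.com/azure/security/fundamentals/paas-deployments#install-a-web-application-firewall)
+- [Web Application Firewall CRS rule groups and rules](https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules)
+- [Bot protection overview](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-configure-bot-protection)
+- [Web Application Firewall best practices](https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices)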

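--- a/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml
+++ b/src/PSRule.Rules.Azure/rules/Azure.AppGwWAF.Rule.yaml
@@ -80,24 +80,23 @@ metadata:
 ref: AZR-000304
 tags:
 release: GA
-ruleSet: 2022_09
+ruleSet: 2024_03
 Azure.WAF/pillar: Security
 spec:
 type:
 - Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies
 condition:
 allOf:
-# WAF policy has at least two rule groups. OWASP 3.1 is the minimum. Microsoft_BotManagerRuleSet 0.1 is the minimum.
+# WAF policy has at least two rule groups. OWASP 3.2 is the minimum. Microsoft_BotManagerRuleSet 1.0 is the minimum.
 - field: Properties.managedRules.managedRuleSets
 greaterOrEquals: 2
 - field: Properties.managedRules.managedRuleSets[0].ruleSetType
 equals: OWASP
 - field: Properties.managedRules.managedRuleSets[0].ruleSetVersion
-version: '^3.1'
+version: '>=3.2'
 - field: Properties.managedRules.managedRuleSets[1].ruleSetType
 equals: Microsoft_BotManagerRuleSet
 - field: Properties.managedRules.managedRuleSets[1].ruleSetVersion
-version: '^0.1'
-
+version: '>=1.0'
 
 #endregion Rules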
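Review bot: Retagging the rule to `ruleSet: 2024_03` appears to drop it from every earlier baseline, since the baseline test counts in this commit each fall by one for `Azure.GA_2022_09` through `Azure.GA_2023_12`. Anyone pinned to one of those baselines would then stop getting this Critical WAF check altogether rather than keeping the old minimum. The changelog entry does not say so; I would add a line such as `- The rule now belongs to the 2024_03 rule set and is no longer included in earlier baselines.` Separately, the updated comment still says "rule groups" while the conditions test `managedRuleSets` at fixed positions `[0]` and `[1]`; `# WAF policy has at least two managed rule sets: OWASP >= 3.2 first, then Microsoft_BotManagerRuleSet >= 1.0.` would describe what is actually evaluated.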

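--- a/tests/PSRule.Rules.Azure.Tests/Azure.AppGwWAF.Tests.ps1
+++ b/tests/PSRule.Rules.Azure.Tests/Azure.AppGwWAF.Tests.ps1
@@ -87,15 +87,13 @@ Describe 'Azure.AppGWWAF' -Tag 'Network', 'AppGwWAF' {
 
 # Fail
 $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
-$ruleResult | Should -Not -BeNullOrEmpty;
-$ruleResult.Length | Should -Be 1;
-$ruleResult.TargetName | Should -Be 'appgwwaf-C';
+$ruleResult.Length | Should -Be 2;
+$ruleResult.TargetName | Should -Be 'appgwwaf-A', 'appgwwaf-B';
 
 # Pass
 $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
-$ruleResult | Should -Not -BeNullOrEmpty;
-$ruleResult.Length | Should -Be 2;
-$ruleResult.TargetName | Should -Be 'appgwwaf-A', 'appgwwaf-B';
+$ruleResult.Length | Should -Be 1;
+$ruleResult.TargetName | Should -Be 'appgwwaf-C';
 }
 }
 }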
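Review bot: The Fail branch pins only target names, so it cannot show which condition rejected `appgwwaf-A` and `appgwwaf-B`. The one failing fixture visible in this commit pairs OWASP `3.1` with Bot Manager `1.0`, which exercises the OWASP bound only. If no fixture pairs OWASP `3.2` with a Bot Manager version below `1.0`, the new `>=1.0` condition has no negative test, and a regression there would let weaker bot protection pass. Consider adding such a fixture and asserting the failure reason per target, starting from something like `$ruleResult[0].Reason | Should -Not -BeNullOrEmpty;` and tightening it to the expected text. The enclosing `It` block starts outside the hunk.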

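--- a/tests/PSRule.Rules.Azure.Tests/Azure.Baseline.Tests.ps1
+++ b/tests/PSRule.Rules.Azure.Tests/Azure.Baseline.Tests.ps1
@@ -150,7 +150,7 @@ Describe 'Baselines' -Tag Baseline {
 $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.GA_2022_09' -WarningAction Ignore);
 $filteredResult = @($result | Where-Object { $_.Tag.release -in 'GA'});
 $filteredResult | Should -Not -BeNullOrEmpty;
-$filteredResult.Length | Should -Be 303;
+$filteredResult.Length | Should -Be 302;
 }
 
 It 'With Azure.Preview_2022_09' {
@@ -164,7 +164,7 @@ Describe 'Baselines' -Tag Baseline {
 $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.GA_2022_12' -WarningAction Ignore);
 $filteredResult = @($result | Where-Object { $_.Tag.release -in 'GA'});
 $filteredResult | Should -Not -BeNullOrEmpty;
-$filteredResult.Length | Should -Be 341;
+$filteredResult.Length | Should -Be 340;
 }
 
 It 'With Azure.Preview_2022_12' {
@@ -178,7 +178,7 @@ Describe 'Baselines' -Tag Baseline {
 $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.GA_2023_03' -WarningAction Ignore);
 $filteredResult = @($result | Where-Object { $_.Tag.release -in 'GA'});
 $filteredResult | Should -Not -BeNullOrEmpty;
-$filteredResult.Length | Should -Be 361;
+$filteredResult.Length | Should -Be 360;
 }
 
 It 'With Azure.Preview_2023_03' {
@@ -192,7 +192,7 @@ Describe 'Baselines' -Tag Baseline {
 $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.GA_2023_06' -WarningAction Ignore);
 $filteredResult = @($result | Where-Object { $_.Tag.release -in 'GA'});
 $filteredResult | Should -Not -BeNullOrEmpty;
-$filteredResult.Length | Should -Be 376;
+$filteredResult.Length | Should -Be 375;
 }
 
 It 'With Azure.Preview_2023_06' {
@@ -206,7 +206,7 @@ Describe 'Baselines' -Tag Baseline {
 $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.GA_2023_09' -WarningAction Ignore);
 $filteredResult = @($result | Where-Object { $_.Tag.release -in 'GA'});
 $filteredResult | Should -Not -BeNullOrEmpty;
-$filteredResult.Length | Should -Be 387;
+$filteredResult.Length | Should -Be 386;
 }
 
 It 'With Azure.Preview_2023_09' {
@@ -220,7 +220,7 @@ Describe 'Baselines' -Tag Baseline {
 $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.GA_2023_12' -WarningAction Ignore);
 $filteredResult = @($result | Where-Object { $_.Tag.release -in 'GA'});
 $filteredResult | Should -Not -BeNullOrEmpty;
-$filteredResult.Length | Should -Be 396;
+$filteredResult.Length | Should -Be 395;
 }
 
 It 'With Azure.Preview_2023_12' {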

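--- a/tests/PSRule.Rules.Azure.Tests/Resources.AppGwWAF.json
+++ b/tests/PSRule.Rules.Azure.Tests/Resources.AppGwWAF.json
@@ -55,12 +55,12 @@
 "managedRuleSets": [
 {
 "ruleSetType": "OWASP",
-"ruleSetVersion": "3.2",
+"ruleSetVersion": "3.1",
 "ruleGroupOverrides": []
 },
 {
 "ruleSetType": "Microsoft_BotManagerRuleSet",
-"ruleSetVersion": "0.1",
+"ruleSetVersion": "1.0",
 "ruleGroupOverrides": []
 }
 ]
@@ -91,12 +91,12 @@
 "managedRuleSets": [
 {
 "ruleSetType": "OWASP",
-"ruleSetVersion": "3.0",
+"ruleSetVersion": "3.2",
 "ruleGroupOverrides": []
 },
 {
 "ruleSetType": "Microsoft_BotManagerRuleSet",
-"ruleSetVersion": "0.1",
+"ruleSetVersion": "1.0",
 "ruleGroupOverrides": []
 }
 ],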
