Control: Front Door firewall policy should restricts message lookup in Log4j2
Description
This control checks that Front Door firewall policy restricts message lookup in Log4j2 due to the CVE-2021-44228 vulnerability, also known as log4jshell.
Usage
Run the control in your terminal:
powerpipe control run terraform_azure_compliance.control.frontdoor_firewall_policy_restrict_message_lookup_log4j2Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run terraform_azure_compliance.control.frontdoor_firewall_policy_restrict_message_lookup_log4j2 --shareSQL
This control uses a named query:
with managed_rule as ( select name from terraform_resource, jsonb_array_elements ( case jsonb_typeof(attributes_std -> 'managed_rule') when 'array' then (attributes_std -> 'managed_rule') when 'object' then jsonb_build_array(attributes_std -> 'managed_rule') else null end ) r, jsonb_array_elements( case jsonb_typeof(r -> 'override') when 'array' then (r -> 'override') when 'object' then jsonb_build_array(r -> 'override') else null end ) as o where type = 'azurerm_frontdoor_firewall_policy' and r ->> 'type' in ('DefaultRuleSet', 'Microsoft_DefaultRuleSet') and o ->> 'rule_group_name' = 'JAVA' and o -> 'rule' ->> 'rule_id' = '944240' and ( o -> 'rule' ->> 'enabled' <> 'true' or o -> 'rule' -> 'enabled' is null or not ( (o -> 'rule' ->> 'action') in ('Block', 'Redirect')) ))select address as resource, case when (attributes_std -> 'managed_rule') is null then 'alarm' when m.name is not null then 'alarm' else 'ok' end status, split_part(address, '.', 2) || case when (attributes_std -> 'managed_rule') is null then ' managed rule not defined' when m.name is not null then ' does not restrict message lookup in Log4j2' else ' restrict message lookup in Log4j2' end || '.' reason , path || ':' || start_linefrom terraform_resource as r left join managed_rule as m on r.name = m.namewhere type = 'azurerm_frontdoor_firewall_policy';