TITAN AI · CONDUIT Agent

CONDUIT TICKET REPORT

CHG0030003

TICKET

TICKET Azure Critical New

Opened by TITAN AI · CONDUIT · Scanner found the finding, CONDUIT forwarded this ticket via CONDUIT generic-API layer, assigned network_operations, populated every ticket field, The ticket is routed and awaiting team approval — CONDUIT will update it after TITAN FORGE applies the fix.

Finding Summary

Short description: [TITAN] Critical — security on nsg-titan-webtier
Severity: Critical
Priority: 1 - Critical
Resource: nsg-titan-webtier
Resource type: Microsoft.Network/networkSecurityGroups
Cloud: Azure
Subscription / Account: 4f29d094-1079-44c9-acb0-4d73a7a2dd34
Resource group / Project: rg-titan-demo

The Security Finding

NSG rule AllowSSHAll permits SSH (port 22) from 0.0.0.0/0 — Internet-wide privilege escalation path to every VM in the subnet.

ITIL Change Management Fields

Justification

NSG rule AllowSSHAll permits SSH (port 22) from 0.0.0.0/0 — Internet-wide privilege escalation path to every VM in the subnet.

Implementation Plan

1. Pre-change snapshot captured by TITAN (auto-rollback available).
2. Execute fix command:
   az network nsg rule update --name AllowSSHAll --nsg-name nsg-titan-webtier --resource-group rg-titan-demo --source-address-prefixes VirtualNetwork
3. TITAN FORGE verifies the fix was applied.
4. Post-change rescan by TITAN SCOUT — finding must no longer appear.
5. Close ticket with Successful close_code.

Risk & Impact Analysis

Risk level: HIGH business risk — active exposure; fix required immediately.
Business impact if unremediated: Potential data exfil, privilege escalation, or compliance breach.
Scope: single resource (nsg-titan-webtier).
Blast radius: change is idempotent; pre-change snapshot captured by TITAN; auto-rollback available if rescan fails.
Finding detail: NSG rule AllowSSHAll permits SSH (port 22) from 0.0.0.0/0 — Internet-wide privilege escalation path to every VM in the subnet.

Backout / Rollback Plan

1. TITAN auto-captured snapshot of nsg-titan-webtier before change (baseline: titan-live-demo-20260421T213642Z).
2. If post-change rescan still shows the finding OR a new issue appears within 15 min:
   a. TITAN FORGE fires rollback automatically using stored snapshot.
   b. Incident reopens and escalates to on-call.
3. Manual rollback command path (human override) is documented in close notes.

Test Plan

1. TITAN SCOUT rescans nsg-titan-webtier immediately after FORGE applies the change.
2. PASS criteria: the specific finding no longer appears in SCOUT results.
3. PASS criteria: no new CRITICAL or HIGH findings introduced by the change.
4. Automated compliance check: HIPAA/PCI/SOC2 controls re-evaluated.
5. If any check fails, backout plan fires automatically.

Recommended Fix

az network nsg rule update --name AllowSSHAll --nsg-name nsg-titan-webtier --resource-group rg-titan-demo --source-address-prefixes VirtualNetwork

Compliance Mapping

CIS 1.x IAMNIST AC-2SOC 2 CC6.1CIS Azure 6.2

Routing Metadata

Assignment group: network_operations
Change type: Normal
Approval required: Yes
Planned start: —
Planned end: —
Scan ID: titan-live-demo-20260421T213642Z
Generated at: 2026-04-21T21:36:42.881752+00:00
Opened: 2026-04-21 14:36:43
Closed: 2026-04-21 14:36:43
Close code: —

Attached Security Ticket

SERVICENOW · TICKET

SEC-8011 · [TITAN] Critical — security on nsg-titan-webtier

Priority: Critical TICKET Azure

Ticket Description

NSG rule AllowSSHAll permits SSH (port 22) from 0.0.0.0/0 — Internet-wide privilege escalation path to every VM in the subnet.

Recommended Fix: az network nsg rule update --name AllowSSHAll --nsg-name nsg-titan-webtier --resource-group rg-titan-demo --source-address-prefixes VirtualNetwork

AI Close Notes

(awaiting close)