Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var CheckEnableDnssec = rules.Register( rules.Rule{ AVDID: "AVD-GCP-0013", Provider: provider.GoogleProvider, Service: "dns", ShortCode: "enable-dnssec", Summary: "Cloud DNS should use DNSSEC", Impact: "Unverified DNS responses could lead to man-in-the-middle attacks", Resolution: "Enable DNSSEC", Explanation: `DNSSEC authenticates DNS responses, preventing MITM attacks and impersonation.`, Links: []string{}, Severity: severity.Medium, }, func(s *state.State) (results rules.Results) { for _, zone := range s.Google.DNS.ManagedZones { if zone.DNSSec.Enabled.IsFalse() { results.Add( "Managed zone does not have DNSSEC enabled.", zone.DNSSec.Enabled, ) } } return }, )
View Source
var CheckNoRsaSha1 = rules.Register( rules.Rule{ AVDID: "AVD-GCP-0012", Provider: provider.GoogleProvider, Service: "dns", ShortCode: "no-rsa-sha1", Summary: "Zone signing should not use RSA SHA1", Impact: "Less secure encryption algorithm than others available", Resolution: "Use RSA SHA512", Explanation: `RSA SHA1 is a weaker algorithm than SHA2-based algorithms such as RSA SHA256/512`, Links: []string{}, Severity: severity.Medium, }, func(s *state.State) (results rules.Results) { for _, zone := range s.Google.DNS.ManagedZones { if zone.DNSSec.DefaultKeySpecs.KeySigningKey.Algorithm.EqualTo("rsasha1") { results.Add( "Zone KSK uses RSA SHA1 for signing.", zone.DNSSec.DefaultKeySpecs.KeySigningKey.Algorithm, ) } if zone.DNSSec.DefaultKeySpecs.ZoneSigningKey.Algorithm.EqualTo("rsasha1") { results.Add( "Zone ZSK uses RSA SHA1 for signing.", zone.DNSSec.DefaultKeySpecs.ZoneSigningKey.Algorithm, ) } } return }, )
Functions ¶
This section is empty.
Types ¶
This section is empty.
Source Files
Click to show internal directories.
Click to hide internal directories.