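// CheckEnforceHttps is the DigitalOcean compute rule "enforce-https"
// (AVD-DIG-0002). It walks every load balancer in the adapted state and
// reports each forwarding rule whose entry protocol is plain HTTP.
//
// Only the client-facing entry protocol is inspected; nothing else on the
// forwarding rule is examined. Each finding is reported against the
// offending rule's EntryProtocol attribute.
var CheckEnforceHttps = rules.Register(
	rules.Rule{
		AVDID:      "AVD-DIG-0002",
		Provider:   provider.DigitalOceanProvider,
		Service:    "compute",
		ShortCode:  "enforce-https",
		Summary:    "The load balancer forwarding rule is using an insecure protocol as an entrypoint",
		Impact:     "Your inbound traffic is not protected",
		Resolution: "Switch to HTTPS to benefit from TLS security features",
		Explanation: `Plain HTTP is unencrypted and human-readable. This means that if a malicious actor was to eavesdrop on your connection, they would be able to see all of your data flowing back and forth.

You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.`,
		Links: []string{
			"https://docs.digitalocean.com/products/networking/load-balancers/",
		},
		Severity: severity.Critical,
	},
	// Check function: s is the adapted infrastructure state; the returned
	// results hold one entry per HTTP forwarding rule found.
	func(s *state.State) (results rules.Results) {
		for _, lb := range s.DigitalOcean.Compute.LoadBalancers {
			for _, rule := range lb.ForwardingRules {
				if !rule.EntryProtocol.EqualTo("http") {
					continue
				}
				// Finding message previously read "aforwarding"; fixed to
				// "a forwarding".
				results.Add(
					"Load balancer has a forwarding rule which uses HTTP instead of HTTPS.",
					rule.EntryProtocol,
				)
			}
		}
		return results
	},
)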
// CheckNoPublicEgress is the DigitalOcean compute rule "no-public-egress"
// (AVD-DIG-0003).
//
// NOTE(review): the rule metadata describes DigitalOcean firewall outbound
// rules, but the check function below iterates s.AWS.S3.Buckets and reports
// buckets whose encryption is not enabled, with an empty finding message.
// This looks like a copied placeholder body: as written the rule cannot
// report on DigitalOcean firewalls at all, and any finding it does emit is
// attributed to the wrong rule. Confirm against the intended state model
// before relying on this check.
var CheckNoPublicEgress = rules.Register(
	rules.Rule{
		AVDID:       "AVD-DIG-0003",
		Provider:    provider.DigitalOceanProvider,
		Service:     "compute",
		ShortCode:   "no-public-egress",
		Summary:     "The firewall has an outbound rule with open access",
		Impact:      "The port is exposed for ingress from the internet",
		Resolution:  "Set a more restrictive cidr range",
		Explanation: `Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.`,
		Links: []string{
			"https://docs.digitalocean.com/products/networking/firewalls/how-to/configure-rules/",
		},
		Severity: severity.Critical,
	},
	// Check function: s is the adapted infrastructure state.
	func(s *state.State) rules.Results {
		var results rules.Results
		for _, bucket := range s.AWS.S3.Buckets {
			if !bucket.Encryption.Enabled.IsFalse() {
				continue
			}
			// The finding message is empty in the original implementation.
			results.Add(
				"",
				bucket.Encryption.Enabled,
			)
		}
		return results
	},
)
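// CheckNoPublicIngress is the DigitalOcean compute rule "no-public-ingress"
// (AVD-DIG-0001). The Resolution text previously misspelled "CIDR" as
// "CIRDR"; that user-facing string is corrected here.
//
// NOTE(review): the rule metadata describes DigitalOcean firewall inbound
// rules, but the check function below iterates s.AWS.S3.Buckets and reports
// buckets whose encryption is not enabled, with an empty finding message.
// This looks like a copied placeholder body: as written the rule cannot
// report on DigitalOcean firewalls at all, and any finding it does emit is
// attributed to the wrong rule. Confirm against the intended state model
// before relying on this check.
var CheckNoPublicIngress = rules.Register(
	rules.Rule{
		AVDID:       "AVD-DIG-0001",
		Provider:    provider.DigitalOceanProvider,
		Service:     "compute",
		ShortCode:   "no-public-ingress",
		Summary:     "The firewall has an inbound rule with open access",
		Impact:      "Your port is exposed to the internet",
		Resolution:  "Set a more restrictive CIDR range",
		Explanation: `Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.`,
		Links: []string{
			"https://docs.digitalocean.com/products/networking/firewalls/how-to/configure-rules/",
		},
		Severity: severity.Critical,
	},
	// Check function: s is the adapted infrastructure state.
	func(s *state.State) (results rules.Results) {
		for _, bucket := range s.AWS.S3.Buckets {
			if !bucket.Encryption.Enabled.IsFalse() {
				continue
			}
			// The finding message is empty in the original implementation
			// and is left as-is pending a real firewall-rule body.
			results.Add(
				"",
				bucket.Encryption.Enabled,
			)
		}
		return results
	},
)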
// CheckUseSshKeys is the DigitalOcean droplet rule "use-ssh-keys"
// (AVD-DIG-0004). It reports every droplet in the adapted state that has no
// SSH keys attached, reporting the finding against the droplet itself.
var CheckUseSshKeys = rules.Register(
	rules.Rule{
		AVDID:       "AVD-DIG-0004",
		Provider:    provider.DigitalOceanProvider,
		Service:     "droplet",
		ShortCode:   "use-ssh-keys",
		Summary:     "SSH Keys are the preferred way to connect to your droplet, no keys are supplied",
		Impact:      "Logging in with username and password is easier to compromise",
		Resolution:  "Use ssh keys for login",
		Explanation: `When working with a server, you’ll likely spend most of your time in a terminal session connected to your server through SSH. A more secure alternative to password-based logins, SSH keys use encryption to provide a secure way of logging into your server and are recommended for all users.`,
		Links: []string{
			"https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process",
		},
		Severity: severity.High,
	},
	// Check function: s is the adapted infrastructure state; one result is
	// produced per droplet with an empty SSHKeys list.
	func(s *state.State) rules.Results {
		var results rules.Results
		for _, d := range s.DigitalOcean.Compute.Droplets {
			if len(d.SSHKeys) != 0 {
				continue
			}
			results.Add(
				"Droplet does not have an SSH key specified.",
				d,
			)
		}
		return results
	},
)