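// CheckAutoUpgrade flags DigitalOcean Kubernetes clusters whose AutoUpgrade
// attribute resolves to false. Clusters reported as unmanaged are skipped;
// every other cluster is recorded as passed.
var CheckAutoUpgrade = rules.Register(
	scan.Rule{
		AVDID:       "AVD-DIG-0008",
		Provider:    providers.DigitalOceanProvider,
		Service:     "compute",
		ShortCode:   "kubernetes-auto-upgrades-not-enabled",
		Summary:     "Kubernetes clusters should be auto-upgraded to ensure that they always contain the latest security patches.",
		Impact:      "Not running the latest security patches on your Kubernetes cluster can make it a target for penetration.",
		Resolution:  "Set maintenance policy deterministically when auto upgrades are enabled",
		Explanation: ``,
		Links: []string{
			"https://docs.digitalocean.com/products/kubernetes/resources/best-practices/",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformKubernetesClusterAutoUpgradeGoodExample,
			BadExamples:         terraformKubernetesClusterAutoUpgradeBadExample,
			Links:               terraformKubernetesClusterAutoUpgradeLinks,
			RemediationMarkdown: terraformKubernetesAutoUpgradeMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, kc := range s.DigitalOcean.Compute.KubernetesClusters {
			// Pin the iteration variable: &kc is handed to the result set
			// below, and before Go 1.22 one variable is shared across
			// iterations (harmless on newer toolchains).
			kc := kc
			if kc.IsUnmanaged() {
				continue
			}
			if kc.AutoUpgrade.IsFalse() {
				// Fixed wording of the finding ("does not enable ... enabled").
				results.Add(
					"Kubernetes Cluster does not have auto upgrades enabled.",
					kc.AutoUpgrade,
				)
			} else {
				results.AddPassed(&kc)
			}
		}
		return
	},
)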
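// CheckEnforceHttps flags DigitalOcean load balancer forwarding rules whose
// EntryProtocol equals "http". Each forwarding rule is assessed individually;
// rules with any other entry protocol are recorded as passed.
var CheckEnforceHttps = rules.Register(
	scan.Rule{
		AVDID:      "AVD-DIG-0002",
		Provider:   providers.DigitalOceanProvider,
		Service:    "compute",
		ShortCode:  "enforce-https",
		Summary:    "The load balancer forwarding rule is using an insecure protocol as an entrypoint",
		Impact:     "Your inbound traffic is not protected",
		Resolution: "Switch to HTTPS to benefit from TLS security features",
		Explanation: `Plain HTTP is unencrypted and human-readable. This means that if a malicious actor was to eavesdrop on your connection, they would be able to see all of your data flowing back and forth.

You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.`,
		Links: []string{
			"https://docs.digitalocean.com/products/networking/load-balancers/",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnforceHttpsGoodExamples,
			BadExamples:         terraformEnforceHttpsBadExamples,
			Links:               terraformEnforceHttpsLinks,
			RemediationMarkdown: terraformEnforceHttpsRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, lb := range s.DigitalOcean.Compute.LoadBalancers {
			for _, fr := range lb.ForwardingRules {
				// Pin the iteration variable: &fr is retained by the result
				// set and pre-Go 1.22 loops share one variable.
				fr := fr
				if fr.EntryProtocol.EqualTo("http") {
					// Fixed typo in the finding text ("aforwarding").
					results.Add(
						"Load balancer has a forwarding rule which uses HTTP instead of HTTPS.",
						fr.EntryProtocol,
					)
				} else {
					results.AddPassed(&fr)
				}
			}
		}
		return
	},
)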
// CheckKubernetesSurgeUpgrades flags DigitalOcean Kubernetes clusters whose
// SurgeUpgrade attribute resolves to false. Clusters reported as unmanaged
// are skipped; all remaining clusters are recorded as passed.
var CheckKubernetesSurgeUpgrades = rules.Register(
	scan.Rule{
		AVDID:      "AVD-DIG-0005",
		Provider:   providers.DigitalOceanProvider,
		Service:    "compute",
		ShortCode:  "surge-upgrades-not-enabled",
		Summary:    "The Kubernetes cluster does not enable surge upgrades",
		Impact:     "Upgrades may influence availability of your Kubernetes cluster",
		Resolution: "Enable surge upgrades in your Kubernetes cluster",
		Explanation: `While upgrading your cluster, workloads will temporarily be moved to new nodes. A small cost will follow, but as a bonus, you won't experience downtime.`,
		Links: []string{
			"https://docs.digitalocean.com/products/kubernetes/how-to/upgrade-cluster/#surge-upgrades",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformKubernetesClusterSurgeUpgradesGoodExamples,
			BadExamples:         terraformKubernetesClusterSurgeUpgradesBadExamples,
			Links:               terraformKubernetesClusterSurgeUpgradeLinks,
			RemediationMarkdown: terraformKubernetesClusterSurgeUpgradesMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		clusters := s.DigitalOcean.Compute.KubernetesClusters
		for _, cluster := range clusters {
			switch {
			case cluster.IsUnmanaged():
				// Nothing to assess for an unmanaged cluster.
			case cluster.SurgeUpgrade.IsFalse():
				results.Add(
					"Surge upgrades are disabled in your Kubernetes cluster. Please enable this feature.",
					cluster.SurgeUpgrade,
				)
			default:
				results.AddPassed(&cluster)
			}
		}
		return
	},
)
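// CheckNoPublicEgress flags DigitalOcean firewall outbound rules whose
// destination is a public CIDR covering more than one address. A firewall
// is recorded as passed only when none of its outbound destinations fail.
var CheckNoPublicEgress = rules.Register(
	scan.Rule{
		AVDID:      "AVD-DIG-0003",
		Provider:   providers.DigitalOceanProvider,
		Service:    "compute",
		ShortCode:  "no-public-egress",
		Summary:    "The firewall has an outbound rule with open access",
		// Fixed copy/paste from the ingress rule: this check is about egress.
		Impact:     "The port is exposed for egress to the internet",
		Resolution: "Set a more restrictive cidr range",
		Explanation: `Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.`,
		Links: []string{
			"https://docs.digitalocean.com/products/networking/firewalls/how-to/configure-rules/",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicEgressGoodExamples,
			BadExamples:         terraformNoPublicEgressBadExamples,
			Links:               terraformNoPublicEgressLinks,
			RemediationMarkdown: terraformNoPublicEgressRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, firewall := range s.DigitalOcean.Compute.Firewalls {
			// Pin the iteration variable: &firewall is retained by the
			// result set and pre-Go 1.22 loops share one variable.
			firewall := firewall
			var failed bool
			for _, rule := range firewall.OutboundRules {
				for _, address := range rule.DestinationAddresses {
					// Resolve the attribute once rather than per predicate.
					dest := address.Value()
					// A single public host is allowed; only ranges of public
					// addresses are reported.
					if cidr.IsPublic(dest) && cidr.CountAddresses(dest) > 1 {
						failed = true
						results.Add(
							"Egress rule allows access to multiple public addresses.",
							address,
						)
					}
				}
			}
			if !failed {
				results.AddPassed(&firewall)
			}
		}
		return
	},
)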
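// CheckNoPublicIngress flags DigitalOcean firewall inbound rules whose
// source is a public CIDR covering more than one address. A firewall is
// recorded as passed only when none of its inbound sources fail.
var CheckNoPublicIngress = rules.Register(
	scan.Rule{
		AVDID:      "AVD-DIG-0001",
		Provider:   providers.DigitalOceanProvider,
		Service:    "compute",
		ShortCode:  "no-public-ingress",
		Summary:    "The firewall has an inbound rule with open access",
		Impact:     "Your port is exposed to the internet",
		// Fixed typo in the user-facing resolution ("CIRDR").
		Resolution: "Set a more restrictive CIDR range",
		Explanation: `Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.`,
		Links: []string{
			"https://docs.digitalocean.com/products/networking/firewalls/how-to/configure-rules/",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicIngressGoodExamples,
			BadExamples:         terraformNoPublicIngressBadExamples,
			Links:               terraformNoPublicIngressLinks,
			RemediationMarkdown: terraformNoPublicIngressRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, firewall := range s.DigitalOcean.Compute.Firewalls {
			// Pin the iteration variable: &firewall is retained by the
			// result set and pre-Go 1.22 loops share one variable.
			firewall := firewall
			var failed bool
			for _, rule := range firewall.InboundRules {
				for _, address := range rule.SourceAddresses {
					// Resolve the attribute once rather than per predicate.
					src := address.Value()
					// A single public host is allowed; only ranges of public
					// addresses are reported.
					if cidr.IsPublic(src) && cidr.CountAddresses(src) > 1 {
						failed = true
						results.Add(
							"Ingress rule allows access from multiple public addresses.",
							address,
						)
					}
				}
			}
			if !failed {
				results.AddPassed(&firewall)
			}
		}
		return
	},
)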
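// CheckUseSshKeys flags DigitalOcean droplets that declare no SSH keys.
// Droplets reported as unmanaged are skipped; droplets with at least one
// key are recorded as passed.
var CheckUseSshKeys = rules.Register(
	scan.Rule{
		AVDID:      "AVD-DIG-0004",
		Provider:   providers.DigitalOceanProvider,
		Service:    "compute",
		ShortCode:  "use-ssh-keys",
		Summary:    "SSH Keys are the preferred way to connect to your droplet, no keys are supplied",
		Impact:     "Logging in with username and password is easier to compromise",
		Resolution: "Use ssh keys for login",
		Explanation: `When working with a server, you’ll likely spend most of your time in a terminal session connected to your server through SSH. A more secure alternative to password-based logins, SSH keys use encryption to provide a secure way of logging into your server and are recommended for all users.`,
		Links: []string{
			"https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformUseSshKeysGoodExamples,
			BadExamples:         terraformUseSshKeysBadExamples,
			Links:               terraformUseSshKeysLinks,
			RemediationMarkdown: terraformUseSshKeysRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, droplet := range s.DigitalOcean.Compute.Droplets {
			// Pin the iteration variable: &droplet is stored with both the
			// failing and the passing result, and before Go 1.22 every
			// iteration shares one variable, so all findings would alias
			// the last droplet. A no-op on newer toolchains.
			droplet := droplet
			if droplet.IsUnmanaged() {
				continue
			}
			if len(droplet.SSHKeys) == 0 {
				results.Add(
					"Droplet does not have an SSH key specified.",
					&droplet,
				)
			} else {
				results.AddPassed(&droplet)
			}
		}
		return
	},
)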