rdb

package
v0.90.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 30, 2023 License: MIT Imports: 6 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var CheckAddDescriptionToDBSecurityGroup = rules.Register(
	scan.Rule{
		AVDID:      "AVD-NIF-0012",
		Aliases:    []string{"nifcloud-rdb-add-description-to-db-security-group"},
		Provider:   providers.NifcloudProvider,
		Service:    "rdb",
		ShortCode:  "add-description-to-db-security-group",
		Summary:    "Missing description for db security group.",
		Impact:     "Descriptions provide context for the firewall rule reasons",
		Resolution: "Add descriptions for all db security groups",
		Explanation: `DB security groups should include a description for auditing purposes.

Simplifies auditing, debugging, and managing db security groups.`,
		Links: []string{
			"https://pfs.nifcloud.com/help/rdb/fw_new.htm",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformAddDescriptionToDBSecurityGroupGoodExamples,
			BadExamples:         terraformAddDescriptionToDBSecurityGroupBadExamples,
			Links:               terraformAddDescriptionToDBSecurityGroupLinks,
			RemediationMarkdown: terraformAddDescriptionToDBSecurityGroupRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		for _, group := range s.Nifcloud.RDB.DBSecurityGroups {
			if group.Metadata.IsUnmanaged() {
				continue
			}
			if group.Description.IsEmpty() {
				results.Add(
					"DB security group does not have a description.",
					group.Description,
				)
			} else if group.Description.EqualTo("Managed by Terraform") {
				results.Add(
					"DB security group explicitly uses the default description.",
					group.Description,
				)
			} else {
				results.AddPassed(&group)
			}
		}
		return
	},
)
View Source
var CheckBackupRetentionSpecified = rules.Register(
	scan.Rule{
		AVDID:       "AVD-NIF-0009",
		Provider:    providers.NifcloudProvider,
		Service:     "rdb",
		ShortCode:   "specify-backup-retention",
		Summary:     "RDB instance should have backup retention longer than 1 day",
		Impact:      "Potential loss of data and short opportunity for recovery",
		Resolution:  "Explicitly set the retention period to greater than the default",
		Explanation: `Backup retention periods should be set to a period that is a balance on cost and limiting risk.`,
		Links: []string{
			"https://pfs.nifcloud.com/spec/rdb/snapshot_backup.htm",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformSpecifyBackupRetentionGoodExamples,
			BadExamples:         terraformSpecifyBackupRetentionBadExamples,
			Links:               terraformSpecifyBackupRetentionLinks,
			RemediationMarkdown: terraformSpecifyBackupRetentionRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		for _, instance := range s.Nifcloud.RDB.DBInstances {
			if instance.Metadata.IsUnmanaged() {
				continue
			}
			if instance.BackupRetentionPeriodDays.LessThan(2) {
				results.Add(
					"Instance has very low backup retention period.",
					instance.BackupRetentionPeriodDays,
				)
			} else {
				results.AddPassed(&instance)
			}
		}

		return
	},
)
View Source
var CheckNoCommonPrivateDBInstance = rules.Register(
	scan.Rule{
		AVDID:       "AVD-NIF-0010",
		Aliases:     []string{"nifcloud-rdb-no-common-private-db-instance"},
		Provider:    providers.NifcloudProvider,
		Service:     "rdb",
		ShortCode:   "no-common-private-db-instance",
		Summary:     "The db instance has common private network",
		Impact:      "The common private network is shared with other users",
		Resolution:  "Use private LAN",
		Explanation: `When handling sensitive data between servers, please consider using a private LAN to isolate the private side network from the shared network.`,
		Links: []string{
			"https://pfs.nifcloud.com/service/plan.htm",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoCommonPrivateDBInstanceGoodExamples,
			BadExamples:         terraformNoCommonPrivateDBInstanceBadExamples,
			Links:               terraformNoCommonPrivateDBInstanceLinks,
			RemediationMarkdown: terraformNoCommonPrivateDBInstanceRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		for _, instance := range s.Nifcloud.RDB.DBInstances {
			if instance.NetworkID.EqualTo("net-COMMON_PRIVATE") {
				results.Add(
					"The db instance has common private network",
					instance.NetworkID,
				)
			} else {
				results.AddPassed(&instance)
			}
		}
		return
	},
)
View Source
var CheckNoPublicDbAccess = rules.Register(
	scan.Rule{
		AVDID:       "AVD-NIF-0008",
		Provider:    providers.NifcloudProvider,
		Service:     "rdb",
		ShortCode:   "no-public-db-access",
		Summary:     "A database resource is marked as publicly accessible.",
		Impact:      "The database instance is publicly accessible",
		Resolution:  "Set the database to not be publicly accessible",
		Explanation: `Database resources should not publicly available. You should limit all access to the minimum that is required for your application to function.`,
		Links: []string{
			"https://pfs.nifcloud.com/guide/rdb/server_new.htm",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicDbAccessGoodExamples,
			BadExamples:         terraformNoPublicDbAccessBadExamples,
			Links:               terraformNoPublicDbAccessLinks,
			RemediationMarkdown: terraformNoPublicDbAccessRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, instance := range s.Nifcloud.RDB.DBInstances {
			if instance.PublicAccess.IsTrue() {
				results.Add(
					"Instance is exposed publicly.",
					instance.PublicAccess,
				)
			} else {
				results.AddPassed(&instance)
			}
		}
		return
	},
)
View Source
var CheckNoPublicIngressDBSgr = rules.Register(
	scan.Rule{
		AVDID:       "AVD-NIF-0011",
		Aliases:     []string{"nifcloud-rdb-no-public-ingress-db-sgr"},
		Provider:    providers.NifcloudProvider,
		Service:     "rdb",
		ShortCode:   "no-public-ingress-db-sgr",
		Summary:     "An ingress db security group rule allows traffic from /0.",
		Impact:      "Your port exposed to the internet",
		Resolution:  "Set a more restrictive cidr range",
		Explanation: `Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.`,
		Links: []string{
			"https://pfs.nifcloud.com/api/rdb/AuthorizeDBSecurityGroupIngress.htm",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicIngressDBSgrGoodExamples,
			BadExamples:         terraformNoPublicIngressDBSgrBadExamples,
			Links:               terraformNoPublicIngressDBSgrLinks,
			RemediationMarkdown: terraformNoPublicIngressDBSgrRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, group := range s.Nifcloud.RDB.DBSecurityGroups {
			for _, rule := range group.CIDRs {
				if cidr.IsPublic(rule.Value()) && cidr.CountAddresses(rule.Value()) > 1 {
					results.Add(
						"DB Security group rule allows ingress from public internet.",
						rule,
					)
				} else {
					results.AddPassed(&group)
				}
			}
		}
		return
	},
)

Functions

This section is empty.

Types

This section is empty.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL