// CheckAddDescriptionToDBSecurityGroup reports NIFCLOUD RDB DB security
// groups whose description is empty or is exactly the default text
// "Managed by Terraform". Groups marked unmanaged are not evaluated; every
// other group is recorded as passed.
var CheckAddDescriptionToDBSecurityGroup = rules.Register(
	scan.Rule{
		AVDID:       "AVD-NIF-0012",
		Aliases:     []string{"nifcloud-rdb-add-description-to-db-security-group"},
		Provider:    providers.NifcloudProvider,
		Service:     "rdb",
		ShortCode:   "add-description-to-db-security-group",
		Summary:     "Missing description for db security group.",
		Impact:      "Descriptions provide context for the firewall rule reasons",
		Resolution:  "Add descriptions for all db security groups",
		Explanation: `DB security groups should include a description for auditing purposes. Simplifies auditing, debugging, and managing db security groups.`,
		Links: []string{
			"https://pfs.nifcloud.com/help/rdb/fw_new.htm",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformAddDescriptionToDBSecurityGroupGoodExamples,
			BadExamples:         terraformAddDescriptionToDBSecurityGroupBadExamples,
			Links:               terraformAddDescriptionToDBSecurityGroupLinks,
			RemediationMarkdown: terraformAddDescriptionToDBSecurityGroupRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		for _, sg := range s.Nifcloud.RDB.DBSecurityGroups {
			// Unmanaged groups produce neither a finding nor a pass.
			if sg.Metadata.IsUnmanaged() {
				continue
			}
			desc := sg.Description
			switch {
			case desc.IsEmpty():
				results.Add(
					"DB security group does not have a description.",
					desc,
				)
			case desc.EqualTo("Managed by Terraform"):
				// A description that is only the tool default carries no audit value.
				results.Add(
					"DB security group explicitly uses the default description.",
					desc,
				)
			default:
				results.AddPassed(&sg)
			}
		}
		return results
	},
)
// CheckBackupRetentionSpecified reports NIFCLOUD RDB instances whose backup
// retention period is shorter than two days. Unmanaged instances are not
// evaluated; instances with a retention of two days or more are recorded as
// passed.
var CheckBackupRetentionSpecified = rules.Register(
	scan.Rule{
		AVDID:       "AVD-NIF-0009",
		Provider:    providers.NifcloudProvider,
		Service:     "rdb",
		ShortCode:   "specify-backup-retention",
		Summary:     "RDB instance should have backup retention longer than 1 day",
		Impact:      "Potential loss of data and short opportunity for recovery",
		Resolution:  "Explicitly set the retention period to greater than the default",
		Explanation: `Backup retention periods should be set to a period that is a balance on cost and limiting risk.`,
		Links: []string{
			"https://pfs.nifcloud.com/spec/rdb/snapshot_backup.htm",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformSpecifyBackupRetentionGoodExamples,
			BadExamples:         terraformSpecifyBackupRetentionBadExamples,
			Links:               terraformSpecifyBackupRetentionLinks,
			RemediationMarkdown: terraformSpecifyBackupRetentionRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		for _, db := range s.Nifcloud.RDB.DBInstances {
			// Unmanaged instances produce neither a finding nor a pass.
			if db.Metadata.IsUnmanaged() {
				continue
			}
			retention := db.BackupRetentionPeriodDays
			// Anything below two days (i.e. at most one day) is reported.
			if !retention.LessThan(2) {
				results.AddPassed(&db)
				continue
			}
			results.Add(
				"Instance has very low backup retention period.",
				retention,
			)
		}
		return results
	},
)
// CheckNoCommonPrivateDBInstance reports NIFCLOUD RDB instances whose
// network ID is the shared common private network "net-COMMON_PRIVATE".
// Every other instance is recorded as passed; this rule does not skip
// unmanaged instances.
var CheckNoCommonPrivateDBInstance = rules.Register(
	scan.Rule{
		AVDID:       "AVD-NIF-0010",
		Aliases:     []string{"nifcloud-rdb-no-common-private-db-instance"},
		Provider:    providers.NifcloudProvider,
		Service:     "rdb",
		ShortCode:   "no-common-private-db-instance",
		Summary:     "The db instance has common private network",
		Impact:      "The common private network is shared with other users",
		Resolution:  "Use private LAN",
		Explanation: `When handling sensitive data between servers, please consider using a private LAN to isolate the private side network from the shared network.`,
		Links: []string{
			"https://pfs.nifcloud.com/service/plan.htm",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoCommonPrivateDBInstanceGoodExamples,
			BadExamples:         terraformNoCommonPrivateDBInstanceBadExamples,
			Links:               terraformNoCommonPrivateDBInstanceLinks,
			RemediationMarkdown: terraformNoCommonPrivateDBInstanceRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		for _, db := range s.Nifcloud.RDB.DBInstances {
			network := db.NetworkID
			// Only the shared common private network is a finding.
			if !network.EqualTo("net-COMMON_PRIVATE") {
				results.AddPassed(&db)
				continue
			}
			results.Add(
				"The db instance has common private network",
				network,
			)
		}
		return results
	},
)
// CheckNoPublicDbAccess reports NIFCLOUD RDB instances whose PublicAccess
// flag is true. Every other instance is recorded as passed; this rule does
// not skip unmanaged instances.
var CheckNoPublicDbAccess = rules.Register(
	scan.Rule{
		AVDID:       "AVD-NIF-0008",
		Provider:    providers.NifcloudProvider,
		Service:     "rdb",
		ShortCode:   "no-public-db-access",
		Summary:     "A database resource is marked as publicly accessible.",
		Impact:      "The database instance is publicly accessible",
		Resolution:  "Set the database to not be publicly accessible",
		Explanation: `Database resources should not publicly available. You should limit all access to the minimum that is required for your application to function.`,
		Links: []string{
			"https://pfs.nifcloud.com/guide/rdb/server_new.htm",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicDbAccessGoodExamples,
			BadExamples:         terraformNoPublicDbAccessBadExamples,
			Links:               terraformNoPublicDbAccessLinks,
			RemediationMarkdown: terraformNoPublicDbAccessRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, db := range s.Nifcloud.RDB.DBInstances {
			public := db.PublicAccess
			if !public.IsTrue() {
				results.AddPassed(&db)
				continue
			}
			results.Add(
				"Instance is exposed publicly.",
				public,
			)
		}
		return results
	},
)
// CheckNoPublicIngressDBSgr reports NIFCLOUD RDB DB security group CIDR
// rules that are public and span more than one address. A pass is recorded
// for the group once per CIDR rule that is not reported, so a group with no
// CIDR rules yields no result at all. This rule does not skip unmanaged
// groups.
var CheckNoPublicIngressDBSgr = rules.Register(
	scan.Rule{
		AVDID:       "AVD-NIF-0011",
		Aliases:     []string{"nifcloud-rdb-no-public-ingress-db-sgr"},
		Provider:    providers.NifcloudProvider,
		Service:     "rdb",
		ShortCode:   "no-public-ingress-db-sgr",
		Summary:     "An ingress db security group rule allows traffic from /0.",
		Impact:      "Your port exposed to the internet",
		Resolution:  "Set a more restrictive cidr range",
		Explanation: `Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.`,
		Links: []string{
			"https://pfs.nifcloud.com/api/rdb/AuthorizeDBSecurityGroupIngress.htm",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicIngressDBSgrGoodExamples,
			BadExamples:         terraformNoPublicIngressDBSgrBadExamples,
			Links:               terraformNoPublicIngressDBSgrLinks,
			RemediationMarkdown: terraformNoPublicIngressDBSgrRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, sg := range s.Nifcloud.RDB.DBSecurityGroups {
			for _, ingress := range sg.CIDRs {
				rng := ingress.Value()
				// A public range covering exactly one address (a single host)
				// is deliberately not reported; only wider public ranges are.
				exposed := cidr.IsPublic(rng) && cidr.CountAddresses(rng) > 1
				if !exposed {
					results.AddPassed(&sg)
					continue
				}
				results.Add(
					"DB Security group rule allows ingress from public internet.",
					ingress,
				)
			}
		}
		return results
	},
)
Source Files ¶
- add_description_to_db_security_group.go
- add_description_to_db_security_group.tf.go
- no_common_private_db_instance.go
- no_common_private_db_instance.tf.go
- no_public_db_access.go
- no_public_db_access.tf.go
- no_public_ingress_db_sgr.go
- no_public_ingress_db_sgr.tf.go
- specify_backup_retention.go
- specify_backup_retention.tf.go