// CheckNoPublicEgress reports managed OpenStack security group rules whose
// direction is not ingress and whose CIDR is a public range covering more
// than a single address. Rules that do not meet both CIDR conditions are
// recorded as passed.
var CheckNoPublicEgress = rules.Register(
	scan.Rule{
		AVDID:       "AVD-OPNSTK-0004",
		Provider:    providers.OpenStackProvider,
		Service:     "networking",
		ShortCode:   "no-public-egress",
		Summary:     "A security group rule allows egress traffic to multiple public addresses",
		Impact:      "Potential exfiltration of data to the public internet",
		Resolution:  "Employ more restrictive security group rules",
		Explanation: `Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicEgressGoodExamples,
			BadExamples:         terraformNoPublicEgressBadExamples,
			Links:               terraformNoPublicEgressLinks,
			RemediationMarkdown: terraformNoPublicEgressRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		for _, group := range s.OpenStack.Networking.SecurityGroups {
			for _, rule := range group.Rules {
				// Unmanaged rules and explicitly-ingress rules are out of scope.
				if rule.Metadata.IsUnmanaged() || rule.IsIngress.IsTrue() {
					continue
				}
				target := rule.CIDR.Value()
				// Only a public range spanning more than one address is a finding;
				// CountAddresses is evaluated only once IsPublic holds.
				if !cidr.IsPublic(target) || cidr.CountAddresses(target) <= 1 {
					results.AddPassed(rule)
					continue
				}
				results.Add(
					"Security group rule allows egress to multiple public addresses.",
					rule.CIDR,
				)
			}
		}
		return results
	},
)
// CheckNoPublicIngress reports managed OpenStack security group rules whose
// direction is not explicitly egress and whose CIDR is a public range
// covering more than a single address. Rules that do not meet both CIDR
// conditions are recorded as passed.
var CheckNoPublicIngress = rules.Register(
	scan.Rule{
		AVDID:       "AVD-OPNSTK-0003",
		Provider:    providers.OpenStackProvider,
		Service:     "networking",
		ShortCode:   "no-public-ingress",
		Summary:     "A security group rule allows ingress traffic from multiple public addresses",
		Impact:      "Exposure of infrastructure to the public internet",
		Resolution:  "Employ more restrictive security group rules",
		Explanation: `Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicIngressGoodExamples,
			BadExamples:         terraformNoPublicIngressBadExamples,
			Links:               terraformNoPublicIngressLinks,
			RemediationMarkdown: terraformNoPublicIngressRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		// A CIDR is considered over-broad when it is public and covers more
		// than one address; CountAddresses only runs once IsPublic holds.
		isBroadPublic := func(c string) bool {
			return cidr.IsPublic(c) && cidr.CountAddresses(c) > 1
		}
		for _, group := range s.OpenStack.Networking.SecurityGroups {
			for _, rule := range group.Rules {
				// Skip unmanaged rules and rules explicitly marked as egress.
				if rule.Metadata.IsUnmanaged() || rule.IsIngress.IsFalse() {
					continue
				}
				if isBroadPublic(rule.CIDR.Value()) {
					results.Add(
						"Security group rule allows ingress from multiple public addresses.",
						rule.CIDR,
					)
					continue
				}
				results.AddPassed(rule)
			}
		}
		return results
	},
)
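// CheckSecurityGroupHasDescription reports managed OpenStack security groups
// whose Description attribute is empty; groups with a description are
// recorded as passed.
//
// The finding message previously read "Security group rule allows egress to
// multiple public addresses." — a copy of the no-public-egress text that did
// not describe this check. It now states the actual finding.
var CheckSecurityGroupHasDescription = rules.Register(
	scan.Rule{
		AVDID:       "AVD-OPNSTK-0005",
		Provider:    providers.OpenStackProvider,
		Service:     "networking",
		ShortCode:   "describe-security-group",
		Summary:     "Missing description for security group.",
		Impact:      "Auditing capability and awareness limited.",
		Resolution:  "Add descriptions for all security groups",
		Explanation: `Security groups should include a description for auditing purposes. Simplifies auditing, debugging, and managing security groups.`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformSecurityGroupHasDescriptionGoodExamples,
			BadExamples:         terraformSecurityGroupHasDescriptionBadExamples,
			Links:               terraformSecurityGroupHasDescriptionLinks,
			RemediationMarkdown: terraformSecurityGroupHasDescriptionRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		for _, group := range s.OpenStack.Networking.SecurityGroups {
			// Unmanaged groups are outside the scanned configuration.
			if group.Metadata.IsUnmanaged() {
				continue
			}
			if !group.Description.IsEmpty() {
				results.AddPassed(group)
				continue
			}
			// Report the missing description against the attribute itself so the
			// finding points at the field to populate.
			results.Add(
				"Security group does not have a description.",
				group.Description,
			)
		}
		return results
	},
)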