Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var CheckEnableBackup = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0024", Provider: providers.GoogleProvider, Service: "sql", ShortCode: "enable-backup", Summary: "Enable automated backups to recover from data-loss", Impact: "No recovery of lost or corrupted data", Resolution: "Enable automated backups", Explanation: `Automated backups are not enabled by default. Backups are an easy way to restore data in a corruption or data-loss scenario.`, Links: []string{ "https://cloud.google.com/sql/docs/mysql/backup-recovery/backups", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformEnableBackupGoodExamples, BadExamples: terraformEnableBackupBadExamples, Links: terraformEnableBackupLinks, RemediationMarkdown: terraformEnableBackupRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results scan.Results) { for _, instance := range s.Google.SQL.Instances { if instance.Metadata.IsUnmanaged() || instance.IsReplica.IsTrue() { continue } if instance.Settings.Backups.Enabled.IsFalse() { results.Add( "Database instance does not have backups enabled.", instance.Settings.Backups.Enabled, ) } else { results.AddPassed(&instance) } } return }, )
View Source
var CheckEnablePgTempFileLogging = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0014", Provider: providers.GoogleProvider, Service: "sql", ShortCode: "enable-pg-temp-file-logging", Summary: "Temporary file logging should be enabled for all temporary files.", Impact: "Use of temporary files will not be logged", Resolution: "Enable temporary file logging for all files", Explanation: `Temporary files are not logged by default. To log all temporary files, a value of ` + "`" + `0` + "`" + ` should set in the ` + "`" + `log_temp_files` + "`" + ` flag - as all files greater in size than the number of bytes set in this flag will be logged.`, Links: []string{ "https://postgresqlco.nf/doc/en/param/log_temp_files/", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformEnablePgTempFileLoggingGoodExamples, BadExamples: terraformEnablePgTempFileLoggingBadExamples, Links: terraformEnablePgTempFileLoggingLinks, RemediationMarkdown: terraformEnablePgTempFileLoggingRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results scan.Results) { for _, instance := range s.Google.SQL.Instances { if instance.Metadata.IsUnmanaged() { continue } if instance.DatabaseFamily() != sql.DatabaseFamilyPostgres { continue } if instance.Settings.Flags.LogTempFileSize.LessThan(0) { results.Add( "Database instance has temporary file logging disabled.", instance.Settings.Flags.LogTempFileSize, ) } else if instance.Settings.Flags.LogTempFileSize.GreaterThan(0) { results.Add( "Database instance has temporary file logging disabled for files of certain sizes.", instance.Settings.Flags.LogTempFileSize, ) } else { results.AddPassed(&instance) } } return }, )
View Source
var CheckEncryptInTransitData = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0015", Provider: providers.GoogleProvider, Service: "sql", ShortCode: "encrypt-in-transit-data", Summary: "SSL connections to a SQL database instance should be enforced.", Impact: "Intercepted data can be read in transit", Resolution: "Enforce SSL for all connections", Explanation: `In-transit data should be encrypted so that if traffic is intercepted data will not be exposed in plaintext to attackers.`, Links: []string{ "https://cloud.google.com/sql/docs/mysql/configure-ssl-instance", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformEncryptInTransitDataGoodExamples, BadExamples: terraformEncryptInTransitDataBadExamples, Links: terraformEncryptInTransitDataLinks, RemediationMarkdown: terraformEncryptInTransitDataRemediationMarkdown, }, Severity: severity.High, }, func(s *state.State) (results scan.Results) { for _, instance := range s.Google.SQL.Instances { if instance.Metadata.IsUnmanaged() { continue } if instance.Settings.IPConfiguration.RequireTLS.IsFalse() { results.Add( "Database instance does not require TLS for all connections.", instance.Settings.IPConfiguration.RequireTLS, ) } else { results.AddPassed(&instance) } } return }, )
View Source
var CheckMysqlNoLocalInfile = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0026", Provider: providers.GoogleProvider, Service: "sql", ShortCode: "mysql-no-local-infile", Summary: "Disable local_infile setting in MySQL", Impact: "Arbitrary files read by attackers when combined with a SQL injection vulnerability.", Resolution: "Disable the local infile setting", Explanation: `Arbitrary files can be read from the system using LOAD_DATA unless this setting is disabled.`, Links: []string{ "https://dev.mysql.com/doc/refman/8.0/en/load-data-local-security.html", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformMysqlNoLocalInfileGoodExamples, BadExamples: terraformMysqlNoLocalInfileBadExamples, Links: terraformMysqlNoLocalInfileLinks, RemediationMarkdown: terraformMysqlNoLocalInfileRemediationMarkdown, }, Severity: severity.High, }, func(s *state.State) (results scan.Results) { for _, instance := range s.Google.SQL.Instances { if instance.Metadata.IsUnmanaged() { continue } if instance.DatabaseFamily() != sql.DatabaseFamilyMySQL { continue } if instance.Settings.Flags.LocalInFile.IsTrue() { results.Add( "Database instance has local file read access enabled.", instance.Settings.Flags.LocalInFile, ) } else { results.AddPassed(&instance) } } return }, )
View Source
var CheckNoContainedDbAuth = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0023", Provider: providers.GoogleProvider, Service: "sql", ShortCode: "no-contained-db-auth", Summary: "Contained database authentication should be disabled", Impact: "Access can be granted without knowledge of the database administrator", Resolution: "Disable contained database authentication", Explanation: `Users with ALTER permissions on users can grant access to a contained database without the knowledge of an administrator`, Links: []string{ "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformNoContainedDbAuthGoodExamples, BadExamples: terraformNoContainedDbAuthBadExamples, Links: terraformNoContainedDbAuthLinks, RemediationMarkdown: terraformNoContainedDbAuthRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results scan.Results) { for _, instance := range s.Google.SQL.Instances { if instance.Metadata.IsUnmanaged() { continue } if instance.DatabaseFamily() != sql.DatabaseFamilySQLServer { continue } if instance.Settings.Flags.ContainedDatabaseAuthentication.IsTrue() { results.Add( "Database instance has contained database authentication enabled.", instance.Settings.Flags.ContainedDatabaseAuthentication, ) } else { results.AddPassed(&instance) } } return }, )
View Source
var CheckNoCrossDbOwnershipChaining = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0019", Provider: providers.GoogleProvider, Service: "sql", ShortCode: "no-cross-db-ownership-chaining", Summary: "Cross-database ownership chaining should be disabled", Impact: "Unintended access to sensitive data", Resolution: "Disable cross database ownership chaining", Explanation: `Cross-database ownership chaining, also known as cross-database chaining, is a security feature of SQL Server that allows users of databases access to other databases besides the one they are currently using.`, Links: []string{ "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformNoCrossDbOwnershipChainingGoodExamples, BadExamples: terraformNoCrossDbOwnershipChainingBadExamples, Links: terraformNoCrossDbOwnershipChainingLinks, RemediationMarkdown: terraformNoCrossDbOwnershipChainingRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results scan.Results) { for _, instance := range s.Google.SQL.Instances { if instance.Metadata.IsUnmanaged() { continue } if instance.DatabaseFamily() != sql.DatabaseFamilySQLServer { continue } if instance.Settings.Flags.CrossDBOwnershipChaining.IsTrue() { results.Add( "Database instance has cross database ownership chaining enabled.", instance.Settings.Flags.CrossDBOwnershipChaining, ) } else { results.AddPassed(&instance) } } return }, )
View Source
var CheckNoPublicAccess = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0017", Provider: providers.GoogleProvider, Service: "sql", ShortCode: "no-public-access", Summary: "Ensure that Cloud SQL Database Instances are not publicly exposed", Impact: "Public exposure of sensitive data", Resolution: "Remove public access from database instances", Explanation: `Database instances should be configured so that they are not available over the public internet, but to internal compute resources which access them.`, Links: []string{ "https://www.cloudconformity.com/knowledge-base/gcp/CloudSQL/publicly-accessible-cloud-sql-instances.html", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformNoPublicAccessGoodExamples, BadExamples: terraformNoPublicAccessBadExamples, Links: terraformNoPublicAccessLinks, RemediationMarkdown: terraformNoPublicAccessRemediationMarkdown, }, Severity: severity.High, }, func(s *state.State) (results scan.Results) { for _, instance := range s.Google.SQL.Instances { if instance.Metadata.IsUnmanaged() { continue } if instance.Settings.IPConfiguration.EnableIPv4.IsTrue() { results.Add( "Database instance is granted a public internet address.", instance.Settings.IPConfiguration.EnableIPv4, ) } for _, network := range instance.Settings.IPConfiguration.AuthorizedNetworks { if cidr.IsPublic(network.CIDR.Value()) { results.Add( "Database instance allows access from the public internet.", network.CIDR, ) } else { results.AddPassed(&instance) } } } return }, )
View Source
var CheckPgLogCheckpoints = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0025", Provider: providers.GoogleProvider, Service: "sql", ShortCode: "pg-log-checkpoints", Summary: "Ensure that logging of checkpoints is enabled.", Impact: "Insufficient diagnostic data.", Resolution: "Enable checkpoints logging.", Explanation: `Logging checkpoints provides useful diagnostic data, which can identify performance issues in an application and potential DoS vectors.`, Links: []string{ "https://www.postgresql.org/docs/13/runtime-config-logging.html#GUC-LOG-CHECKPOINTS", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformPgLogCheckpointsGoodExamples, BadExamples: terraformPgLogCheckpointsBadExamples, Links: terraformPgLogCheckpointsLinks, RemediationMarkdown: terraformPgLogCheckpointsRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results scan.Results) { for _, instance := range s.Google.SQL.Instances { if instance.Metadata.IsUnmanaged() { continue } if instance.DatabaseFamily() != sql.DatabaseFamilyPostgres { continue } if instance.Settings.Flags.LogCheckpoints.IsFalse() { results.Add( "Database instance is not configured to log checkpoints.", instance.Settings.Flags.LogCheckpoints, ) } else { results.AddPassed(&instance) } } return }, )
View Source
var CheckPgLogConnections = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0016", Provider: providers.GoogleProvider, Service: "sql", ShortCode: "pg-log-connections", Summary: "Ensure that logging of connections is enabled.", Impact: "Insufficient diagnostic data.", Resolution: "Enable connection logging.", Explanation: `Logging connections provides useful diagnostic data such as session length, which can identify performance issues in an application and potential DoS vectors.`, Links: []string{ "https://www.postgresql.org/docs/13/runtime-config-logging.html#GUC-LOG-CONNECTIONS", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformPgLogConnectionsGoodExamples, BadExamples: terraformPgLogConnectionsBadExamples, Links: terraformPgLogConnectionsLinks, RemediationMarkdown: terraformPgLogConnectionsRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results scan.Results) { for _, instance := range s.Google.SQL.Instances { if instance.Metadata.IsUnmanaged() { continue } if instance.DatabaseFamily() != sql.DatabaseFamilyPostgres { continue } if instance.Settings.Flags.LogConnections.IsFalse() { results.Add( "Database instance is not configured to log connections.", instance.Settings.Flags.LogConnections, ) } else { results.AddPassed(&instance) } } return }, )
View Source
var CheckPgLogDisconnections = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0022", Provider: providers.GoogleProvider, Service: "sql", ShortCode: "pg-log-disconnections", Summary: "Ensure that logging of disconnections is enabled.", Impact: "Insufficient diagnostic data.", Resolution: "Enable disconnection logging.", Explanation: `Logging disconnections provides useful diagnostic data such as session length, which can identify performance issues in an application and potential DoS vectors.`, Links: []string{ "https://www.postgresql.org/docs/13/runtime-config-logging.html#GUC-LOG-DISCONNECTIONS", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformPgLogDisconnectionsGoodExamples, BadExamples: terraformPgLogDisconnectionsBadExamples, Links: terraformPgLogDisconnectionsLinks, RemediationMarkdown: terraformPgLogDisconnectionsRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results scan.Results) { for _, instance := range s.Google.SQL.Instances { if instance.Metadata.IsUnmanaged() { continue } if instance.DatabaseFamily() != sql.DatabaseFamilyPostgres { continue } if instance.Settings.Flags.LogDisconnections.IsFalse() { results.Add( "Database instance is not configured to log disconnections.", instance.Settings.Flags.LogDisconnections, ) } else { results.AddPassed(&instance) } } return }, )
View Source
var CheckPgLogErrors = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0018", Provider: providers.GoogleProvider, Service: "sql", ShortCode: "pg-log-errors", Summary: "Ensure that Postgres errors are logged", Impact: "Loss of error logging", Resolution: "Set the minimum log severity to at least ERROR", Explanation: `Setting the minimum log severity too high will cause errors not to be logged`, Links: []string{ "https://postgresqlco.nf/doc/en/param/log_min_messages/", "https://www.postgresql.org/docs/13/runtime-config-logging.html#GUC-LOG-MIN-MESSAGES", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformPgLogErrorsGoodExamples, BadExamples: terraformPgLogErrorsBadExamples, Links: terraformPgLogErrorsLinks, RemediationMarkdown: terraformPgLogErrorsRemediationMarkdown, }, Severity: severity.Low, }, func(s *state.State) (results scan.Results) { for _, instance := range s.Google.SQL.Instances { if instance.Metadata.IsUnmanaged() { continue } if instance.DatabaseFamily() != sql.DatabaseFamilyPostgres { continue } if instance.Settings.Flags.LogMinMessages.IsOneOf("FATAL", "PANIC", "LOG") { results.Add( "Database instance is not configured to log errors.", instance.Settings.Flags.LogMinMessages, ) } else { results.AddPassed(&instance) } } return }, )
View Source
var CheckPgLogLockWaits = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0020", Provider: providers.GoogleProvider, Service: "sql", ShortCode: "pg-log-lock-waits", Summary: "Ensure that logging of lock waits is enabled.", Impact: "Issues leading to denial of service may not be identified.", Resolution: "Enable lock wait logging.", Explanation: `Lock waits are often an indication of poor performance and often an indicator of a potential denial of service vulnerability, therefore occurrences should be logged for analysis.`, Links: []string{ "https://www.postgresql.org/docs/13/runtime-config-logging.html#GUC-LOG-LOCK-WAITS", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformPgLogLockWaitsGoodExamples, BadExamples: terraformPgLogLockWaitsBadExamples, Links: terraformPgLogLockWaitsLinks, RemediationMarkdown: terraformPgLogLockWaitsRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results scan.Results) { for _, instance := range s.Google.SQL.Instances { if instance.Metadata.IsUnmanaged() { continue } if instance.DatabaseFamily() != sql.DatabaseFamilyPostgres { continue } if instance.Settings.Flags.LogLockWaits.IsFalse() { results.Add( "Database instance is not configured to log lock waits.", instance.Settings.Flags.LogLockWaits, ) } else { results.AddPassed(&instance) } } return }, )
View Source
var CheckPgNoMinStatementLogging = rules.Register( scan.Rule{ AVDID: "AVD-GCP-0021", Provider: providers.GoogleProvider, Service: "sql", ShortCode: "pg-no-min-statement-logging", Summary: "Ensure that logging of long statements is disabled.", Impact: "Sensitive data could be exposed in the database logs.", Resolution: "Disable minimum duration statement logging completely", Explanation: `Logging of statements which could contain sensitive data is not advised, therefore this setting should preclude all statements from being logged.`, Links: []string{ "https://www.postgresql.org/docs/13/runtime-config-logging.html#GUC-LOG-MIN-DURATION-STATEMENT", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformPgNoMinStatementLoggingGoodExamples, BadExamples: terraformPgNoMinStatementLoggingBadExamples, Links: terraformPgNoMinStatementLoggingLinks, RemediationMarkdown: terraformPgNoMinStatementLoggingRemediationMarkdown, }, Severity: severity.Low, }, func(s *state.State) (results scan.Results) { for _, instance := range s.Google.SQL.Instances { if instance.Metadata.IsUnmanaged() { continue } if instance.DatabaseFamily() != sql.DatabaseFamilyPostgres { continue } if instance.Settings.Flags.LogMinDurationStatement.NotEqualTo(-1) { results.Add( "Database instance is configured to log statements.", instance.Settings.Flags.LogMinDurationStatement, ) } else { results.AddPassed(&instance) } } return }, )
Functions ¶
This section is empty.
Types ¶
This section is empty.
Source Files
¶
- enable_backup.go
- enable_backup.tf.go
- enable_pg_temp_file_logging.go
- enable_pg_temp_file_logging.tf.go
- encrypt_in_transit_data.go
- encrypt_in_transit_data.tf.go
- mysql_no_local_infile.go
- mysql_no_local_infile.tf.go
- no_contained_db_auth.go
- no_contained_db_auth.tf.go
- no_cross_db_ownership_chaining.go
- no_cross_db_ownership_chaining.tf.go
- no_public_access.go
- no_public_access.tf.go
- pg_log_checkpoints.go
- pg_log_checkpoints.tf.go
- pg_log_connections.go
- pg_log_connections.tf.go
- pg_log_disconnections.go
- pg_log_disconnections.tf.go
- pg_log_errors.go
- pg_log_errors.tf.go
- pg_log_lock_waits.go
- pg_log_lock_waits.tf.go
- pg_no_min_statement_logging.go
- pg_no_min_statement_logging.tf.go
Click to show internal directories.
Click to hide internal directories.