Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var CheckAddDescriptionToSecurityGroup = rules.Register( scan.Rule{ AVDID: "AVD-NIF-0002", Aliases: []string{"nifcloud-computing-add-description-to-security-group"}, Provider: providers.NifcloudProvider, Service: "computing", ShortCode: "add-description-to-security-group", Summary: "Missing description for security group.", Impact: "Descriptions provide context for the firewall rule reasons", Resolution: "Add descriptions for all security groups", Explanation: `Security groups should include a description for auditing purposes. Simplifies auditing, debugging, and managing security groups.`, Links: []string{ "https://pfs.nifcloud.com/help/fw/change.htm", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformAddDescriptionToSecurityGroupGoodExamples, BadExamples: terraformAddDescriptionToSecurityGroupBadExamples, Links: terraformAddDescriptionToSecurityGroupLinks, RemediationMarkdown: terraformAddDescriptionToSecurityGroupRemediationMarkdown, }, Severity: severity.Low, }, func(s *state.State) (results scan.Results) { for _, group := range s.Nifcloud.Computing.SecurityGroups { if group.Metadata.IsUnmanaged() { continue } if group.Description.IsEmpty() { results.Add( "Security group does not have a description.", group.Description, ) } else if group.Description.EqualTo("Managed by Terraform") { results.Add( "Security group explicitly uses the default description.", group.Description, ) } else { results.AddPassed(&group) } } return }, )
View Source
var CheckAddDescriptionToSecurityGroupRule = rules.Register( scan.Rule{ AVDID: "AVD-NIF-0003", Aliases: []string{"nifcloud-computing-add-description-to-security-group-rule"}, Provider: providers.NifcloudProvider, Service: "computing", ShortCode: "add-description-to-security-group-rule", Summary: "Missing description for security group rule.", Impact: "Descriptions provide context for the firewall rule reasons", Resolution: "Add descriptions for all security groups rules", Explanation: `Security group rules should include a description for auditing purposes. Simplifies auditing, debugging, and managing security groups.`, Links: []string{ "https://pfs.nifcloud.com/help/fw/rule_new.htm", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformAddDescriptionToSecurityGroupRuleGoodExamples, BadExamples: terraformAddDescriptionToSecurityGroupRuleBadExamples, Links: terraformAddDescriptionToSecurityGroupRuleLinks, RemediationMarkdown: terraformAddDescriptionToSecurityGroupRuleRemediationMarkdown, }, Severity: severity.Low, }, func(s *state.State) (results scan.Results) { for _, group := range s.Nifcloud.Computing.SecurityGroups { for _, rule := range append(group.EgressRules, group.IngressRules...) { if rule.Description.IsEmpty() { results.Add( "Security group rule does not have a description.", rule.Description, ) } else { results.AddPassed(&rule) } } } return }, )
View Source
var CheckAddSecurityGroupToInstance = rules.Register( scan.Rule{ AVDID: "AVD-NIF-0004", Aliases: []string{"nifcloud-computing-add-security-group-to-instance"}, Provider: providers.NifcloudProvider, Service: "computing", ShortCode: "add-security-group-to-instance", Summary: "Missing security group for instance.", Impact: "A security group controls the traffic that is allowed to reach and leave the resources that it is associated with.", Resolution: "Add security group for all instances", Explanation: "Need to add a security group to your instance.", Links: []string{ "https://pfs.nifcloud.com/help/server/change_fw.htm", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformAddSecurityGroupToInstanceGoodExamples, BadExamples: terraformAddSecurityGroupToInstanceBadExamples, Links: terraformAddSecurityGroupToInstanceLinks, RemediationMarkdown: terraformAddSecurityGroupToInstanceRemediationMarkdown, }, Severity: severity.Critical, }, func(s *state.State) (results scan.Results) { for _, instance := range s.Nifcloud.Computing.Instances { if instance.Metadata.IsUnmanaged() { continue } if instance.SecurityGroup.IsEmpty() { results.Add( "Instance does not have a securiy group.", instance.SecurityGroup, ) } else { results.AddPassed(&instance) } } return }, )
View Source
var CheckNoCommonPrivateInstance = rules.Register( scan.Rule{ AVDID: "AVD-NIF-0005", Aliases: []string{"nifcloud-computing-no-common-private-instance"}, Provider: providers.NifcloudProvider, Service: "computing", ShortCode: "no-common-private-instance", Summary: "The instance has common private network", Impact: "The common private network is shared with other users", Resolution: "Use private LAN", Explanation: `When handling sensitive data between servers, please consider using a private LAN to isolate the private side network from the shared network.`, Links: []string{ "https://pfs.nifcloud.com/service/plan.htm", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformNoCommonPrivateInstanceGoodExamples, BadExamples: terraformNoCommonPrivateInstanceBadExamples, Links: terraformNoCommonPrivateInstanceLinks, RemediationMarkdown: terraformNoCommonPrivateInstanceRemediationMarkdown, }, Severity: severity.Low, }, func(s *state.State) (results scan.Results) { for _, instance := range s.Nifcloud.Computing.Instances { for _, ni := range instance.NetworkInterfaces { if ni.NetworkID.EqualTo("net-COMMON_PRIVATE") { results.Add( "The instance has common private network", ni.NetworkID, ) } else { results.AddPassed(&ni) } } } return }, )
View Source
var CheckNoPublicIngressSgr = rules.Register( scan.Rule{ AVDID: "AVD-NIF-0001", Aliases: []string{"nifcloud-computing-no-public-ingress-sgr"}, Provider: providers.NifcloudProvider, Service: "computing", ShortCode: "no-public-ingress-sgr", Summary: "An ingress security group rule allows traffic from /0.", Impact: "Your port exposed to the internet", Resolution: "Set a more restrictive cidr range", Explanation: `Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible. When publishing web applications, use a load balancer instead of publishing directly to instances. `, Links: []string{ "https://pfs.nifcloud.com/help/fw/rule_new.htm", }, Terraform: &scan.EngineMetadata{ GoodExamples: terraformNoPublicIngressSgrGoodExamples, BadExamples: terraformNoPublicIngressSgrBadExamples, Links: terraformNoPublicIngressSgrLinks, RemediationMarkdown: terraformNoPublicIngressSgrRemediationMarkdown, }, Severity: severity.Critical, }, func(s *state.State) (results scan.Results) { for _, group := range s.Nifcloud.Computing.SecurityGroups { for _, rule := range group.IngressRules { if cidr.IsPublic(rule.CIDR.Value()) && cidr.CountAddresses(rule.CIDR.Value()) > 1 { results.Add( "Security group rule allows ingress from public internet.", rule.CIDR, ) } else { results.AddPassed(&rule) } } } return }, )
Functions ¶
This section is empty.
Types ¶
This section is empty.
Source Files
¶
- add_description_to_security_group.go
- add_description_to_security_group.tf.go
- add_description_to_security_group_rule.go
- add_description_to_security_group_rule.tf.go
- add_security_group_to_instance.go
- add_security_group_to_instance.tf.go
- no_common_private_instance.go
- no_common_private_instance.tf.go
- no_public_ingress_sgr.go
- no_public_ingress_sgr.tf.go
Click to show internal directories.
Click to hide internal directories.