network

package
v1.0.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 25, 2023 License: MIT Imports: 5 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var CheckAddSecurityGroupToRouter = rules.Register(
	scan.Rule{
		AVDID:       "AVD-NIF-0016",
		Aliases:     []string{"nifcloud-computing-add-security-group-to-router"},
		Provider:    providers.NifcloudProvider,
		Service:     "network",
		ShortCode:   "add-security-group-to-router",
		Summary:     "Missing security group for router.",
		Impact:      "A security group controls the traffic that is allowed to reach and leave the resources that it is associated with.",
		Resolution:  "Add security group for all routers",
		Explanation: "Need to add a security group to your router.",
		Links: []string{
			"https://pfs.nifcloud.com/help/router/change.htm",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformAddSecurityGroupToRouterGoodExamples,
			BadExamples:         terraformAddSecurityGroupToRouterBadExamples,
			Links:               terraformAddSecurityGroupToRouterLinks,
			RemediationMarkdown: terraformAddSecurityGroupToRouterRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, router := range s.Nifcloud.Network.Routers {
			if router.Metadata.IsUnmanaged() {
				continue
			}
			if router.SecurityGroup.IsEmpty() {
				results.Add(
					"Router does not have a securiy group.",
					router.SecurityGroup,
				)
			} else {
				results.AddPassed(&router)
			}
		}
		return
	},
)
View Source
var CheckAddSecurityGroupToVpnGateway = rules.Register(
	scan.Rule{
		AVDID:       "AVD-NIF-0018",
		Aliases:     []string{"nifcloud-computing-add-security-group-to-vpn-gateway"},
		Provider:    providers.NifcloudProvider,
		Service:     "network",
		ShortCode:   "add-security-group-to-vpn-gateway",
		Summary:     "Missing security group for vpnGateway.",
		Impact:      "A security group controls the traffic that is allowed to reach and leave the resources that it is associated with.",
		Resolution:  "Add security group for all vpnGateways",
		Explanation: "Need to add a security group to your vpnGateway.",
		Links: []string{
			"https://pfs.nifcloud.com/help/vpngw/change.htm",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformAddSecurityGroupToVpnGatewayGoodExamples,
			BadExamples:         terraformAddSecurityGroupToVpnGatewayBadExamples,
			Links:               terraformAddSecurityGroupToVpnGatewayLinks,
			RemediationMarkdown: terraformAddSecurityGroupToVpnGatewayRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, vpnGateway := range s.Nifcloud.Network.VpnGateways {
			if vpnGateway.Metadata.IsUnmanaged() {
				continue
			}
			if vpnGateway.SecurityGroup.IsEmpty() {
				results.Add(
					"VpnGateway does not have a securiy group.",
					vpnGateway.SecurityGroup,
				)
			} else {
				results.AddPassed(&vpnGateway)
			}
		}
		return
	},
)
View Source
var CheckHttpNotUsed = rules.Register(
	scan.Rule{
		AVDID:      "AVD-NIF-0021",
		Provider:   providers.NifcloudProvider,
		Service:    "network",
		ShortCode:  "http-not-used",
		Summary:    "Use of plain HTTP.",
		Impact:     "Your traffic is not protected",
		Resolution: "Switch to HTTPS to benefit from TLS security features",
		Explanation: `Plain HTTP is unencrypted and human-readable. This means that if a malicious actor was to eavesdrop on your connection, they would be able to see all of your data flowing back and forth.

You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.`,
		Links: []string{
			"https://www.cloudflare.com/en-gb/learning/ssl/why-is-http-not-secure/",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformHttpNotUsedGoodExamples,
			BadExamples:         terraformHttpNotUsedBadExamples,
			Links:               terraformHttpNotUsedLinks,
			RemediationMarkdown: terraformHttpNotUsedRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, lb := range s.Nifcloud.Network.LoadBalancers {
			for _, listener := range lb.Listeners {
				if !listener.Protocol.EqualTo("HTTP") {
					results.AddPassed(&listener)
					continue
				}

				results.Add(
					"Listener for l4 load balancer does not use HTTPS.",
					listener.Protocol,
				)
			}
		}
		for _, elb := range s.Nifcloud.Network.ElasticLoadBalancers {
			var publicLB bool
			for _, ni := range elb.NetworkInterfaces {
				if ni.NetworkID.EqualTo("net-COMMON_GLOBAL") && ni.IsVipNetwork.IsTrue() {
					publicLB = true
				}
			}

			if !publicLB {
				continue
			}

			for _, listener := range elb.Listeners {
				if !listener.Protocol.EqualTo("HTTP") {
					results.AddPassed(&listener)
					continue
				}

				results.Add(
					"Listener for multi load balancer does not use HTTPS.",
					listener.Protocol,
				)
			}
		}

		return
	},
)
View Source
var CheckNoCommonPrivateElasticLoadBalancer = rules.Register(
	scan.Rule{
		AVDID:       "AVD-NIF-0019",
		Aliases:     []string{"nifcloud-network-no-common-private-elb"},
		Provider:    providers.NifcloudProvider,
		Service:     "network",
		ShortCode:   "no-common-private-elb",
		Summary:     "The elb has common private network",
		Impact:      "The common private network is shared with other users",
		Resolution:  "Use private LAN",
		Explanation: `When handling sensitive data between servers, please consider using a private LAN to isolate the private side network from the shared network.`,
		Links: []string{
			"https://pfs.nifcloud.com/service/plan.htm",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoCommonPrivateElasticLoadBalancerGoodExamples,
			BadExamples:         terraformNoCommonPrivateElasticLoadBalancerBadExamples,
			Links:               terraformNoCommonPrivateElasticLoadBalancerLinks,
			RemediationMarkdown: terraformNoCommonPrivateElasticLoadBalancerRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		for _, elb := range s.Nifcloud.Network.ElasticLoadBalancers {
			for _, ni := range elb.NetworkInterfaces {
				if ni.NetworkID.EqualTo("net-COMMON_PRIVATE") {
					results.Add(
						"The elb has common private network",
						ni.NetworkID,
					)
				} else {
					results.AddPassed(&ni)
				}
			}
		}
		return
	},
)
View Source
var CheckNoCommonPrivateRouter = rules.Register(
	scan.Rule{
		AVDID:       "AVD-NIF-0017",
		Aliases:     []string{"nifcloud-network-no-common-private-router"},
		Provider:    providers.NifcloudProvider,
		Service:     "network",
		ShortCode:   "no-common-private-router",
		Summary:     "The router has common private network",
		Impact:      "The common private network is shared with other users",
		Resolution:  "Use private LAN",
		Explanation: `When handling sensitive data between servers, please consider using a private LAN to isolate the private side network from the shared network.`,
		Links: []string{
			"https://pfs.nifcloud.com/service/plan.htm",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoCommonPrivateRouterGoodExamples,
			BadExamples:         terraformNoCommonPrivateRouterBadExamples,
			Links:               terraformNoCommonPrivateRouterLinks,
			RemediationMarkdown: terraformNoCommonPrivateRouterRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		for _, router := range s.Nifcloud.Network.Routers {
			for _, ni := range router.NetworkInterfaces {
				if ni.NetworkID.EqualTo("net-COMMON_PRIVATE") {
					results.Add(
						"The router has common private network",
						ni.NetworkID,
					)
				} else {
					results.AddPassed(&ni)
				}
			}
		}
		return
	},
)
View Source
var CheckUseSecureTlsPolicy = rules.Register(
	scan.Rule{
		AVDID:       "AVD-NIF-0020",
		Provider:    providers.NifcloudProvider,
		Service:     "network",
		ShortCode:   "use-secure-tls-policy",
		Summary:     "An outdated SSL policy is in use by a load balancer.",
		Impact:      "The SSL policy is outdated and has known vulnerabilities",
		Resolution:  "Use a more recent TLS/SSL policy for the load balancer",
		Explanation: `You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.`,
		Links: []string{
			"https://pfs.nifcloud.com/service/lb_l4.htm",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformUseSecureTlsPolicyGoodExamples,
			BadExamples:         terraformUseSecureTlsPolicyBadExamples,
			Links:               terraformUseSecureTlsPolicyLinks,
			RemediationMarkdown: terraformUseSecureTlsPolicyRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, lb := range s.Nifcloud.Network.LoadBalancers {
			for _, listener := range lb.Listeners {
				for _, outdated := range outdatedSSLPolicies {
					if listener.TLSPolicy.EqualTo(outdated) && listener.Protocol.EqualTo("HTTPS") {
						results.Add(
							"Listener uses an outdated TLS policy.",
							listener.TLSPolicy,
						)
					} else {
						results.AddPassed(&listener)
					}
				}
			}
		}
		return
	},
)

Functions

This section is empty.

Types

This section is empty.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL