// CheckNoPlaintextPassword is the AVD-OPNSTK-0001 rule for the OpenStack
// compute service. It reports every managed compute instance whose
// AdminPassword attribute is set, on the basis that a credential written
// into the configuration is a compromise risk; the rule metadata points
// users at key-pairs as the preferred login mechanism instead.
var CheckNoPlaintextPassword = rules.Register(
	scan.Rule{
		AVDID:       "AVD-OPNSTK-0001",
		Provider:    providers.OpenStackProvider,
		Service:     "compute",
		ShortCode:   "no-plaintext-password",
		Summary:     "No plaintext password for compute instance",
		Impact:      "Including a plaintext password could lead to compromised instance",
		Resolution:  "Do not use plaintext passwords in terraform files",
		Explanation: `Assigning a password to the compute instance using plaintext could lead to compromise; it would be preferable to use key-pairs as a login mechanism`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPlaintextPasswordGoodExamples,
			BadExamples:         terraformNoPlaintextPasswordBadExamples,
			Links:               terraformNoPlaintextPasswordLinks,
			RemediationMarkdown: terraformNoPlaintextPasswordRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	// The check walks every compute instance in the scanned state and emits
	// exactly one result per managed instance: a failure anchored on the
	// AdminPassword attribute when it is non-empty, a pass otherwise.
	func(s *state.State) (results scan.Results) {
		instances := s.OpenStack.Compute.Instances
		for i := range instances {
			inst := instances[i]
			// Instances not managed by the scanned configuration are out of
			// scope and produce neither a pass nor a failure.
			if inst.Metadata.IsUnmanaged() {
				continue
			}
			switch {
			case inst.AdminPassword.IsNotEmpty():
				// Anchor the finding on the password attribute itself so the
				// reported location is the offending assignment.
				results.Add(
					"Instance has admin password set.",
					inst.AdminPassword,
				)
			default:
				results.AddPassed(inst)
			}
		}
		return results
	},
)
// CheckNoPublicAccess is the AVD-OPNSTK-0002 rule for the OpenStack compute
// service. It inspects every managed, enabled firewall allow-rule and
// reports those whose destination or source is either unrestricted (empty)
// or, per cidr.IsPublic, a public address range — i.e. rules that expose
// infrastructure to, or permit traffic toward, the public internet.
var CheckNoPublicAccess = rules.Register(
	scan.Rule{
		AVDID:       "AVD-OPNSTK-0002",
		Provider:    providers.OpenStackProvider,
		Service:     "compute",
		ShortCode:   "no-public-access",
		Summary:     "A firewall rule allows traffic from/to the public internet",
		Impact:      "Exposure of infrastructure to the public internet",
		Resolution:  "Employ more restrictive firewall rules",
		Explanation: `Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicAccessGoodExamples,
			BadExamples:         terraformNoPublicAccessBadExamples,
			Links:               terraformNoPublicAccessLinks,
			RemediationMarkdown: terraformNoPublicAccessRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	// The check yields at most one result per allow-rule. Checks run in a
	// fixed order — destination empty, destination public, source empty,
	// source public — and the first that matches is the one reported, so a
	// rule that is public on both sides surfaces only its destination.
	func(s *state.State) (results scan.Results) {
		for _, allow := range s.OpenStack.Compute.Firewall.AllowRules {
			// Unmanaged rules are outside the scanned configuration and
			// disabled rules grant nothing; neither is scored.
			if allow.Metadata.IsUnmanaged() || allow.Enabled.IsFalse() {
				continue
			}
			switch {
			case allow.Destination.IsEmpty():
				results.Add(
					"Firewall rule does not restrict destination address internally.",
					allow.Destination,
				)
			case cidr.IsPublic(allow.Destination.Value()):
				// Outbound reach to a public range.
				results.Add(
					"Firewall rule allows public egress.",
					allow.Destination,
				)
			case allow.Source.IsEmpty():
				results.Add(
					"Firewall rule does not restrict source address internally.",
					allow.Source,
				)
			case cidr.IsPublic(allow.Source.Value()):
				// Inbound reach from a public range.
				results.Add(
					"Firewall rule allows public ingress.",
					allow.Source,
				)
			default:
				results.AddPassed(allow)
			}
		}
		return results
	},
)