Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var CheckEnableDnssec = rules.Register( scan2.Rule{ AVDID: "AVD-GCP-0013", Provider: providers2.GoogleProvider, Service: "dns", ShortCode: "enable-dnssec", Summary: "Cloud DNS should use DNSSEC", Impact: "Unverified DNS responses could lead to man-in-the-middle attacks", Resolution: "Enable DNSSEC", Explanation: `DNSSEC authenticates DNS responses, preventing MITM attacks and impersonation.`, Links: []string{}, Terraform: &scan2.EngineMetadata{ GoodExamples: terraformEnableDnssecGoodExamples, BadExamples: terraformEnableDnssecBadExamples, Links: terraformEnableDnssecLinks, RemediationMarkdown: terraformEnableDnssecRemediationMarkdown, }, Severity: severity2.Medium, }, func(s *state2.State) (results scan2.Results) { for _, zone := range s.Google.DNS.ManagedZones { if zone.IsUnmanaged() || zone.IsPrivate() { continue } if zone.DNSSec.Enabled.IsFalse() { results.Add( "Managed zone does not have DNSSEC enabled.", zone.DNSSec.Enabled, ) } else { results.AddPassed(&zone) } } return }, )
View Source
var CheckNoRsaSha1 = rules.Register( scan2.Rule{ AVDID: "AVD-GCP-0012", Provider: providers2.GoogleProvider, Service: "dns", ShortCode: "no-rsa-sha1", Summary: "Zone signing should not use RSA SHA1", Impact: "Less secure encryption algorithm than others available", Resolution: "Use RSA SHA512", Explanation: `RSA SHA1 is a weaker algorithm than SHA2-based algorithms such as RSA SHA256/512`, Links: []string{}, Terraform: &scan2.EngineMetadata{ GoodExamples: terraformNoRsaSha1GoodExamples, BadExamples: terraformNoRsaSha1BadExamples, Links: terraformNoRsaSha1Links, RemediationMarkdown: terraformNoRsaSha1RemediationMarkdown, }, Severity: severity2.Medium, }, func(s *state2.State) (results scan2.Results) { for _, zone := range s.Google.DNS.ManagedZones { if zone.IsUnmanaged() { continue } if zone.DNSSec.DefaultKeySpecs.KeySigningKey.Algorithm.EqualTo("rsasha1") { results.Add( "Zone KSK uses RSA SHA1 for signing.", zone.DNSSec.DefaultKeySpecs.KeySigningKey.Algorithm, ) } else if zone.DNSSec.DefaultKeySpecs.ZoneSigningKey.Algorithm.EqualTo("rsasha1") { results.Add( "Zone ZSK uses RSA SHA1 for signing.", zone.DNSSec.DefaultKeySpecs.ZoneSigningKey.Algorithm, ) } else { results.AddPassed(&zone) } } return }, )
Functions ¶
This section is empty.
Types ¶
This section is empty.
Click to show internal directories.
Click to hide internal directories.