Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var CheckDisablePasswordAuthentication = rules.Register( scan2.Rule{ AVDID: "AVD-AZU-0039", Provider: providers2.AzureProvider, Service: "compute", ShortCode: "disable-password-authentication", Summary: "Password authentication should be disabled on Azure virtual machines", Impact: "Using password authentication is less secure that ssh keys may result in compromised servers", Resolution: "Use ssh authentication for virtual machines", Explanation: `Access to virtual machines should be authenticated using SSH keys. Removing the option of password authentication enforces more secure methods while removing the risks inherent with passwords.`, Links: []string{}, Terraform: &scan2.EngineMetadata{ GoodExamples: terraformDisablePasswordAuthenticationGoodExamples, BadExamples: terraformDisablePasswordAuthenticationBadExamples, Links: terraformDisablePasswordAuthenticationLinks, RemediationMarkdown: terraformDisablePasswordAuthenticationRemediationMarkdown, }, Severity: severity2.High, }, func(s *state2.State) (results scan2.Results) { for _, vm := range s.Azure.Compute.LinuxVirtualMachines { if vm.IsUnmanaged() { continue } if vm.OSProfileLinuxConfig.DisablePasswordAuthentication.IsFalse() { results.Add( "Linux virtual machine allows password authentication.", vm.OSProfileLinuxConfig.DisablePasswordAuthentication, ) } else { results.AddPassed(&vm) } } return }, )
View Source
var CheckEnableDiskEncryption = rules.Register( scan2.Rule{ AVDID: "AVD-AZU-0038", Provider: providers2.AzureProvider, Service: "compute", ShortCode: "enable-disk-encryption", Summary: "Enable disk encryption on managed disk", Impact: "Data could be read if compromised", Resolution: "Enable encryption on managed disks", Explanation: `Manage disks should be encrypted at rest. When specifying the <code>encryption_settings</code> block, the enabled attribute should be set to <code>true</code>.`, Links: []string{ "https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption", }, Terraform: &scan2.EngineMetadata{ GoodExamples: terraformEnableDiskEncryptionGoodExamples, BadExamples: terraformEnableDiskEncryptionBadExamples, Links: terraformEnableDiskEncryptionLinks, RemediationMarkdown: terraformEnableDiskEncryptionRemediationMarkdown, }, Severity: severity2.High, }, func(s *state2.State) (results scan2.Results) { for _, disk := range s.Azure.Compute.ManagedDisks { if disk.IsUnmanaged() { continue } if disk.Encryption.Enabled.IsFalse() { results.Add( "Managed disk is not encrypted.", disk.Encryption.Enabled, ) } else { results.AddPassed(&disk) } } return }, )
View Source
var CheckNoSecretsInCustomData = rules.Register( scan2.Rule{ AVDID: "AVD-AZU-0037", Provider: providers2.AzureProvider, Service: "compute", ShortCode: "no-secrets-in-custom-data", Summary: "Ensure that no sensitive credentials are exposed in VM custom_data", Impact: "Sensitive credentials in custom_data can be leaked", Resolution: "Don't use sensitive credentials in the VM custom_data", Explanation: `When creating Azure Virtual Machines, custom_data is used to pass start up information into the EC2 instance. This custom_dat must not contain access key credentials.`, Links: []string{}, Terraform: &scan2.EngineMetadata{ GoodExamples: terraformNoSecretsInCustomDataGoodExamples, BadExamples: terraformNoSecretsInCustomDataBadExamples, Links: terraformNoSecretsInCustomDataLinks, RemediationMarkdown: terraformNoSecretsInCustomDataRemediationMarkdown, }, Severity: severity2.Medium, }, func(s *state2.State) (results scan2.Results) { for _, vm := range s.Azure.Compute.LinuxVirtualMachines { if vm.IsUnmanaged() { continue } if result := scanner.Scan(vm.CustomData.Value()); result.TransgressionFound { results.Add( "Virtual machine includes secret(s) in custom data.", vm.CustomData, ) } else { results.AddPassed(&vm) } } for _, vm := range s.Azure.Compute.WindowsVirtualMachines { if vm.IsUnmanaged() { continue } if result := scanner.Scan(vm.CustomData.Value()); result.TransgressionFound { results.Add( "Virtual machine includes secret(s) in custom data.", vm.CustomData, ) } else { results.AddPassed(&vm) } } return }, )
Functions ¶
This section is empty.
Types ¶
This section is empty.
Click to show internal directories.
Click to hide internal directories.