package nas

import (
	"github.com/khulnasoft-lab/defsec/internal/cidr"
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckNoPublicIngressNASSgr is rule AVD-NIF-0014. It walks every NIFCLOUD NAS
// security group in the scanned state and fails each ingress CIDR that
// cidr.IsPublic accepts AND that cidr.CountAddresses reports as covering more
// than one address.
//
// Two consequences of that condition are worth knowing when triaging results:
//   - a single-address public CIDR (a /32) is NOT reported, so a rule pinned to
//     one public host passes this check;
//   - any wider public range fails, not only the 0.0.0.0/0 named in Summary
//     (e.g. a public /24 is reported as well).
//
// Failures are attached to the offending CIDR value; passes are attached to the
// enclosing security group, once per CIDR that was not flagged. A group with no
// CIDRs produces no result at all.
var CheckNoPublicIngressNASSgr = rules.Register(
	scan.Rule{
		AVDID:       "AVD-NIF-0014",
		Aliases:     []string{"nifcloud-nas-no-public-ingress-nas-sgr"},
		Provider:    providers.NifcloudProvider,
		Service:     "nas",
		ShortCode:   "no-public-ingress-nas-sgr",
		Summary:     "An ingress nas security group rule allows traffic from /0.",
		Impact:      "Your port exposed to the internet",
		Resolution:  "Set a more restrictive cidr range",
		Explanation: `Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.`,
		Links: []string{
			"https://pfs.nifcloud.com/api/nas/AuthorizeNASSecurityGroupIngress.htm",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicIngressNASSgrGoodExamples,
			BadExamples:         terraformNoPublicIngressNASSgrBadExamples,
			Links:               terraformNoPublicIngressNASSgrLinks,
			RemediationMarkdown: terraformNoPublicIngressNASSgrRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, sg := range s.Nifcloud.NAS.NASSecurityGroups {
			for _, ingress := range sg.CIDRs {
				block := ingress.Value()

				// Failure condition: public range wider than a single host.
				if cidr.IsPublic(block) && cidr.CountAddresses(block) > 1 {
					results.Add(
						"NAS Security group rule allows ingress from public internet.",
						ingress,
					)
					continue
				}

				// Anything else (private, or a lone public address) is recorded
				// as a pass against the group that owns the CIDR.
				results.AddPassed(&sg)
			}
		}
		return results
	},
)