package compute

import (
	"github.com/khulnasoft-lab/defsec/internal/cidr"
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckNoPublicEgress registers the OpenStack networking rule AVD-OPNSTK-0004.
//
// It walks every managed, non-ingress security group rule and reports the
// rule when its CIDR is public and spans more than one address; every other
// rule is recorded as passed. Unmanaged rules and ingress rules are skipped
// entirely (neither failed nor passed).
//
// NOTE(review): a CIDR whose Value() is empty or unresolvable presumably
// fails cidr.IsPublic and is therefore recorded as a pass — confirm that is
// the intended outcome rather than an "unknown" result.
var CheckNoPublicEgress = rules.Register(
	scan.Rule{
		AVDID:       "AVD-OPNSTK-0004",
		Provider:    providers.OpenStackProvider,
		Service:     "networking",
		ShortCode:   "no-public-egress",
		Summary:     "A security group rule allows egress traffic to multiple public addresses",
		Impact:      "Potential exfiltration of data to the public internet",
		Resolution:  "Employ more restrictive security group rules",
		Explanation: `Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicEgressGoodExamples,
			BadExamples:         terraformNoPublicEgressBadExamples,
			Links:               terraformNoPublicEgressLinks,
			RemediationMarkdown: terraformNoPublicEgressRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	// Evaluate the rule against the scanned state; s is the full provider state.
	func(s *state.State) (results scan.Results) {
		for _, sg := range s.OpenStack.Networking.SecurityGroups {
			for _, sgRule := range sg.Rules {
				// Out of scope: rules not managed by the scanned config, and
				// ingress rules (a separate check covers inbound traffic).
				if sgRule.Metadata.IsUnmanaged() {
					continue
				}
				if sgRule.IsIngress.IsTrue() {
					continue
				}

				// Read the destination once; a single /32-style address is
				// tolerated, only broader public ranges are flagged.
				dest := sgRule.CIDR.Value()
				broadPublicRange := cidr.IsPublic(dest) && cidr.CountAddresses(dest) > 1
				if !broadPublicRange {
					results.AddPassed(sgRule)
					continue
				}

				results.Add(
					"Security group rule allows egress to multiple public addresses.",
					sgRule.CIDR,
				)
			}
		}
		return results
	},
)