How to create a custom check in tfsec

Problem description

I want to enforce the following policy in my tfsec IaC code scan:

Custom Check: GCP Firewall rule allows all traffic on Telnet port (23)

Here is my custom check in .json format:

{
  "checks": [
    {
      "code": "CUS003",
      "description": "Custom Check: GCP Firewall rule allows all traffic on Telnet port (23)",
      "requiredTypes": [
        "resource"
      ],
      "requiredLabels": [
        "google_compute_firewall"
      ],
      "severity": "WARNING",
      "matchSpec": {
        "name": "CUS003_matchSpec_name",
        "action": "and",
        "predicateMatchSpec": [
          {
            "name": "source_ranges",
            "action": "contains",
            "value": "0.0.0.0/0"
          },
          {
            "name": "ports",
            "action": "contains",
            "value": "23"
          }
        ]
      },
      "errorMessage": "[WARNING] GCP Firewall rule allows all traffic on Telnet port (23)",
      "relatedLinks": [
        "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall"
      ]
    }
  ]
}

I have tried combinations of "not", "notContains", "equals", "subMatch" and/or "predicateMatchSpec", but nothing works.

To test it, I deliberately created firewall rules that should fail and other rules that should pass the check. When I get the check to fail, it fails for all rules, not just some of them. Likewise, when I get the check to pass, it passes for all rules, not just some of them.

Documentation that may help: tfsec custom checks

Any help is appreciated. Unfortunately "tfsec" is not a tag, so I hope this is a terraform problem I'm facing.

Tags: terraform, tfsec

Solution


I think it's obvious now, looking at its formatting, that source_ranges is a child of the google_compute_firewall resource. The ports attribute is a child attribute of allow. Your check assumes that ports is a sibling of source_ranges.

I think this check can be achieved as follows. It does a predicate check, as required, that there is a source_range and that there is a block called allow whose ports attribute contains 23:

{
  "checks": [
    {
      "code": "CUS003",
      "description": "Custom Check: GCP Firewall rule allows all traffic on Telnet port (23)",
      "requiredTypes": [
        "resource"
      ],
      "requiredLabels": [
        "google_compute_firewall"
      ],
      "severity": "WARNING",
      "matchSpec": {
        "action": "and",
        "predicateMatchSpec": [
          {
            "name": "source_ranges",
            "action": "contains",
            "value": "0.0.0.0/0"
          },
          {
            "name": "allow",
            "action": "isPresent",
            "subMatch": {
              "name": "ports",
              "action": "contains",
              "value": "23",
              "ignoreUndefined": true
            }
          }
        ]
      },
      "errorMessage": "[WARNING] GCP Firewall rule allows all traffic on Telnet port (23)",
      "relatedLinks": [
        "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall"
      ]
    }
  ]
}

I have tested it against the following body:

resource "google_compute_firewall" "default" {
  name    = "test-firewall"
  network = google_compute_network.default.name

  allow {
    protocol = "tcp"
    ports    = ["23", "8080", "1000-2000"]
  }
  source_ranges = ["0.0.0.0/0"]
  source_tags = ["web"]
}

resource "google_compute_network" "default" {
  name = "test-network"
}
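The nesting point the answer makes, plus the caveat a practitioner will hit next, as an added example that is not part of the original question or answer and is not tfsec's own code: a small Python model of how tfsec evaluates a custom check's matchSpec. It assumes tfsec's documented custom-check semantics, namely that the matchSpec describes the compliant state and a resource is reported with the errorMessage when the spec does not match it, and it models subMatch as "every nested block of that name must satisfy the sub spec". The three firewall rules, the "not"-wrapped spec and the resource-as-dict representation are constructed for this example.

```python
"""Model of how tfsec evaluates a custom check's matchSpec (added example).

Assumed semantics, following the tfsec custom-check docs: the matchSpec
describes the COMPLIANT state, and tfsec reports a resource with the
check's errorMessage when the spec does NOT match it. Resources are
modelled as dicts; nested blocks such as `allow` are lists of dicts.
"""
import json

# Constructed google_compute_firewall rules (HCL flattened into dicts).
VULNERABLE_RULE = {  # the body the answer tested against: telnet open to the world
    "name": "test-firewall",
    "source_ranges": ["0.0.0.0/0"],
    "allow": [{"protocol": "tcp", "ports": ["23", "8080", "1000-2000"]}],
}
SAFE_RULE = {  # ssh only, from a private range: should pass
    "name": "ssh-from-corp",
    "source_ranges": ["10.0.0.0/8"],
    "allow": [{"protocol": "tcp", "ports": ["22"]}],
}
ALL_PORTS_RULE = {  # allow block without `ports` = every TCP port, 23 included
    "name": "all-tcp-open",
    "source_ranges": ["0.0.0.0/0"],
    "allow": [{"protocol": "tcp"}],
}
RESOURCES = [VULNERABLE_RULE, SAFE_RULE, ALL_PORTS_RULE]


def eval_spec(block, spec):
    """Return True when `block` satisfies `spec` (i.e. is compliant)."""
    action = spec["action"]
    if action == "and":
        return all(eval_spec(block, p) for p in spec["predicateMatchSpec"])
    if action == "or":
        return any(eval_spec(block, p) for p in spec["predicateMatchSpec"])
    if action == "not":  # inverts its single predicate
        return not eval_spec(block, spec["predicateMatchSpec"][0])

    name = spec["name"]
    ignore_undefined = spec.get("ignoreUndefined", False)
    if action == "isPresent":
        result = name in block or ignore_undefined
    elif action == "notPresent":
        result = name not in block
    else:
        attr = block.get(name)
        if attr is None:
            # An undefined attribute only satisfies the spec when
            # ignoreUndefined is set; a top-level `ports` lookup on a
            # google_compute_firewall resource always lands here.
            result = ignore_undefined
        elif action == "contains":  # list membership, or substring of a string
            result = spec["value"] in attr
        elif action == "notContains":
            result = spec["value"] not in attr
        elif action == "equals":
            result = attr == spec["value"]
        else:
            raise ValueError(f"unsupported action: {action}")

    # subMatch descends into the nested block(s) named `name`; modelled here
    # (assumption) as "every such block must satisfy the sub spec".
    if "subMatch" in spec:
        for child in block.get(name, []):
            result = eval_spec(child, spec["subMatch"])
            if not result:
                break
    return result


def findings(spec, resources=RESOURCES):
    """Names of the resources tfsec would report for a check with this spec."""
    return [r["name"] for r in resources if not eval_spec(r, spec)]


# The questioner's spec: `ports` looked up at resource level, where it never exists.
FLAT_SPEC = {"action": "and", "predicateMatchSpec": [
    {"name": "source_ranges", "action": "contains", "value": "0.0.0.0/0"},
    {"name": "ports", "action": "contains", "value": "23"},
]}
# The answer's spec: correct nesting through isPresent + subMatch.
NESTED_SPEC = {"action": "and", "predicateMatchSpec": [
    {"name": "source_ranges", "action": "contains", "value": "0.0.0.0/0"},
    {"name": "allow", "action": "isPresent", "subMatch": {
        "name": "ports", "action": "contains", "value": "23", "ignoreUndefined": True}},
]}
# A match means "compliant", so to REPORT the telnet rule the nested spec has
# to be negated: compliant = NOT (open to the world AND telnet allowed).
NEGATED_SPEC = {"action": "not", "predicateMatchSpec": [NESTED_SPEC]}


def telnet_check():
    """Full custom-check document (same fields as on the page) using NEGATED_SPEC."""
    return {"checks": [{
        "code": "CUS003",
        "description": "Custom Check: GCP Firewall rule allows all traffic on Telnet port (23)",
        "requiredTypes": ["resource"],
        "requiredLabels": ["google_compute_firewall"],
        "severity": "WARNING",
        "matchSpec": NEGATED_SPEC,
        "errorMessage": "[WARNING] GCP Firewall rule allows all traffic on Telnet port (23)",
        "relatedLinks": ["https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall"],
    }]}


if __name__ == "__main__":
    for label, spec in (("flat", FLAT_SPEC), ("nested", NESTED_SPEC), ("negated", NEGATED_SPEC)):
        print(f"{label:8} reports: {findings(spec)}")
    print(json.dumps(telnet_check(), indent=2))
```

Running it reproduces the questioner's symptom: the flat spec reports all three rules, because `ports` is undefined at resource level for every one of them. The answer's nested spec matches the telnet rule, which under these semantics means that rule passes and the safe ssh rule is the one reported; wrapping it in "not" reports exactly the rules that open port 23 to 0.0.0.0/0. The `ignoreUndefined: true` on the sub spec is what makes an allow block with no `ports` (which permits every port of its protocol) count as matching, so the negated form reports that case too.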
