feat(terraform): add CKV NCP rules about Network ACL. #3630

Merged
merged 43 commits into from
Oct 26, 2022
5afbd24
[22.09.27][추가] CKV_NCP_1
pj991207 Sep 27, 2022
4d48fe1
[22.09.27][추가] CKV_NCP_2
Floodnut Sep 27, 2022
9011d54
[22.09.27][Merge]
Floodnut Sep 27, 2022
ea829d9
Apply suggestions from code review
pj991207 Sep 27, 2022
0e76a1f
Apply suggestions from code review
pj991207 Sep 27, 2022
5150177
Apply suggestions from code review
pj991207 Sep 27, 2022
d2b322f
Create main.yml
pj991207 Sep 28, 2022
a7e3000
[22.09.28][수정] Lint test
Floodnut Sep 28, 2022
2f7dcdf
Merge branch 'master' of https://github.com/init-cloud/checkov
Floodnut Sep 28, 2022
f8e7357
Delete main.yml
pj991207 Sep 28, 2022
52cb35d
[22.09.29][수정]testcode 수정
pj991207 Sep 28, 2022
b1555cb
[22.09.29][수정] 테스트 코드 수정
Floodnut Sep 28, 2022
e77773d
[22.09.29][수정] 테스트코드 수정
Floodnut Sep 29, 2022
51d2b71
Merge branch 'master' into master
pj991207 Sep 29, 2022
1ccffed
[22.09.29][수정] add test resource for 'ncloud_access_control_group_rule'
Floodnut Sep 29, 2022
49fb76a
Merge branch 'master' of https://github.com/init-cloud/checkov
Floodnut Sep 29, 2022
a8ef4c5
Merge branch 'bridgecrewio:master' into master
Floodnut Oct 3, 2022
281c4dc
Merge branch 'bridgecrewio:master' into master
Floodnut Oct 3, 2022
ad93303
Merge branch 'bridgecrewio:master' into master
pj991207 Oct 3, 2022
5d8360b
[22.10.03][add]CKV_AWS_3 RULE
pj991207 Oct 3, 2022
b21c1f4
Merge branch 'bridgecrewio:master' into master
pj991207 Oct 3, 2022
3b28b37
[22.10.04][add]CKV_NCP_4, CKV_NCP_5 RULE
pj991207 Oct 4, 2022
87ecf3d
[22.10.04][add] NCP ACG Inbound for port 22, 3389
Floodnut Oct 4, 2022
53cd21b
[22.10.04][add] NCP NACL for port 20, 21, 22, 3389
taeng0204 Oct 4, 2022
8867513
[22.10.05][modify] LBSecureProtocols.py
taeng0204 Oct 5, 2022
ab60ab0
[22.10.05][add] NCP ACGIngress & Egress Check
taeng0204 Oct 5, 2022
f8be0ae
[22.10.06][add] NCP rules about ACG, LB, NACL, Encrpytion
Floodnut Oct 5, 2022
edfeef9
[22.10.06][refactor] rename rules
Floodnut Oct 5, 2022
0a66496
[22.10.07][add] NCP NACLPortCheck
Oct 7, 2022
740fc95
[22.10.08][refactor] modify rule id 77 to 14
Floodnut Oct 8, 2022
81fd1a7
[22.10.09][refactor] modify for ncp tf rules 8-11
Floodnut Oct 9, 2022
9f9a663
Merge branch 'bridgecrewio:master' into ncp/rule-8-11
Floodnut Oct 11, 2022
de9b809
[22.10.03][add]CKV_AWS_3 RULE
Floodnut Oct 17, 2022
10f8d68
Merge branch 'ncp/rule-8-11' of https://github.com/init-cloud/checkov…
Floodnut Oct 17, 2022
e7b9aab
[22.10.18][fix] fix ncp rule 2 id
Floodnut Oct 17, 2022
0561665
Merge branch 'bridgecrewio:master' into ncp/rule-8-11
Floodnut Oct 19, 2022
7748c64
[22.10.19][refactor] adjust ncp abs class
Floodnut Oct 19, 2022
d620a90
Merge branch 'bridgecrewio:master' into ncp/rule-8-11
Floodnut Oct 20, 2022
dd2a252
Merge branch 'bridgecrewio:master' into ncp/rule-8-11
Floodnut Oct 25, 2022
eaf3b54
[22.10.25][refactor]
Floodnut Oct 25, 2022
df437cc
Merge branch 'ncp/rule-8-11' of https://github.com/init-cloud/checkov…
Floodnut Oct 25, 2022
373106b
Merge branch 'bridgecrewio:master' into ncp/rule-8-11
Floodnut Oct 25, 2022
d102d99
[22.10.25][refactor] adjust change
Floodnut Oct 25, 2022
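--- a/checkov/terraform/checks/resource/ncp/NACLInbound20.py
+++ b/checkov/terraform/checks/resource/ncp/NACLInbound20.py
@@ -0,0 +1,9 @@
+from checkov.terraform.checks.resource.ncp.NACLInboundCheck import NACLInboundCheck
+
+
+class NACLInbound20(NACLInboundCheck):
+def __init__(self):
+super().__init__(check_id="CKV_NCP_8", port=20)
+
+
+check = NACLInbound20()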
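Review bot: NACLInbound20 carries no docstring, so a reader has to open NACLInboundCheck to learn what CKV_NCP_8 flags; a one-line class docstring such as `"""CKV_NCP_8: fail when an ncloud_network_acl_rule allows inbound traffic from any address to port 20."""` would document it where the check is registered. The same applies to NACLInbound21, NACLInbound22 and NACLInbound3389 in this PR, which differ only in check id and port.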
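--- a/checkov/terraform/checks/resource/ncp/NACLInbound21.py
+++ b/checkov/terraform/checks/resource/ncp/NACLInbound21.py
@@ -0,0 +1,9 @@
+from checkov.terraform.checks.resource.ncp.NACLInboundCheck import NACLInboundCheck
+
+
+class NACLInbound21(NACLInboundCheck):
+def __init__(self):
+super().__init__(check_id="CKV_NCP_9", port=21)
+
+
+check = NACLInbound21()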
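--- a/checkov/terraform/checks/resource/ncp/NACLInbound22.py
+++ b/checkov/terraform/checks/resource/ncp/NACLInbound22.py
@@ -0,0 +1,9 @@
+from checkov.terraform.checks.resource.ncp.NACLInboundCheck import NACLInboundCheck
+
+
+class NACLInbound22(NACLInboundCheck):
+def __init__(self):
+super().__init__(check_id="CKV_NCP_10", port=22)
+
+
+check = NACLInbound22()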
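--- a/checkov/terraform/checks/resource/ncp/NACLInbound3389.py
+++ b/checkov/terraform/checks/resource/ncp/NACLInbound3389.py
@@ -0,0 +1,9 @@
+from checkov.terraform.checks.resource.ncp.NACLInboundCheck import NACLInboundCheck
+
+
+class NACLInbound3389(NACLInboundCheck):
+def __init__(self):
+super().__init__(check_id="CKV_NCP_11", port=3389)
+
+
+check = NACLInbound3389()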
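--- a/checkov/terraform/checks/resource/ncp/NACLInboundCheck.py
+++ b/checkov/terraform/checks/resource/ncp/NACLInboundCheck.py
@@ -0,0 +1,27 @@
+from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
+from checkov.common.models.enums import CheckResult, CheckCategories
+
+
+class NACLInboundCheck(BaseResourceCheck):
+def __init__(self, check_id, port):
+name = f"Ensure no NACL allow inbound from 0.0.0.0:0 to port {port}"
+id = check_id
+supported_resources = ('ncloud_network_acl_rule',)
+categories = (CheckCategories.NETWORKING,)
+super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+self.port = port
+
+def scan_resource_conf(self, conf):
+for inbound in conf.get('inbound', []):
+if inbound['rule_action'] == ["ALLOW"]:
+ip = inbound.get('ip_block', ['0.0.0.0/0'])
+if ip == ['0.0.0.0/0'] or ip == ['::/0']:
+port = inbound.get('port_range', str(self.port))[0]
+if port == str(self.port):
+return CheckResult.FAILED
+elif port.find('-'):
+port_range = list(map(int, port.split("-")))
+if port_range[0] <= self.port <= port_range[-1]:
+return CheckResult.FAILED
+
+return CheckResult.PASSED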
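Review bot: In scan_resource_conf the `elif port.find('-'):` branch is taken for every port string that contains no dash, because str.find returns -1 (truthy) when the character is absent; the range comparison then only happens to be harmless for plain numeric values and raises ValueError on anything int() cannot parse, which aborts the scan instead of reporting a result. The default on the line above, `inbound.get('port_range', str(self.port))[0]`, indexes the first character of a string (e.g. "2" for port 20) rather than the first element of a list, so a rule that omits port_range silently falls through to PASSED; if an omitted port_range means every port for this provider, that is the most permissive rule and should be the one that fails — confirm against the provider docs. `inbound['rule_action']` also raises KeyError on a block without that key where a skip would be the safer outcome. The rewrite below replaces the method body only; __init__ and the class header are unchanged, and a class docstring stating the contract ("FAILED when any ALLOW inbound block from 0.0.0.0/0 or ::/0 covers self.port, otherwise PASSED") would help too.
```python
    def scan_resource_conf(self, conf):
        target = str(self.port)
        for inbound in conf.get('inbound', []):
            if inbound.get('rule_action') != ["ALLOW"]:
                continue
            ip = inbound.get('ip_block', ['0.0.0.0/0'])
            if ip not in (['0.0.0.0/0'], ['::/0']):
                continue
            # default is a list so [0] yields the whole port string, not its first character
            port = str(inbound.get('port_range', [target])[0])
            if port == target:
                return CheckResult.FAILED
            if '-' in port:
                try:
                    low, high = (int(p) for p in port.split('-', 1))
                except ValueError:
                    continue  # malformed range: do not abort the whole scan
                if low <= self.port <= high:
                    return CheckResult.FAILED
        return CheckResult.PASSED
```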
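--- a/tests/terraform/checks/resource/ncp/example_NACLInbound20/main.tf
+++ b/tests/terraform/checks/resource/ncp/example_NACLInbound20/main.tf
@@ -0,0 +1,83 @@
+resource "ncloud_network_acl_rule" "pass" {
+network_acl_no = ncloud_network_acl.nacl.id
+
+inbound {
+priority = 100
+protocol = "TCP"
+rule_action = "ALLOW"
+ip_block = "10.3.0.0/18"
+port_range = "20"
+}
+}
+
+resource "ncloud_network_acl_rule" "pass1" {
+network_acl_no = ncloud_network_acl.nacl.id
+
+inbound {
+priority = 110
+protocol = "TCP"
+rule_action = "ALLOW"
+ip_block = "0.0.0.0/0"
+port_range = "222"
+}
+
+inbound {
+priority = 100
+protocol = "TCP"
+rule_action = "ALLOW"
+ip_block = "10.0.0.0/32"
+port_range = "19-21"
+}
+
+inbound {
+priority = 120
+protocol = "TCP"
+rule_action = "DROP"
+ip_block = "0.0.0.0/0"
+port_range = "20"
+}
+
+outbound {
+priority = 199
+protocol = "TCP"
+rule_action = "ALLOW"
+ip_block = "0.0.0.0/0"
+port_range = "20"
+}
+}
+
+resource "ncloud_network_acl_rule" "fail" {
+network_acl_no = ncloud_network_acl.nacl.id
+
+inbound {
+priority = 100
+protocol = "TCP"
+rule_action = "ALLOW"
+ip_block = "0.0.0.0/0"
+port_range = "20"
+}
+}
+
+resource "ncloud_network_acl_rule" "fail1" {
+network_acl_no = ncloud_network_acl.nacl.id
+
+inbound {
+priority = 100
+protocol = "TCP"
+rule_action = "ALLOW"
+ip_block = "::/0"
+port_range = "20"
+}
+}
+
+resource "ncloud_network_acl_rule" "fail2" {
+network_acl_no = ncloud_network_acl.nacl.id
+
+inbound {
+priority = 100
+protocol = "TCP"
+rule_action = "ALLOW"
+ip_block = "0.0.0.0/0"
+port_range = "3-40"
+}
+}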
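Review bot: None of the fixture resources omits `port_range`, although NACLInboundCheck.scan_resource_conf has a dedicated default path for a missing port_range that no fixture exercises; a resource such as `inbound { priority = 100 protocol = "TCP" rule_action = "ALLOW" ip_block = "0.0.0.0/0" }` with no port_range line would pin the intended result for that case. The same gap exists in example_NACLInbound21/main.tf and example_NACLInbound22/main.tf. Whether an omitted port_range means "all ports" for ncloud_network_acl_rule should be confirmed against the provider documentation before deciding whether that resource is named pass or fail.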
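--- a/tests/terraform/checks/resource/ncp/example_NACLInbound21/main.tf
+++ b/tests/terraform/checks/resource/ncp/example_NACLInbound21/main.tf
@@ -0,0 +1,83 @@
+resource "ncloud_network_acl_rule" "pass" {
+network_acl_no = ncloud_network_acl.nacl.id
+
+inbound {
+priority = 100
+protocol = "TCP"
+rule_action = "ALLOW"
+ip_block = "10.3.0.0/18"
+port_range = "21"
+}
+}
+
+resource "ncloud_network_acl_rule" "pass1" {
+network_acl_no = ncloud_network_acl.nacl.id
+
+inbound {
+priority = 110
+protocol = "TCP"
+rule_action = "ALLOW"
+ip_block = "0.0.0.0/0"
+port_range = "222"
+}
+
+inbound {
+priority = 100
+protocol = "TCP"
+rule_action = "ALLOW"
+ip_block = "10.0.0.0/32"
+port_range = "19-22"
+}
+
+inbound {
+priority = 120
+protocol = "TCP"
+rule_action = "DROP"
+ip_block = "0.0.0.0/0"
+port_range = "21"
+}
+
+outbound {
+priority = 199
+protocol = "TCP"
+rule_action = "ALLOW"
+ip_block = "0.0.0.0/0"
+port_range = "21"
+}
+}
+
+resource "ncloud_network_acl_rule" "fail" {
+network_acl_no = ncloud_network_acl.nacl.id
+
+inbound {
+priority = 100
+protocol = "TCP"
+rule_action = "ALLOW"
+ip_block = "0.0.0.0/0"
+port_range = "21"
+}
+}
+
+resource "ncloud_network_acl_rule" "fail1" {
+network_acl_no = ncloud_network_acl.nacl.id
+
+inbound {
+priority = 100
+protocol = "TCP"
+rule_action = "ALLOW"
+ip_block = "::/0"
+port_range = "21"
+}
+}
+
+resource "ncloud_network_acl_rule" "fail2" {
+network_acl_no = ncloud_network_acl.nacl.id
+
+inbound {
+priority = 100
+protocol = "TCP"
+rule_action = "ALLOW"
+ip_block = "0.0.0.0/0"
+port_range = "3-40"
+}
+}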
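--- a/tests/terraform/checks/resource/ncp/example_NACLInbound22/main.tf
+++ b/tests/terraform/checks/resource/ncp/example_NACLInbound22/main.tf
@@ -0,0 +1,83 @@
+resource "ncloud_network_acl_rule" "pass" {
+network_acl_no = ncloud_network_acl.nacl.id
+
+inbound {
+priority = 100
+protocol = "TCP"
+rule_action = "ALLOW"
+ip_block = "10.3.0.0/18"
+port_range = "22"
+}
+}
+
+resource "ncloud_network_acl_rule" "pass1" {
+network_acl_no = ncloud_network_acl.nacl.id
+
+inbound {
+priority = 110
+protocol = "TCP"
+rule_action = "ALLOW"
+ip_block = "0.0.0.0/0"
+port_range = "222"
+}
+
+inbound {
+priority = 100
+protocol = "TCP"
+rule_action = "ALLOW"
+ip_block = "10.0.0.0/32"
+port_range = "19-23"
+}
+
+inbound {
+priority = 120
+protocol = "TCP"
+rule_action = "DROP"
+ip_block = "0.0.0.0/0"
+port_range = "22"
+}
+
+outbound {
+priority = 199
+protocol = "TCP"
+rule_action = "ALLOW"
+ip_block = "0.0.0.0/0"
+port_range = "22"
+}
+}
+
+resource "ncloud_network_acl_rule" "fail" {
+network_acl_no = ncloud_network_acl.nacl.id
+
+inbound {
+priority = 100
+protocol = "TCP"
+rule_action = "ALLOW"
+ip_block = "0.0.0.0/0"
+port_range = "22"
+}
+}
+
+resource "ncloud_network_acl_rule" "fail1" {
+network_acl_no = ncloud_network_acl.nacl.id
+
+inbound {
+priority = 100
+protocol = "TCP"
+rule_action = "ALLOW"
+ip_block = "::/0"
+port_range = "22"
+}
+}
+
+resource "ncloud_network_acl_rule" "fail2" {
+network_acl_no = ncloud_network_acl.nacl.id
+
+inbound {
+priority = 100
+protocol = "TCP"
+rule_action = "ALLOW"
+ip_block = "0.0.0.0/0"
+port_range = "3-40"
+}
+}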