IP Forwarding Enabled

  • Query id: 11bd3554-cd56-4257-8e25-7aaf30cf8f5f
  • Query name: IP Forwarding Enabled
  • Platform: Ansible
  • Severity: Medium
  • Category: Networking and Firewall
  • URL: Github

Description

Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - yaml file
#this is a problematic code where the query should report a result(s)
- name: create a instance
  google.cloud.gcp_compute_instance:
    name: test_object
    machine_type: n1-standard-1
    metadata:
      startup-script-url: gs:://graphite-playground/bootstrap.sh
      cost-center: '12345'
    labels:
      environment: production
    network_interfaces:
    - network: "{{ network }}"
      access_configs:
      - name: External NAT
        nat_ip: "{{ address }}"
        type: ONE_TO_ONE_NAT
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    can_ip_forward: yes

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
- name: create a instance
  google.cloud.gcp_compute_instance:
    name: test_object
    machine_type: n1-standard-1
    metadata:
      startup-script-url: gs:://graphite-playground/bootstrap.sh
      cost-center: '12345'
    labels:
      environment: production
    network_interfaces:
    - network: '{{ network }}'
      access_configs:
      - name: External NAT
        nat_ip: '{{ address }}'
        type: ONE_TO_ONE_NAT
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
    can_ip_forward: no