IP Forwarding Enabled
- Query id: 11bd3554-cd56-4257-8e25-7aaf30cf8f5f
- Query name: IP Forwarding Enabled
- Platform: Ansible
- Severity: Medium
- Category: Networking and Firewall
- URL: Github
Description¶
Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Postitive test num. 1 - yaml file
#this is a problematic code where the query should report a result(s)
- name: create a instance
google.cloud.gcp_compute_instance:
name: test_object
machine_type: n1-standard-1
metadata:
startup-script-url: gs:://graphite-playground/bootstrap.sh
cost-center: '12345'
labels:
environment: production
network_interfaces:
- network: "{{ network }}"
access_configs:
- name: External NAT
nat_ip: "{{ address }}"
type: ONE_TO_ONE_NAT
zone: us-central1-a
project: test_project
auth_kind: serviceaccount
service_account_file: "/tmp/auth.pem"
state: present
can_ip_forward: yes
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
- name: create a instance
google.cloud.gcp_compute_instance:
name: test_object
machine_type: n1-standard-1
metadata:
startup-script-url: gs:://graphite-playground/bootstrap.sh
cost-center: '12345'
labels:
environment: production
network_interfaces:
- network: '{{ network }}'
access_configs:
- name: External NAT
nat_ip: '{{ address }}'
type: ONE_TO_ONE_NAT
zone: us-central1-a
project: test_project
auth_kind: serviceaccount
service_account_file: /tmp/auth.pem
state: present
can_ip_forward: no