locals {
  # Tags shared by every Cloud DNS control in this file: the compliance-wide
  # tags with the service name added.
  policy_bundle_dns_common_tags = merge(local.gcp_compliance_common_tags, { service = "GCP/DNS" })
}
# Key-signing key (KSK) algorithm check; rated "high" and tagged cft_scorecard_v1.
control "dnssec_prevent_rsasha1_ksk" {
  title = "Ensure that RSASHA1 is not used for key-signing key in Cloud DNS"
  query = query.dns_managed_zone_key_signing_not_using_rsasha1
  tags  = merge(local.policy_bundle_dns_common_tags, { cft_scorecard_v1 = "true", severity = "high" })
}
# Zone-signing key (ZSK) algorithm check; rated "high" and tagged cft_scorecard_v1.
control "dnssec_prevent_rsasha1_zsk" {
  title = "Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS"
  query = query.dns_managed_zone_zone_signing_not_using_rsasha1
  tags  = merge(local.policy_bundle_dns_common_tags, { cft_scorecard_v1 = "true", severity = "high" })
}
# DNSSEC-enabled check; carries only the shared DNS tags (no severity or scorecard tag here).
control "dns_managed_zone_dnssec_enabled" {
  title       = "Ensure that DNSSEC is enabled for Cloud DNS"
  query       = query.dns_managed_zone_dnssec_enabled
  tags        = local.policy_bundle_dns_common_tags
  description = "Cloud Domain Name System (DNS) is a fast, reliable, and cost-effective domain name system that powers millions of domains on the internet. Domain Name System Security Extensions (DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks."
}
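query "dns_managed_zone_key_signing_not_using_rsasha1" {
  # Per managed zone: 'skip' for private zones, 'alarm' when DNSSEC is not
  # enabled or the key-signing key spec uses rsasha1, otherwise 'ok'.
  # Columns: resource (self_link), status, reason, plus the shared dimensions.
  sql = <<-EOQ
    select
      self_link resource,
      case
        when visibility = 'private' then 'skip'
        -- DNSSEC state null OR explicitly 'off' both mean "not enabled", matching
        -- the dnssec_enabled query; previously 'off' fell through to 'ok'.
        when dnssec_config_state is null or dnssec_config_state = 'off' then 'alarm'
        -- jsonb containment: a keySigning spec entry with algorithm rsasha1
        when dnssec_config_default_key_specs @> '[{"keyType": "keySigning", "algorithm": "rsasha1"}]' then 'alarm'
        else 'ok'
      end as status,
      case
        when visibility = 'private'
          then title || ' is private.'
        when dnssec_config_state is null or dnssec_config_state = 'off'
          then title || ' DNSSEC not enabled.'
        when dnssec_config_default_key_specs @> '[{"keyType": "keySigning", "algorithm": "rsasha1"}]'
          then title || ' using RSASHA1 algorithm for key-signing.'
        else title || ' not using RSASHA1 algorithm for key-signing.'
      end as reason
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_global_sql}
    from
      gcp_dns_managed_zone;
  EOQ
}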
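query "dns_managed_zone_zone_signing_not_using_rsasha1" {
  # Per managed zone: 'skip' for private zones, 'alarm' when DNSSEC is not
  # enabled or the zone-signing key spec uses rsasha1, otherwise 'ok'.
  # Columns: resource (self_link), status, reason, plus the shared dimensions.
  sql = <<-EOQ
    select
      self_link resource,
      case
        when visibility = 'private' then 'skip'
        -- DNSSEC state null OR explicitly 'off' both mean "not enabled", matching
        -- the dnssec_enabled query; previously 'off' fell through to 'ok'.
        when dnssec_config_state is null or dnssec_config_state = 'off' then 'alarm'
        -- jsonb containment: a zoneSigning spec entry with algorithm rsasha1
        when dnssec_config_default_key_specs @> '[{"keyType": "zoneSigning", "algorithm": "rsasha1"}]' then 'alarm'
        else 'ok'
      end as status,
      case
        when visibility = 'private'
          then title || ' is private.'
        when dnssec_config_state is null or dnssec_config_state = 'off'
          then title || ' DNSSEC not enabled.'
        when dnssec_config_default_key_specs @> '[{"keyType": "zoneSigning", "algorithm": "rsasha1"}]'
          then title || ' using RSASHA1 algorithm for zone-signing.'
        else title || ' not using RSASHA1 algorithm for zone-signing.'
      end as reason
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_global_sql}
    from
      gcp_dns_managed_zone;
  EOQ
}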
query "dns_managed_zone_dnssec_enabled" {
  # Per managed zone: 'skip' for private zones, 'alarm' for public zones whose
  # DNSSEC state is missing or 'off', otherwise 'ok'.
  # Columns: resource (self_link), status, reason, plus the shared dimensions.
  sql = <<-EOQ
    select
      self_link resource,
      case
        when visibility = 'private' then 'skip'
        -- a null state is treated exactly like 'off'
        when visibility = 'public' and coalesce(dnssec_config_state, 'off') = 'off' then 'alarm'
        else 'ok'
      end as status,
      case
        when visibility = 'private' then title || ' is private.'
        when visibility = 'public' and coalesce(dnssec_config_state, 'off') = 'off' then title || ' DNSSEC not enabled.'
        else title || ' DNSSEC enabled.'
      end as reason
      ${local.tag_dimensions_sql}
      ${local.common_dimensions_global_sql}
    from
      gcp_dns_managed_zone;
  EOQ
}