-
Notifications
You must be signed in to change notification settings - Fork 29
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Modify rule S6437: add Ansible (APPSEC-2164) (#4373)
* Add ansible to rule S6437 * Copy over ARM text * Complete Ansible text * Fix typo --------- Co-authored-by: egon-okerman-sonarsource <[email protected]> Co-authored-by: Egon Okerman <[email protected]>
- Loading branch information
3 people
authored
Oct 8, 2024
1 parent
a724ef1
commit 19df85c
Showing
2 changed files
with
79 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| { | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,77 @@ | ||
| include::../../../shared_content/secrets/description.adoc[] | ||
|
|
||
| == Why is this an issue? | ||
|
|
||
| include::../../../shared_content/secrets/rationale.adoc[] | ||
|
|
||
| === What is the potential impact? | ||
|
|
||
| include::../common/impact/rationale.adoc[] | ||
|
|
||
| include::../../../shared_content/secrets/impact/financial_loss.adoc[] | ||
|
|
||
| include::../../../shared_content/secrets/impact/security_downgrade.adoc[] | ||
|
|
||
| == How to fix it | ||
|
|
||
| === Code examples | ||
|
|
||
| ==== Noncompliant code example | ||
|
|
||
| [source,yaml,diff-id=1,diff-type=noncompliant] | ||
| ---- | ||
| - name: Example playbook | ||
| hosts: server | ||
| tasks: | ||
| - name: Add a new user | ||
| ansible.builtin.user: | ||
| name: admin | ||
| uid: 1040 | ||
| group: admin | ||
| password: hunter2 # Noncompliant | ||
| ---- | ||
|
|
||
| ==== Compliant solution | ||
|
|
||
| [source,yaml,diff-id=1,diff-type=compliant] | ||
| ---- | ||
| - name: Example playbook | ||
| hosts: server | ||
| tasks: | ||
| - name: Add a new user | ||
| ansible.builtin.user: | ||
| name: admin | ||
| uid: 1040 | ||
| group: admin | ||
| password: "{{ admin_password }}" | ||
| ---- | ||
|
|
||
| === How does this work? | ||
|
|
||
| While the noncompliant code example contains a hard-coded password, the compliant solution retrieves the secret's value externally. This avoids storing the password in the source code and allows the password to be different depending on the environment the code runs in. | ||
|
|
||
| Several methods can be used to retrieve the secret value externally. Ansible offers a built-in solution called Ansible Vault. Ansible Vault allows you to encrypt sensitive data and store it in a file. This encrypted file can then be used in your playbooks. | ||
|
|
||
| == Resources | ||
|
|
||
| === Documentation | ||
|
|
||
| * Ansible - https://docs.ansible.com/ansible/latest/vault_guide/index.html[Protecting sensitive data with Ansible Vault] | ||
| * Red Hat - https://www.redhat.com/sysadmin/ansible-playbooks-secrets[Handling secrets in your Ansible playbooks] | ||
|
|
||
| include::../common/resources/standards.adoc[] | ||
|
|
||
| ifdef::env-github,rspecator-view[] | ||
| ''' | ||
| == Implementation Specification | ||
| (visible only on this page) | ||
|
|
||
| === Message | ||
| Revoke and change this secret, as it might be compromised. | ||
|
|
||
| === Highlighting | ||
|
|
||
| Highlight property name and value | ||
|
|
||
| ''' | ||
| endif::env-github,rspecator-view[] |