diff --git a/rules/S7176/metadata.json b/rules/S7176/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S7176/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S7176/secrets/metadata.json b/rules/S7176/secrets/metadata.json new file mode 100644 index 00000000000..4e20e1ed469 --- /dev/null +++ b/rules/S7176/secrets/metadata.json @@ -0,0 +1,56 @@ +{ + "title": "Kafka SASL passwords should not be disclosed", + "type": "VULNERABILITY", + "code": { + "impacts": { + "SECURITY": "HIGH" + }, + "attribute": "TRUSTWORTHY" + }, + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "30min" + }, + "tags": [ + "cwe", + "cert" + ], + "defaultSeverity": "Blocker", + "ruleSpecification": "RSPEC-7176", + "sqKey": "S7176", + "scope": "All", + "securityStandards": { + "CWE": [ + 798, + 259 + ], + "OWASP": [ + "A3" + ], + "CERT": [ + "MSC03-J." + ], + "OWASP Top 10 2021": [ + "A7" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "2.10.4", + "3.5.2", + "6.4.1" + ], + "STIG ASD_V5R3": [ + "V-222642" + ] + }, + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "unknown" +} diff --git a/rules/S7176/secrets/rule.adoc b/rules/S7176/secrets/rule.adoc new file mode 100644 index 00000000000..c4d55db51ab --- /dev/null +++ b/rules/S7176/secrets/rule.adoc @@ -0,0 +1,68 @@ + +include::../../../shared_content/secrets/description.adoc[] + +== Why is this an issue? + +include::../../../shared_content/secrets/rationale.adoc[] + +=== What is the potential impact? + +Below are some real-world scenarios that illustrate some impacts of an attacker +exploiting the secret. + +:secret_type: secret + +include::../../../shared_content/secrets/impact/non_repudiation.adoc[] + +include::../../../shared_content/secrets/impact/data_modification.adoc[] + +include::../../../shared_content/secrets/impact/exceed_rate_limits.adoc[] + +== How to fix it + +include::../../../shared_content/secrets/fix/revoke.adoc[] + +include::../../../shared_content/secrets/fix/vault.adoc[] + +**Use templating to insert values during deployment** + +Some deployment scenarios may require secrets to be stored in files on disk. In +these cases, the configuration file should be modified during deployment so that +it contains secrets appropriate for the environment. + +The safest way to create configuration files is to use a templating engine +during the deployment process. These engines provide a reliable method for +replacing placeholders inside the template, ensuring that no placeholder is +missed. They also typically raise warnings a configuration value is missing, +helping to identify and diagnose bad deployments. + +=== Code examples + +==== Noncompliant code example + +In `kafka-sasl.conf`: +[source,diff-id=1,diff-type=noncompliant,subs="attributes"] +---- +spring.kafka.properties.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username='admin' password='P@ssw0rd!'; // Noncompliant +---- + +==== Compliant solution + +In `kafka-sasl.conf.template`: +[source,diff-id=1,diff-type=compliant,subs="attributes"] +---- +spring.kafka.properties.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username='{{KAFKA_USER}}' password='{{KAFKA_PASSWORD}}'; +---- + + +//=== How does this work? + +//=== Pitfalls + +//=== Going the extra mile + +== Resources + +include::../../../shared_content/secrets/resources/standards.adoc[] + +//=== Benchmarks