CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CC-00509
- creditSnyk Research Team
Description
The secret value will be readable to anyone with access to the version control system, which can lead to unauthorized data disclosure or privilege escalation.
How to fix?
Set properties.osProfile.linuxConfiguration.ssh attribute instead of password authentication.
Set admin_ssh_key (azurerm_linux_virtual_machine) or os_profile_linux_config.ssh_keys (azurerm_virtual_machine) attribute instead of password authentication.
Example Configuration
# azurerm_linux_virtual_machine example
resource "azurerm_linux_virtual_machine" "allowed1" {
name = "examplevmv1"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
size = "Standard_F2"
network_interface_ids = [azurerm_network_interface.example.id]
admin_username = "adminuser"
admin_ssh_key {
username = "adminuser"
public_key = file("~/.ssh/id_rsa.pub")
}
os_disk {
caching = "ReadWrite"
storage_account_type = "Standard_LRS"
}
source_image_reference {
publisher = "Canonical"
offer = "UbuntuServer"
sku = "16.04-LTS"
version = "latest"
}
}
# azurerm_virtual_machine example
resource "azurerm_virtual_machine" "allowed2" {
name = "examplevm"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
network_interface_ids = [azurerm_network_interface.example.id]
vm_size = "Standard_DS1_v2"
storage_image_reference {
publisher = "Canonical"
offer = "UbuntuServer"
sku = "16.04-LTS"
version = "latest"
}
storage_os_disk {
name = "myosdisk1"
caching = "ReadWrite"
create_option = "FromImage"
managed_disk_type = "Standard_LRS"
}
os_profile {
computer_name = "hostname"
admin_username = "testadmin"
}
os_profile_linux_config {
disable_password_authentication = true
ssh_keys {
key_data = file("~/.ssh/id_rsa.pub")
path = "/home/testadmin/.ssh/authorized_keys"
}
}
tags = {
environment = "staging"
}
}