hetzner-security.yml (294 lines, 11.2 KB)
```yaml
apiVersion: kopexa.io/v1alpha1
kind: Policy
metadata:
  name: kopexa-hetzner-security
  title: Kopexa Hetzner Cloud Security
  version: 1.0.0
  tags:
    kopexa.com/category: security
    kopexa.com/platform: hetzner,cloud
  require:
    - provider: hetzner
  authors:
    - name: Kopexa GmbH
      email: security@kopexa.com
groups:
  - title: Hetzner Server Security
    checks:
      - uid: kopexa-hetzner-security-servers-have-delete-protection
      - uid: kopexa-hetzner-security-servers-have-rebuild-protection
      - uid: kopexa-hetzner-security-servers-use-private-networks
      - uid: kopexa-hetzner-security-servers-have-backups
  - title: Hetzner Firewall Security
    checks:
      - uid: kopexa-hetzner-security-firewalls-have-rules
      - uid: kopexa-hetzner-security-no-overly-permissive-inbound
      - uid: kopexa-hetzner-security-firewalls-are-applied
  - title: Hetzner Volume Security
    checks:
      - uid: kopexa-hetzner-security-volumes-have-delete-protection
      - uid: kopexa-hetzner-security-unattached-volumes
  - title: Hetzner Network Security
    checks:
      - uid: kopexa-hetzner-security-networks-have-subnets
      - uid: kopexa-hetzner-security-networks-have-delete-protection
  - title: Hetzner SSH Key Security
    checks:
      - uid: kopexa-hetzner-security-use-modern-ssh-keys
      - uid: kopexa-hetzner-security-ssh-keys-have-labels
      - uid: kopexa-hetzner-security-ssh-keys-rotation
      - uid: kopexa-hetzner-security-ssh-keys-not-ancient
  - title: Hetzner IP Security
    checks:
      - uid: kopexa-hetzner-security-floating-ips-not-blocked
      - uid: kopexa-hetzner-security-floating-ips-have-dns-ptr
scoring_system: highest_impact
queries:
  # Server Security Checks
  - uid: kopexa-hetzner-security-servers-have-delete-protection
    title: Ensure production servers have delete protection enabled
    resource: hcloud_server
    severity: medium
    query: |
      resource.has_delete_protection == true
    docs: |
      Delete protection prevents accidental deletion of critical server instances.
      Production servers should have this enabled to prevent service disruption.
    remediation: |
      Enable delete protection in Hetzner Cloud Console or via API:
      hcloud server enable-protection <server-id> delete
  - uid: kopexa-hetzner-security-servers-have-rebuild-protection
    title: Ensure production servers have rebuild protection enabled
    resource: hcloud_server
    severity: medium
    query: |
      resource.has_rebuild_protection == true
    docs: |
      Rebuild protection prevents accidental rebuilding of server instances which
      would result in data loss and service disruption.
    remediation: |
      Enable rebuild protection in Hetzner Cloud Console or via API:
      hcloud server enable-protection <server-id> rebuild
  - uid: kopexa-hetzner-security-servers-use-private-networks
    title: Ensure servers are connected to private networks for internal communication
    resource: hcloud_server
    severity: low
    query: |
      resource.has_private_network == true
    docs: |
      Private networks provide isolated communication between servers without
      exposing traffic to the public internet. This check is most relevant for
      multi-server environments where internal services need to communicate.
      For single-server deployments, this check may not be applicable.
    remediation: |
      For multi-server environments:
      1. Create a private network in Hetzner Cloud Console
      2. Attach all servers to the private network
      3. Configure internal services to use private network IPs
  - uid: kopexa-hetzner-security-servers-have-backups
    title: Ensure servers have automated backups enabled
    resource: hcloud_server
    severity: high
    query: |
      resource.has_backup_window == true
    docs: |
      Automated backups provide disaster recovery capability and protect against
      data loss from hardware failures or accidental deletion.
    remediation: |
      Enable automated backups for the server in Hetzner Cloud Console:
      Server > Backups > Enable Backups
  # Firewall Security Checks
  - uid: kopexa-hetzner-security-firewalls-have-rules
    title: Ensure firewalls have at least one rule defined
    resource: hcloud_firewall
    severity: high
    query: |
      resource.has_rules == true
    docs: |
      Firewalls without rules provide no protection. Each firewall should have
      explicit rules to control traffic flow.
    remediation: |
      Add firewall rules to control inbound and outbound traffic:
      hcloud firewall add-rule <firewall-id> --direction in --protocol tcp --port 22 --source-ips 0.0.0.0/0
  - uid: kopexa-hetzner-security-no-overly-permissive-inbound
    title: Ensure firewalls do not allow all inbound traffic from any IP
    resource: hcloud_firewall
    severity: critical
    query: |
      resource.allows_all_inbound == false
    docs: |
      Allowing all inbound traffic from any IP (0.0.0.0/0 or ::/0) exposes servers
      to attacks from the entire internet. Firewall rules should be restricted to
      specific IP ranges or ports.
    remediation: |
      1. Review firewall rules in Hetzner Cloud Console
      2. Remove or restrict rules that allow 0.0.0.0/0 source
      3. Limit access to specific IP ranges or implement VPN access
  - uid: kopexa-hetzner-security-firewalls-are-applied
    title: Ensure firewalls are applied to at least one resource
    resource: hcloud_firewall
    severity: medium
    query: |
      resource.is_applied == true
    docs: |
      Firewalls that are not applied to any resources provide no protection.
      Ensure firewalls are attached to servers or use label selectors.
    remediation: |
      Apply the firewall to servers or use label selectors:
      hcloud firewall apply-to-resource <firewall-id> --type server --server <server-id>
  # Volume Security Checks
  - uid: kopexa-hetzner-security-volumes-have-delete-protection
    title: Ensure volumes have delete protection enabled
    resource: hcloud_volume
    severity: medium
    query: |
      resource.has_delete_protection == true
    docs: |
      Delete protection prevents accidental deletion of storage volumes which
      could result in permanent data loss.
    remediation: |
      Enable delete protection for the volume:
      hcloud volume enable-protection <volume-id> delete
  - uid: kopexa-hetzner-security-unattached-volumes
    title: Identify unattached volumes (informational)
    resource: hcloud_volume
    severity: low
    query: |
      resource.is_attached == true
    docs: |
      Unattached volumes may indicate orphaned resources that incur costs
      without providing value. Review and remove unused volumes.
    remediation: |
      Attach or remove unused volumes to reduce costs:
      hcloud volume attach <volume-id> --server <server-id>
  # Network Security Checks
  - uid: kopexa-hetzner-security-networks-have-subnets
    title: Ensure private networks have at least one subnet
    resource: hcloud_network
    severity: high
    query: |
      resource.has_subnets == true
    docs: |
      Private networks require at least one subnet to be functional.
      Subnets define the IP ranges available for attached resources.
    remediation: |
      Add at least one subnet to the network:
      hcloud network add-subnet <network-id> --type server --network-zone eu-central --ip-range 10.0.0.0/24
  - uid: kopexa-hetzner-security-networks-have-delete-protection
    title: Ensure networks have delete protection enabled
    resource: hcloud_network
    severity: medium
    query: |
      resource.has_delete_protection == true
    docs: |
      Delete protection prevents accidental deletion of private networks which
      would disrupt internal communication between servers.
    remediation: |
      Enable delete protection for the network:
      hcloud network enable-protection <network-id> delete
  # SSH Key Security Checks
  - uid: kopexa-hetzner-security-use-modern-ssh-keys
    title: Ensure SSH keys use modern algorithms (Ed25519 preferred over RSA/DSA)
    resource: hcloud_ssh_key
    severity: low
    query: |
      resource.is_weak_key_type == false
    docs: |
      Ed25519 SSH keys are more secure and efficient than older RSA or DSA keys.
      DSA keys are considered weak and should be replaced immediately.
    remediation: |
      Generate new SSH keys using Ed25519 algorithm:
      ssh-keygen -t ed25519 -C "your_email@example.com"
  - uid: kopexa-hetzner-security-ssh-keys-have-labels
    title: Ensure SSH keys have labels for organization
    resource: hcloud_ssh_key
    severity: low
    query: |
      resource.has_labels == true
    docs: |
      Labels help organize and manage SSH keys, making it easier to identify
      key ownership and purpose.
    remediation: |
      Add labels to SSH keys for better organization:
      hcloud ssh-key add-label <key-id> owner=team-name
  - uid: kopexa-hetzner-security-ssh-keys-rotation
    title: Ensure SSH keys are rotated annually
    resource: hcloud_ssh_key
    severity: medium
    query: |
      resource.needs_rotation == false
    docs: |
      SSH keys should be rotated at least annually as a security best practice.
      Keys older than 365 days may have been compromised or shared inappropriately
      over time. Regular rotation limits the exposure window of any single key.
    remediation: |
      1. Generate a new SSH key: ssh-keygen -t ed25519 -C "your_email@example.com"
      2. Add the new key to Hetzner Cloud Console
      3. Update servers to use the new key
      4. Remove the old key from Hetzner Cloud Console
  - uid: kopexa-hetzner-security-ssh-keys-not-ancient
    title: Ensure SSH keys are not older than 2 years
    resource: hcloud_ssh_key
    severity: high
    query: |
      resource.is_old == false
    docs: |
      SSH keys older than 2 years pose a significant security risk. Extended key
      lifespans increase the likelihood of key compromise, unauthorized sharing,
      or use by former team members.
    remediation: |
      Immediately rotate any SSH keys older than 2 years:
      1. Generate a new SSH key with Ed25519 algorithm
      2. Replace the old key on all systems
      3. Delete the old key from Hetzner Cloud Console
      4. Document the rotation in your security log
  # Floating IP Security Checks
  - uid: kopexa-hetzner-security-floating-ips-not-blocked
    title: Ensure floating IPs are not blocked
    resource: hcloud_floating_ip
    severity: high
    query: |
      resource.is_blocked == false
    docs: |
      Blocked floating IPs indicate potential abuse or policy violations.
      Contact Hetzner support to resolve blocked IPs.
    remediation: |
      Contact Hetzner support if your IP is blocked to resolve the issue.
  - uid: kopexa-hetzner-security-floating-ips-have-dns-ptr
    title: Ensure floating IPs have PTR records configured
    resource: hcloud_floating_ip
    severity: low
    query: |
      resource.has_dns_ptr == true
    docs: |
      PTR records (reverse DNS) are important for email deliverability and
      proper hostname resolution. Many services check PTR records for spam filtering.
    remediation: |
      Configure reverse DNS PTR records for your floating IPs:
      hcloud floating-ip set-rdns <ip-id> --ip <ip-address> --hostname <hostname>
```
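The policy above only names the attributes its queries test (`allows_all_inbound`, `is_weak_key_type`, `needs_rotation`, `is_old`); it does not show how they are derived from Hetzner API data. The following script is an added example, not part of the policy file and not Kopexa's evaluation engine: it computes those four attributes over constructed hcloud-style records for the no-overly-permissive-inbound, use-modern-ssh-keys, ssh-keys-rotation and ssh-keys-not-ancient checks. The record shapes (firewall rules with `direction`, `protocol`, `port`, `source_ips`; SSH keys with `public_key`, `created`) follow Hetzner's Cloud API; the thresholds (365 and 730 days, DSA as weak) come from the policy's docs text, and the exact semantics of each attribute are this example's interpretation, not Kopexa's. Note that the sample firewall `web` contains exactly the rule the firewalls-have-rules remediation command creates (TCP/22 from 0.0.0.0/0); the evaluator reports it as a warning, since the next check's docs say any-source rules should be restricted to specific IP ranges.

```python
"""Added example, not part of the Kopexa policy file above or of Kopexa's engine.

Evaluates four of the policy's checks against constructed hcloud-style records:
no-overly-permissive-inbound, use-modern-ssh-keys, ssh-keys-rotation and
ssh-keys-not-ancient. Record shapes follow Hetzner's Cloud API; the meaning of
allows_all_inbound, is_weak_key_type, needs_rotation and is_old is interpreted
from the policy's docs text and is an assumption of this example.
"""
from datetime import datetime, timezone
import ipaddress

ROTATION_DAYS = 365              # "rotated annually"
ANCIENT_DAYS = 2 * 365           # "not older than 2 years"
WEAK_KEY_TYPES = {"ssh-dss"}     # DSA: "considered weak" per the policy docs
LEGACY_KEY_TYPES = {"ssh-rsa"}   # RSA: accepted, but Ed25519 is preferred


def _is_catch_all(cidr: str) -> bool:
    """A /0 prefix matches every address of its family (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _covers_all_ports(rule: dict) -> bool:
    """hcloud spells "any port" as "1-65535"; ICMP/ESP/GRE rules carry no port field."""
    port = rule.get("port")
    return port is None or port.replace(" ", "") == "1-65535"


def inbound_findings(firewall: dict) -> list:
    """One finding per inbound rule whose source list contains the whole internet.

    'critical' reproduces the policy's allows_all_inbound condition (catch-all
    source on every TCP/UDP port); 'warning' marks a single port or a portless
    protocol opened to any source, which the docs also say should be restricted.
    """
    findings = []
    for rule in firewall.get("rules", []):
        if rule.get("direction") != "in":
            continue
        open_sources = [s for s in rule.get("source_ips", []) if _is_catch_all(s)]
        if not open_sources:
            continue
        wide_open = rule.get("protocol") in ("tcp", "udp") and _covers_all_ports(rule)
        findings.append({
            "firewall": firewall.get("name"),
            "severity": "critical" if wide_open else "warning",
            "protocol": rule.get("protocol"),
            "port": rule.get("port", "all"),
            "sources": open_sources,
        })
    return findings


def allows_all_inbound(firewall: dict) -> bool:
    """Value of resource.allows_all_inbound for the policy's critical check."""
    return any(f["severity"] == "critical" for f in inbound_findings(firewall))


def ssh_key_findings(key: dict, now: datetime) -> dict:
    """Values behind resource.is_weak_key_type / needs_rotation / is_old for one key."""
    key_type = key["public_key"].split()[0]   # first field of an OpenSSH public key line
    age_days = (now - datetime.fromisoformat(key["created"])).days
    return {
        "name": key["name"],
        "key_type": key_type,
        "is_weak_key_type": key_type in WEAK_KEY_TYPES,
        "prefer_ed25519": key_type in LEGACY_KEY_TYPES,
        "age_days": age_days,
        "needs_rotation": age_days > ROTATION_DAYS,
        "is_old": age_days > ANCIENT_DAYS,
    }


# Constructed sample records (not real Hetzner resources).
SAMPLE_FIREWALLS = [
    {"name": "web", "rules": [
        # the rule the firewalls-have-rules remediation command creates: SSH from anywhere
        {"direction": "in", "protocol": "tcp", "port": "22", "source_ips": ["0.0.0.0/0"]},
        {"direction": "in", "protocol": "tcp", "port": "443", "source_ips": ["203.0.113.0/24"]},
    ]},
    {"name": "wide-open", "rules": [
        {"direction": "in", "protocol": "tcp", "port": "1-65535", "source_ips": ["0.0.0.0/0", "::/0"]},
    ]},
    {"name": "icmp-any", "rules": [
        {"direction": "in", "protocol": "icmp", "source_ips": ["::/0"]},
    ]},
]
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock so key ages are reproducible
SAMPLE_SSH_KEYS = [
    {"name": "ci-deploy", "public_key": "ssh-ed25519 AAAA... ci@example", "created": "2025-01-15T00:00:00+00:00"},
    {"name": "legacy-rsa", "public_key": "ssh-rsa AAAA... ops@example", "created": "2024-03-01T00:00:00+00:00"},
    {"name": "old-dsa", "public_key": "ssh-dss AAAA... old@example", "created": "2022-02-01T00:00:00+00:00"},
]


if __name__ == "__main__":
    for fw in SAMPLE_FIREWALLS:
        for f in inbound_findings(fw):
            print(f"[{f['severity']}] firewall {f['firewall']}: {f['protocol']}/{f['port']} open to {f['sources']}")
    for key in SAMPLE_SSH_KEYS:
        print(ssh_key_findings(key, NOW))
```

Run against live data, the firewall and SSH key records would come from `hcloud firewall list -o json` and `hcloud ssh-key list -o json` (or the REST API) instead of the constructed samples; the `created` timestamps Hetzner returns carry a UTC offset, which is why `NOW` is timezone-aware.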