OTEL-033: Receiver on non-localhost endpoint without TLS

Severity: warn (advisory)

Rule Details

If a receiver is bound to a non-localhost endpoint (an interface other than 127.0.0.1/localhost), it is almost certainly reachable from another host on the network. Without a tls block, the receiver will happily accept cleartext OTLP/HTTP from any caller that can reach the port — so anyone between the client and the Collector can read the traffic or inject it.

This rule fires when a receiver protocol has an endpoint that does not contain localhost or 127.0.0.1 and no tls block is configured. Receivers using transport: "unix" are exempt, since Unix domain sockets are local IPC whose access is controlled by filesystem permissions.

Options

This rule has no options.

Examples

Avoid

receivers:
  otlp:
    protocols:
      grpc:
        endpoint: "0.0.0.0:4317"
        # no tls block

Prefer

receivers:
  otlp:
    protocols:
      grpc:
        endpoint: "10.0.0.5:4317"
        tls:
          min_version: "1.3"
          cert_file: /etc/certs/server.crt
          key_file: /etc/certs/server.key
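As an added example that is not part of augur or this page, the check below implements the rule as described above over Collector configs already parsed into dicts (for instance with PyYAML's safe_load). The sample configs are constructed from the Avoid and Prefer snippets plus two exempt cases; treating a receiver with a top-level endpoint as a single unnamed protocol is an assumption that extends the rule beyond the OTLP example shown here.

```python
# Constructed configs (already parsed from YAML into dicts, e.g. with PyYAML's
# safe_load) mirroring the Avoid and Prefer examples above plus two exempt cases.
AVOID_CONFIG = {"receivers": {"otlp": {"protocols": {
    "grpc": {"endpoint": "0.0.0.0:4317"}}}}}  # no tls block
PREFER_CONFIG = {"receivers": {"otlp": {"protocols": {
    "grpc": {"endpoint": "10.0.0.5:4317",
             "tls": {"min_version": "1.3",
                     "cert_file": "/etc/certs/server.crt",
                     "key_file": "/etc/certs/server.key"}}}}}}
UNIX_CONFIG = {"receivers": {"otlp": {"protocols": {
    "grpc": {"transport": "unix", "endpoint": "/var/run/otelcol.sock"}}}}}
LOCAL_CONFIG = {"receivers": {"otlp": {"protocols": {
    "http": {"endpoint": "localhost:4318"}}}}}

LOCAL_MARKERS = ("localhost", "127.0.0.1")


def is_local_endpoint(endpoint: str) -> bool:
    """Local per the rule text: the endpoint string contains localhost or 127.0.0.1."""
    return any(marker in endpoint for marker in LOCAL_MARKERS)


def check_otel_033(config: dict) -> list[str]:
    """One finding per receiver protocol bound to a non-local endpoint without
    a tls block; transport: unix is exempt."""
    findings: list[str] = []
    receivers = config.get("receivers") or {}
    for name, receiver in receivers.items():
        if not isinstance(receiver, dict):
            continue
        # OTLP nests settings under protocols; a receiver with a top-level
        # endpoint is treated as one unnamed protocol (an assumption that
        # extends the rule beyond the OTLP example on this page).
        protocols = receiver.get("protocols")
        targets = list(protocols.items()) if isinstance(protocols, dict) else [(None, receiver)]
        for proto, settings in targets:
            if not isinstance(settings, dict):
                continue
            endpoint = settings.get("endpoint")
            if not isinstance(endpoint, str):
                continue  # nothing bound, nothing to flag
            if settings.get("transport") == "unix":
                continue  # local IPC guarded by filesystem permissions
            if is_local_endpoint(endpoint):
                continue
            if isinstance(settings.get("tls"), dict):
                continue  # tls block present
            path = f"receivers.{name}" + (f".protocols.{proto}" if proto else "")
            findings.append(f"OTEL-033 {path}: endpoint {endpoint!r} is non-local and has no tls block")
    return findings
```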

When Not To Use It

The receiver sits behind a service mesh sidecar that terminates mTLS on its behalf. In that case the mesh provides the encryption, and you should still pin the receiver to a local interface (e.g. 127.0.0.1) so only the sidecar can talk to it.

Related Rules

  • OTEL-010 — receivers should not bind to 0.0.0.0
  • OTEL-018 — OTLP exporter without TLS on non-local endpoint
  • OTEL-031 — TLS min_version below 1.2

Version

Available since augur v0.1.0.