more dummy rule

elastic · Mar 12, 2024 · 80a8a75 · 80a8a75
1 parent 76041d2
commit 80a8a75
Show file tree

Hide file tree

Showing 3 changed files with 125 additions and 0 deletions.
diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_4_3_2/data.yaml b/security-policies/bundle/compliance/cis_eks/rules/cis_4_3_2/data.yaml
@@ -0,0 +1,45 @@
+metadata:
+ id: 47c89612-7013-5403-988c-161b182c7dad
+ name: Ensure that all Namespaces have Network Policies defined
+ profile_applicability: '* Level 2'
+ description: Use network policies to isolate traffic in your cluster network.
+ rationale: |-
+ Running different applications on the same Kubernetes cluster creates a risk of one compromised application attacking a neighboring application.
+ Network segmentation is important to ensure that containers can communicate only with those they are supposed to.
+ A network policy is a specification of how selections of pods are allowed to communicate with each other and other network endpoints.
+
+
+ Network Policies are namespace scoped.
+ When a network policy is introduced to a given namespace, all traffic not allowed by the policy is denied.
+ However, if there are no network policies in a namespace all traffic will be allowed into and out of the pods in that namespace.
+ audit: |-
+ Run the below command and review the `NetworkPolicy` objects created in the cluster.
+
+ ```
+ kubectl get networkpolicy --all-namespaces
+ ```
+
+ Ensure that each namespace defined in the cluster has at least one Network Policy.
+ remediation: Follow the documentation and create `NetworkPolicy` objects as you
+ need them.
+ impact: |-
+ Once network policies are in use within a given namespace, traffic not explicitly allowed by a network policy will be denied. As such it is important to ensure that, when introducing network policies, legitimate traffic is not blocked.
+ default_value: |
+ By default, cluster control plane logs aren't sent to CloudWatch Logs. ... When you enable a log type, the logs are sent with a log verbosity level of 2 . To enable or disable control plane logs with the console. Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters . Amazon EKS Information in CloudTrail CloudTrail is enabled on your AWS account when you create the account. When activity occurs in Amazon EKS, that activity is recorded in a CloudTrail event along with other AWS service events in Event history.
+ references: |-
+ 1. https://kubernetes.io/docs/concepts/services-networking/networkpolicies/
+ 2. https://octetz.com/posts/k8s-network-policy-apis
+ 3. https://kubernetes.io/docs/tasks/configure-pod-container/declare-network-policy/
+ section: CNI Plugin
+ version: '1.0'
+ tags:
+ - CIS
+ - EKS
+ - CIS 4.3.2
+ - CNI Plugin
+ benchmark:
+ name: CIS Amazon Elastic Kubernetes Service (EKS)
+ version: v1.0.1
+ id: cis_eks
+ rule_number: 4.3.2
+ posture_type: kspm
diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_4_3_2/rule.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_4_3_2/rule.rego
@@ -0,0 +1,5 @@
+package compliance.cis_eks.rules.cis_2_1_1
+
+import data.compliance.policy.aws_eks.ensure_logs_enabled as audit
+
+finding = audit.finding
diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_4_3_2/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_4_3_2/test.rego
@@ -0,0 +1,75 @@
+package compliance.cis_eks.rules.cis_2_1_1
+
+import data.cis_eks.test_data
+import data.lib.test
+import future.keywords.if
+
+test_violation if {
+ test.assert_fail(finding) with input as violating_input_all_logs_disabled
+ test.assert_fail(finding) with input as violating_input_some_disabled
+}
+
+test_pass if {
+ test.assert_pass(finding) with input as non_violating_input
+}
+
+test_not_evaluated if {
+ not finding with input as test_data.not_evaluated_input
+}
+
+violating_input_all_logs_disabled = result if {
+ logging = {"ClusterLogging": [{
+ "Enabled": false,
+ "Types": [
+ "api",
+ "audit",
+ "authenticator",
+ "controllerManager",
+ "scheduler",
+ ],
+ }]}
+
+ result = generate_eks_input_with_log(logging)
+}
+
+violating_input_some_disabled = result if {
+ logging = {"ClusterLogging": [
+ {
+ "Enabled": false,
+ "Types": [
+ "authenticator",
+ "controllerManager",
+ "scheduler",
+ ],
+ },
+ {
+ "Enabled": true,
+ "Types": [
+ "api",
+ "audit",
+ ],
+ },
+ ]}
+
+ result = generate_eks_input_with_log(logging)
+}
+
+non_violating_input = result if {
+ logging = {"ClusterLogging": [{
+ "Enabled": true,
+ "Types": [
+ "api",
+ "audit",
+ "authenticator",
+ "controllerManager",
+ "scheduler",
+ ],
+ }]}
+
+ result = generate_eks_input_with_log(logging)
+}
+
+generate_eks_input_with_log(logging) = result if {
+ encryption_config = {"EncryptionConfig : null"}
+ result = test_data.generate_eks_input(logging, encryption_config, true, true, [])
+}