Showing
3 changed files
with
125 additions
and
0 deletions.
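--- a/security-policies/bundle/compliance/cis_eks/rules/cis_4_3_2/data.yaml
+++ b/security-policies/bundle/compliance/cis_eks/rules/cis_4_3_2/data.yaml
@@ -0,0 +1,45 @@
+metadata:
+id: 47c89612-7013-5403-988c-161b182c7dad
+name: Ensure that all Namespaces have Network Policies defined
+profile_applicability: '* Level 2'
+description: Use network policies to isolate traffic in your cluster network.
+rationale: |-
+Running different applications on the same Kubernetes cluster creates a risk of one compromised application attacking a neighboring application.
+Network segmentation is important to ensure that containers can communicate only with those they are supposed to.
+A network policy is a specification of how selections of pods are allowed to communicate with each other and other network endpoints.
+Network Policies are namespace scoped.
+When a network policy is introduced to a given namespace, all traffic not allowed by the policy is denied.
+However, if there are no network policies in a namespace all traffic will be allowed into and out of the pods in that namespace.
+audit: |-
+Run the below command and review the `NetworkPolicy` objects created in the cluster.
+```
+kubectl get networkpolicy --all-namespaces
+```
+Ensure that each namespace defined in the cluster has at least one Network Policy.
+remediation: Follow the documentation and create `NetworkPolicy` objects as you
+need them.
+impact: |-
+Once network policies are in use within a given namespace, traffic not explicitly allowed by a network policy will be denied. As such it is important to ensure that, when introducing network policies, legitimate traffic is not blocked.
+default_value: |
+By default, cluster control plane logs aren't sent to CloudWatch Logs. ... When you enable a log type, the logs are sent with a log verbosity level of 2 . To enable or disable control plane logs with the console. Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters . Amazon EKS Information in CloudTrail CloudTrail is enabled on your AWS account when you create the account. When activity occurs in Amazon EKS, that activity is recorded in a CloudTrail event along with other AWS service events in Event history.
+references: |-
+1. https://kubernetes.io/docs/concepts/services-networking/networkpolicies/
+2. https://octetz.com/posts/k8s-network-policy-apis
+3. https://kubernetes.io/docs/tasks/configure-pod-container/declare-network-policy/
+section: CNI Plugin
+version: '1.0'
+tags:
+- CIS
+- EKS
+- CIS 4.3.2
+- CNI Plugin
+benchmark:
+name: CIS Amazon Elastic Kubernetes Service (EKS)
+version: v1.0.1
+id: cis_eks
+rule_number: 4.3.2
+posture_type: kspm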
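Review bot: The `default_value` block describes CloudWatch control plane logging and CloudTrail, which has nothing to do with the NetworkPolicy control this rule documents; it reads as carried over from a logging rule. The rationale already states the real default on the line beginning `However, if there are no network policies`, so the field could simply read `default_value: |` followed by `By default, no NetworkPolicy objects exist in a namespace, so all ingress and egress traffic to the pods in that namespace is allowed.` The nesting of keys under `metadata:` and `benchmark:` is not visible in the rendered view, so the indentation should be confirmed against the raw file.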
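--- a/security-policies/bundle/compliance/cis_eks/rules/cis_4_3_2/rule.rego
+++ b/security-policies/bundle/compliance/cis_eks/rules/cis_4_3_2/rule.rego
@@ -0,0 +1,5 @@
+package compliance.cis_eks.rules.cis_2_1_1
+
+import data.compliance.policy.aws_eks.ensure_logs_enabled as audit
+
+finding = audit.finding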
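Review bot: The package on the first line is `compliance.cis_eks.rules.cis_2_1_1` and the import pulls in `ensure_logs_enabled`, yet this file lives under `rules/cis_4_3_2`, whose data.yaml in this commit describes the namespace NetworkPolicy control; as written the rule evaluates control plane logging and never assesses network policies for 4.3.2. If a `cis_2_1_1` package already exists elsewhere (inferred from the name, not visible here), OPA will also merge this module into it rather than registering a separate rule. The first line should be `package compliance.cis_eks.rules.cis_4_3_2`, and the import should point at a policy that checks each namespace for at least one NetworkPolicy, e.g. `import data.compliance.policy.aws_eks.<network-policy check, placeholder> as audit`. The test.rego added in the same commit carries the same `cis_2_1_1` package and the same logging fixtures, so it needs the matching change.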
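--- a/security-policies/bundle/compliance/cis_eks/rules/cis_4_3_2/test.rego
+++ b/security-policies/bundle/compliance/cis_eks/rules/cis_4_3_2/test.rego
@@ -0,0 +1,75 @@
+package compliance.cis_eks.rules.cis_2_1_1
+
+import data.cis_eks.test_data
+import data.lib.test
+import future.keywords.if
+
+test_violation if {
+test.assert_fail(finding) with input as violating_input_all_logs_disabled
+test.assert_fail(finding) with input as violating_input_some_disabled
+}
+
+test_pass if {
+test.assert_pass(finding) with input as non_violating_input
+}
+
+test_not_evaluated if {
+not finding with input as test_data.not_evaluated_input
+}
+
+violating_input_all_logs_disabled = result if {
+logging = {"ClusterLogging": [{
+"Enabled": false,
+"Types": [
+"api",
+"audit",
+"authenticator",
+"controllerManager",
+"scheduler",
+],
+}]}
+
+result = generate_eks_input_with_log(logging)
+}
+
+violating_input_some_disabled = result if {
+logging = {"ClusterLogging": [
+{
+"Enabled": false,
+"Types": [
+"authenticator",
+"controllerManager",
+"scheduler",
+],
+},
+{
+"Enabled": true,
+"Types": [
+"api",
+"audit",
+],
+},
+]}
+
+result = generate_eks_input_with_log(logging)
+}
+
+non_violating_input = result if {
+logging = {"ClusterLogging": [{
+"Enabled": true,
+"Types": [
+"api",
+"audit",
+"authenticator",
+"controllerManager",
+"scheduler",
+],
+}]}
+
+result = generate_eks_input_with_log(logging)
+}
+
+generate_eks_input_with_log(logging) = result if {
+encryption_config = {"EncryptionConfig : null"}
+result = test_data.generate_eks_input(logging, encryption_config, true, true, [])
+}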
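Review bot: `encryption_config = {"EncryptionConfig : null"}` in `generate_eks_input_with_log` is a set literal holding the single string `"EncryptionConfig : null"`, not an object with an `EncryptionConfig` key, because the colon sits inside the quotes. If `test_data.generate_eks_input` expects an object for that argument (its definition is not on this page), the line should be `encryption_config = {"EncryptionConfig": null}`. Separately, the package is `cis_2_1_1` and every fixture exercises `ClusterLogging`, so none of these tests cover the namespace NetworkPolicy behaviour that the `cis_4_3_2` directory and its data.yaml describe; the fixtures should build inputs with and without NetworkPolicy objects per namespace once the rule itself is pointed at that check.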