test

.github/workflows/sync-rule-templates.yml

@@ -22,7 +22,6 @@ jobs:
  token: ${{ secrets.CLOUDSEC_MACHINE_TOKEN }}
  repository: elastic/integrations
  path: integrations
- fetch-depth: 0
 
  - name: Checkout Cloudbeat repo
  uses: actions/checkout@v4

security-policies/bundle/compliance/cis_azure/rules/cis_1_3/data.yaml

@@ -0,0 +1,47 @@
+metadata:
+ id: 05dc7108-3ffb-5ae4-8db0-1aafb337a173
+ name: Ensure that 'Users can create Azure AD Tenants' is set to 'No'
+ profile_applicability: '* Level 1'
+ description: Require administrators or appropriately delegated users to create new
+ tenants.
+ rationale: |-
+ It is recommended to only allow an administrator to create new tenants.
+ This prevent users from creating new Azure AD or Azure AD B2C tenants and ensures that only authorized users are able to do so.
+ audit: |-
+ **From Azure Portal**
+
+ 1. From Azure Home select the Portal Menu
+ 2. Select `Azure Active Directory`
+ 3. Select `Users`
+ 4. Select `User settings`
+ 5. Ensure that `Users can create Azure AD Tenants` is set to `No`
+
+ _Please note that at this point of time, there is no Azure CLI or other API commands 
+ available to programmatically conduct security assessment for this recommendation._
+ remediation: |-
+ **From Azure Portal**
+
+ 1. From Azure Home select the Portal Menu
+ 2. Select `Azure Active Directory`
+ 3. Select `Users`
+ 4. Select `User settings`
+ 5. Set `Users can create Azure AD Tenants` to `No`
+ impact: Enforcing this setting will ensure that only authorized users are able to
+ create new tenants.
+ default_value: ''
+ references: |-
+ 1. https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions
+ 2. https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#tenant-creator
+ section: Identity and Access Management
+ version: '1.0'
+ tags:
+ - CIS
+ - AZURE
+ - CIS 1.3
+ - Identity and Access Management
+ benchmark:
+ name: CIS Microsoft Azure Foundations
+ version: v2.0.0
+ id: cis_azure
+ rule_number: '1.3'
+ posture_type: cspm

security-policies/bundle/compliance/cis_azure/rules/cis_1_3/rule.rego

@@ -0,0 +1,37 @@
+package compliance.cis_azure.rules.cis_1_23
+
+import data.compliance.lib.common
+import data.compliance.policy.azure.data_adapter
+import future.keywords.if
+import future.keywords.in
+
+finding = result if {
+ # filter
+ data_adapter.is_custom_role_definition
+
+ # set result
+ result := common.generate_result_without_expected(
+ common.calculate_result(evaluation_results),
+ {"Resource": data_adapter.resource},
+ )
+}
+
+has_administrator_action if {
+ some permission in data_adapter.properties.permissions
+ some action in permission.actions
+ action == "*"
+}
+
+has_subscription_scope if {
+ some scope in data_adapter.properties.assignableScopes
+ regex.match(`^/(?:subscriptions/[a-z\d]{8}-[a-z\d]{4}-[a-z\d]{4}-[a-z\d]{4}-[a-z\d]{12})?$`, scope)
+}
+
+has_administrator_subscription_scope if {
+ has_subscription_scope
+ has_administrator_action
+}
+
+evaluation_results if {
+ not has_administrator_subscription_scope
+} else = false

security-policies/bundle/compliance/cis_azure/rules/cis_1_3/test.rego

@@ -0,0 +1,84 @@
+package compliance.cis_azure.rules.cis_1_23
+
+import data.cis_azure.test_data
+import data.compliance.policy.azure.data_adapter
+import data.lib.test
+import future.keywords.if
+
+test_violation if {
+ eval_fail with input as test_data.generate_azure_asset("azure-role-definition", {
+ "assignableScopes": [
+ "/",
+ "/subscriptions/11111111-2f22-3333-44e4-555f555g5555",
+ ],
+ "permissions": [{"actions": ["*"]}],
+ "type": "CustomRole",
+ })
+ eval_fail with input as test_data.generate_azure_asset("azure-role-definition", {
+ "assignableScopes": ["/subscriptions/11111111-2f22-3333-44e4-555f555g5555"],
+ "permissions": [{"actions": ["*"]}],
+ "type": "CustomRole",
+ })
+ eval_fail with input as test_data.generate_azure_asset("azure-role-definition", {
+ "assignableScopes": ["/"],
+ "permissions": [{"actions": ["*"]}],
+ "type": "CustomRole",
+ })
+ eval_fail with input as test_data.generate_azure_asset("azure-role-definition", {
+ "assignableScopes": [
+ "RandomScope",
+ "/",
+ "/subscriptions/11111111-2f22-3333-44e4-555f555g5555",
+ ],
+ "permissions": [{"actions": ["RandomAction", "*"]}],
+ "type": "CustomRole",
+ })
+}
+
+test_pass if {
+ eval_pass with input as test_data.generate_azure_asset("azure-role-definition", {
+ "assignableScopes": [
+ "/",
+ "/subscriptions/11111111-2f22-3333-44e4-555f555g5555",
+ ],
+ "permissions": [{"actions": ["RandomAction"]}],
+ "type": "CustomRole",
+ })
+ eval_pass with input as test_data.generate_azure_asset("azure-role-definition", {
+ "assignableScopes": [
+ "/",
+ "/subscriptions/11111111-2f22-3333-44e4-555f555g5555/RandomScope",
+ ],
+ "permissions": [{"actions": ["RandomAction"]}],
+ "type": "CustomRole",
+ })
+ eval_pass with input as test_data.generate_azure_asset("azure-role-definition", {
+ "assignableScopes": ["RandomScope"],
+ "permissions": [{"actions": ["*"]}],
+ "type": "CustomRole",
+ })
+}
+
+test_not_evaluated if {
+ not_eval with input as test_data.generate_azure_asset("azure-role-definition", {
+ "assignableScopes": [
+ "/",
+ "/subscriptions/11111111-2f22-3333-44e4-555f555g5555",
+ ],
+ "permissions": [{"actions": ["*"]}],
+ "type": "BuiltInRole",
+ })
+ not_eval with input as test_data.not_eval_resource
+}
+
+eval_fail if {
+ test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
+}
+
+eval_pass if {
+ test.assert_pass(finding) with data.benchmark_data_adapter as data_adapter
+}
+
+not_eval if {
+ not finding with data.benchmark_data_adapter as data_adapter
+}

security-policies/bundle/compliance/cis_eks/rules/cis_4_6_3/data.yaml

@@ -0,0 +1,36 @@
+metadata:
+ id: 1b5aa7d2-4700-5393-9fb1-8021a440161d
+ name: The default namespace should not be used
+ profile_applicability: '* Level 2'
+ description: |-
+ Kubernetes provides a default namespace, where objects are placed if no namespace is specified for them.
+ Placing objects in this namespace makes application of RBAC and other controls more difficult.
+ rationale: |-
+ Resources in a Kubernetes cluster should be segregated by namespace, to allow for security controls to be applied at that level and to make it easier to manage resources.
+ audit: |-
+ Run this command to list objects in default namespace
+
+ ```
+ kubectl get all -n default
+ ```
+
+ The only entries there should be system managed resources such as the `kubernetes` service
+ remediation: |-
+ Ensure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace.
+ impact: None
+ default_value: |
+ By default, cluster control plane logs aren't sent to CloudWatch Logs. ... When you enable a log type, the logs are sent with a log verbosity level of 2 . To enable or disable control plane logs with the console. Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters . Amazon EKS Information in CloudTrail CloudTrail is enabled on your AWS account when you create the account. When activity occurs in Amazon EKS, that activity is recorded in a CloudTrail event along with other AWS service events in Event history.
+ references: ''
+ section: General Policies
+ version: '1.0'
+ tags:
+ - CIS
+ - EKS
+ - CIS 4.6.3
+ - General Policies
+ benchmark:
+ name: CIS Amazon Elastic Kubernetes Service (EKS)
+ version: v1.0.1
+ id: cis_eks
+ rule_number: 4.6.3
+ posture_type: kspm

security-policies/bundle/compliance/cis_eks/rules/cis_4_6_3/rule.rego

@@ -0,0 +1,5 @@
+package compliance.cis_eks.rules.cis_2_1_1
+
+import data.compliance.policy.aws_eks.ensure_logs_enabled as audit
+
+finding = audit.finding

security-policies/bundle/compliance/cis_eks/rules/cis_4_6_3/test.rego

@@ -0,0 +1,75 @@
+package compliance.cis_eks.rules.cis_2_1_1
+
+import data.cis_eks.test_data
+import data.lib.test
+import future.keywords.if
+
+test_violation if {
+ test.assert_fail(finding) with input as violating_input_all_logs_disabled
+ test.assert_fail(finding) with input as violating_input_some_disabled
+}
+
+test_pass if {
+ test.assert_pass(finding) with input as non_violating_input
+}
+
+test_not_evaluated if {
+ not finding with input as test_data.not_evaluated_input
+}
+
+violating_input_all_logs_disabled = result if {
+ logging = {"ClusterLogging": [{
+ "Enabled": false,
+ "Types": [
+ "api",
+ "audit",
+ "authenticator",
+ "controllerManager",
+ "scheduler",
+ ],
+ }]}
+
+ result = generate_eks_input_with_log(logging)
+}
+
+violating_input_some_disabled = result if {
+ logging = {"ClusterLogging": [
+ {
+ "Enabled": false,
+ "Types": [
+ "authenticator",
+ "controllerManager",
+ "scheduler",
+ ],
+ },
+ {
+ "Enabled": true,
+ "Types": [
+ "api",
+ "audit",
+ ],
+ },
+ ]}
+
+ result = generate_eks_input_with_log(logging)
+}
+
+non_violating_input = result if {
+ logging = {"ClusterLogging": [{
+ "Enabled": true,
+ "Types": [
+ "api",
+ "audit",
+ "authenticator",
+ "controllerManager",
+ "scheduler",
+ ],
+ }]}
+
+ result = generate_eks_input_with_log(logging)
+}
+
+generate_eks_input_with_log(logging) = result if {
+ encryption_config = {"EncryptionConfig : null"}
+ result = test_data.generate_eks_input(logging, encryption_config, true, true, [])
+}