Showing
7 changed files
with
284 additions
and
1 deletion.
47 changes: 47 additions & 0 deletions
security-policies/bundle/compliance/cis_azure/rules/cis_1_3/data.yaml
@@ -0,0 +1,47 @@ | ||
metadata: | ||
id: 05dc7108-3ffb-5ae4-8db0-1aafb337a173 | ||
name: Ensure that 'Users can create Azure AD Tenants' is set to 'No' | ||
profile_applicability: '* Level 1' | ||
description: Require administrators or appropriately delegated users to create new | ||
tenants. | ||
rationale: |- | ||
It is recommended to only allow an administrator to create new tenants. | ||
This prevent users from creating new Azure AD or Azure AD B2C tenants and ensures that only authorized users are able to do so. | ||
audit: |- | ||
**From Azure Portal** | ||
1. From Azure Home select the Portal Menu | ||
2. Select `Azure Active Directory` | ||
3. Select `Users` | ||
4. Select `User settings` | ||
5. Ensure that `Users can create Azure AD Tenants` is set to `No` | ||
_Please note that at this point of time, there is no Azure CLI or other API commands | ||
available to programmatically conduct security assessment for this recommendation._ | ||
remediation: |- | ||
**From Azure Portal** | ||
1. From Azure Home select the Portal Menu | ||
2. Select `Azure Active Directory` | ||
3. Select `Users` | ||
4. Select `User settings` | ||
5. Set `Users can create Azure AD Tenants` to `No` | ||
impact: Enforcing this setting will ensure that only authorized users are able to | ||
create new tenants. | ||
default_value: '' | ||
references: |- | ||
1. https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions | ||
2. https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#tenant-creator | ||
section: Identity and Access Management | ||
version: '1.0' | ||
tags: | ||
- CIS | ||
- AZURE | ||
- CIS 1.3 | ||
- Identity and Access Management | ||
benchmark: | ||
name: CIS Microsoft Azure Foundations | ||
version: v2.0.0 | ||
id: cis_azure | ||
rule_number: '1.3' | ||
posture_type: cspm |
37 changes: 37 additions & 0 deletions
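--- a/security-policies/bundle/compliance/cis_azure/rules/cis_1_3/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_1_3/rule.rego
@@ -0,0 +1,37 @@
+package compliance.cis_azure.rules.cis_1_23
+
+import data.compliance.lib.common
+import data.compliance.policy.azure.data_adapter
+import future.keywords.if
+import future.keywords.in
+
+finding = result if {
+# filter
+data_adapter.is_custom_role_definition
+
+# set result
+result := common.generate_result_without_expected(
+common.calculate_result(evaluation_results),
+{"Resource": data_adapter.resource},
+)
+}
+
+has_administrator_action if {
+some permission in data_adapter.properties.permissions
+some action in permission.actions
+action == "*"
+}
+
+has_subscription_scope if {
+some scope in data_adapter.properties.assignableScopes
+regex.match(`^/(?:subscriptions/[a-z\d]{8}-[a-z\d]{4}-[a-z\d]{4}-[a-z\d]{4}-[a-z\d]{12})?$`, scope)
+}
+
+has_administrator_subscription_scope if {
+has_subscription_scope
+has_administrator_action
+}
+
+evaluation_results if {
+not has_administrator_subscription_scope
+} else = false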
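Review bot: The package declared on the first line is `compliance.cis_azure.rules.cis_1_23` while the file lives under `rules/cis_1_3`, and the body evaluates custom role definitions for a `*` action at `/` or subscription scope, which does not correspond to the 1.3 control described in the sibling data.yaml (the "Users can create Azure AD Tenants" setting, whose own audit text says no CLI or API is available to assess it). If the bundle already ships a `cis_1_23` package, a second file contributing a `finding` rule to it would conflict at evaluation time; at minimum the package line here, and the same line in the new test.rego, should read `package compliance.cis_azure.rules.cis_1_3`. The evaluation logic appears to have been copied from the 1.23 rule; unless 1.3 is meant to ship as a manual control with no rego, it needs logic written for the 1.3 control, or the rule files should be dropped and only the metadata kept.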
84 changes: 84 additions & 0 deletions
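--- a/security-policies/bundle/compliance/cis_azure/rules/cis_1_3/test.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_1_3/test.rego
@@ -0,0 +1,84 @@
+package compliance.cis_azure.rules.cis_1_23
+
+import data.cis_azure.test_data
+import data.compliance.policy.azure.data_adapter
+import data.lib.test
+import future.keywords.if
+
+test_violation if {
+eval_fail with input as test_data.generate_azure_asset("azure-role-definition", {
+"assignableScopes": [
+"/",
+"/subscriptions/11111111-2f22-3333-44e4-555f555g5555",
+],
+"permissions": [{"actions": ["*"]}],
+"type": "CustomRole",
+})
+eval_fail with input as test_data.generate_azure_asset("azure-role-definition", {
+"assignableScopes": ["/subscriptions/11111111-2f22-3333-44e4-555f555g5555"],
+"permissions": [{"actions": ["*"]}],
+"type": "CustomRole",
+})
+eval_fail with input as test_data.generate_azure_asset("azure-role-definition", {
+"assignableScopes": ["/"],
+"permissions": [{"actions": ["*"]}],
+"type": "CustomRole",
+})
+eval_fail with input as test_data.generate_azure_asset("azure-role-definition", {
+"assignableScopes": [
+"RandomScope",
+"/",
+"/subscriptions/11111111-2f22-3333-44e4-555f555g5555",
+],
+"permissions": [{"actions": ["RandomAction", "*"]}],
+"type": "CustomRole",
+})
+}
+
+test_pass if {
+eval_pass with input as test_data.generate_azure_asset("azure-role-definition", {
+"assignableScopes": [
+"/",
+"/subscriptions/11111111-2f22-3333-44e4-555f555g5555",
+],
+"permissions": [{"actions": ["RandomAction"]}],
+"type": "CustomRole",
+})
+eval_pass with input as test_data.generate_azure_asset("azure-role-definition", {
+"assignableScopes": [
+"/",
+"/subscriptions/11111111-2f22-3333-44e4-555f555g5555/RandomScope",
+],
+"permissions": [{"actions": ["RandomAction"]}],
+"type": "CustomRole",
+})
+eval_pass with input as test_data.generate_azure_asset("azure-role-definition", {
+"assignableScopes": ["RandomScope"],
+"permissions": [{"actions": ["*"]}],
+"type": "CustomRole",
+})
+}
+
+test_not_evaluated if {
+not_eval with input as test_data.generate_azure_asset("azure-role-definition", {
+"assignableScopes": [
+"/",
+"/subscriptions/11111111-2f22-3333-44e4-555f555g5555",
+],
+"permissions": [{"actions": ["*"]}],
+"type": "BuiltInRole",
+})
+not_eval with input as test_data.not_eval_resource
+}
+
+eval_fail if {
+test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
+}
+
+eval_pass if {
+test.assert_pass(finding) with data.benchmark_data_adapter as data_adapter
+}
+
+not_eval if {
+not finding with data.benchmark_data_adapter as data_adapter
+}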
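Review bot: The subscription fixture `11111111-2f22-3333-44e4-555f555g5555` used throughout test_violation and test_pass contains a `g`, so it is not a valid hexadecimal GUID; it only matches because the pattern in rule.rego (`has_subscription_scope`) uses the class `[a-z\d]` rather than hex digits. The tests therefore pass against a looser pattern than the one a real subscription ID would exercise, and a stricter rule would break them for the wrong reason. I would tighten the pattern in rule.rego to `[0-9a-f]` and use a hex-only fixture here, for example the constructed value `11111111-2222-3333-4444-555555555555`.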
36 changes: 36 additions & 0 deletions
security-policies/bundle/compliance/cis_eks/rules/cis_4_6_3/data.yaml
@@ -0,0 +1,36 @@ | ||
metadata: | ||
id: 1b5aa7d2-4700-5393-9fb1-8021a440161d | ||
name: The default namespace should not be used | ||
profile_applicability: '* Level 2' | ||
description: |- | ||
Kubernetes provides a default namespace, where objects are placed if no namespace is specified for them. | ||
Placing objects in this namespace makes application of RBAC and other controls more difficult. | ||
rationale: |- | ||
Resources in a Kubernetes cluster should be segregated by namespace, to allow for security controls to be applied at that level and to make it easier to manage resources. | ||
audit: |- | ||
Run this command to list objects in default namespace | ||
``` | ||
kubectl get all -n default | ||
``` | ||
The only entries there should be system managed resources such as the `kubernetes` service | ||
remediation: |- | ||
Ensure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace. | ||
impact: None | ||
default_value: | | ||
By default, cluster control plane logs aren't sent to CloudWatch Logs. ... When you enable a log type, the logs are sent with a log verbosity level of 2 . To enable or disable control plane logs with the console. Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters . Amazon EKS Information in CloudTrail CloudTrail is enabled on your AWS account when you create the account. When activity occurs in Amazon EKS, that activity is recorded in a CloudTrail event along with other AWS service events in Event history. | ||
references: '' | ||
section: General Policies | ||
version: '1.0' | ||
tags: | ||
- CIS | ||
- EKS | ||
- CIS 4.6.3 | ||
- General Policies | ||
benchmark: | ||
name: CIS Amazon Elastic Kubernetes Service (EKS) | ||
version: v1.0.1 | ||
id: cis_eks | ||
rule_number: 4.6.3 | ||
posture_type: kspm |
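Review bot: The `default_value` block describes EKS control-plane logs being sent to CloudWatch and CloudTrail recording, which has nothing to do with the control named on the `name:` line (use of the default Kubernetes namespace); it reads as pasted from a logging rule's metadata and will be shown to users next to this finding. The sibling `rule.rego` and `test.rego` for this directory also evaluate cluster logging rather than namespaces, so the whole directory looks mis-populated. A default grounded in this rule's own `description` would be something like `default_value: 'By default, objects created without a namespace are placed in the default namespace.'`, and `references: ''` should carry the benchmark link if one exists for this entry.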
5 changes: 5 additions & 0 deletions
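--- a/security-policies/bundle/compliance/cis_eks/rules/cis_4_6_3/rule.rego
+++ b/security-policies/bundle/compliance/cis_eks/rules/cis_4_6_3/rule.rego
@@ -0,0 +1,5 @@
+package compliance.cis_eks.rules.cis_2_1_1
+
+import data.compliance.policy.aws_eks.ensure_logs_enabled as audit
+
+finding = audit.finding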
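Review bot: The package is `compliance.cis_eks.rules.cis_2_1_1` although the file is under `rules/cis_4_6_3`, and the only logic is `finding = audit.finding` from `ensure_logs_enabled`, a control-plane logging policy, whereas the sibling data.yaml defines 4.6.3 as "The default namespace should not be used". If a `cis_2_1_1` package already exists in the bundle, this file would add a second `finding` definition to it and the evaluation would conflict rather than silently produce a wrong result. The package line should become `package compliance.cis_eks.rules.cis_4_6_3` (and likewise in the new test.rego), and the rule needs a namespace-based evaluation, or no rego at all if 4.6.3 is intended as a manual check; whether the data adapter exposes namespace-scoped resources for that is not visible in this commit.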
75 changes: 75 additions & 0 deletions
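--- a/security-policies/bundle/compliance/cis_eks/rules/cis_4_6_3/test.rego
+++ b/security-policies/bundle/compliance/cis_eks/rules/cis_4_6_3/test.rego
@@ -0,0 +1,75 @@
+package compliance.cis_eks.rules.cis_2_1_1
+
+import data.cis_eks.test_data
+import data.lib.test
+import future.keywords.if
+
+test_violation if {
+test.assert_fail(finding) with input as violating_input_all_logs_disabled
+test.assert_fail(finding) with input as violating_input_some_disabled
+}
+
+test_pass if {
+test.assert_pass(finding) with input as non_violating_input
+}
+
+test_not_evaluated if {
+not finding with input as test_data.not_evaluated_input
+}
+
+violating_input_all_logs_disabled = result if {
+logging = {"ClusterLogging": [{
+"Enabled": false,
+"Types": [
+"api",
+"audit",
+"authenticator",
+"controllerManager",
+"scheduler",
+],
+}]}
+
+result = generate_eks_input_with_log(logging)
+}
+
+violating_input_some_disabled = result if {
+logging = {"ClusterLogging": [
+{
+"Enabled": false,
+"Types": [
+"authenticator",
+"controllerManager",
+"scheduler",
+],
+},
+{
+"Enabled": true,
+"Types": [
+"api",
+"audit",
+],
+},
+]}
+
+result = generate_eks_input_with_log(logging)
+}
+
+non_violating_input = result if {
+logging = {"ClusterLogging": [{
+"Enabled": true,
+"Types": [
+"api",
+"audit",
+"authenticator",
+"controllerManager",
+"scheduler",
+],
+}]}
+
+result = generate_eks_input_with_log(logging)
+}
+
+generate_eks_input_with_log(logging) = result if {
+encryption_config = {"EncryptionConfig : null"}
+result = test_data.generate_eks_input(logging, encryption_config, true, true, [])
+}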
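Review bot: In `generate_eks_input_with_log`, `encryption_config = {"EncryptionConfig : null"}` builds a set containing the single string `"EncryptionConfig : null"`, not an object with an `EncryptionConfig` key set to null, because the colon sits inside the quotes. The tests here likely still pass since the logging policy under test does not appear to read encryption settings, but the fixture misrepresents the cluster shape handed to `test_data.generate_eks_input`, whose definition is outside this commit. The intended literal is presumably `encryption_config = {"EncryptionConfig": null}`.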