add dummy gcp rule

security-policies/bundle/compliance/cis_gcp/rules/cis_2_15/data.yaml

@@ -0,0 +1,104 @@
+metadata:
+ id: 43f5d256-b75d-559b-982e-532d707a7f40
+ name: Ensure 'Access Approval' is 'Enabled'
+ profile_applicability: '* Level 2'
+ description: |-
+ GCP Access Approval enables you to require your organizations' explicit approval whenever Google support try to access your projects.
+ You can then select users within your organization who can approve these requests through giving them a security role in IAM.
+ All access requests display which Google Employee requested them in an email or Pub/Sub message that you can choose to Approve.
+ This adds an additional control and logging of who in your organization approved/denied these requests.
+ rationale: |-
+ Controlling access to your information is one of the foundations of information security.
+ Google Employees do have access to your organizations' projects for support reasons.
+ With Access Approval, organizations can then be certain that their information is accessed by only approved Google Personnel.
+ audit: |-
+ **From Google Cloud Console**
+
+ **Determine if Access Transparency is Enabled as it is a Dependency**
+
+ 1. From the Google Cloud Home inside the project you wish to audit, click on the Navigation hamburger menu in the top left. Hover over the `IAM & Admin` Menu. Select `settings` in the middle of the column that opens.
+
+ 2. The status should be "Enabled' under the heading `Access Transparency`
+
+ **Determine if Access Approval is Enabled**
+
+ 3. From the Google Cloud Home, within the project you wish to check, click on the Navigation hamburger menu in the top left. Hover over the `Security` Menu. Select `Access Approval` in the middle of the column that opens. 
+
+ 4. The status will be displayed here. If you see a screen saying you need to enroll in Access Approval, it is not enabled.
+
+ **From Google Cloud CLI**
+
+ **Determine if Access Approval is Enabled**
+ 5. From within the project you wish to audit, run the following command.
+ ```
+ gcloud access-approval settings get
+ ```
+ 6. The status will be displayed in the output.
+
+ IF Access Approval is not enabled you should get this output:
+ ```
+ API [accessapproval.googleapis.com] not enabled on project [-----].
+ Would you like to enable and retry (this will take a few minutes)? (y/N)?
+ ```
+ After entering `Y` if you get the following output, it means that `Access Transparency` is not enabled:
+ ```
+ ERROR: (gcloud.access-approval.settings.get) FAILED_PRECONDITION: Precondition check failed.
+ ```
+ remediation: |-
+ **From Google Cloud Console**
+
+ 1. From the Google Cloud Home, within the project you wish to enable, click on the Navigation hamburger menu in the top left. Hover over the `Security` Menu. Select `Access Approval` in the middle of the column that opens. 
+
+ 2. The status will be displayed here. On this screen, there is an option to click `Enroll`. If it is greyed out and you see an error bar at the top of the screen that says `Access Transparency is not enabled` please view the corresponding reference within this section to enable it.
+
+ 3. In the second screen click `Enroll`.
+
+ **Grant an IAM Group or User the role with permissions to Add Users to be Access Approval message Recipients**
+
+ 4. From the Google Cloud Home, within the project you wish to enable, click on the Navigation hamburger menu in the top left. Hover over the `IAM and Admin`. Select `IAM` in the middle of the column that opens. 
+
+ 5. Click the blue button the says `+ ADD` at the top of the screen.
+
+ 6. In the `principals` field, select a user or group by typing in their associated email address.
+
+ 7. Click on the role field to expand it. In the filter field enter `Access Approval Approver` and select it.
+
+ 8. Click `save`.
+
+ **Add a Group or User as an Approver for Access Approval Requests**
+
+ 9. As a user with the `Access Approval Approver` permission, within the project where you wish to add an email address to which request will be sent, click on the Navigation hamburger menu in the top left. Hover over the `Security` Menu. Select `Access Approval` in the middle of the column that opens. 
+
+ 10. Click `Manage Settings`
+
+ 11. Under `Set up approval notifications`, enter the email address associated with a Google Cloud User or Group you wish to send Access Approval requests to. All future access approvals will be sent as emails to this address.
+
+ **From Google Cloud CLI**
+
+ 12. To update all services in an entire project, run the following command from an account that has permissions as an 'Approver for Access Approval Requests'
+
+ ```
+ gcloud access-approval settings update --project=<project name> --enrolled_services=all --notification_emails='<email recipient for access approval requests>@<domain name>'
+ ```
+ impact: |-
+ To use Access Approval your organization will need have enabled Access Transparency and have at one of the following support level: Enhanced or Premium. There will be subscription costs associated with these support levels, as well as increased storage costs for storing the logs. You will also not be able to turn the Access Transparency which Access Approval depends on, off yourself. To do so you will need to submit a service request to Google Cloud Support. There will also be additional overhead in managing user permissions. There may also be a potential delay in support times as Google Personnel will have to wait for their access to be approved.
+ default_value: ''
+ references: |-
+ 1. https://cloud.google.com/cloud-provider-access-management/access-approval/docs
+ 2. https://cloud.google.com/cloud-provider-access-management/access-approval/docs/overview
+ 3. https://cloud.google.com/cloud-provider-access-management/access-approval/docs/quickstart-custom-key
+ 4. https://cloud.google.com/cloud-provider-access-management/access-approval/docs/supported-services
+ 5. https://cloud.google.com/cloud-provider-access-management/access-approval/docs/view-historical-requests
+ section: Logging and Monitoring
+ version: '1.0'
+ tags:
+ - CIS
+ - GCP
+ - CIS 2.15
+ - Logging and Monitoring
+ benchmark:
+ name: CIS Google Cloud Platform Foundation
+ version: v2.0.0
+ id: cis_gcp
+ rule_number: '2.15'
+ posture_type: cspm

security-policies/bundle/compliance/cis_gcp/rules/cis_2_15/rule.rego

@@ -0,0 +1,34 @@
+package compliance.cis_gcp.rules.cis_2_1
+
+import data.compliance.lib.common
+import data.compliance.policy.gcp.data_adapter
+import future.keywords.if
+import future.keywords.in
+
+finding = result if {
+ data_adapter.is_policies_resource
+
+ result := common.generate_result_without_expected(
+ common.calculate_result(cloud_logging_is_configured),
+ input.resource,
+ )
+}
+
+cloud_logging_is_configured if {
+ policy := input.resource[_].iam_policy
+ has_read_write_logs(policy)
+ not has_exempted_members(policy)
+} else = false
+
+has_read_write_logs(policy) if {
+ log_types := {t | t = policy.audit_configs[i].audit_log_configs[j].log_type}
+ 1 in log_types # "ADMIN_READ"
+ 2 in log_types # "DATA_WRITE"
+ 3 in log_types # "DATA_READ"
+ policy.audit_configs[_].service == "allServices"
+} else = false
+
+has_exempted_members(policy) if {
+ configs := policy.audit_configs[_].audit_log_configs[_]
+ count(configs.exempted_members) > 0
+} else = false

security-policies/bundle/compliance/cis_gcp/rules/cis_2_15/test.rego

@@ -0,0 +1,85 @@
+package compliance.cis_gcp.rules.cis_2_1
+
+import data.cis_gcp.test_data
+import data.compliance.policy.gcp.data_adapter
+import data.lib.test
+import future.keywords.if
+
+test_violation if {
+ # fail when no read/write logs are set for project/folder/org level
+ eval_fail with input as test_data.generate_policies_asset([{}])
+
+ # fail when DATA_WRITE is missing from project
+ eval_fail with input as test_data.generate_policies_asset([{"iam_policy": {"audit_configs": [{
+ "audit_log_configs": [{"log_type": 2}, {"log_type": 1}],
+ "service": "allServices",
+ }]}}])
+
+ # fail when DATA_READ is missing from project
+ eval_fail with input as test_data.generate_policies_asset([{"iam_policy": {"audit_configs": [{
+ "audit_log_configs": [{"log_type": 3}, {"log_type": 1}],
+ "service": "allServices",
+ }]}}])
+
+ # fail when ADMIN_READ is missing from project
+ eval_fail with input as test_data.generate_policies_asset([{"iam_policy": {"audit_configs": [{
+ "audit_log_configs": [{"log_type": 3}, {"log_type": 2}],
+ "service": "allServices",
+ }]}}])
+
+ # fail when extempted members is not empty
+ eval_fail with input as test_data.generate_policies_asset([{"iam_policy": {"audit_configs": [{
+ "audit_log_configs": [
+ {
+ "log_type": 3,
+ "exempted_members": ["user:a"],
+ },
+ {"log_type": 2}, {"log_type": 1},
+ ],
+ "service": "allServices",
+ }]}}])
+
+ # fail when "service": "allServices" is missing from project
+ eval_fail with input as test_data.generate_policies_asset([{"iam_policy": {"audit_configs": [{"audit_log_configs": [{"log_type": 3}, {"log_type": 2}, {"log_type": 1}]}]}}])
+
+ # fail when DATA_READ and DATA_WRITE aren't set on the same policy
+ eval_fail with input as test_data.generate_policies_asset([
+ {"iam_policy": {"audit_configs": [{
+ "audit_log_configs": [{"log_type": 3}, {"log_type": 1}],
+ "service": "allServices",
+ }]}},
+ {"iam_policy": {"audit_configs": [{
+ "audit_log_configs": [{"log_type": 2}, {"log_type": 1}],
+ "service": "allServices",
+ }]}},
+ ])
+}
+
+test_pass if {
+ # passes when project has DATA_READ/DATA_WRITE/ADMIN_READ
+ # for all services, and with no exempted members
+ eval_pass with input as test_data.generate_policies_asset([{"iam_policy": {"audit_configs": [{
+ "audit_log_configs": [
+ {"log_type": 1},
+ {"log_type": 2},
+ {"log_type": 3},
+ ],
+ "service": "allServices",
+ }]}}])
+}
+
+test_not_evaluated if {
+ not_eval with input as test_data.not_eval_resource
+}
+
+eval_fail if {
+ test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
+}
+
+eval_pass if {
+ test.assert_pass(finding) with data.benchmark_data_adapter as data_adapter
+}
+
+not_eval if {
+ not finding with data.benchmark_data_adapter as data_adapter
+}