[Security Policies] [new rule] File ownerships (#5)

README.md

@@ -1,13 +1,18 @@
-# Cloud Security Posture security policies 
+# Cloud Security Posture - Rego policies
+
+![Coverage Badge](https://img.shields.io/endpoint?url=https://gist.githubusercontent.com/oren-zohar/a7160df46e48dff45b24096de9302d38/raw/csp-security-policies__heads_main.json)
+
+
+
     .
     ├── compliance                         # Compliance policies
     │   ├── lib
     │   │   ├── common.rego                # Common functions
     │   │   ├── data_adapter.rego          # Input data adapter
     │   │   └── test.rego                  # Common Test functions
     │   ├── cis_k8s
-    │   |   ├── cis_k8s.rego               # Handles all Kubernetes CIS rules evalutations
-    │   |   ├── test_data.rego             # CIS Test data functions
+    │   │   ├── cis_k8s.rego               # Handles all Kubernetes CIS rules evalutations
+    │   │   ├── test_data.rego             # CIS Test data functions
     │   │   ├── rules
     │   │   │   ├── cis_1_1_1                  # CIS 1.1.1 rule package 
     │   │   │   │   ├── rule.rego
@@ -32,7 +37,7 @@ should contain an beat/agent output, e.g. filesystem data
 
 ```json
 {
-    "type": "filesystem",
+    "type": "file-system",
     "mode": "0700",
     "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml",
     "uid": "etc",
@@ -51,37 +56,63 @@ should contain an beat/agent output, e.g. filesystem data
 <summary>Example output</summary>
 
 ```json
-[
-  {
-    "evaluation": "violation",
-    "evidence": {
-      "filemode": "0700"
-    },
-    "rule_name": "Ensure that the API server pod specification file permissions are set to 644 or more restrictive",
-    "tags": [
-      "CIS",
-      "CIS v1.6.0",
-      "Kubernetes",
-      "CIS 1.1.1"
-    ]
-  },
-  {
-    "evaluation": "violation",
-    "evidence": {
-      "gid": "root",
-      "uid": "etc"
+{
+  "findings": [
+    {
+      "result": {
+        "evaluation": "failed",
+        "evidence": {
+          "filemode": "0700"
+        }
+      },
+      "rule": {
+        "benchmark": "CIS Kubernetes",
+        "description": "The API server pod specification file controls various parameters that set the behavior of the API server. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.",
+        "impact": "None",
+        "name": "Ensure that the API server pod specification file permissions are set to 644 or more restrictive",
+        "remediation": "chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml",
+        "tags": [
+          "CIS",
+          "CIS v1.6.0",
+          "Kubernetes",
+          "CIS 1.1.1",
+          "Master Node Configuration"
+        ]
+      }
     },
-    "rule_name": "Ensure that the API server pod specification file ownership is set to root:root",
-    "tags": [
-      "CIS",
-      "CIS v1.6.0",
-      "Kubernetes",
-      "CIS 1.1.2"
-    ]
+    {
+      "result": {
+        "evaluation": "passed",
+        "evidence": {
+          "gid": "root",
+          "uid": "root"
+        }
+      },
+      "rule": {
+        "benchmark": "CIS Kubernetes",
+        "description": "The API server pod specification file controls various parameters that set the behavior of the API server. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.",
+        "impact": "None",
+        "name": "Ensure that the API server pod specification file ownership is set to root:root",
+        "remediation": "chown root:root /etc/kubernetes/manifests/kube-apiserver.yaml",
+        "tags": [
+          "CIS",
+          "CIS v1.6.0",
+          "Kubernetes",
+          "CIS 1.1.2",
+          "Master Node Configuration"
+        ]
+      }
+    }
+  ],
+  "resource": {
+    "filename": "kube-apiserver.yaml",
+    "gid": "root",
+    "mode": "0700",
+    "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml",
+    "type": "file-system",
+    "uid": "root"
   }
-]
-
-
+}
 ```
 
 </details>

compliance/cis_k8s/cis_k8s.rego

@@ -4,8 +4,13 @@ import data.compliance.cis_k8s.rules
 
 default_tags := ["CIS", "CIS v1.6.0", "Kubernetes"]
 
+benchmark_name := "CIS Kubernetes"
+
 findings[finding] {
 	some rule_id
 	data.activated_rules.cis_k8s[rule_id]
-	finding = rules[rule_id].finding
+	finding = {
+		"result": rules[rule_id].finding,
+		"rule": rules[rule_id].metadata,
+	}
 }

compliance/cis_k8s/rules/cis_1_1_1/rule.rego

@@ -14,7 +14,14 @@ finding = result {
 	result := {
 		"evaluation": common.calculate_result(rule_evaluation),
 		"evidence": {"filemode": filemode},
-		"rule_name": "Ensure that the API server pod specification file permissions are set to 644 or more restrictive",
-		"tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.1"]),
 	}
 }
+
+metadata = {
+	"name": "Ensure that the API server pod specification file permissions are set to 644 or more restrictive",
+	"description": "The API server pod specification file controls various parameters that set the behavior of the API server. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.",
+	"impact": "None",
+	"tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.1", "Master Node Configuration"]),
+	"benchmark": cis_k8s.benchmark_name,
+	"remediation": "chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml",
+}

compliance/cis_k8s/rules/cis_1_1_1/test.rego

@@ -4,7 +4,7 @@ import data.cis_k8s.test_data
 import data.lib.test
 
 test_violation {
-	test.assert_violation(finding) with input as rule_input("kube-apiserver.yaml", "0700")
+	test.assert_fail(finding) with input as rule_input("kube-apiserver.yaml", "0700")
 }
 
 test_pass {

compliance/cis_k8s/rules/cis_1_1_13/rule.rego

@@ -14,7 +14,14 @@ finding = result {
 	result := {
 		"evaluation": common.calculate_result(rule_evaluation),
 		"evidence": {"filemode": filemode},
-		"rule_name": "Ensure that the admin.conf file permissions are set to 644 or more restrictive",
-		"tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.13"]),
 	}
 }
+
+metadata = {
+	"name": "Ensure that the admin.conf file permissions are set to 644 or more restrictive",
+	"description": "The admin.conf is the administrator kubeconfig file defining various settings for the administration of the cluster. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.",
+	"impact": "None",
+	"tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.13", "Master Node Configuration"]),
+	"benchmark": cis_k8s.benchmark_name,
+	"remediation": "chmod 644 /etc/kubernetes/admin.conf",
+}

compliance/cis_k8s/rules/cis_1_1_13/test.rego

@@ -4,7 +4,7 @@ import data.cis_k8s.test_data
 import data.lib.test
 
 test_violation {
-	test.assert_violation(finding) with input as rule_input("admin.conf", "0700")
+	test.assert_fail(finding) with input as rule_input("admin.conf", "0700")
 }
 
 test_pass {

compliance/cis_k8s/rules/cis_1_1_14/rule.rego

@@ -0,0 +1,28 @@
+package compliance.cis_k8s.rules.cis_1_1_14
+
+import data.compliance.cis_k8s
+import data.compliance.lib.common
+import data.compliance.lib.data_adapter
+
+# Ensure that the admin.conf file ownership is set to root:root (Automated)
+finding = result {
+	data_adapter.filename == "admin.conf"
+	uid = data_adapter.owner_user_id
+	gid = data_adapter.owner_group_id
+	rule_evaluation := common.file_ownership_match(uid, gid, "root", "root")
+
+	# set result
+	result := {
+		"evaluation": common.calculate_result(rule_evaluation),
+		"evidence": {"uid": uid, "gid": gid},
+	}
+}
+
+metadata = {
+	"name": "Ensure that the API server pod specification file ownership is set to root:root",
+	"description": "The admin.conf file contains the admin credentials for the cluster. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.",
+	"impact": "None",
+	"tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.14", "Master Node Configuration"]),
+	"benchmark": cis_k8s.benchmark_name,
+	"remediation": "chown root:root /etc/kubernetes/admin.conf",
+}

compliance/cis_k8s/rules/cis_1_1_14/test.rego

@@ -0,0 +1,23 @@
+package compliance.cis_k8s.rules.cis_1_1_14
+
+import data.cis_k8s.test_data
+import data.lib.test
+
+test_violation {
+	test.assert_fail(finding) with input as rule_input("admin.conf", "root", "user")
+	test.assert_fail(finding) with input as rule_input("admin.conf", "user", "root")
+	test.assert_fail(finding) with input as rule_input("admin.conf", "user", "user")
+}
+
+test_pass {
+	test.assert_pass(finding) with input as rule_input("admin.conf", "root", "root")
+}
+
+test_not_evaluated {
+	not finding with input as rule_input("file.txt", "root", "root")
+}
+
+rule_input(filename, uid, gid) = filesystem_input {
+	filemode := "0644"
+	filesystem_input = test_data.filesystem_input(filename, filemode, uid, gid)
+}

compliance/cis_k8s/rules/cis_1_1_15/rule.rego

@@ -14,7 +14,14 @@ finding = result {
 	result := {
 		"evaluation": common.calculate_result(rule_evaluation),
 		"evidence": {"filemode": filemode},
-		"rule_name": "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive",
-		"tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.15"]),
 	}
 }
+
+metadata = {
+	"name": "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive",
+	"description": "The scheduler.conf file is the kubeconfig file for the Scheduler. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.",
+	"impact": "None",
+	"tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.15", "Master Node Configuration"]),
+	"benchmark": cis_k8s.benchmark_name,
+	"remediation": "chmod 644 /etc/kubernetes/scheduler.conf",
+}

compliance/cis_k8s/rules/cis_1_1_15/test.rego

@@ -4,7 +4,7 @@ import data.cis_k8s.test_data
 import data.lib.test
 
 test_violation {
-	test.assert_violation(finding) with input as rule_input("scheduler.conf", "0700")
+	test.assert_fail(finding) with input as rule_input("scheduler.conf", "0700")
 }
 
 test_pass {

compliance/cis_k8s/rules/cis_1_1_16/rule.rego

@@ -0,0 +1,28 @@
+package compliance.cis_k8s.rules.cis_1_1_16
+
+import data.compliance.cis_k8s
+import data.compliance.lib.common
+import data.compliance.lib.data_adapter
+
+# Ensure that the scheduler.conf file ownership is set to root:root (Automated)
+finding = result {
+	data_adapter.filename == "scheduler.conf"
+	uid = data_adapter.owner_user_id
+	gid = data_adapter.owner_group_id
+	rule_evaluation := common.file_ownership_match(uid, gid, "root", "root")
+
+	# set result
+	result := {
+		"evaluation": common.calculate_result(rule_evaluation),
+		"evidence": {"uid": uid, "gid": gid},
+	}
+}
+
+metadata = {
+	"name": "Ensure that the scheduler.conf file ownership is set to root:root",
+	"description": "The scheduler.conf file is the kubeconfig file for the Scheduler. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.",
+	"impact": "None",
+	"tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.16", "Master Node Configuration"]),
+	"benchmark": cis_k8s.benchmark_name,
+	"remediation": "chown root:root /etc/kubernetes/scheduler.conf",
+}

compliance/cis_k8s/rules/cis_1_1_16/test.rego

@@ -0,0 +1,23 @@
+package compliance.cis_k8s.rules.cis_1_1_16
+
+import data.cis_k8s.test_data
+import data.lib.test
+
+test_violation {
+	test.assert_fail(finding) with input as rule_input("scheduler.conf", "root", "user")
+	test.assert_fail(finding) with input as rule_input("scheduler.conf", "user", "root")
+	test.assert_fail(finding) with input as rule_input("scheduler.conf", "user", "user")
+}
+
+test_pass {
+	test.assert_pass(finding) with input as rule_input("scheduler.conf", "root", "root")
+}
+
+test_not_evaluated {
+	not finding with input as rule_input("file.txt", "root", "root")
+}
+
+rule_input(filename, uid, gid) = filesystem_input {
+	filemode := "0644"
+	filesystem_input = test_data.filesystem_input(filename, filemode, uid, gid)
+}

compliance/cis_k8s/rules/cis_1_1_17/rule.rego

@@ -14,7 +14,14 @@ finding = result {
 	result := {
 		"evaluation": common.calculate_result(rule_evaluation),
 		"evidence": {"filemode": filemode},
-		"rule_name": "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive",
-		"tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.17"]),
 	}
 }
+
+metadata = {
+	"name": "Ensure that the controller-manager.conf file has permissions of 644 or more restrictive.",
+	"description": "The controller-manager.conf file is the kubeconfig file for the Controller Manager. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.",
+	"impact": "None",
+	"tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.17", "Master Node Configuration"]),
+	"benchmark": cis_k8s.benchmark_name,
+	"remediation": "chmod 644 /etc/kubernetes/controller-manager.conf",
+}

compliance/cis_k8s/rules/cis_1_1_17/test.rego

@@ -4,7 +4,7 @@ import data.cis_k8s.test_data
 import data.lib.test
 
 test_violation {
-	test.assert_violation(finding) with input as rule_input("controller-manager.conf", "0700")
+	test.assert_fail(finding) with input as rule_input("controller-manager.conf", "0700")
 }
 
 test_pass {

compliance/cis_k8s/rules/cis_1_1_18/rule.rego

@@ -0,0 +1,28 @@
+package compliance.cis_k8s.rules.cis_1_1_18
+
+import data.compliance.cis_k8s
+import data.compliance.lib.common
+import data.compliance.lib.data_adapter
+
+#  Ensure that the controller-manager.conf file ownership is set to root:root (Automated)
+finding = result {
+	data_adapter.filename == "controller-manager.conf"
+	uid = data_adapter.owner_user_id
+	gid = data_adapter.owner_group_id
+	rule_evaluation := common.file_ownership_match(uid, gid, "root", "root")
+
+	# set result
+	result := {
+		"evaluation": common.calculate_result(rule_evaluation),
+		"evidence": {"uid": uid, "gid": gid},
+	}
+}
+
+metadata = {
+	"name": "Ensure that the controller-manager.conf file ownership is set to root:root",
+	"description": "The controller-manager.conf file is the kubeconfig file for the Controller Manager. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.",
+	"impact": "None",
+	"tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.18", "Master Node Configuration"]),
+	"benchmark": cis_k8s.benchmark_name,
+	"remediation": "chown root:root /etc/kubernetes/controller-manager.conf",
+}