Merge pull request #1 from elastic/infra_changes

general changes
elastic · Nov 11, 2021 · b9db385 · b9db385
2 parents 2650c5e + e1532a5
commit b9db385
Show file tree

Hide file tree

Showing 15 changed files with 158 additions and 125 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,3 @@
-data.json
+output.json
+data.yaml
 input.json
diff --git a/compliance/cis.rego b/compliance/cis.rego
diff --git a/compliance/cis_k8s.rego b/compliance/cis_k8s.rego
@@ -0,0 +1,11 @@
+package compliance.cis_k8s
+
+import data.compliance.cis.rules
+
+default_tags := ["CIS", "CIS v1.6.0", "Kubernetes"]
+
+findings[finding] {
+    some rule_id
+    data.activated_rules.cis_k8s[rule_id]
+    finding = rules[rule_id].finding
+}
diff --git a/compliance/lib/common.rego b/compliance/lib/common.rego
@@ -0,0 +1,17 @@
+package compliance.lib.common
+
+# set the rule result
+calculate_result(evaluation) = "passed" {
+    evaluation
+} else = "violation"
+
+file_ownership_match(uid, gid, requierd_uid, requierd_gid) {
+    uid == requierd_uid
+    gid == requierd_gid
+} else = false
+
+# todo: compare performance of regex alternatives
+file_permission_match(filemode, user, group, other) {
+    pattern = sprintf("0?[0-%d][0-%d][0-%d]", [user, group, other])
+    regex.match(pattern, filemode)
+} else = false
diff --git a/compliance/lib/data_adapter.rego b/compliance/lib/data_adapter.rego
@@ -0,0 +1,30 @@
+package compliance.lib.data_adapter
+
+is_osquery {
+    input.osquery
+}
+
+is_file {
+    is_osquery
+    input.osquery.filename
+}
+
+filename = file_name {
+    is_file
+    file_name = input.osquery.filename
+}
+
+filemode = file_mode {
+    is_file
+    file_mode = input.osquery.mode
+}
+
+owner_user_id = uid {
+    is_file
+    uid = input.osquery.uid
+}
+
+owner_group_id = gid {
+    is_file
+    gid = input.osquery.gid
+}
diff --git a/compliance/lib/osquery.rego b/compliance/lib/osquery.rego
diff --git a/compliance/lib/test.rego b/compliance/lib/test.rego
@@ -0,0 +1,9 @@
+package lib.test
+
+rule_pass(finding) {
+    finding.evaluation == "passed"
+}
+
+rule_violation(finding) {
+   finding.evaluation == "violation"
+}
diff --git a/compliance/rules/cis_1_1_1/cis_1_1_1.rego b/compliance/rules/cis_1_1_1/cis_1_1_1.rego
diff --git a/compliance/rules/cis_1_1_1/rule.rego b/compliance/rules/cis_1_1_1/rule.rego
@@ -0,0 +1,20 @@
+package compliance.cis.rules.cis_1_1_1
+
+import data.compliance.lib.data_adapter
+import data.compliance.lib.common
+import data.compliance.cis_k8s
+
+# Ensure that the API server pod specification file permissions are set to 644 or more restrictive
+finding = result {
+    data_adapter.filename == "kube-apiserver.yaml"
+    filemode := data_adapter.filemode
+    rule_evaluation := common.file_permission_match(filemode, 6, 4, 4)
+
+    # set result
+    result := {
+        "evaluation" : common.calculate_result(rule_evaluation),
+        "evidence" : { "filemode" : filemode },
+        "rule_name" : "Ensure that the API server pod specification file permissions are set to 644 or more restrictive",
+        "tags" : array.concat(cis_k8s.default_tags, ["CIS 1.1.1"])
+    }
+}
diff --git a/compliance/rules/cis_1_1_1/test.rego b/compliance/rules/cis_1_1_1/test.rego
@@ -0,0 +1,21 @@
+package compliance.cis.rules.cis_1_1_1
+
+import data.lib.test
+
+test_violation {
+    test.rule_violation(finding) with input as rule_input("0700")
+}
+
+test_pass {
+    test.rule_pass(finding) with input as rule_input("0644")
+}
+
+rule_input(filemode) = {
+  "osquery": {
+    "mode": filemode,
+    "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml",
+    "uid": "root",
+    "filename": "kube-apiserver.yaml",
+    "gid": "root"
+  }
+}
diff --git a/compliance/rules/cis_1_1_2/rule.rego b/compliance/rules/cis_1_1_2/rule.rego
@@ -0,0 +1,22 @@
+package compliance.cis.rules.cis_1_1_2
+
+import data.compliance.lib.data_adapter
+import data.compliance.lib.common
+import data.compliance.cis_k8s
+
+
+# Ensure that the API server pod specification file ownership is set to root:root
+finding = result {
+    data_adapter.filename == "kube-apiserver.yaml"
+    uid = data_adapter.owner_user_id
+    gid = data_adapter.owner_group_id
+    rule_evaluation := common.file_ownership_match(uid, gid, "root", "root")
+
+    # set result
+    result := {
+        "evaluation" : common.calculate_result(rule_evaluation),
+        "evidence" : {"uid" : uid, "gid" : gid},
+        "rule_name" : "Ensure that the API server pod specification file ownership is set to root:root",
+        "tags" : array.concat(cis_k8s.default_tags, ["CIS 1.1.2"])
+    }
+}
diff --git a/compliance/rules/cis_1_1_2/test.rego b/compliance/rules/cis_1_1_2/test.rego
@@ -0,0 +1,23 @@
+package compliance.cis.rules.cis_1_1_2
+
+import data.lib.test
+
+test_violation {
+    test.rule_violation(finding) with input as rule_input("root", "user")
+    test.rule_violation(finding) with input as rule_input("user", "root")
+    test.rule_violation(finding) with input as rule_input("user", "user")
+}
+
+test_pass {
+    test.rule_pass(finding) with input as rule_input("root", "root")
+}
+
+rule_input(uid, gid) = {
+  "osquery": {
+    "mode": "0644",
+    "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml",
+    "uid": uid,
+    "filename": "kube-apiserver.yaml",
+    "gid": gid
+  }
+}
diff --git a/data.json b/data.json
diff --git a/input.json b/input.json
diff --git a/main.rego b/main.rego
@@ -1,11 +1,11 @@
 package main
 
-import data.compliance.cis
+import data.compliance.cis_k8s
 
 # input is a resource
-# data is configuration
+# data is policy/configuration
 # output is findings
 
 resource = input
-findings = cis.findings
+findings = cis_k8s.findings