From 0d8c8e7fa09b4220cc4c103f2447c4697bb531f1 Mon Sep 17 00:00:00 2001 
From: orenzohar Date: Mon, 15 Nov 2021 15:17:47 +0200 Subject: [PATCH 1/9] Add test data generator General repo struct refactor --- compliance/cis_k8s.rego | 11 -------- compliance/cis_k8s/cis_k8s.rego | 11 ++++++++ compliance/cis_k8s/rules/cis_1_1_1/rule.rego | 20 +++++++++++++++ compliance/cis_k8s/rules/cis_1_1_1/test.rego | 18 +++++++++++++ compliance/cis_k8s/rules/cis_1_1_13/rule.rego | 20 +++++++++++++++ compliance/cis_k8s/rules/cis_1_1_13/test.rego | 18 +++++++++++++ compliance/cis_k8s/rules/cis_1_1_15/rule.rego | 20 +++++++++++++++ compliance/cis_k8s/rules/cis_1_1_15/test.rego | 18 +++++++++++++ compliance/cis_k8s/rules/cis_1_1_17/rule.rego | 20 +++++++++++++++ compliance/cis_k8s/rules/cis_1_1_17/test.rego | 18 +++++++++++++ compliance/cis_k8s/rules/cis_1_1_2/rule.rego | 21 ++++++++++++++++ compliance/cis_k8s/rules/cis_1_1_2/test.rego | 19 ++++++++++++++ compliance/cis_k8s/rules/cis_1_1_3/rule.rego | 20 +++++++++++++++ compliance/cis_k8s/rules/cis_1_1_3/test.rego | 18 +++++++++++++ compliance/cis_k8s/rules/cis_1_1_5/rule.rego | 20 +++++++++++++++ compliance/cis_k8s/rules/cis_1_1_5/test.rego | 18 +++++++++++++ compliance/cis_k8s/rules/cis_1_1_7/rule.rego | 20 +++++++++++++++ compliance/cis_k8s/rules/cis_1_1_7/test.rego | 18 +++++++++++++ compliance/cis_k8s/test.rego | 18 +++++++++++++ compliance/lib/data_adapter.rego | 25 ++++++++----------- compliance/lib/test.rego | 9 ------- compliance/rules/cis_1_1_1/rule.rego | 20 --------------- compliance/rules/cis_1_1_1/test.rego | 21 ---------------- compliance/rules/cis_1_1_13/rule.rego | 20 --------------- compliance/rules/cis_1_1_13/test.rego | 21 ---------------- compliance/rules/cis_1_1_15/rule.rego | 20 --------------- compliance/rules/cis_1_1_15/test.rego | 21 ---------------- compliance/rules/cis_1_1_17/rule.rego | 20 --------------- compliance/rules/cis_1_1_17/test.rego | 21 ---------------- compliance/rules/cis_1_1_2/rule.rego | 22 ---------------- compliance/rules/cis_1_1_2/test.rego | 23 ----------------- 
compliance/rules/cis_1_1_3/rule.rego | 20 --------------- compliance/rules/cis_1_1_3/test.rego | 21 ---------------- compliance/rules/cis_1_1_5/rule.rego | 20 --------------- compliance/rules/cis_1_1_5/test.rego | 21 ---------------- compliance/rules/cis_1_1_7/rule.rego | 20 --------------- compliance/rules/cis_1_1_7/test.rego | 21 ---------------- 37 files changed, 345 insertions(+), 367 deletions(-) delete mode 100644 compliance/cis_k8s.rego create mode 100644 compliance/cis_k8s/cis_k8s.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_1/rule.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_1/test.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_13/rule.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_13/test.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_15/rule.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_15/test.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_17/rule.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_17/test.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_2/rule.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_2/test.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_3/rule.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_3/test.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_5/rule.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_5/test.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_7/rule.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_7/test.rego create mode 100644 compliance/cis_k8s/test.rego delete mode 100644 compliance/lib/test.rego delete mode 100644 compliance/rules/cis_1_1_1/rule.rego delete mode 100644 compliance/rules/cis_1_1_1/test.rego delete mode 100644 compliance/rules/cis_1_1_13/rule.rego delete mode 100644 compliance/rules/cis_1_1_13/test.rego delete mode 100644 compliance/rules/cis_1_1_15/rule.rego delete mode 100644 compliance/rules/cis_1_1_15/test.rego delete mode 100644 
compliance/rules/cis_1_1_17/rule.rego delete mode 100644 compliance/rules/cis_1_1_17/test.rego delete mode 100644 compliance/rules/cis_1_1_2/rule.rego delete mode 100644 compliance/rules/cis_1_1_2/test.rego delete mode 100644 compliance/rules/cis_1_1_3/rule.rego delete mode 100644 compliance/rules/cis_1_1_3/test.rego delete mode 100644 compliance/rules/cis_1_1_5/rule.rego delete mode 100644 compliance/rules/cis_1_1_5/test.rego delete mode 100644 compliance/rules/cis_1_1_7/rule.rego delete mode 100644 compliance/rules/cis_1_1_7/test.rego diff --git a/compliance/cis_k8s.rego b/compliance/cis_k8s.rego deleted file mode 100644 index e054d10d..00000000 --- a/compliance/cis_k8s.rego +++ /dev/null @@ -1,11 +0,0 @@ -package compliance.cis_k8s - -import data.compliance.cis.rules - -default_tags := ["CIS", "CIS v1.6.0", "Kubernetes"] - -findings[finding] { - some rule_id - data.activated_rules.cis_k8s[rule_id] - finding = rules[rule_id].finding -} diff --git a/compliance/cis_k8s/cis_k8s.rego b/compliance/cis_k8s/cis_k8s.rego new file mode 100644 index 00000000..b4c2a348 --- /dev/null +++ b/compliance/cis_k8s/cis_k8s.rego @@ -0,0 +1,11 @@ +package compliance.cis_k8s + +import data.compliance.cis_k8s.rules + +default_tags := ["CIS", "CIS v1.6.0", "Kubernetes"] + +findings[finding] { + some rule_id + data.activated_rules.cis_k8s[rule_id] + finding = rules[rule_id].finding +} diff --git a/compliance/cis_k8s/rules/cis_1_1_1/rule.rego b/compliance/cis_k8s/rules/cis_1_1_1/rule.rego new file mode 100644 index 00000000..2d1173ec --- /dev/null +++ b/compliance/cis_k8s/rules/cis_1_1_1/rule.rego 
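Review bot: `findings` in compliance/cis_k8s/cis_k8s.rego is gated on `data.activated_rules.cis_k8s[rule_id]`, a document that nothing in this commit defines or documents, so an absent or empty document yields no findings at all rather than an error, which is easy to misread as a clean result. A short comment above the rule would make the contract visible, e.g. `# data.activated_rules.cis_k8s is supplied at evaluation time; its keys are presumably the rule package names (cis_1_1_1, ...) and an absent key disables that rule`. The same gating existed in the deleted compliance/cis_k8s.rego; only the import path changes in this file.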
@@ -0,0 +1,20 @@ +package compliance.cis_k8s.rules.cis_1_1_1 + +import data.compliance.cis_k8s +import data.compliance.lib.common +import data.compliance.lib.data_adapter + +# Ensure that the API server pod specification file permissions are set to 644 or more restrictive +finding = result { + data_adapter.filename == "kube-apiserver.yaml" + filemode := data_adapter.filemode + rule_evaluation := common.file_permission_match(filemode, 6, 4, 4) + + # set result + result := { + "evaluation": common.calculate_result(rule_evaluation), + "evidence": {"filemode": filemode}, + "rule_name": "Ensure that the API server pod specification file permissions are set to 644 or more restrictive", + "tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.1"]), + } +} diff --git a/compliance/cis_k8s/rules/cis_1_1_1/test.rego b/compliance/cis_k8s/rules/cis_1_1_1/test.rego new file mode 100644 index 00000000..82d0c0ed --- /dev/null +++ b/compliance/cis_k8s/rules/cis_1_1_1/test.rego @@ -0,0 +1,18 @@ +package compliance.cis_k8s.rules.cis_1_1_1 + +import data.cis_k8s.test + +test_violation { + test.rule_violation(finding) with input as rule_input("0700") +} + +test_pass { + test.rule_pass(finding) with input as rule_input("0644") +} + +rule_input(filemode) = filesystem_input { + filename := "kube-apiserver.yaml" + uid := "root" + gid := "root" + filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid) +} diff --git a/compliance/cis_k8s/rules/cis_1_1_13/rule.rego b/compliance/cis_k8s/rules/cis_1_1_13/rule.rego new file mode 100644 index 00000000..42bc814e --- /dev/null +++ b/compliance/cis_k8s/rules/cis_1_1_13/rule.rego 
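Review bot: The rule in cis_1_1_1/rule.rego selects its target by basename only, `data_adapter.filename == "kube-apiserver.yaml"`, and the directory the file lives in is never checked, so any file with that name anywhere on the host is evaluated against CIS 1.1.1 and a stray copy is indistinguishable from the real manifest. If the scanner sends the `path` field that the new test generator includes, exposing it through data_adapter and matching on it would tighten the check; the same pattern is in the cis_1_1_13, cis_1_1_15, cis_1_1_17, cis_1_1_2, cis_1_1_3, cis_1_1_5 and cis_1_1_7 rules. Until then a comment such as `# matched on basename only; the directory is not verified (data_adapter exposes no path)` would at least record the limitation.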
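Review bot: cis_1_1_1/test.rego covers one violating and one passing mode but not the case where the rule should not apply; because `finding` is undefined when `data_adapter.filename` does not match, a regression that dropped the filename condition would still pass both tests. One more rule would pin it: `test_not_applicable { not finding with input as test.generate_filesystem_input("other.yaml", "0644", "root", "root") }`. The same gap is in the other rule test files added by this commit.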
@@ -0,0 +1,20 @@ +package compliance.cis_k8s.rules.cis_1_1_13 + +import data.compliance.cis_k8s +import data.compliance.lib.common +import data.compliance.lib.data_adapter + +# Ensure that the admin.conf file permissions are set to 644 or more restrictive +finding = result { + data_adapter.filename == "admin.conf" + filemode := data_adapter.filemode + rule_evaluation := common.file_permission_match(filemode, 6, 4, 4) + + # set result + result := { + "evaluation": common.calculate_result(rule_evaluation), + "evidence": {"filemode": filemode}, + "rule_name": "Ensure that the admin.conf file permissions are set to 644 or more restrictive", + "tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.13"]), + } +} diff --git a/compliance/cis_k8s/rules/cis_1_1_13/test.rego b/compliance/cis_k8s/rules/cis_1_1_13/test.rego new file mode 100644 index 00000000..7359a307 --- /dev/null +++ b/compliance/cis_k8s/rules/cis_1_1_13/test.rego @@ -0,0 +1,18 @@ +package compliance.cis_k8s.rules.cis_1_1_13 + +import data.cis_k8s.test + +test_violation { + test.rule_violation(finding) with input as rule_input("0700") +} + +test_pass { + test.rule_pass(finding) with input as rule_input("0644") +} + +rule_input(filemode) = filesystem_input { + filename := "admin.conf" + uid := "root" + gid := "root" + filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid) +} diff --git a/compliance/cis_k8s/rules/cis_1_1_15/rule.rego b/compliance/cis_k8s/rules/cis_1_1_15/rule.rego new file mode 100644 index 00000000..3ad249db --- /dev/null +++ b/compliance/cis_k8s/rules/cis_1_1_15/rule.rego 
@@ -0,0 +1,20 @@ +package compliance.cis_k8s.rules.cis_1_1_15 + +import data.compliance.cis_k8s +import data.compliance.lib.common +import data.compliance.lib.data_adapter + +# Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated) +finding = result { + data_adapter.filename == "scheduler.conf" + filemode := data_adapter.filemode + rule_evaluation := common.file_permission_match(filemode, 6, 4, 4) + + # set result + result := { + "evaluation": common.calculate_result(rule_evaluation), + "evidence": {"filemode": filemode}, + "rule_name": "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive", + "tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.15"]), + } +} diff --git a/compliance/cis_k8s/rules/cis_1_1_15/test.rego b/compliance/cis_k8s/rules/cis_1_1_15/test.rego new file mode 100644 index 00000000..827e1348 --- /dev/null +++ b/compliance/cis_k8s/rules/cis_1_1_15/test.rego @@ -0,0 +1,18 @@ +package compliance.cis_k8s.rules.cis_1_1_15 + +import data.cis_k8s.test + +test_violation { + test.rule_violation(finding) with input as rule_input("0700") +} + +test_pass { + test.rule_pass(finding) with input as rule_input("0644") +} + +rule_input(filemode) = filesystem_input { + filename := "scheduler.conf" + uid := "root" + gid := "root" + filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid) +} diff --git a/compliance/cis_k8s/rules/cis_1_1_17/rule.rego b/compliance/cis_k8s/rules/cis_1_1_17/rule.rego new file mode 100644 index 00000000..cf7157a8 --- /dev/null +++ b/compliance/cis_k8s/rules/cis_1_1_17/rule.rego 
@@ -0,0 +1,20 @@ +package compliance.cis_k8s.rules.cis_1_1_17 + +import data.compliance.cis_k8s +import data.compliance.lib.common +import data.compliance.lib.data_adapter + +# Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated) +finding = result { + data_adapter.filename == "controller-manager.conf" + filemode := data_adapter.filemode + rule_evaluation := common.file_permission_match(filemode, 6, 4, 4) + + # set result + result := { + "evaluation": common.calculate_result(rule_evaluation), + "evidence": {"filemode": filemode}, + "rule_name": "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive", + "tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.17"]), + } +} diff --git a/compliance/cis_k8s/rules/cis_1_1_17/test.rego b/compliance/cis_k8s/rules/cis_1_1_17/test.rego new file mode 100644 index 00000000..7231c373 --- /dev/null +++ b/compliance/cis_k8s/rules/cis_1_1_17/test.rego @@ -0,0 +1,18 @@ +package compliance.cis_k8s.rules.cis_1_1_17 + +import data.cis_k8s.test + +test_violation { + test.rule_violation(finding) with input as rule_input("0700") +} + +test_pass { + test.rule_pass(finding) with input as rule_input("0644") +} + +rule_input(filemode) = filesystem_input { + filename := "controller-manager.conf" + uid := "root" + gid := "root" + filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid) +} diff --git a/compliance/cis_k8s/rules/cis_1_1_2/rule.rego b/compliance/cis_k8s/rules/cis_1_1_2/rule.rego new file mode 100644 index 00000000..af067636 --- /dev/null +++ b/compliance/cis_k8s/rules/cis_1_1_2/rule.rego 
@@ -0,0 +1,21 @@ +package compliance.cis_k8s.rules.cis_1_1_2 + +import data.compliance.cis_k8s +import data.compliance.lib.common +import data.compliance.lib.data_adapter + +# Ensure that the API server pod specification file ownership is set to root:root +finding = result { + data_adapter.filename == "kube-apiserver.yaml" + uid = data_adapter.owner_user_id + gid = data_adapter.owner_group_id + rule_evaluation := common.file_ownership_match(uid, gid, "root", "root") + + # set result + result := { + "evaluation": common.calculate_result(rule_evaluation), + "evidence": {"uid": uid, "gid": gid}, + "rule_name": "Ensure that the API server pod specification file ownership is set to root:root", + "tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.2"]), + } +} diff --git a/compliance/cis_k8s/rules/cis_1_1_2/test.rego b/compliance/cis_k8s/rules/cis_1_1_2/test.rego new file mode 100644 index 00000000..0bea15a9 --- /dev/null +++ b/compliance/cis_k8s/rules/cis_1_1_2/test.rego @@ -0,0 +1,19 @@ +package compliance.cis_k8s.rules.cis_1_1_2 + +import data.cis_k8s.test + +test_violation { + test.rule_violation(finding) with input as rule_input("root", "user") + test.rule_violation(finding) with input as rule_input("user", "root") + test.rule_violation(finding) with input as rule_input("user", "user") +} + +test_pass { + test.rule_pass(finding) with input as rule_input("root", "root") +} + +rule_input(uid, gid) = filesystem_input { + filename := "kube-apiserver.yaml" + filemode := "0644" + filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid) +} diff --git a/compliance/cis_k8s/rules/cis_1_1_3/rule.rego b/compliance/cis_k8s/rules/cis_1_1_3/rule.rego new file mode 100644 index 00000000..8d385cae --- /dev/null +++ b/compliance/cis_k8s/rules/cis_1_1_3/rule.rego 
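Review bot: `uid = data_adapter.owner_user_id` and `gid = data_adapter.owner_group_id` in cis_1_1_2/rule.rego use unification where every other local in these rules is declared with `:=` (`filemode := data_adapter.filemode`, `rule_evaluation := ...`); with `=` the two names could silently unify against a same-named rule in the package rather than bind a fresh local. Writing `uid := data_adapter.owner_user_id` and `gid := data_adapter.owner_group_id` keeps the style consistent and the intent explicit.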
@@ -0,0 +1,20 @@ +package compliance.cis_k8s.rules.cis_1_1_3 + +import data.compliance.cis_k8s +import data.compliance.lib.common +import data.compliance.lib.data_adapter + +# Ensure that the API server pod specification file permissions are set to 644 or more restrictive +finding = result { + data_adapter.filename == "kube-controller-manager.yaml" + filemode := data_adapter.filemode + rule_evaluation := common.file_permission_match(filemode, 6, 4, 4) + + # set result + result := { + "evaluation": common.calculate_result(rule_evaluation), + "evidence": {"filemode": filemode}, + "rule_name": "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive", + "tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.3"]), + } +} diff --git a/compliance/cis_k8s/rules/cis_1_1_3/test.rego b/compliance/cis_k8s/rules/cis_1_1_3/test.rego new file mode 100644 index 00000000..806d8f44 --- /dev/null +++ b/compliance/cis_k8s/rules/cis_1_1_3/test.rego @@ -0,0 +1,18 @@ +package compliance.cis_k8s.rules.cis_1_1_3 + +import data.cis_k8s.test + +test_violation { + test.rule_violation(finding) with input as rule_input("0700") +} + +test_pass { + test.rule_pass(finding) with input as rule_input("0644") +} + +rule_input(filemode) = filesystem_input { + filename := "kube-controller-manager.yaml" + uid := "root" + gid := "root" + filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid) +} diff --git a/compliance/cis_k8s/rules/cis_1_1_5/rule.rego b/compliance/cis_k8s/rules/cis_1_1_5/rule.rego new file mode 100644 index 00000000..f697eab0 --- /dev/null +++ b/compliance/cis_k8s/rules/cis_1_1_5/rule.rego 
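Review bot: The header comment in cis_1_1_3/rule.rego reads `# Ensure that the API server pod specification file permissions are set to 644 or more restrictive`, but the rule matches `kube-controller-manager.yaml` and its `rule_name` names the controller manager; the comment was carried over unchanged from the deleted compliance/rules/cis_1_1_3/rule.rego. Change it to `# Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive` so the comment and the emitted rule_name agree.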
@@ -0,0 +1,20 @@ +package compliance.cis_k8s.rules.cis_1_1_5 + +import data.compliance.cis_k8s +import data.compliance.lib.common +import data.compliance.lib.data_adapter + +# Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated) +finding = result { + data_adapter.filename == "kube-scheduler.yaml" + filemode := data_adapter.filemode + rule_evaluation := common.file_permission_match(filemode, 6, 4, 4) + + # set result + result := { + "evaluation": common.calculate_result(rule_evaluation), + "evidence": {"filemode": filemode}, + "rule_name": "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive", + "tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.5"]), + } +} diff --git a/compliance/cis_k8s/rules/cis_1_1_5/test.rego b/compliance/cis_k8s/rules/cis_1_1_5/test.rego new file mode 100644 index 00000000..b61ede1c --- /dev/null +++ b/compliance/cis_k8s/rules/cis_1_1_5/test.rego @@ -0,0 +1,18 @@ +package compliance.cis_k8s.rules.cis_1_1_5 + +import data.cis_k8s.test + +test_violation { + test.rule_violation(finding) with input as rule_input("0700") +} + +test_pass { + test.rule_pass(finding) with input as rule_input("0644") +} + +rule_input(filemode) = filesystem_input { + filename := "kube-scheduler.yaml" + uid := "root" + gid := "root" + filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid) +} diff --git a/compliance/cis_k8s/rules/cis_1_1_7/rule.rego b/compliance/cis_k8s/rules/cis_1_1_7/rule.rego new file mode 100644 index 00000000..e8ee8449 --- /dev/null +++ b/compliance/cis_k8s/rules/cis_1_1_7/rule.rego 
@@ -0,0 +1,20 @@ +package compliance.cis_k8s.rules.cis_1_1_7 + +import data.compliance.cis_k8s +import data.compliance.lib.common +import data.compliance.lib.data_adapter + +# Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated) +finding = result { + data_adapter.filename == "etcd.yaml" + filemode := data_adapter.filemode + rule_evaluation := common.file_permission_match(filemode, 6, 4, 4) + + # set result + result := { + "evaluation": common.calculate_result(rule_evaluation), + "evidence": {"filemode": filemode}, + "rule_name": "# Ensure that the etcd pod specification file permissions are set to 644 or more restrictive", + "tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.7"]), + } +} diff --git a/compliance/cis_k8s/rules/cis_1_1_7/test.rego b/compliance/cis_k8s/rules/cis_1_1_7/test.rego new file mode 100644 index 00000000..aedcd48a --- /dev/null +++ b/compliance/cis_k8s/rules/cis_1_1_7/test.rego @@ -0,0 +1,18 @@ +package compliance.cis_k8s.rules.cis_1_1_7 + +import data.cis_k8s.test + +test_violation { + test.rule_violation(finding) with input as rule_input("0700") +} + +test_pass { + test.rule_pass(finding) with input as rule_input("0644") +} + +rule_input(filemode) = filesystem_input { + filename := "etcd.yaml" + uid := "root" + gid := "root" + filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid) +} diff --git a/compliance/cis_k8s/test.rego b/compliance/cis_k8s/test.rego new file mode 100644 index 00000000..00cfbee7 --- /dev/null +++ b/compliance/cis_k8s/test.rego @@ -0,0 +1,18 @@ +package cis_k8s.test + +rule_pass(finding) { + finding.evaluation == "passed" +} + +rule_violation(finding) { + finding.evaluation == "violation" +} + +generate_filesystem_input(filename, mode, uid, gid) = { + "type": "filesystem", + "path": "file/path", + "filename": filename, + "mode": mode, + "uid": uid, + "gid": gid, +} 
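Review bot: The `rule_name` literal in cis_1_1_7/rule.rego starts with a stray `#`: `"rule_name": "# Ensure that the etcd pod specification file permissions are set to 644 or more restrictive"`. That string is emitted in the finding, not a comment, so every CIS 1.1.7 finding will carry a leading `# ` in its name and will not line up with the other rules' names; the defect is inherited from the deleted compliance/rules/cis_1_1_7/rule.rego. Drop the prefix: `"rule_name": "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive",`.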
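Review bot: `package cis_k8s.test` in compliance/cis_k8s/test.rego is the only package in this commit outside the `compliance` namespace, so callers import it as `data.cis_k8s.test`, one token away from `data.compliance.cis_k8s`; `package compliance.cis_k8s.test` with the matching import would keep the tree uniform. `generate_filesystem_input` also fixes `"path": "file/path"`, which is harmless while no rule reads `path`, but a comment such as `# path is a placeholder: data_adapter currently exposes only filename/mode/uid/gid` would stop a reader from assuming it is validated.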
diff --git a/compliance/lib/data_adapter.rego b/compliance/lib/data_adapter.rego
index 90c722d2..bf0ce1ca 100644
--- a/compliance/lib/data_adapter.rego
+++ b/compliance/lib/data_adapter.rego
@@ -1,30 +1,25 @@
 package compliance.lib.data_adapter
-is_osquery {
- input.osquery
-}
-
-is_file {
- is_osquery
- input.osquery.filename
+is_filesystem {
+ input.type == "filesystem"
 }
 filename = file_name {
- is_file
- file_name = input.osquery.filename
+ is_filesystem
+ file_name = input.filename
 }
 filemode = file_mode {
- is_file
- file_mode = input.osquery.mode
+ is_filesystem
+ file_mode = input.mode
 }
 owner_user_id = uid {
- is_file
- uid = input.osquery.uid
+ is_filesystem
+ uid = input.uid
 }
 owner_group_id = gid {
- is_file
- gid = input.osquery.gid
+ is_filesystem
+ gid = input.gid
 }
diff --git a/compliance/lib/test.rego b/compliance/lib/test.rego
deleted file mode 100644
index 5fb73d30..00000000
--- a/compliance/lib/test.rego
+++ /dev/null
@@ -1,9 +0,0 @@
-package lib.test
-
-rule_pass(finding) {
- finding.evaluation == "passed"
-}
-
-rule_violation(finding) {
- finding.evaluation == "violation"
-}
diff --git a/compliance/rules/cis_1_1_1/rule.rego b/compliance/rules/cis_1_1_1/rule.rego
deleted file mode 100644
index d9f98ac4..00000000
--- a/compliance/rules/cis_1_1_1/rule.rego
+++ /dev/null
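Review bot: The rewritten compliance/lib/data_adapter.rego is the only contract between the scanner input and every rule, yet nothing states the expected shape: `is_filesystem` keys on `input.type == "filesystem"` and the accessors read `filename`, `mode`, `uid` and `gid`, with `mode` presumably an octal string such as "0644" judging by the tests. A header comment listing those fields, and noting that all four accessors are undefined for any other `type` so rules silently do not fire rather than report, would make that explicit. The input also carries `path` according to the new test generator, but the adapter drops it, so rules can only match on basename; consider `path = p { is_filesystem; p = input.path }` if the scanner supplies it.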
@@ -1,20 +0,0 @@ -package compliance.cis.rules.cis_1_1_1 - -import data.compliance.lib.data_adapter -import data.compliance.lib.common -import data.compliance.cis_k8s - -# Ensure that the API server pod specification file permissions are set to 644 or more restrictive -finding = result { - data_adapter.filename == "kube-apiserver.yaml" - filemode := data_adapter.filemode - rule_evaluation := common.file_permission_match(filemode, 6, 4, 4) - - # set result - result := { - "evaluation" : common.calculate_result(rule_evaluation), - "evidence" : { "filemode" : filemode }, - "rule_name" : "Ensure that the API server pod specification file permissions are set to 644 or more restrictive", - "tags" : array.concat(cis_k8s.default_tags, ["CIS 1.1.1"]) - } -} \ No newline at end of file diff --git a/compliance/rules/cis_1_1_1/test.rego b/compliance/rules/cis_1_1_1/test.rego deleted file mode 100644 index 54511b18..00000000 --- a/compliance/rules/cis_1_1_1/test.rego +++ /dev/null @@ -1,21 +0,0 @@ -package compliance.cis.rules.cis_1_1_1 - -import data.lib.test - -test_violation { - test.rule_violation(finding) with input as rule_input("0700") -} - -test_pass { - test.rule_pass(finding) with input as rule_input("0644") -} - -rule_input(filemode) = { - "osquery": { - "mode": filemode, - "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml", - "uid": "root", - "filename": "kube-apiserver.yaml", - "gid": "root" - } -} \ No newline at end of file diff --git a/compliance/rules/cis_1_1_13/rule.rego b/compliance/rules/cis_1_1_13/rule.rego deleted file mode 100644 index 355997d3..00000000 --- a/compliance/rules/cis_1_1_13/rule.rego +++ /dev/null 
@@ -1,20 +0,0 @@ -package compliance.cis.rules.cis_1_1_13 - -import data.compliance.lib.data_adapter -import data.compliance.lib.common -import data.compliance.cis_k8s - -# Ensure that the admin.conf file permissions are set to 644 or more restrictive -finding = result { - data_adapter.filename == "admin.conf" - filemode := data_adapter.filemode - rule_evaluation := common.file_permission_match(filemode, 6, 4, 4) - - # set result - result := { - "evaluation" : common.calculate_result(rule_evaluation), - "evidence" : { "filemode" : filemode }, - "rule_name" : "Ensure that the admin.conf file permissions are set to 644 or more restrictive", - "tags" : array.concat(cis_k8s.default_tags, ["CIS 1.1.13"]) - } -} \ No newline at end of file diff --git a/compliance/rules/cis_1_1_13/test.rego b/compliance/rules/cis_1_1_13/test.rego deleted file mode 100644 index 1e8c683b..00000000 --- a/compliance/rules/cis_1_1_13/test.rego +++ /dev/null @@ -1,21 +0,0 @@ -package compliance.cis.rules.cis_1_1_13 - -import data.lib.test - -test_violation { - test.rule_violation(finding) with input as rule_input("0700") -} - -test_pass { - test.rule_pass(finding) with input as rule_input("0644") -} - -rule_input(filemode) = { - "osquery": { - "mode": filemode, - "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml", - "uid": "root", - "filename": "admin.conf", - "gid": "root" - } -} \ No newline at end of file diff --git a/compliance/rules/cis_1_1_15/rule.rego b/compliance/rules/cis_1_1_15/rule.rego deleted file mode 100644 index a2afbcc3..00000000 --- a/compliance/rules/cis_1_1_15/rule.rego +++ /dev/null 
@@ -1,20 +0,0 @@ -package compliance.cis.rules.cis_1_1_15 - -import data.compliance.lib.data_adapter -import data.compliance.lib.common -import data.compliance.cis_k8s - -# Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated) -finding = result { - data_adapter.filename == "scheduler.conf" - filemode := data_adapter.filemode - rule_evaluation := common.file_permission_match(filemode, 6, 4, 4) - - # set result - result := { - "evaluation" : common.calculate_result(rule_evaluation), - "evidence" : { "filemode" : filemode }, - "rule_name" : "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive", - "tags" : array.concat(cis_k8s.default_tags, ["CIS 1.1.15"]) - } -} \ No newline at end of file diff --git a/compliance/rules/cis_1_1_15/test.rego b/compliance/rules/cis_1_1_15/test.rego deleted file mode 100644 index 73da57b9..00000000 --- a/compliance/rules/cis_1_1_15/test.rego +++ /dev/null @@ -1,21 +0,0 @@ -package compliance.cis.rules.cis_1_1_15 - -import data.lib.test - -test_violation { - test.rule_violation(finding) with input as rule_input("0700") -} - -test_pass { - test.rule_pass(finding) with input as rule_input("0644") -} - -rule_input(filemode) = { - "osquery": { - "mode": filemode, - "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml", - "uid": "root", - "filename": "scheduler.conf", - "gid": "root" - } -} \ No newline at end of file diff --git a/compliance/rules/cis_1_1_17/rule.rego b/compliance/rules/cis_1_1_17/rule.rego deleted file mode 100644 index bdd2014b..00000000 --- a/compliance/rules/cis_1_1_17/rule.rego +++ /dev/null 
@@ -1,20 +0,0 @@ -package compliance.cis.rules.cis_1_1_17 - -import data.compliance.lib.data_adapter -import data.compliance.lib.common -import data.compliance.cis_k8s - -# Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated) -finding = result { - data_adapter.filename == "controller-manager.conf" - filemode := data_adapter.filemode - rule_evaluation := common.file_permission_match(filemode, 6, 4, 4) - - # set result - result := { - "evaluation" : common.calculate_result(rule_evaluation), - "evidence" : { "filemode" : filemode }, - "rule_name" : "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive", - "tags" : array.concat(cis_k8s.default_tags, ["CIS 1.1.17"]) - } -} \ No newline at end of file diff --git a/compliance/rules/cis_1_1_17/test.rego b/compliance/rules/cis_1_1_17/test.rego deleted file mode 100644 index 0bc4fd15..00000000 --- a/compliance/rules/cis_1_1_17/test.rego +++ /dev/null @@ -1,21 +0,0 @@ -package compliance.cis.rules.cis_1_1_17 - -import data.lib.test - -test_violation { - test.rule_violation(finding) with input as rule_input("0700") -} - -test_pass { - test.rule_pass(finding) with input as rule_input("0644") -} - -rule_input(filemode) = { - "osquery": { - "mode": filemode, - "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml", - "uid": "root", - "filename": "controller-manager.conf", - "gid": "root" - } -} \ No newline at end of file diff --git a/compliance/rules/cis_1_1_2/rule.rego b/compliance/rules/cis_1_1_2/rule.rego deleted file mode 100644 index 692fe1d0..00000000 --- a/compliance/rules/cis_1_1_2/rule.rego +++ /dev/null 
@@ -1,22 +0,0 @@ -package compliance.cis.rules.cis_1_1_2 - -import data.compliance.lib.data_adapter -import data.compliance.lib.common -import data.compliance.cis_k8s - - -# Ensure that the API server pod specification file ownership is set to root:root -finding = result { - data_adapter.filename == "kube-apiserver.yaml" - uid = data_adapter.owner_user_id - gid = data_adapter.owner_group_id - rule_evaluation := common.file_ownership_match(uid, gid, "root", "root") - - # set result - result := { - "evaluation" : common.calculate_result(rule_evaluation), - "evidence" : {"uid" : uid, "gid" : gid}, - "rule_name" : "Ensure that the API server pod specification file ownership is set to root:root", - "tags" : array.concat(cis_k8s.default_tags, ["CIS 1.1.2"]) - } -} \ No newline at end of file diff --git a/compliance/rules/cis_1_1_2/test.rego b/compliance/rules/cis_1_1_2/test.rego deleted file mode 100644 index 08cc835a..00000000 --- a/compliance/rules/cis_1_1_2/test.rego +++ /dev/null @@ -1,23 +0,0 @@ -package compliance.cis.rules.cis_1_1_2 - -import data.lib.test - -test_violation { - test.rule_violation(finding) with input as rule_input("root", "user") - test.rule_violation(finding) with input as rule_input("user", "root") - test.rule_violation(finding) with input as rule_input("user", "user") -} - -test_pass { - test.rule_pass(finding) with input as rule_input("root", "root") -} - -rule_input(uid, gid) = { - "osquery": { - "mode": "0644", - "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml", - "uid": uid, - "filename": "kube-apiserver.yaml", - "gid": gid - } -} \ No newline at end of file diff --git a/compliance/rules/cis_1_1_3/rule.rego b/compliance/rules/cis_1_1_3/rule.rego deleted file mode 100644 index bcd0ffba..00000000 --- a/compliance/rules/cis_1_1_3/rule.rego +++ /dev/null 
@@ -1,20 +0,0 @@ -package compliance.cis.rules.cis_1_1_3 - -import data.compliance.lib.data_adapter -import data.compliance.lib.common -import data.compliance.cis_k8s - -# Ensure that the API server pod specification file permissions are set to 644 or more restrictive -finding = result { - data_adapter.filename == "kube-controller-manager.yaml" - filemode := data_adapter.filemode - rule_evaluation := common.file_permission_match(filemode, 6, 4, 4) - - # set result - result := { - "evaluation" : common.calculate_result(rule_evaluation), - "evidence" : { "filemode" : filemode }, - "rule_name" : "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive", - "tags" : array.concat(cis_k8s.default_tags, ["CIS 1.1.3"]) - } -} \ No newline at end of file diff --git a/compliance/rules/cis_1_1_3/test.rego b/compliance/rules/cis_1_1_3/test.rego deleted file mode 100644 index bbb1e769..00000000 --- a/compliance/rules/cis_1_1_3/test.rego +++ /dev/null @@ -1,21 +0,0 @@ -package compliance.cis.rules.cis_1_1_3 - -import data.lib.test - -test_violation { - test.rule_violation(finding) with input as rule_input("0700") -} - -test_pass { - test.rule_pass(finding) with input as rule_input("0644") -} - -rule_input(filemode) = { - "osquery": { - "mode": filemode, - "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml", - "uid": "root", - "filename": "kube-controller-manager.yaml", - "gid": "root" - } -} \ No newline at end of file diff --git a/compliance/rules/cis_1_1_5/rule.rego b/compliance/rules/cis_1_1_5/rule.rego deleted file mode 100644 index 9375e436..00000000 --- a/compliance/rules/cis_1_1_5/rule.rego +++ /dev/null 
@@ -1,20 +0,0 @@ -package compliance.cis.rules.cis_1_1_5 - -import data.compliance.lib.data_adapter -import data.compliance.lib.common -import data.compliance.cis_k8s - -# Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated) -finding = result { - data_adapter.filename == "kube-scheduler.yaml" - filemode := data_adapter.filemode - rule_evaluation := common.file_permission_match(filemode, 6, 4, 4) - - # set result - result := { - "evaluation" : common.calculate_result(rule_evaluation), - "evidence" : { "filemode" : filemode }, - "rule_name" : "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive", - "tags" : array.concat(cis_k8s.default_tags, ["CIS 1.1.5"]) - } -} \ No newline at end of file diff --git a/compliance/rules/cis_1_1_5/test.rego b/compliance/rules/cis_1_1_5/test.rego deleted file mode 100644 index cbd73058..00000000 --- a/compliance/rules/cis_1_1_5/test.rego +++ /dev/null @@ -1,21 +0,0 @@ -package compliance.cis.rules.cis_1_1_5 - -import data.lib.test - -test_violation { - test.rule_violation(finding) with input as rule_input("0700") -} - -test_pass { - test.rule_pass(finding) with input as rule_input("0644") -} - -rule_input(filemode) = { - "osquery": { - "mode": filemode, - "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml", - "uid": "root", - "filename": "kube-scheduler.yaml", - "gid": "root" - } -} \ No newline at end of file diff --git a/compliance/rules/cis_1_1_7/rule.rego b/compliance/rules/cis_1_1_7/rule.rego deleted file mode 100644 index 2b5cd00e..00000000 --- a/compliance/rules/cis_1_1_7/rule.rego +++ /dev/null 
@@ -1,20 +0,0 @@ -package compliance.cis.rules.cis_1_1_7 - -import data.compliance.lib.data_adapter -import data.compliance.lib.common -import data.compliance.cis_k8s - -# Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated) -finding = result { - data_adapter.filename == "etcd.yaml" - filemode := data_adapter.filemode - rule_evaluation := common.file_permission_match(filemode, 6, 4, 4) - - # set result - result := { - "evaluation" : common.calculate_result(rule_evaluation), - "evidence" : { "filemode" : filemode }, - "rule_name" : "# Ensure that the etcd pod specification file permissions are set to 644 or more restrictive", - "tags" : array.concat(cis_k8s.default_tags, ["CIS 1.1.7"]) - } -} \ No newline at end of file diff --git a/compliance/rules/cis_1_1_7/test.rego b/compliance/rules/cis_1_1_7/test.rego deleted file mode 100644 index fdad0d78..00000000 --- a/compliance/rules/cis_1_1_7/test.rego +++ /dev/null @@ -1,21 +0,0 @@ -package compliance.cis.rules.cis_1_1_7 - -import data.lib.test - -test_violation { - test.rule_violation(finding) with input as rule_input("0700") -} - -test_pass { - test.rule_pass(finding) with input as rule_input("0644") -} - -rule_input(filemode) = { - "osquery": { - "mode": filemode, - "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml", - "uid": "root", - "filename": "etcd.yaml", - "gid": "root" - } -} \ No newline at end of file From 40f3602dd5f58c3dbe4ed836028cce5c30709923 Mon Sep 17 00:00:00 2001 
From: orenzohar Date: Mon, 15 Nov 2021 15:43:09 +0200 Subject: [PATCH 2/9] Readme Split common test function from k8s test data function file --- compliance/cis_k8s/rules/cis_1_1_1/test.rego | 5 +++-- compliance/cis_k8s/rules/cis_1_1_13/test.rego | 5 +++-- compliance/cis_k8s/rules/cis_1_1_15/test.rego | 5 +++-- compliance/cis_k8s/rules/cis_1_1_17/test.rego | 5 +++-- compliance/cis_k8s/rules/cis_1_1_2/test.rego | 5 +++-- compliance/cis_k8s/rules/cis_1_1_3/test.rego | 5 +++-- compliance/cis_k8s/rules/cis_1_1_5/test.rego | 5 +++-- compliance/cis_k8s/rules/cis_1_1_7/test.rego | 5 +++-- compliance/cis_k8s/test.rego | 18 ------------------ compliance/cis_k8s/test_data.rego | 11 +++++++++++ compliance/lib/test.rego | 9 +++++++++ 11 files changed, 44 insertions(+), 34 deletions(-) delete mode 100644 compliance/cis_k8s/test.rego create mode 100644 compliance/cis_k8s/test_data.rego create mode 100644 compliance/lib/test.rego diff --git a/compliance/cis_k8s/rules/cis_1_1_1/test.rego b/compliance/cis_k8s/rules/cis_1_1_1/test.rego index 82d0c0ed..6d301df8 100644 --- a/compliance/cis_k8s/rules/cis_1_1_1/test.rego +++ b/compliance/cis_k8s/rules/cis_1_1_1/test.rego @@ -1,6 +1,7 @@ package compliance.cis_k8s.rules.cis_1_1_1 -import data.cis_k8s.test +import data.cis_k8s.test_data +import data.lib.test test_violation { test.rule_violation(finding) with input as rule_input("0700") @@ -14,5 +15,5 @@ rule_input(filemode) = filesystem_input { filename := "kube-apiserver.yaml" uid := "root" gid := "root" - filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid) + filesystem_input = test_data.filesystem_input(filename, filemode, uid, gid) } diff --git a/compliance/cis_k8s/rules/cis_1_1_13/test.rego b/compliance/cis_k8s/rules/cis_1_1_13/test.rego index 7359a307..6bdb4556 100644 --- a/compliance/cis_k8s/rules/cis_1_1_13/test.rego +++ b/compliance/cis_k8s/rules/cis_1_1_13/test.rego 
@@ -1,6 +1,7 @@ package compliance.cis_k8s.rules.cis_1_1_13 -import data.cis_k8s.test +import data.cis_k8s.test_data +import data.lib.test test_violation { test.rule_violation(finding) with input as rule_input("0700") @@ -14,5 +15,5 @@ rule_input(filemode) = filesystem_input { filename := "admin.conf" uid := "root" gid := "root" - filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid) + filesystem_input = test_data.filesystem_input(filename, filemode, uid, gid) } diff --git a/compliance/cis_k8s/rules/cis_1_1_15/test.rego b/compliance/cis_k8s/rules/cis_1_1_15/test.rego index 827e1348..a6192229 100644 --- a/compliance/cis_k8s/rules/cis_1_1_15/test.rego +++ b/compliance/cis_k8s/rules/cis_1_1_15/test.rego @@ -1,6 +1,7 @@ package compliance.cis_k8s.rules.cis_1_1_15 -import data.cis_k8s.test +import data.cis_k8s.test_data +import data.lib.test test_violation { test.rule_violation(finding) with input as rule_input("0700") @@ -14,5 +15,5 @@ rule_input(filemode) = filesystem_input { filename := "scheduler.conf" uid := "root" gid := "root" - filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid) + filesystem_input = test_data.filesystem_input(filename, filemode, uid, gid) } diff --git a/compliance/cis_k8s/rules/cis_1_1_17/test.rego b/compliance/cis_k8s/rules/cis_1_1_17/test.rego index 7231c373..3d2c582e 100644 --- a/compliance/cis_k8s/rules/cis_1_1_17/test.rego +++ b/compliance/cis_k8s/rules/cis_1_1_17/test.rego @@ -1,6 +1,7 @@ package compliance.cis_k8s.rules.cis_1_1_17 -import data.cis_k8s.test +import data.cis_k8s.test_data +import data.lib.test test_violation { test.rule_violation(finding) with input as rule_input("0700") @@ -14,5 +15,5 @@ rule_input(filemode) = filesystem_input { filename := "controller-manager.conf" uid := "root" gid := "root" - filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid) + filesystem_input = test_data.filesystem_input(filename, filemode, uid, gid) } 
diff --git a/compliance/cis_k8s/rules/cis_1_1_2/test.rego b/compliance/cis_k8s/rules/cis_1_1_2/test.rego index 0bea15a9..d2d5704f 100644 --- a/compliance/cis_k8s/rules/cis_1_1_2/test.rego +++ b/compliance/cis_k8s/rules/cis_1_1_2/test.rego @@ -1,6 +1,7 @@ package compliance.cis_k8s.rules.cis_1_1_2 -import data.cis_k8s.test +import data.cis_k8s.test_data +import data.lib.test test_violation { test.rule_violation(finding) with input as rule_input("root", "user") @@ -15,5 +16,5 @@ test_pass { rule_input(uid, gid) = filesystem_input { filename := "kube-apiserver.yaml" filemode := "0644" - filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid) + filesystem_input = test_data.filesystem_input(filename, filemode, uid, gid) } diff --git a/compliance/cis_k8s/rules/cis_1_1_3/test.rego b/compliance/cis_k8s/rules/cis_1_1_3/test.rego index 806d8f44..cb7ba667 100644 --- a/compliance/cis_k8s/rules/cis_1_1_3/test.rego +++ b/compliance/cis_k8s/rules/cis_1_1_3/test.rego @@ -1,6 +1,7 @@ package compliance.cis_k8s.rules.cis_1_1_3 -import data.cis_k8s.test +import data.cis_k8s.test_data +import data.lib.test test_violation { test.rule_violation(finding) with input as rule_input("0700") @@ -14,5 +15,5 @@ rule_input(filemode) = filesystem_input { filename := "kube-controller-manager.yaml" uid := "root" gid := "root" - filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid) + filesystem_input = test_data.filesystem_input(filename, filemode, uid, gid) } diff --git a/compliance/cis_k8s/rules/cis_1_1_5/test.rego b/compliance/cis_k8s/rules/cis_1_1_5/test.rego index b61ede1c..57d6c5f6 100644 --- a/compliance/cis_k8s/rules/cis_1_1_5/test.rego +++ b/compliance/cis_k8s/rules/cis_1_1_5/test.rego @@ -1,6 +1,7 @@ package compliance.cis_k8s.rules.cis_1_1_5 -import data.cis_k8s.test +import data.cis_k8s.test_data +import data.lib.test test_violation { test.rule_violation(finding) with input as rule_input("0700") 
@@ -14,5 +15,5 @@ rule_input(filemode) = filesystem_input { filename := "kube-scheduler.yaml" uid := "root" gid := "root" - filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid) + filesystem_input = test_data.filesystem_input(filename, filemode, uid, gid) } diff --git a/compliance/cis_k8s/rules/cis_1_1_7/test.rego b/compliance/cis_k8s/rules/cis_1_1_7/test.rego index aedcd48a..bbc904e4 100644 --- a/compliance/cis_k8s/rules/cis_1_1_7/test.rego +++ b/compliance/cis_k8s/rules/cis_1_1_7/test.rego @@ -1,6 +1,7 @@ package compliance.cis_k8s.rules.cis_1_1_7 -import data.cis_k8s.test +import data.cis_k8s.test_data +import data.lib.test test_violation { test.rule_violation(finding) with input as rule_input("0700") @@ -14,5 +15,5 @@ rule_input(filemode) = filesystem_input { filename := "etcd.yaml" uid := "root" gid := "root" - filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid) + filesystem_input = test_data.filesystem_input(filename, filemode, uid, gid) } diff --git a/compliance/cis_k8s/test.rego b/compliance/cis_k8s/test.rego deleted file mode 100644 index 00cfbee7..00000000 --- a/compliance/cis_k8s/test.rego +++ /dev/null @@ -1,18 +0,0 @@ -package cis_k8s.test - -rule_pass(finding) { - finding.evaluation == "passed" -} - -rule_violation(finding) { - finding.evaluation == "violation" -} - -generate_filesystem_input(filename, mode, uid, gid) = { - "type": "filesystem", - "path": "file/path", - "filename": filename, - "mode": mode, - "uid": uid, - "gid": gid, -} diff --git a/compliance/cis_k8s/test_data.rego b/compliance/cis_k8s/test_data.rego new file mode 100644 index 00000000..10557206 --- /dev/null +++ b/compliance/cis_k8s/test_data.rego @@ -0,0 +1,11 @@ +package cis_k8s.test_data + +# test data generater +filesystem_input(filename, mode, uid, gid) = { + "type": "filesystem", + "path": "file/path", + "filename": filename, + "mode": mode, + "uid": uid, + "gid": gid, +} 
diff --git a/compliance/lib/test.rego b/compliance/lib/test.rego new file mode 100644 index 00000000..b90c7916 --- /dev/null +++ b/compliance/lib/test.rego @@ -0,0 +1,9 @@ +package lib.test + +rule_pass(finding) { + finding.evaluation == "passed" +} + +rule_violation(finding) { + finding.evaluation == "violation" +} From 453782a287ec1f8d177179e536ea02568b2abed6 Mon Sep 17 00:00:00 2001 From: orenzohar Date: Mon, 15 Nov 2021 15:43:57 +0200 Subject: [PATCH 3/9] Readme --- README.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 70026d9f..49c1ef42 100644 --- a/README.md +++ b/README.md @@ -5,12 +5,13 @@ │ │ ├── common.rego # Common functions │ │ ├── data_adapter.rego # Input data adapter │ │ └── test.rego # Common Test functions - │ ├── rules/cis - │ │ ├── cis_1_1_1 # rule package + │ ├── cis_k8s/rules + │ | ├── cis_k8s.rego # Handles all Kubernetes CIS rules evalutations + │ | ├── test_data.rego # CIS Test data functions + │ │ ├── cis_1_1_1 # CIS 1.1.1 rule package │ │ │ ├── rule.rego │ │ │ └── test.rego │ │ └── ... - │ └── cis_k8s.rego # Handles all Kubernetes CIS rules evalutations └── main.rego # Evaluate all policies and returns the findings ## Local Evaluation @@ -30,7 +31,7 @@ should contain an beat/agent output, e.g. OSQuery ```json { - "type": "file", + "type": "filesystem", "mode": "0700", "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml", "uid": "etc", From d4aa802f9aed538593e5394139b60350bfc7ac51 Mon Sep 17 00:00:00 2001 From: orenzohar Date: Tue, 16 Nov 2021 10:54:37 +0200 Subject: [PATCH 4/9] API Server First rule --- compliance/cis_k8s/rules/cis_1_2_2/rule.rego | 19 +++++++++++++++++++ compliance/cis_k8s/rules/cis_1_2_2/test.rego | 20 ++++++++++++++++++++ compliance/lib/data_adapter.rego | 9 +++++++++ 3 files changed, 48 insertions(+) create mode 100644 compliance/cis_k8s/rules/cis_1_2_2/rule.rego create mode 100644 compliance/cis_k8s/rules/cis_1_2_2/test.rego 
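Review bot: The new `compliance/lib/test.rego` declares `package lib.test` while its siblings in the same directory (`common.rego`, `data_adapter.rego`) live under `compliance.lib.*`, so rule tests import it as `data.lib.test` next to `data.compliance.lib.common` — two package roots for one directory. Aligning it with the path, `package compliance.lib.test`, keeps imports predictable; the same mismatch exists for `cis_k8s/test_data.rego` (`package cis_k8s.test_data`). The helpers also deserve a one-line header since every rule test depends on them: `# Test helpers: a finding is expected to carry "evaluation" of "passed" or "violation"; an undefined finding fails both.`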
diff --git a/compliance/cis_k8s/rules/cis_1_2_2/rule.rego b/compliance/cis_k8s/rules/cis_1_2_2/rule.rego new file mode 100644 index 00000000..0d167bf5 --- /dev/null +++ b/compliance/cis_k8s/rules/cis_1_2_2/rule.rego @@ -0,0 +1,19 @@ +package compliance.cis_k8s.rules.cis_1_2_2 + +import data.compliance.cis_k8s +import data.compliance.lib.common +import data.compliance.lib.data_adapter + +# Ensure that the --basic-auth-file argument is not set (Automated) +finding = result { + command_args := data_adapter.command_args + rule_evaluation := contains(command_args, "-basic-auth-file") + + # set result + result := { + "evaluation": common.calculate_result(rule_evaluation), + "evidence": {"command_args": command_args}, + "rule_name": "Ensure that the --basic-auth-file argument is not set", + "tags": array.concat(cis_k8s.default_tags, ["CIS 1.2.2"]), + } +} diff --git a/compliance/cis_k8s/rules/cis_1_2_2/test.rego b/compliance/cis_k8s/rules/cis_1_2_2/test.rego new file mode 100644 index 00000000..fe85a621 --- /dev/null +++ b/compliance/cis_k8s/rules/cis_1_2_2/test.rego @@ -0,0 +1,20 @@ +package compliance.cis_k8s.rules.cis_1_2_2 + +import data.cis_k8s.test_data +import data.lib.test + +# +#test_violation { +# test.rule_violation(finding) with input as rule_input("0700") +#} +# +#test_pass { +# test.rule_pass(finding) with input as rule_input("0644") +#} +# +#rule_input(filemode) = filesystem_input { +# filename := "kube-apiserver.yaml" +# uid := "root" +# gid := "root" +# filesystem_input = test_data.filesystem_input(filename, filemode, uid, gid) +#} diff --git a/compliance/lib/data_adapter.rego b/compliance/lib/data_adapter.rego index bf0ce1ca..57be9cbc 100644 --- a/compliance/lib/data_adapter.rego +++ b/compliance/lib/data_adapter.rego @@ -23,3 +23,12 @@ owner_group_id = gid { is_filesystem gid = input.gid } + +is_process { + input.type == "process" +} + +command_args = args { + is_process + args = input.command +} 
From 94fb6975b59945c8f726b6de77551639d3f106f7 Mon Sep 17 00:00:00 2001 From: orenzohar Date: Tue, 16 Nov 2021 16:44:04 +0200 Subject: [PATCH 5/9] First automated rule under API server (1.2.2) --- compliance/cis_k8s/rules/cis_1_2_2/rule.rego | 10 +++++--- compliance/cis_k8s/rules/cis_1_2_2/test.rego | 24 ++++++++------------ compliance/cis_k8s/test_data.rego | 7 ++++++ compliance/lib/common.rego | 24 +++++++++++++------- compliance/lib/data_adapter.rego | 2 +- main.rego | 2 +- 6 files changed, 41 insertions(+), 28 deletions(-) diff --git a/compliance/cis_k8s/rules/cis_1_2_2/rule.rego b/compliance/cis_k8s/rules/cis_1_2_2/rule.rego index 0d167bf5..e63cde4a 100644 --- a/compliance/cis_k8s/rules/cis_1_2_2/rule.rego +++ b/compliance/cis_k8s/rules/cis_1_2_2/rule.rego @@ -7,13 +7,17 @@ import data.compliance.lib.data_adapter # Ensure that the --basic-auth-file argument is not set (Automated) finding = result { command_args := data_adapter.command_args - rule_evaluation := contains(command_args, "-basic-auth-file") + rule_evaluation := contains(command_args, "--basic-auth-file") == false # set result result := { "evaluation": common.calculate_result(rule_evaluation), "evidence": {"command_args": command_args}, - "rule_name": "Ensure that the --basic-auth-file argument is not set", - "tags": array.concat(cis_k8s.default_tags, ["CIS 1.2.2"]), + "tags": array.concat(cis_k8s.default_tags, metadata.tags), } } + +metadata = { + "rule_name": "Ensure that the --basic-auth-file argument is not set", + "tags": ["CIS 1.2.2", "API Server"], +} diff --git a/compliance/cis_k8s/rules/cis_1_2_2/test.rego b/compliance/cis_k8s/rules/cis_1_2_2/test.rego index fe85a621..02763fdc 100644 --- a/compliance/cis_k8s/rules/cis_1_2_2/test.rego +++ b/compliance/cis_k8s/rules/cis_1_2_2/test.rego 
@@ -3,18 +3,12 @@ package compliance.cis_k8s.rules.cis_1_2_2 import data.cis_k8s.test_data import data.lib.test -# -#test_violation { -# test.rule_violation(finding) with input as rule_input("0700") -#} -# -#test_pass { -# test.rule_pass(finding) with input as rule_input("0644") -#} -# -#rule_input(filemode) = filesystem_input { -# filename := "kube-apiserver.yaml" -# uid := "root" -# gid := "root" -# filesystem_input = test_data.filesystem_input(filename, filemode, uid, gid) -#} +test_violation { + test.rule_violation(finding) with input as rule_input("--basic-auth-file") +} + +test_pass { + test.rule_pass(finding) with input as rule_input("") +} + +rule_input(argument) = test_data.api_server_input([argument]) diff --git a/compliance/cis_k8s/test_data.rego b/compliance/cis_k8s/test_data.rego index 10557206..43b63bd1 100644 --- a/compliance/cis_k8s/test_data.rego +++ b/compliance/cis_k8s/test_data.rego @@ -1,6 +1,7 @@ package cis_k8s.test_data # test data generater + filesystem_input(filename, mode, uid, gid) = { "type": "filesystem", "path": "file/path", @@ -9,3 +10,9 @@ filesystem_input(filename, mode, uid, gid) = { "uid": uid, "gid": gid, } + +# Recivies an array of arguments representing the API Server command +api_server_input(arguments) = { + "type": "api_server", + "command": concat(" ", array.concat(["kube-apiserver --allow-privileged=true"], arguments)), +} diff --git a/compliance/lib/common.rego b/compliance/lib/common.rego index bd6d9a17..1bed224f 100644 --- a/compliance/lib/common.rego +++ b/compliance/lib/common.rego 
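Review bot: The violation test only covers the bare `--basic-auth-file` token, whereas a real API server carries it as `--basic-auth-file=/path/to/users.csv`, and nothing pins that a neighbouring authentication flag is not reported — which matters because the rule detects the flag with substring `contains`. Add `test_violation_with_value { test.rule_violation(finding) with input as rule_input("--basic-auth-file=/etc/kubernetes/users.csv") }` and `test_pass_other_auth_flag { test.rule_pass(finding) with input as rule_input("--token-auth-file=/etc/kubernetes/tokens.csv") }`. `rule_input("")` in `test_pass` also appends an empty argument to the fixture command; calling `test_data.api_server_input([])` directly keeps the "no flag" fixture honest.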
@@ -1,17 +1,25 @@ package compliance.lib.common # set the rule result +default evaluation = "violation" + calculate_result(evaluation) = "passed" { - evaluation -} else = "violation" + evaluation == true +} else = "violation" { + evaluation == false +} file_ownership_match(uid, gid, requierd_uid, requierd_gid) { - uid == requierd_uid - gid == requierd_gid -} else = false + uid == requierd_uid + gid == requierd_gid +} else = false { + true +} # todo: compare performance of regex alternatives file_permission_match(filemode, user, group, other) { - pattern = sprintf("0?[0-%d][0-%d][0-%d]", [user, group, other]) - regex.match(pattern, filemode) -} else = false \ No newline at end of file + pattern = sprintf("0?[0-%d][0-%d][0-%d]", [user, group, other]) + regex.match(pattern, filemode) +} else = false { + true +} diff --git a/compliance/lib/data_adapter.rego b/compliance/lib/data_adapter.rego index 57be9cbc..abdb5829 100644 --- a/compliance/lib/data_adapter.rego +++ b/compliance/lib/data_adapter.rego @@ -25,7 +25,7 @@ owner_group_id = gid { } is_process { - input.type == "process" + input.type == "api_server" } command_args = args { diff --git a/main.rego b/main.rego index f446add0..c3f97bb7 100644 --- a/main.rego +++ b/main.rego @@ -7,5 +7,5 @@ import data.compliance.cis_k8s # output is findings resource = input -findings = cis_k8s.findings +findings = cis_k8s.findings From bcc7a464096c95011e7e29830227f23bad2e979c Mon Sep 17 00:00:00 2001 From: orenzohar Date: Wed, 17 Nov 2021 11:11:16 +0200 Subject: [PATCH 6/9] More meta! --- compliance/cis_k8s/rules/cis_1_2_2/rule.rego | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/compliance/cis_k8s/rules/cis_1_2_2/rule.rego b/compliance/cis_k8s/rules/cis_1_2_2/rule.rego index e63cde4a..97f1262b 100644 --- a/compliance/cis_k8s/rules/cis_1_2_2/rule.rego +++ b/compliance/cis_k8s/rules/cis_1_2_2/rule.rego 
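Review bot: `file_permission_match` still builds an unanchored pattern (`0?[0-%d][0-%d][0-%d]`) and `regex.match` searches anywhere in the string, so a mode that carries a setuid/setgid/sticky digit, e.g. `"2644"` against (6, 4, 4), matches on the trailing `644` and is reported as compliant although the file is not "644 or more restrictive"; anchor it with `pattern = sprintf("^0?[0-%d][0-%d][0-%d]$", [user, group, other])`. Separately, the added module-level `default evaluation = "violation"` is never read — the `evaluation` inside `calculate_result` is the function parameter, which shadows it — and `calculate_result` is undefined for any input that is neither `true` nor `false`, which silently drops the whole finding rather than failing closed. Either remove the dangling default or give the function a catch-all branch, `else = "violation" { true }`, so a malformed evaluation still surfaces as a violation.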
@@ -14,10 +14,15 @@ finding = result { "evaluation": common.calculate_result(rule_evaluation), "evidence": {"command_args": command_args}, "tags": array.concat(cis_k8s.default_tags, metadata.tags), + "remediation": "Follow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube- apiserver.yaml on the master node and remove the --basic-auth-file= parameter.", } } metadata = { - "rule_name": "Ensure that the --basic-auth-file argument is not set", + "name": "Ensure that the --basic-auth-file argument is not set", + "description": "Basic authentication uses plaintext credentials for authentication. Currently, the basic authentication credentials last indefinitely, and the password cannot be changed without restarting the API server. The basic authentication is currently supported for convenience. Hence, basic authentication should not be used.", + "impact": "You will have to configure and use alternate authentication mechanisms such as tokens and certificates. Username and password for basic authentication could no longer be used.", + "version": "Version 7", "tags": ["CIS 1.2.2", "API Server"], + "benchmark": "CIS Kubernetes", } From a85e7ca1cfd8442a936c33c87630cc2695304c6e Mon Sep 17 00:00:00 2001 From: orenzohar Date: Thu, 18 Nov 2021 16:14:05 +0200 Subject: [PATCH 7/9] Merge branch 'main' into folder-rules-impl --- compliance/cis_k8s/rules/cis_1_2_2/test.rego | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/compliance/cis_k8s/rules/cis_1_2_2/test.rego b/compliance/cis_k8s/rules/cis_1_2_2/test.rego index c330b28b..60568bec 100644 --- a/compliance/cis_k8s/rules/cis_1_2_2/test.rego +++ b/compliance/cis_k8s/rules/cis_1_2_2/test.rego 
@@ -4,7 +4,7 @@ import data.cis_k8s.test_data import data.lib.test test_violation { - test.assert_violation(finding) with input as rule_input("api_server", "--basic-auth-file") + test.assert_fail(finding) with input as rule_input("api_server", "--basic-auth-file") } test_pass { From 46048a9bce3b80f042c9671eb598815a07cca3cb Mon Sep 17 00:00:00 2001 From: orenzohar Date: Thu, 18 Nov 2021 16:39:39 +0200 Subject: [PATCH 8/9] main changes --- compliance/cis_k8s/rules/cis_1_2_2/rule.rego | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/compliance/cis_k8s/rules/cis_1_2_2/rule.rego b/compliance/cis_k8s/rules/cis_1_2_2/rule.rego index 97f1262b..9a13765a 100644 --- a/compliance/cis_k8s/rules/cis_1_2_2/rule.rego +++ b/compliance/cis_k8s/rules/cis_1_2_2/rule.rego @@ -13,8 +13,6 @@ finding = result { result := { "evaluation": common.calculate_result(rule_evaluation), "evidence": {"command_args": command_args}, - "tags": array.concat(cis_k8s.default_tags, metadata.tags), - "remediation": "Follow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube- apiserver.yaml on the master node and remove the --basic-auth-file= parameter.", } } 
@@ -22,7 +20,7 @@ metadata = { "name": "Ensure that the --basic-auth-file argument is not set", "description": "Basic authentication uses plaintext credentials for authentication. Currently, the basic authentication credentials last indefinitely, and the password cannot be changed without restarting the API server. The basic authentication is currently supported for convenience. Hence, basic authentication should not be used.", "impact": "You will have to configure and use alternate authentication mechanisms such as tokens and certificates. Username and password for basic authentication could no longer be used.", - "version": "Version 7", - "tags": ["CIS 1.2.2", "API Server"], + "tags": array.concat(cis_k8s.default_tags, ["CIS 1.2.2", "API Server"]), "benchmark": "CIS Kubernetes", + "remediation": "Follow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube- apiserver.yaml on the master node and remove the --basic-auth-file= parameter.", } From 5e879b977a4e774329f796fe319ffe8ca13daa8c Mon Sep 17 00:00:00 2001 From: orenzohar Date: Mon, 22 Nov 2021 18:15:38 +0200 Subject: [PATCH 9/9] cr changes --- compliance/cis_k8s/rules/cis_1_2_2/rule.rego | 6 ++-- compliance/cis_k8s/test_data.rego | 2 +- compliance/lib/common.rego | 30 ++++++++++++++++++++ compliance/lib/data_adapter.rego | 3 +- 4 files changed, 36 insertions(+), 5 deletions(-) diff --git a/compliance/cis_k8s/rules/cis_1_2_2/rule.rego b/compliance/cis_k8s/rules/cis_1_2_2/rule.rego index 9a13765a..cd464bac 100644 --- a/compliance/cis_k8s/rules/cis_1_2_2/rule.rego +++ b/compliance/cis_k8s/rules/cis_1_2_2/rule.rego 
@@ -7,7 +7,7 @@ import data.compliance.lib.data_adapter # Ensure that the --basic-auth-file argument is not set (Automated) finding = result { command_args := data_adapter.command_args - rule_evaluation := contains(command_args, "--basic-auth-file") == false + rule_evaluation := common.array_contains(command_args, "--basic-auth-file") == false # set result result := { @@ -21,6 +21,6 @@ metadata = { "description": "Basic authentication uses plaintext credentials for authentication. Currently, the basic authentication credentials last indefinitely, and the password cannot be changed without restarting the API server. The basic authentication is currently supported for convenience. Hence, basic authentication should not be used.", "impact": "You will have to configure and use alternate authentication mechanisms such as tokens and certificates. Username and password for basic authentication could no longer be used.", "tags": array.concat(cis_k8s.default_tags, ["CIS 1.2.2", "API Server"]), - "benchmark": "CIS Kubernetes", - "remediation": "Follow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube- apiserver.yaml on the master node and remove the --basic-auth-file= parameter.", + "benchmark": cis_k8s.benchmark_name, + "remediation": "Follow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the --basic-auth-file= parameter.", } diff --git a/compliance/cis_k8s/test_data.rego b/compliance/cis_k8s/test_data.rego index 2672772c..a49190f2 100644 --- a/compliance/cis_k8s/test_data.rego +++ b/compliance/cis_k8s/test_data.rego 
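Review bot: `--basic-auth-file` was removed from kube-apiserver in Kubernetes 1.19 (deprecated since 1.16), so on any current cluster this rule can only pass and yields no signal, and I believe later CIS Kubernetes Benchmark revisions reassign the `1.2.2` number to the `--token-auth-file` check. If the collector reports the server version, scope the rule to releases where the flag exists; at minimum record the applicability next to the rule, e.g. `# Applies to kube-apiserver < 1.19; the flag no longer exists in newer releases, where this check is vacuous.`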
@@ -13,5 +13,5 @@ filesystem_input(filename, mode, uid, gid) = { # Recivies an array of arguments representing the API Server command api_server_input(process_type, arguments) = { "type": process_type, - "command": concat(" ", array.concat(["kube-apiserver --allow-privileged=true"], arguments)), + "command": concat(" ", array.concat(["kube-apiserver"], arguments)), } diff --git a/compliance/lib/common.rego b/compliance/lib/common.rego index 92c4d48b..81ef71d1 100644 --- a/compliance/lib/common.rego +++ b/compliance/lib/common.rego @@ -21,3 +21,33 @@ file_permission_match(filemode, user, group, other) { } else = false { true } + +array_contains(array, key) { + contains(array[_], key) +} else = false { + true +} + +# gets argument's value +get_arg_value(arguments, key) = value { + contains(arguments[i], key) + argument := arguments[i] + [_, value] := split(argument, "=") +} + +# checks if argument contains value (argument format is csv) +arg_values_contains(arguments, key, value) { + argument := get_arg_value(arguments, key) + values := split(argument, ",") + value = values[_] +} else = false { + true +} + +# checks if a argument is set to greater value then minimum +arg_at_least(arguments, key, minimum) { + value := get_arg_value(arguments, key) + to_number(value) >= minimum +} else = false { + true +} diff --git a/compliance/lib/data_adapter.rego b/compliance/lib/data_adapter.rego index 80cdc6ef..417384b7 100644 --- a/compliance/lib/data_adapter.rego +++ b/compliance/lib/data_adapter.rego @@ -33,7 +33,8 @@ is_process { input.type == "api_server" } +# split the process args string into an array command_args = args { is_process - args = input.command + args = split(input.command, " ") }
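Review bot: `array_contains` and `get_arg_value` match the flag by substring (`contains(arguments[i], key)`), so `--basic-auth-file` is also found when that text occurs inside another token's value, and any future check on a flag that is a prefix of another flag reads the wrong argument. `get_arg_value` additionally destructures `[_, value] := split(argument, "=")`, which is undefined when the value itself contains `=` (e.g. `--feature-gates=A=true,B=false`), and when the same flag is repeated the function produces two values and OPA raises a conflict instead of a finding; pflag's separate-token form `--flag value` is never parsed, so `arg_at_least` falls through to `false` for it — fail-closed, but a false positive. Anchoring on the token start and slicing after the first `=` fixes the first two; repeated flags (pflag keeps the last one) and the separate-token form need a deliberate choice and a comment either way. `arg_values_contains` and `arg_at_least` can stay as they are once `get_arg_value` is fixed.

```rego
# true when some token is exactly the flag, or starts with "<flag>="
array_contains(array, key) {
	flag_matches(array[_], key)
} else = false {
	true
}

flag_matches(arg, key) {
	arg == key
}

flag_matches(arg, key) {
	startswith(arg, concat("", [key, "="]))
}

# value of "<flag>=<value>"; keeps any "=" that appears inside the value
get_arg_value(arguments, key) = value {
	prefix := concat("", [key, "="])
	argument := arguments[_]
	startswith(argument, prefix)
	value := substring(argument, count(prefix), -1)
}

# … unchanged: arg_values_contains, arg_at_least …
```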
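Review bot: `split(input.command, " ")` produces empty tokens for repeated spaces and cannot recover a value that carries quoted spaces (e.g. `--tls-cipher-suites="A, B"`), and how the collector joins argv is not visible here; if it starts from an argv array, passing that array through untouched avoids re-tokenising. Document the expected format where the split happens, e.g. `# input.command is the space-joined argv of the process; values containing spaces are not supported`. Also `is_process` now means "is the API server" — with scheduler, controller-manager, etcd and kubelet rules still to come, a set keeps `command_args` usable for all of them: `process_types := {"api_server"}` and `is_process { process_types[input.type] }`, extended as collectors are added.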