From 7ef6ac755a36392138ce8b23ff702eb16a42ef56 Mon Sep 17 00:00:00 2001 
From: orenzohar Date: Thu, 11 Nov 2021 16:31:12 +0200 Subject: [PATCH 1/4] Master Node Configuration - file ownership rules --- compliance/cis_k8s.rego | 6 +++--- compliance/lib/common.rego | 22 ++++++++++++-------- compliance/lib/data_adapter.rego | 22 ++++++++++---------- compliance/lib/test.rego | 4 ++-- compliance/rules/cis_1_1_1/rule.rego | 26 ++++++++++++------------ compliance/rules/cis_1_1_1/test.rego | 20 +++++++++--------- compliance/rules/cis_1_1_14/rule.rego | 21 +++++++++++++++++++ compliance/rules/cis_1_1_14/test.rego | 21 +++++++++++++++++++ compliance/rules/cis_1_1_16/rule.rego | 21 +++++++++++++++++++ compliance/rules/cis_1_1_16/test.rego | 21 +++++++++++++++++++ compliance/rules/cis_1_1_18/rule.rego | 21 +++++++++++++++++++ compliance/rules/cis_1_1_18/test.rego | 21 +++++++++++++++++++ compliance/rules/cis_1_1_2/rule.rego | 29 +++++++++++++-------------- compliance/rules/cis_1_1_2/test.rego | 24 ++++++++++------------ compliance/rules/cis_1_1_4/rule.rego | 21 +++++++++++++++++++ compliance/rules/cis_1_1_4/test.rego | 21 +++++++++++++++++++ compliance/rules/cis_1_1_6/rule.rego | 21 +++++++++++++++++++ compliance/rules/cis_1_1_6/test.rego | 21 +++++++++++++++++++ compliance/rules/cis_1_1_8/rule.rego | 21 +++++++++++++++++++ compliance/rules/cis_1_1_8/test.rego | 21 +++++++++++++++++++ main.rego | 2 +- 21 files changed, 330 insertions(+), 77 deletions(-) create mode 100644 compliance/rules/cis_1_1_14/rule.rego create mode 100644 compliance/rules/cis_1_1_14/test.rego create mode 100644 compliance/rules/cis_1_1_16/rule.rego create mode 100644 compliance/rules/cis_1_1_16/test.rego create mode 100644 compliance/rules/cis_1_1_18/rule.rego create mode 100644 compliance/rules/cis_1_1_18/test.rego create mode 100644 compliance/rules/cis_1_1_4/rule.rego create mode 100644 compliance/rules/cis_1_1_4/test.rego create mode 100644 compliance/rules/cis_1_1_6/rule.rego create mode 100644 compliance/rules/cis_1_1_6/test.rego create mode 100644 
compliance/rules/cis_1_1_8/rule.rego create mode 100644 compliance/rules/cis_1_1_8/test.rego diff --git a/compliance/cis_k8s.rego b/compliance/cis_k8s.rego index e054d10d..d5ebb579 100644 --- a/compliance/cis_k8s.rego +++ b/compliance/cis_k8s.rego @@ -5,7 +5,7 @@ import data.compliance.cis.rules default_tags := ["CIS", "CIS v1.6.0", "Kubernetes"] findings[finding] { - some rule_id - data.activated_rules.cis_k8s[rule_id] - finding = rules[rule_id].finding + some rule_id + data.activated_rules.cis_k8s[rule_id] + finding = rules[rule_id].finding } diff --git a/compliance/lib/common.rego b/compliance/lib/common.rego index bd6d9a17..025a71b4 100644 --- a/compliance/lib/common.rego +++ b/compliance/lib/common.rego @@ -2,16 +2,22 @@ package compliance.lib.common # set the rule result calculate_result(evaluation) = "passed" { - evaluation -} else = "violation" + evaluation +} else = "violation" { + true +} file_ownership_match(uid, gid, requierd_uid, requierd_gid) { - uid == requierd_uid - gid == requierd_gid -} else = false + uid == requierd_uid + gid == requierd_gid +} else = false { + true +} # todo: compare performance of regex alternatives file_permission_match(filemode, user, group, other) { - pattern = sprintf("0?[0-%d][0-%d][0-%d]", [user, group, other]) - regex.match(pattern, filemode) -} else = false \ No newline at end of file + pattern = sprintf("0?[0-%d][0-%d][0-%d]", [user, group, other]) + regex.match(pattern, filemode) +} else = false { + true +} diff --git a/compliance/lib/data_adapter.rego b/compliance/lib/data_adapter.rego index 90c722d2..fc743fca 100644 --- a/compliance/lib/data_adapter.rego +++ b/compliance/lib/data_adapter.rego 
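Review bot: `file_permission_match` treats each octal digit as an ordered range (`[0-%d]`), so a mode such as `0544` satisfies the `6, 4, 4` check although it grants the execute bit that `644` withholds, and because `regex.match` is unanchored a four-digit mode like `1644` also passes on its last three characters. "More restrictive" is a bit-subset relation, so the per-position character class should contain only the digits whose bits are a subset of the allowed digit, and the pattern should be anchored; every `file_permission_match(filemode, 6, 4, 4)` call in this series inherits the gap. The rewrite below derives that class with `bits.and` over `numbers.range`, which avoids hand-listing digits. The `requierd_uid`/`requierd_gid` parameter names in `file_ownership_match` are also misspelled.
```rego
# … unchanged: calculate_result, file_ownership_match …

# todo: compare performance of regex alternatives
file_permission_match(filemode, user, group, other) {
	pattern := sprintf("^0?[%s][%s][%s]$", [allowed_digits(user), allowed_digits(group), allowed_digits(other)])
	regex.match(pattern, filemode)
} else = false {
	true
}

# octal digits whose permission bits are a subset of `max` (e.g. 6 -> "0246", 4 -> "04")
allowed_digits(max) = concat("", [sprintf("%d", [d]) | d := numbers.range(0, 7)[_]; bits.and(d, max) == d])
```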
@@ -1,30 +1,30 @@ package compliance.lib.data_adapter is_osquery { - input.osquery + input.osquery } is_file { - is_osquery - input.osquery.filename + is_osquery + input.osquery.filename } filename = file_name { - is_file - file_name = input.osquery.filename + is_file + file_name = input.osquery.filename } filemode = file_mode { - is_file - file_mode = input.osquery.mode + is_file + file_mode = input.osquery.mode } owner_user_id = uid { - is_file - uid = input.osquery.uid + is_file + uid = input.osquery.uid } owner_group_id = gid { - is_file - gid = input.osquery.gid + is_file + gid = input.osquery.gid } diff --git a/compliance/lib/test.rego b/compliance/lib/test.rego index 5fb73d30..b90c7916 100644 --- a/compliance/lib/test.rego +++ b/compliance/lib/test.rego @@ -1,9 +1,9 @@ package lib.test rule_pass(finding) { - finding.evaluation == "passed" + finding.evaluation == "passed" } rule_violation(finding) { - finding.evaluation == "violation" + finding.evaluation == "violation" } diff --git a/compliance/rules/cis_1_1_1/rule.rego b/compliance/rules/cis_1_1_1/rule.rego index d9f98ac4..5caed17c 100644 --- a/compliance/rules/cis_1_1_1/rule.rego +++ b/compliance/rules/cis_1_1_1/rule.rego 
@@ -1,20 +1,20 @@ package compliance.cis.rules.cis_1_1_1 -import data.compliance.lib.data_adapter -import data.compliance.lib.common import data.compliance.cis_k8s +import data.compliance.lib.common +import data.compliance.lib.data_adapter # Ensure that the API server pod specification file permissions are set to 644 or more restrictive finding = result { - data_adapter.filename == "kube-apiserver.yaml" - filemode := data_adapter.filemode - rule_evaluation := common.file_permission_match(filemode, 6, 4, 4) + data_adapter.filename == "kube-apiserver.yaml" + filemode := data_adapter.filemode + rule_evaluation := common.file_permission_match(filemode, 6, 4, 4) - # set result - result := { - "evaluation" : common.calculate_result(rule_evaluation), - "evidence" : { "filemode" : filemode }, - "rule_name" : "Ensure that the API server pod specification file permissions are set to 644 or more restrictive", - "tags" : array.concat(cis_k8s.default_tags, ["CIS 1.1.1"]) - } -} \ No newline at end of file + # set result + result := { + "evaluation": common.calculate_result(rule_evaluation), + "evidence": {"filemode": filemode}, + "rule_name": "Ensure that the API server pod specification file permissions are set to 644 or more restrictive", + "tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.1"]), + } +} diff --git a/compliance/rules/cis_1_1_1/test.rego b/compliance/rules/cis_1_1_1/test.rego index 54511b18..3c60f34c 100644 --- a/compliance/rules/cis_1_1_1/test.rego +++ b/compliance/rules/cis_1_1_1/test.rego 
@@ -3,19 +3,17 @@ package compliance.cis.rules.cis_1_1_1 import data.lib.test test_violation { - test.rule_violation(finding) with input as rule_input("0700") + test.rule_violation(finding) with input as rule_input("0700") } test_pass { - test.rule_pass(finding) with input as rule_input("0644") + test.rule_pass(finding) with input as rule_input("0644") } -rule_input(filemode) = { - "osquery": { - "mode": filemode, - "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml", - "uid": "root", - "filename": "kube-apiserver.yaml", - "gid": "root" - } -} \ No newline at end of file +rule_input(filemode) = {"osquery": { + "mode": filemode, + "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml", + "uid": "root", + "filename": "kube-apiserver.yaml", + "gid": "root", +}} diff --git a/compliance/rules/cis_1_1_14/rule.rego b/compliance/rules/cis_1_1_14/rule.rego new file mode 100644 index 00000000..c76f603a --- /dev/null +++ b/compliance/rules/cis_1_1_14/rule.rego @@ -0,0 +1,21 @@ +package compliance.cis.rules.cis_1_1_14 + +import data.compliance.cis_k8s +import data.compliance.lib.common +import data.compliance.lib.data_adapter + +# Ensure that the admin.conf file ownership is set to root:root (Automated) +finding = result { + data_adapter.filename == "admin.conf" + uid = data_adapter.owner_user_id + gid = data_adapter.owner_group_id + rule_evaluation := common.file_ownership_match(uid, gid, "root", "root") + + # set result + result := { + "evaluation": common.calculate_result(rule_evaluation), + "evidence": {"uid": uid, "gid": gid}, + "rule_name": "Ensure that the API server pod specification file ownership is set to root:root", + "tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.14"]), + } +} diff --git a/compliance/rules/cis_1_1_14/test.rego b/compliance/rules/cis_1_1_14/test.rego new file mode 100644 index 00000000..d4124e06 --- /dev/null +++ b/compliance/rules/cis_1_1_14/test.rego 
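Review bot: The `rule_name` in the new cis_1_1_14 rule still reads "Ensure that the API server pod specification file ownership is set to root:root", which is the 1.1.2 text, while the rule matches `admin.conf` as its header comment says; it should be `"rule_name": "Ensure that the admin.conf file ownership is set to root:root",`. Separately, this rule and the new 1.1.16, 1.1.18, 1.1.4, 1.1.6 and 1.1.8 rules (and the existing 1.1.2) compare `uid`/`gid` against the strings `"root"`; osquery's `file` table reports those columns as numeric ids, so unless the collector resolves them to names before they land in `input.osquery` the comparison can never succeed on a real host and every file would be reported as a violation. That is worth confirming against the real input shape, and the test fixtures should then use whatever form the collector actually produces rather than the literal `"root"`.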
@@ -0,0 +1,21 @@
+package compliance.cis.rules.cis_1_1_14
+
+import data.lib.test
+
+test_violation {
+ test.rule_violation(finding) with input as rule_input("root", "user")
+ test.rule_violation(finding) with input as rule_input("user", "root")
+ test.rule_violation(finding) with input as rule_input("user", "user")
+}
+
+test_pass {
+ test.rule_pass(finding) with input as rule_input("root", "root")
+}
+
+rule_input(uid, gid) = {"osquery": {
+ "mode": "0644",
+ "path": "/etc/kubernetes/admin.conf",
+ "uid": uid,
+ "filename": "admin.conf",
+ "gid": gid,
+}}
diff --git a/compliance/rules/cis_1_1_16/rule.rego b/compliance/rules/cis_1_1_16/rule.rego
new file mode 100644
index 00000000..9d0d2900
--- /dev/null
+++ b/compliance/rules/cis_1_1_16/rule.rego
@@ -0,0 +1,21 @@
+package compliance.cis.rules.cis_1_1_16
+
+import data.compliance.cis_k8s
+import data.compliance.lib.common
+import data.compliance.lib.data_adapter
+
+# Ensure that the scheduler.conf file ownership is set to root:root (Automated)
+finding = result {
+ data_adapter.filename == "scheduler.conf"
+ uid = data_adapter.owner_user_id
+ gid = data_adapter.owner_group_id
+ rule_evaluation := common.file_ownership_match(uid, gid, "root", "root")
+
+ # set result
+ result := {
+ "evaluation": common.calculate_result(rule_evaluation),
+ "evidence": {"uid": uid, "gid": gid},
+ "rule_name": "Ensure that the scheduler.conf file ownership is set to root:root",
+ "tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.16"]),
+ }
+}
diff --git a/compliance/rules/cis_1_1_16/test.rego b/compliance/rules/cis_1_1_16/test.rego
new file mode 100644
index 00000000..58bdfb1d
--- /dev/null
+++ b/compliance/rules/cis_1_1_16/test.rego
@@ -0,0 +1,21 @@
+package compliance.cis.rules.cis_1_1_16
+
+import data.lib.test
+
+test_violation {
+ test.rule_violation(finding) with input as rule_input("root", "user")
+ test.rule_violation(finding) with input as rule_input("user", "root")
+ test.rule_violation(finding) with input as rule_input("user", "user")
+}
+
+test_pass {
+ test.rule_pass(finding) with input as rule_input("root", "root")
+}
+
+rule_input(uid, gid) = {"osquery": {
+ "mode": "0644",
+ "path": "/etc/kubernetes/scheduler.conf",
+ "uid": uid,
+ "filename": "scheduler.conf",
+ "gid": gid,
+}}
diff --git a/compliance/rules/cis_1_1_18/rule.rego b/compliance/rules/cis_1_1_18/rule.rego
new file mode 100644
index 00000000..ad6d8528
--- /dev/null
+++ b/compliance/rules/cis_1_1_18/rule.rego
@@ -0,0 +1,21 @@
+package compliance.cis.rules.cis_1_1_18
+
+import data.compliance.cis_k8s
+import data.compliance.lib.common
+import data.compliance.lib.data_adapter
+
+# Ensure that the controller-manager.conf file ownership is set to root:root (Automated)
+finding = result {
+ data_adapter.filename == "controller-manager.conf"
+ uid = data_adapter.owner_user_id
+ gid = data_adapter.owner_group_id
+ rule_evaluation := common.file_ownership_match(uid, gid, "root", "root")
+
+ # set result
+ result := {
+ "evaluation": common.calculate_result(rule_evaluation),
+ "evidence": {"uid": uid, "gid": gid},
+ "rule_name": " Ensure that the controller-manager.conf file ownership is set to root:root",
+ "tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.18"]),
+ }
+}
diff --git a/compliance/rules/cis_1_1_18/test.rego b/compliance/rules/cis_1_1_18/test.rego
new file mode 100644
index 00000000..7d9e8b1d
--- /dev/null
+++ b/compliance/rules/cis_1_1_18/test.rego
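Review bot: The `rule_name` string in the new cis_1_1_18 rule starts with a space (`" Ensure that the controller-manager.conf …"`), so any consumer that keys or filters findings by rule name will not match it against the benchmark title; it should be `"rule_name": "Ensure that the controller-manager.conf file ownership is set to root:root",`. The other new rules in this patch carry no leading space, so this is the only outlier.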
@@ -0,0 +1,21 @@
+package compliance.cis.rules.cis_1_1_18
+
+import data.lib.test
+
+test_violation {
+ test.rule_violation(finding) with input as rule_input("root", "user")
+ test.rule_violation(finding) with input as rule_input("user", "root")
+ test.rule_violation(finding) with input as rule_input("user", "user")
+}
+
+test_pass {
+ test.rule_pass(finding) with input as rule_input("root", "root")
+}
+
+rule_input(uid, gid) = {"osquery": {
+ "mode": "0644",
+ "path": "/etc/kubernetes/controller-manager.conf",
+ "uid": uid,
+ "filename": "controller-manager.conf",
+ "gid": gid,
+}}
diff --git a/compliance/rules/cis_1_1_2/rule.rego b/compliance/rules/cis_1_1_2/rule.rego
index 692fe1d0..f710a288 100644
--- a/compliance/rules/cis_1_1_2/rule.rego
+++ b/compliance/rules/cis_1_1_2/rule.rego
@@ -1,22 +1,21 @@ package compliance.cis.rules.cis_1_1_2 -import data.compliance.lib.data_adapter -import data.compliance.lib.common import data.compliance.cis_k8s - +import data.compliance.lib.common +import data.compliance.lib.data_adapter # Ensure that the API server pod specification file ownership is set to root:root finding = result { - data_adapter.filename == "kube-apiserver.yaml" - uid = data_adapter.owner_user_id - gid = data_adapter.owner_group_id - rule_evaluation := common.file_ownership_match(uid, gid, "root", "root") + data_adapter.filename == "kube-apiserver.yaml" + uid = data_adapter.owner_user_id + gid = data_adapter.owner_group_id + rule_evaluation := common.file_ownership_match(uid, gid, "root", "root") - # set result - result := { - "evaluation" : common.calculate_result(rule_evaluation), - "evidence" : {"uid" : uid, "gid" : gid}, - "rule_name" : "Ensure that the API server pod specification file ownership is set to root:root", - "tags" : array.concat(cis_k8s.default_tags, ["CIS 1.1.2"]) - } -} \ No newline at end of file + # set result + result := { + "evaluation": common.calculate_result(rule_evaluation), + "evidence": {"uid": uid, "gid": gid}, + "rule_name": "Ensure that the API server pod specification file ownership is set to root:root", + "tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.2"]), + } +} diff --git a/compliance/rules/cis_1_1_2/test.rego b/compliance/rules/cis_1_1_2/test.rego index 08cc835a..cd7935a0 100644 --- a/compliance/rules/cis_1_1_2/test.rego +++ b/compliance/rules/cis_1_1_2/test.rego 
@@ -3,21 +3,19 @@ package compliance.cis.rules.cis_1_1_2 import data.lib.test test_violation { - test.rule_violation(finding) with input as rule_input("root", "user") - test.rule_violation(finding) with input as rule_input("user", "root") - test.rule_violation(finding) with input as rule_input("user", "user") + test.rule_violation(finding) with input as rule_input("root", "user") + test.rule_violation(finding) with input as rule_input("user", "root") + test.rule_violation(finding) with input as rule_input("user", "user") } test_pass { - test.rule_pass(finding) with input as rule_input("root", "root") + test.rule_pass(finding) with input as rule_input("root", "root") } -rule_input(uid, gid) = { - "osquery": { - "mode": "0644", - "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml", - "uid": uid, - "filename": "kube-apiserver.yaml", - "gid": gid - } -} \ No newline at end of file +rule_input(uid, gid) = {"osquery": { + "mode": "0644", + "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml", + "uid": uid, + "filename": "kube-apiserver.yaml", + "gid": gid, +}} diff --git a/compliance/rules/cis_1_1_4/rule.rego b/compliance/rules/cis_1_1_4/rule.rego new file mode 100644 index 00000000..5fc614bb --- /dev/null +++ b/compliance/rules/cis_1_1_4/rule.rego 
@@ -0,0 +1,21 @@
+package compliance.cis.rules.cis_1_1_4
+
+import data.compliance.cis_k8s
+import data.compliance.lib.common
+import data.compliance.lib.data_adapter
+
+# Ensure that the controller manager pod specification file ownership is set to root:root (Automated)
+finding = result {
+ data_adapter.filename == "kube-controller-manager.yaml"
+ uid = data_adapter.owner_user_id
+ gid = data_adapter.owner_group_id
+ rule_evaluation := common.file_ownership_match(uid, gid, "root", "root")
+
+ # set result
+ result := {
+ "evaluation": common.calculate_result(rule_evaluation),
+ "evidence": {"uid": uid, "gid": gid},
+ "rule_name": "Ensure that the controller manager pod specification file ownership is set to root:root",
+ "tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.4"]),
+ }
+}
diff --git a/compliance/rules/cis_1_1_4/test.rego b/compliance/rules/cis_1_1_4/test.rego
new file mode 100644
index 00000000..1e03c7f5
--- /dev/null
+++ b/compliance/rules/cis_1_1_4/test.rego
@@ -0,0 +1,21 @@
+package compliance.cis.rules.cis_1_1_4
+
+import data.lib.test
+
+test_violation {
+ test.rule_violation(finding) with input as rule_input("root", "user")
+ test.rule_violation(finding) with input as rule_input("user", "root")
+ test.rule_violation(finding) with input as rule_input("user", "user")
+}
+
+test_pass {
+ test.rule_pass(finding) with input as rule_input("root", "root")
+}
+
+rule_input(uid, gid) = {"osquery": {
+ "mode": "0644",
+ "path": "/etc/kubernetes/manifests/kube-controller-manager.yaml",
+ "uid": uid,
+ "filename": "kube-controller-manager.yaml",
+ "gid": gid,
+}}
diff --git a/compliance/rules/cis_1_1_6/rule.rego b/compliance/rules/cis_1_1_6/rule.rego
new file mode 100644
index 00000000..85fa7bc8
--- /dev/null
+++ b/compliance/rules/cis_1_1_6/rule.rego
@@ -0,0 +1,21 @@
+package compliance.cis.rules.cis_1_1_6
+
+import data.compliance.cis_k8s
+import data.compliance.lib.common
+import data.compliance.lib.data_adapter
+
+# Ensure that the scheduler pod specification file ownership is set to root:root (Automated)
+finding = result {
+ data_adapter.filename == "kube-scheduler.yaml"
+ uid = data_adapter.owner_user_id
+ gid = data_adapter.owner_group_id
+ rule_evaluation := common.file_ownership_match(uid, gid, "root", "root")
+
+ # set result
+ result := {
+ "evaluation": common.calculate_result(rule_evaluation),
+ "evidence": {"uid": uid, "gid": gid},
+ "rule_name": "Ensure that the scheduler pod specification file ownership is set to root:root",
+ "tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.6"]),
+ }
+}
diff --git a/compliance/rules/cis_1_1_6/test.rego b/compliance/rules/cis_1_1_6/test.rego
new file mode 100644
index 00000000..86ac29b6
--- /dev/null
+++ b/compliance/rules/cis_1_1_6/test.rego
@@ -0,0 +1,21 @@
+package compliance.cis.rules.cis_1_1_6
+
+import data.lib.test
+
+test_violation {
+ test.rule_violation(finding) with input as rule_input("root", "user")
+ test.rule_violation(finding) with input as rule_input("user", "root")
+ test.rule_violation(finding) with input as rule_input("user", "user")
+}
+
+test_pass {
+ test.rule_pass(finding) with input as rule_input("root", "root")
+}
+
+rule_input(uid, gid) = {"osquery": {
+ "mode": "0644",
+ "path": "/etc/kubernetes/manifests/kube-scheduler.yaml",
+ "uid": uid,
+ "filename": "kube-scheduler.yaml",
+ "gid": gid,
+}}
diff --git a/compliance/rules/cis_1_1_8/rule.rego b/compliance/rules/cis_1_1_8/rule.rego
new file mode 100644
index 00000000..bae16856
--- /dev/null
+++ b/compliance/rules/cis_1_1_8/rule.rego
@@ -0,0 +1,21 @@
+package compliance.cis.rules.cis_1_1_8
+
+import data.compliance.cis_k8s
+import data.compliance.lib.common
+import data.compliance.lib.data_adapter
+
+# Ensure that the etcd pod specification file ownership is set to root:root (Automated)
+finding = result {
+ data_adapter.filename == "etcd.yaml"
+ uid = data_adapter.owner_user_id
+ gid = data_adapter.owner_group_id
+ rule_evaluation := common.file_ownership_match(uid, gid, "root", "root")
+
+ # set result
+ result := {
+ "evaluation": common.calculate_result(rule_evaluation),
+ "evidence": {"uid": uid, "gid": gid},
+ "rule_name": "Ensure that the etcd pod specification file ownership is set to root:root",
+ "tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.8"]),
+ }
+}
diff --git a/compliance/rules/cis_1_1_8/test.rego b/compliance/rules/cis_1_1_8/test.rego
new file mode 100644
index 00000000..1bf9ad4d
--- /dev/null
+++ b/compliance/rules/cis_1_1_8/test.rego
@@ -0,0 +1,21 @@
+package compliance.cis.rules.cis_1_1_8
+
+import data.lib.test
+
+test_violation {
+ test.rule_violation(finding) with input as rule_input("root", "user")
+ test.rule_violation(finding) with input as rule_input("user", "root")
+ test.rule_violation(finding) with input as rule_input("user", "user")
+}
+
+test_pass {
+ test.rule_pass(finding) with input as rule_input("root", "root")
+}
+
+rule_input(uid, gid) = {"osquery": {
+ "mode": "0644",
+ "path": "/etc/kubernetes/manifests/etcd.yaml",
+ "uid": uid,
+ "filename": "etcd.yaml",
+ "gid": gid,
+}}
diff --git a/main.rego b/main.rego
index f446add0..c3f97bb7 100644
--- a/main.rego
+++ b/main.rego
@@ -7,5 +7,5 @@ import data.compliance.cis_k8s # output is findings resource = input
-findings = cis_k8s.findings
+findings = cis_k8s.findings
From 0d8c8e7fa09b4220cc4c103f2447c4697bb531f1 Mon Sep 17 00:00:00 2001
From: orenzohar Date: Mon, 15 Nov 2021 15:17:47 +0200 Subject: [PATCH 2/4] Add test data generator General repo struct refactor --- compliance/cis_k8s.rego | 11 -------- compliance/cis_k8s/cis_k8s.rego | 11 ++++++++ compliance/cis_k8s/rules/cis_1_1_1/rule.rego | 20 +++++++++++++++ compliance/cis_k8s/rules/cis_1_1_1/test.rego | 18 +++++++++++++ compliance/cis_k8s/rules/cis_1_1_13/rule.rego | 20 +++++++++++++++ compliance/cis_k8s/rules/cis_1_1_13/test.rego | 18 +++++++++++++ compliance/cis_k8s/rules/cis_1_1_15/rule.rego | 20 +++++++++++++++ compliance/cis_k8s/rules/cis_1_1_15/test.rego | 18 +++++++++++++ compliance/cis_k8s/rules/cis_1_1_17/rule.rego | 20 +++++++++++++++ compliance/cis_k8s/rules/cis_1_1_17/test.rego | 18 +++++++++++++ compliance/cis_k8s/rules/cis_1_1_2/rule.rego | 21 ++++++++++++++++ compliance/cis_k8s/rules/cis_1_1_2/test.rego | 19 ++++++++++++++ compliance/cis_k8s/rules/cis_1_1_3/rule.rego | 20 +++++++++++++++ compliance/cis_k8s/rules/cis_1_1_3/test.rego | 18 +++++++++++++ compliance/cis_k8s/rules/cis_1_1_5/rule.rego | 20 +++++++++++++++ compliance/cis_k8s/rules/cis_1_1_5/test.rego | 18 +++++++++++++ compliance/cis_k8s/rules/cis_1_1_7/rule.rego | 20 +++++++++++++++ compliance/cis_k8s/rules/cis_1_1_7/test.rego | 18 +++++++++++++ compliance/cis_k8s/test.rego | 18 +++++++++++++ compliance/lib/data_adapter.rego | 25 ++++++++----------- compliance/lib/test.rego | 9 ------- compliance/rules/cis_1_1_1/rule.rego | 20 --------------- compliance/rules/cis_1_1_1/test.rego | 21 ---------------- compliance/rules/cis_1_1_13/rule.rego | 20 --------------- compliance/rules/cis_1_1_13/test.rego | 21 ---------------- compliance/rules/cis_1_1_15/rule.rego | 20 --------------- compliance/rules/cis_1_1_15/test.rego | 21 ---------------- compliance/rules/cis_1_1_17/rule.rego | 20 --------------- compliance/rules/cis_1_1_17/test.rego | 21 ---------------- compliance/rules/cis_1_1_2/rule.rego | 22 ---------------- compliance/rules/cis_1_1_2/test.rego | 23 ----------------- 
compliance/rules/cis_1_1_3/rule.rego | 20 --------------- compliance/rules/cis_1_1_3/test.rego | 21 ---------------- compliance/rules/cis_1_1_5/rule.rego | 20 --------------- compliance/rules/cis_1_1_5/test.rego | 21 ---------------- compliance/rules/cis_1_1_7/rule.rego | 20 --------------- compliance/rules/cis_1_1_7/test.rego | 21 ---------------- 37 files changed, 345 insertions(+), 367 deletions(-) delete mode 100644 compliance/cis_k8s.rego create mode 100644 compliance/cis_k8s/cis_k8s.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_1/rule.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_1/test.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_13/rule.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_13/test.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_15/rule.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_15/test.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_17/rule.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_17/test.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_2/rule.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_2/test.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_3/rule.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_3/test.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_5/rule.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_5/test.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_7/rule.rego create mode 100644 compliance/cis_k8s/rules/cis_1_1_7/test.rego create mode 100644 compliance/cis_k8s/test.rego delete mode 100644 compliance/lib/test.rego delete mode 100644 compliance/rules/cis_1_1_1/rule.rego delete mode 100644 compliance/rules/cis_1_1_1/test.rego delete mode 100644 compliance/rules/cis_1_1_13/rule.rego delete mode 100644 compliance/rules/cis_1_1_13/test.rego delete mode 100644 compliance/rules/cis_1_1_15/rule.rego delete mode 100644 compliance/rules/cis_1_1_15/test.rego delete mode 100644 
compliance/rules/cis_1_1_17/rule.rego delete mode 100644 compliance/rules/cis_1_1_17/test.rego delete mode 100644 compliance/rules/cis_1_1_2/rule.rego delete mode 100644 compliance/rules/cis_1_1_2/test.rego delete mode 100644 compliance/rules/cis_1_1_3/rule.rego delete mode 100644 compliance/rules/cis_1_1_3/test.rego delete mode 100644 compliance/rules/cis_1_1_5/rule.rego delete mode 100644 compliance/rules/cis_1_1_5/test.rego delete mode 100644 compliance/rules/cis_1_1_7/rule.rego delete mode 100644 compliance/rules/cis_1_1_7/test.rego
diff --git a/compliance/cis_k8s.rego b/compliance/cis_k8s.rego
deleted file mode 100644
index e054d10d..00000000
--- a/compliance/cis_k8s.rego
+++ /dev/null
@@ -1,11 +0,0 @@
-package compliance.cis_k8s
-
-import data.compliance.cis.rules
-
-default_tags := ["CIS", "CIS v1.6.0", "Kubernetes"]
-
-findings[finding] {
- some rule_id
- data.activated_rules.cis_k8s[rule_id]
- finding = rules[rule_id].finding
-}
diff --git a/compliance/cis_k8s/cis_k8s.rego b/compliance/cis_k8s/cis_k8s.rego
new file mode 100644
index 00000000..b4c2a348
--- /dev/null
+++ b/compliance/cis_k8s/cis_k8s.rego
@@ -0,0 +1,11 @@
+package compliance.cis_k8s
+
+import data.compliance.cis_k8s.rules
+
+default_tags := ["CIS", "CIS v1.6.0", "Kubernetes"]
+
+findings[finding] {
+ some rule_id
+ data.activated_rules.cis_k8s[rule_id]
+ finding = rules[rule_id].finding
+}
diff --git a/compliance/cis_k8s/rules/cis_1_1_1/rule.rego b/compliance/cis_k8s/rules/cis_1_1_1/rule.rego
new file mode 100644
index 00000000..2d1173ec
--- /dev/null
+++ b/compliance/cis_k8s/rules/cis_1_1_1/rule.rego
@@ -0,0 +1,20 @@
+package compliance.cis_k8s.rules.cis_1_1_1
+
+import data.compliance.cis_k8s
+import data.compliance.lib.common
+import data.compliance.lib.data_adapter
+
+# Ensure that the API server pod specification file permissions are set to 644 or more restrictive
+finding = result {
+ data_adapter.filename == "kube-apiserver.yaml"
+ filemode := data_adapter.filemode
+ rule_evaluation := common.file_permission_match(filemode, 6, 4, 4)
+
+ # set result
+ result := {
+ "evaluation": common.calculate_result(rule_evaluation),
+ "evidence": {"filemode": filemode},
+ "rule_name": "Ensure that the API server pod specification file permissions are set to 644 or more restrictive",
+ "tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.1"]),
+ }
+}
diff --git a/compliance/cis_k8s/rules/cis_1_1_1/test.rego b/compliance/cis_k8s/rules/cis_1_1_1/test.rego
new file mode 100644
index 00000000..82d0c0ed
--- /dev/null
+++ b/compliance/cis_k8s/rules/cis_1_1_1/test.rego
@@ -0,0 +1,18 @@
+package compliance.cis_k8s.rules.cis_1_1_1
+
+import data.cis_k8s.test
+
+test_violation {
+ test.rule_violation(finding) with input as rule_input("0700")
+}
+
+test_pass {
+ test.rule_pass(finding) with input as rule_input("0644")
+}
+
+rule_input(filemode) = filesystem_input {
+ filename := "kube-apiserver.yaml"
+ uid := "root"
+ gid := "root"
+ filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid)
+}
diff --git a/compliance/cis_k8s/rules/cis_1_1_13/rule.rego b/compliance/cis_k8s/rules/cis_1_1_13/rule.rego
new file mode 100644
index 00000000..42bc814e
--- /dev/null
+++ b/compliance/cis_k8s/rules/cis_1_1_13/rule.rego
@@ -0,0 +1,20 @@
+package compliance.cis_k8s.rules.cis_1_1_13
+
+import data.compliance.cis_k8s
+import data.compliance.lib.common
+import data.compliance.lib.data_adapter
+
+# Ensure that the admin.conf file permissions are set to 644 or more restrictive
+finding = result {
+ data_adapter.filename == "admin.conf"
+ filemode := data_adapter.filemode
+ rule_evaluation := common.file_permission_match(filemode, 6, 4, 4)
+
+ # set result
+ result := {
+ "evaluation": common.calculate_result(rule_evaluation),
+ "evidence": {"filemode": filemode},
+ "rule_name": "Ensure that the admin.conf file permissions are set to 644 or more restrictive",
+ "tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.13"]),
+ }
+}
diff --git a/compliance/cis_k8s/rules/cis_1_1_13/test.rego b/compliance/cis_k8s/rules/cis_1_1_13/test.rego
new file mode 100644
index 00000000..7359a307
--- /dev/null
+++ b/compliance/cis_k8s/rules/cis_1_1_13/test.rego
@@ -0,0 +1,18 @@
+package compliance.cis_k8s.rules.cis_1_1_13
+
+import data.cis_k8s.test
+
+test_violation {
+ test.rule_violation(finding) with input as rule_input("0700")
+}
+
+test_pass {
+ test.rule_pass(finding) with input as rule_input("0644")
+}
+
+rule_input(filemode) = filesystem_input {
+ filename := "admin.conf"
+ uid := "root"
+ gid := "root"
+ filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid)
+}
diff --git a/compliance/cis_k8s/rules/cis_1_1_15/rule.rego b/compliance/cis_k8s/rules/cis_1_1_15/rule.rego
new file mode 100644
index 00000000..3ad249db
--- /dev/null
+++ b/compliance/cis_k8s/rules/cis_1_1_15/rule.rego
@@ -0,0 +1,20 @@
+package compliance.cis_k8s.rules.cis_1_1_15
+
+import data.compliance.cis_k8s
+import data.compliance.lib.common
+import data.compliance.lib.data_adapter
+
+# Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)
+finding = result {
+ data_adapter.filename == "scheduler.conf"
+ filemode := data_adapter.filemode
+ rule_evaluation := common.file_permission_match(filemode, 6, 4, 4)
+
+ # set result
+ result := {
+ "evaluation": common.calculate_result(rule_evaluation),
+ "evidence": {"filemode": filemode},
+ "rule_name": "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive",
+ "tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.15"]),
+ }
+}
diff --git a/compliance/cis_k8s/rules/cis_1_1_15/test.rego b/compliance/cis_k8s/rules/cis_1_1_15/test.rego
new file mode 100644
index 00000000..827e1348
--- /dev/null
+++ b/compliance/cis_k8s/rules/cis_1_1_15/test.rego
@@ -0,0 +1,18 @@
+package compliance.cis_k8s.rules.cis_1_1_15
+
+import data.cis_k8s.test
+
+test_violation {
+ test.rule_violation(finding) with input as rule_input("0700")
+}
+
+test_pass {
+ test.rule_pass(finding) with input as rule_input("0644")
+}
+
+rule_input(filemode) = filesystem_input {
+ filename := "scheduler.conf"
+ uid := "root"
+ gid := "root"
+ filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid)
+}
diff --git a/compliance/cis_k8s/rules/cis_1_1_17/rule.rego b/compliance/cis_k8s/rules/cis_1_1_17/rule.rego
new file mode 100644
index 00000000..cf7157a8
--- /dev/null
+++ b/compliance/cis_k8s/rules/cis_1_1_17/rule.rego
@@ -0,0 +1,20 @@
+package compliance.cis_k8s.rules.cis_1_1_17
+
+import data.compliance.cis_k8s
+import data.compliance.lib.common
+import data.compliance.lib.data_adapter
+
+# Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)
+finding = result {
+ data_adapter.filename == "controller-manager.conf"
+ filemode := data_adapter.filemode
+ rule_evaluation := common.file_permission_match(filemode, 6, 4, 4)
+
+ # set result
+ result := {
+ "evaluation": common.calculate_result(rule_evaluation),
+ "evidence": {"filemode": filemode},
+ "rule_name": "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive",
+ "tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.17"]),
+ }
+}
diff --git a/compliance/cis_k8s/rules/cis_1_1_17/test.rego b/compliance/cis_k8s/rules/cis_1_1_17/test.rego
new file mode 100644
index 00000000..7231c373
--- /dev/null
+++ b/compliance/cis_k8s/rules/cis_1_1_17/test.rego
@@ -0,0 +1,18 @@
+package compliance.cis_k8s.rules.cis_1_1_17
+
+import data.cis_k8s.test
+
+test_violation {
+ test.rule_violation(finding) with input as rule_input("0700")
+}
+
+test_pass {
+ test.rule_pass(finding) with input as rule_input("0644")
+}
+
+rule_input(filemode) = filesystem_input {
+ filename := "controller-manager.conf"
+ uid := "root"
+ gid := "root"
+ filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid)
+}
diff --git a/compliance/cis_k8s/rules/cis_1_1_2/rule.rego b/compliance/cis_k8s/rules/cis_1_1_2/rule.rego
new file mode 100644
index 00000000..af067636
--- /dev/null
+++ b/compliance/cis_k8s/rules/cis_1_1_2/rule.rego
@@ -0,0 +1,21 @@
+package compliance.cis_k8s.rules.cis_1_1_2
+
+import data.compliance.cis_k8s
+import data.compliance.lib.common
+import data.compliance.lib.data_adapter
+
+# Ensure that the API server pod specification file ownership is set to root:root
+finding = result {
+ data_adapter.filename == "kube-apiserver.yaml"
+ uid = data_adapter.owner_user_id
+ gid = data_adapter.owner_group_id
+ rule_evaluation := common.file_ownership_match(uid, gid, "root", "root")
+
+ # set result
+ result := {
+ "evaluation": common.calculate_result(rule_evaluation),
+ "evidence": {"uid": uid, "gid": gid},
+ "rule_name": "Ensure that the API server pod specification file ownership is set to root:root",
+ "tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.2"]),
+ }
+}
diff --git a/compliance/cis_k8s/rules/cis_1_1_2/test.rego b/compliance/cis_k8s/rules/cis_1_1_2/test.rego
new file mode 100644
index 00000000..0bea15a9
--- /dev/null
+++ b/compliance/cis_k8s/rules/cis_1_1_2/test.rego
@@ -0,0 +1,19 @@
+package compliance.cis_k8s.rules.cis_1_1_2
+
+import data.cis_k8s.test
+
+test_violation {
+ test.rule_violation(finding) with input as rule_input("root", "user")
+ test.rule_violation(finding) with input as rule_input("user", "root")
+ test.rule_violation(finding) with input as rule_input("user", "user")
+}
+
+test_pass {
+ test.rule_pass(finding) with input as rule_input("root", "root")
+}
+
+rule_input(uid, gid) = filesystem_input {
+ filename := "kube-apiserver.yaml"
+ filemode := "0644"
+ filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid)
+}
diff --git a/compliance/cis_k8s/rules/cis_1_1_3/rule.rego b/compliance/cis_k8s/rules/cis_1_1_3/rule.rego
new file mode 100644
index 00000000..8d385cae
--- /dev/null
+++ b/compliance/cis_k8s/rules/cis_1_1_3/rule.rego
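Review bot: `uid = data_adapter.owner_user_id` and `gid = data_adapter.owner_group_id` use unification where every sibling rule assigns its locals with `:=`; it works here because both names are unbound, but it is the one place where a later binding of the same name would silently turn into a comparison rather than a compile-time conflict. Change both to `uid := data_adapter.owner_user_id` and `gid := data_adapter.owner_group_id` for consistency. The check compares against the literal strings "root"/"root", which matches the string ids the test fixtures and the README example supply; if a collector ever emits numeric ids the rule would report a violation for a correctly owned file, so the adapter contract should state that uid/gid are names, not numbers.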
@@ -0,0 +1,20 @@
+package compliance.cis_k8s.rules.cis_1_1_3
+
+import data.compliance.cis_k8s
+import data.compliance.lib.common
+import data.compliance.lib.data_adapter
+
+# Ensure that the API server pod specification file permissions are set to 644 or more restrictive
+finding = result {
+ data_adapter.filename == "kube-controller-manager.yaml"
+ filemode := data_adapter.filemode
+ rule_evaluation := common.file_permission_match(filemode, 6, 4, 4)
+
+ # set result
+ result := {
+ "evaluation": common.calculate_result(rule_evaluation),
+ "evidence": {"filemode": filemode},
+ "rule_name": "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive",
+ "tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.3"]),
+ }
+}
diff --git a/compliance/cis_k8s/rules/cis_1_1_3/test.rego b/compliance/cis_k8s/rules/cis_1_1_3/test.rego
new file mode 100644
index 00000000..806d8f44
--- /dev/null
+++ b/compliance/cis_k8s/rules/cis_1_1_3/test.rego
@@ -0,0 +1,18 @@
+package compliance.cis_k8s.rules.cis_1_1_3
+
+import data.cis_k8s.test
+
+test_violation {
+ test.rule_violation(finding) with input as rule_input("0700")
+}
+
+test_pass {
+ test.rule_pass(finding) with input as rule_input("0644")
+}
+
+rule_input(filemode) = filesystem_input {
+ filename := "kube-controller-manager.yaml"
+ uid := "root"
+ gid := "root"
+ filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid)
+}
diff --git a/compliance/cis_k8s/rules/cis_1_1_5/rule.rego b/compliance/cis_k8s/rules/cis_1_1_5/rule.rego
new file mode 100644
index 00000000..f697eab0
--- /dev/null
+++ b/compliance/cis_k8s/rules/cis_1_1_5/rule.rego
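Review bot: The header comment on the finding rule says "API server pod specification file", but the rule matches kube-controller-manager.yaml and its rule_name says "controller manager", so the comment is a leftover from cis_1_1_1 and will mislead anyone auditing the rule against the benchmark. Replace it with `# Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)` so it agrees with the "CIS 1.1.3" tag and the rule_name string.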
@@ -0,0 +1,20 @@
+package compliance.cis_k8s.rules.cis_1_1_5
+
+import data.compliance.cis_k8s
+import data.compliance.lib.common
+import data.compliance.lib.data_adapter
+
+# Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)
+finding = result {
+ data_adapter.filename == "kube-scheduler.yaml"
+ filemode := data_adapter.filemode
+ rule_evaluation := common.file_permission_match(filemode, 6, 4, 4)
+
+ # set result
+ result := {
+ "evaluation": common.calculate_result(rule_evaluation),
+ "evidence": {"filemode": filemode},
+ "rule_name": "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive",
+ "tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.5"]),
+ }
+}
diff --git a/compliance/cis_k8s/rules/cis_1_1_5/test.rego b/compliance/cis_k8s/rules/cis_1_1_5/test.rego
new file mode 100644
index 00000000..b61ede1c
--- /dev/null
+++ b/compliance/cis_k8s/rules/cis_1_1_5/test.rego
@@ -0,0 +1,18 @@
+package compliance.cis_k8s.rules.cis_1_1_5
+
+import data.cis_k8s.test
+
+test_violation {
+ test.rule_violation(finding) with input as rule_input("0700")
+}
+
+test_pass {
+ test.rule_pass(finding) with input as rule_input("0644")
+}
+
+rule_input(filemode) = filesystem_input {
+ filename := "kube-scheduler.yaml"
+ uid := "root"
+ gid := "root"
+ filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid)
+}
diff --git a/compliance/cis_k8s/rules/cis_1_1_7/rule.rego b/compliance/cis_k8s/rules/cis_1_1_7/rule.rego
new file mode 100644
index 00000000..e8ee8449
--- /dev/null
+++ b/compliance/cis_k8s/rules/cis_1_1_7/rule.rego
@@ -0,0 +1,20 @@
+package compliance.cis_k8s.rules.cis_1_1_7
+
+import data.compliance.cis_k8s
+import data.compliance.lib.common
+import data.compliance.lib.data_adapter
+
+# Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)
+finding = result {
+ data_adapter.filename == "etcd.yaml"
+ filemode := data_adapter.filemode
+ rule_evaluation := common.file_permission_match(filemode, 6, 4, 4)
+
+ # set result
+ result := {
+ "evaluation": common.calculate_result(rule_evaluation),
+ "evidence": {"filemode": filemode},
+ "rule_name": "# Ensure that the etcd pod specification file permissions are set to 644 or more restrictive",
+ "tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.7"]),
+ }
+}
diff --git a/compliance/cis_k8s/rules/cis_1_1_7/test.rego b/compliance/cis_k8s/rules/cis_1_1_7/test.rego
new file mode 100644
index 00000000..aedcd48a
--- /dev/null
+++ b/compliance/cis_k8s/rules/cis_1_1_7/test.rego
@@ -0,0 +1,18 @@
+package compliance.cis_k8s.rules.cis_1_1_7
+
+import data.cis_k8s.test
+
+test_violation {
+ test.rule_violation(finding) with input as rule_input("0700")
+}
+
+test_pass {
+ test.rule_pass(finding) with input as rule_input("0644")
+}
+
+rule_input(filemode) = filesystem_input {
+ filename := "etcd.yaml"
+ uid := "root"
+ gid := "root"
+ filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid)
+}
diff --git a/compliance/cis_k8s/test.rego b/compliance/cis_k8s/test.rego
new file mode 100644
index 00000000..00cfbee7
--- /dev/null
+++ b/compliance/cis_k8s/test.rego
@@ -0,0 +1,18 @@
+package cis_k8s.test
+
+rule_pass(finding) {
+ finding.evaluation == "passed"
+}
+
+rule_violation(finding) {
+ finding.evaluation == "violation"
+}
+
+generate_filesystem_input(filename, mode, uid, gid) = {
+ "type": "filesystem",
+ "path": "file/path",
+ "filename": filename,
+ "mode": mode,
+ "uid": uid,
+ "gid": gid,
+}
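Review bot: `"rule_name": "# Ensure that the etcd pod specification file permissions are set to 644 or more restrictive",` carries a stray `#` inside the string literal, so the emitted finding's rule_name differs in format from every other rule and from the comment above it, and any consumer that keys, deduplicates or displays on rule_name will treat it as a distinct control. Drop the `#` so the line reads `"rule_name": "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive",`. The accompanying test.rego only asserts on `evaluation`, which is why this survived; an assertion on rule_name (or on the "CIS 1.1.7" tag) would catch it.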
diff --git a/compliance/lib/data_adapter.rego b/compliance/lib/data_adapter.rego
index 90c722d2..bf0ce1ca 100644
--- a/compliance/lib/data_adapter.rego
+++ b/compliance/lib/data_adapter.rego
@@ -1,30 +1,25 @@
 package compliance.lib.data_adapter
-is_osquery {
- input.osquery
-}
-
-is_file {
- is_osquery
- input.osquery.filename
+is_filesystem {
+ input.type == "filesystem"
 }
 filename = file_name {
- is_file
- file_name = input.osquery.filename
+ is_filesystem
+ file_name = input.filename
 }
 filemode = file_mode {
- is_file
- file_mode = input.osquery.mode
+ is_filesystem
+ file_mode = input.mode
 }
 owner_user_id = uid {
- is_file
- uid = input.osquery.uid
+ is_filesystem
+ uid = input.uid
 }
 owner_group_id = gid {
- is_file
- gid = input.osquery.gid
+ is_filesystem
+ gid = input.gid
 }
diff --git a/compliance/lib/test.rego b/compliance/lib/test.rego
deleted file mode 100644
index 5fb73d30..00000000
--- a/compliance/lib/test.rego
+++ /dev/null
@@ -1,9 +0,0 @@
-package lib.test
-
-rule_pass(finding) {
- finding.evaluation == "passed"
-}
-
-rule_violation(finding) {
- finding.evaluation == "violation"
-}
diff --git a/compliance/rules/cis_1_1_1/rule.rego b/compliance/rules/cis_1_1_1/rule.rego
deleted file mode 100644
index d9f98ac4..00000000
--- a/compliance/rules/cis_1_1_1/rule.rego
+++ /dev/null
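Review bot: The four accessors are undefined, not false, whenever `input.type` is not "filesystem" or the field they read (`filename`, `mode`, `uid`, `gid`) is absent, so a malformed or truncated collector record makes every file rule built on them silently produce no finding rather than a violation or an error; a consumer that reads the absence of findings as compliance is misled. Document that at the top of the file, e.g. `# All accessors are undefined when the input is not a filesystem record or lacks the field; rules that use them then yield no finding rather than failing.`, and consider having the evaluator surface records that matched no rule. `input.mode` is also passed through untyped: the test fixtures use strings such as "0644", and whether a numeric mode is handled depends on common.file_permission_match, which is outside this hunk.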
@@ -1,20 +0,0 @@
-package compliance.cis.rules.cis_1_1_1
-
-import data.compliance.lib.data_adapter
-import data.compliance.lib.common
-import data.compliance.cis_k8s
-
-# Ensure that the API server pod specification file permissions are set to 644 or more restrictive
-finding = result {
- data_adapter.filename == "kube-apiserver.yaml"
- filemode := data_adapter.filemode
- rule_evaluation := common.file_permission_match(filemode, 6, 4, 4)
-
- # set result
- result := {
- "evaluation" : common.calculate_result(rule_evaluation),
- "evidence" : { "filemode" : filemode },
- "rule_name" : "Ensure that the API server pod specification file permissions are set to 644 or more restrictive",
- "tags" : array.concat(cis_k8s.default_tags, ["CIS 1.1.1"])
- }
-}
\ No newline at end of file
diff --git a/compliance/rules/cis_1_1_1/test.rego b/compliance/rules/cis_1_1_1/test.rego
deleted file mode 100644
index 54511b18..00000000
--- a/compliance/rules/cis_1_1_1/test.rego
+++ /dev/null
@@ -1,21 +0,0 @@
-package compliance.cis.rules.cis_1_1_1
-
-import data.lib.test
-
-test_violation {
- test.rule_violation(finding) with input as rule_input("0700")
-}
-
-test_pass {
- test.rule_pass(finding) with input as rule_input("0644")
-}
-
-rule_input(filemode) = {
- "osquery": {
- "mode": filemode,
- "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml",
- "uid": "root",
- "filename": "kube-apiserver.yaml",
- "gid": "root"
- }
-}
\ No newline at end of file
diff --git a/compliance/rules/cis_1_1_13/rule.rego b/compliance/rules/cis_1_1_13/rule.rego
deleted file mode 100644
index 355997d3..00000000
--- a/compliance/rules/cis_1_1_13/rule.rego
+++ /dev/null
@@ -1,20 +0,0 @@
-package compliance.cis.rules.cis_1_1_13
-
-import data.compliance.lib.data_adapter
-import data.compliance.lib.common
-import data.compliance.cis_k8s
-
-# Ensure that the admin.conf file permissions are set to 644 or more restrictive
-finding = result {
- data_adapter.filename == "admin.conf"
- filemode := data_adapter.filemode
- rule_evaluation := common.file_permission_match(filemode, 6, 4, 4)
-
- # set result
- result := {
- "evaluation" : common.calculate_result(rule_evaluation),
- "evidence" : { "filemode" : filemode },
- "rule_name" : "Ensure that the admin.conf file permissions are set to 644 or more restrictive",
- "tags" : array.concat(cis_k8s.default_tags, ["CIS 1.1.13"])
- }
-}
\ No newline at end of file
diff --git a/compliance/rules/cis_1_1_13/test.rego b/compliance/rules/cis_1_1_13/test.rego
deleted file mode 100644
index 1e8c683b..00000000
--- a/compliance/rules/cis_1_1_13/test.rego
+++ /dev/null
@@ -1,21 +0,0 @@
-package compliance.cis.rules.cis_1_1_13
-
-import data.lib.test
-
-test_violation {
- test.rule_violation(finding) with input as rule_input("0700")
-}
-
-test_pass {
- test.rule_pass(finding) with input as rule_input("0644")
-}
-
-rule_input(filemode) = {
- "osquery": {
- "mode": filemode,
- "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml",
- "uid": "root",
- "filename": "admin.conf",
- "gid": "root"
- }
-}
\ No newline at end of file
diff --git a/compliance/rules/cis_1_1_15/rule.rego b/compliance/rules/cis_1_1_15/rule.rego
deleted file mode 100644
index a2afbcc3..00000000
--- a/compliance/rules/cis_1_1_15/rule.rego
+++ /dev/null
@@ -1,20 +0,0 @@
-package compliance.cis.rules.cis_1_1_15
-
-import data.compliance.lib.data_adapter
-import data.compliance.lib.common
-import data.compliance.cis_k8s
-
-# Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)
-finding = result {
- data_adapter.filename == "scheduler.conf"
- filemode := data_adapter.filemode
- rule_evaluation := common.file_permission_match(filemode, 6, 4, 4)
-
- # set result
- result := {
- "evaluation" : common.calculate_result(rule_evaluation),
- "evidence" : { "filemode" : filemode },
- "rule_name" : "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive",
- "tags" : array.concat(cis_k8s.default_tags, ["CIS 1.1.15"])
- }
-}
\ No newline at end of file
diff --git a/compliance/rules/cis_1_1_15/test.rego b/compliance/rules/cis_1_1_15/test.rego
deleted file mode 100644
index 73da57b9..00000000
--- a/compliance/rules/cis_1_1_15/test.rego
+++ /dev/null
@@ -1,21 +0,0 @@
-package compliance.cis.rules.cis_1_1_15
-
-import data.lib.test
-
-test_violation {
- test.rule_violation(finding) with input as rule_input("0700")
-}
-
-test_pass {
- test.rule_pass(finding) with input as rule_input("0644")
-}
-
-rule_input(filemode) = {
- "osquery": {
- "mode": filemode,
- "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml",
- "uid": "root",
- "filename": "scheduler.conf",
- "gid": "root"
- }
-}
\ No newline at end of file
diff --git a/compliance/rules/cis_1_1_17/rule.rego b/compliance/rules/cis_1_1_17/rule.rego
deleted file mode 100644
index bdd2014b..00000000
--- a/compliance/rules/cis_1_1_17/rule.rego
+++ /dev/null
@@ -1,20 +0,0 @@
-package compliance.cis.rules.cis_1_1_17
-
-import data.compliance.lib.data_adapter
-import data.compliance.lib.common
-import data.compliance.cis_k8s
-
-# Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)
-finding = result {
- data_adapter.filename == "controller-manager.conf"
- filemode := data_adapter.filemode
- rule_evaluation := common.file_permission_match(filemode, 6, 4, 4)
-
- # set result
- result := {
- "evaluation" : common.calculate_result(rule_evaluation),
- "evidence" : { "filemode" : filemode },
- "rule_name" : "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive",
- "tags" : array.concat(cis_k8s.default_tags, ["CIS 1.1.17"])
- }
-}
\ No newline at end of file
diff --git a/compliance/rules/cis_1_1_17/test.rego b/compliance/rules/cis_1_1_17/test.rego
deleted file mode 100644
index 0bc4fd15..00000000
--- a/compliance/rules/cis_1_1_17/test.rego
+++ /dev/null
@@ -1,21 +0,0 @@
-package compliance.cis.rules.cis_1_1_17
-
-import data.lib.test
-
-test_violation {
- test.rule_violation(finding) with input as rule_input("0700")
-}
-
-test_pass {
- test.rule_pass(finding) with input as rule_input("0644")
-}
-
-rule_input(filemode) = {
- "osquery": {
- "mode": filemode,
- "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml",
- "uid": "root",
- "filename": "controller-manager.conf",
- "gid": "root"
- }
-}
\ No newline at end of file
diff --git a/compliance/rules/cis_1_1_2/rule.rego b/compliance/rules/cis_1_1_2/rule.rego
deleted file mode 100644
index 692fe1d0..00000000
--- a/compliance/rules/cis_1_1_2/rule.rego
+++ /dev/null
@@ -1,22 +0,0 @@
-package compliance.cis.rules.cis_1_1_2
-
-import data.compliance.lib.data_adapter
-import data.compliance.lib.common
-import data.compliance.cis_k8s
-
-
-# Ensure that the API server pod specification file ownership is set to root:root
-finding = result {
- data_adapter.filename == "kube-apiserver.yaml"
- uid = data_adapter.owner_user_id
- gid = data_adapter.owner_group_id
- rule_evaluation := common.file_ownership_match(uid, gid, "root", "root")
-
- # set result
- result := {
- "evaluation" : common.calculate_result(rule_evaluation),
- "evidence" : {"uid" : uid, "gid" : gid},
- "rule_name" : "Ensure that the API server pod specification file ownership is set to root:root",
- "tags" : array.concat(cis_k8s.default_tags, ["CIS 1.1.2"])
- }
-}
\ No newline at end of file
diff --git a/compliance/rules/cis_1_1_2/test.rego b/compliance/rules/cis_1_1_2/test.rego
deleted file mode 100644
index 08cc835a..00000000
--- a/compliance/rules/cis_1_1_2/test.rego
+++ /dev/null
@@ -1,23 +0,0 @@
-package compliance.cis.rules.cis_1_1_2
-
-import data.lib.test
-
-test_violation {
- test.rule_violation(finding) with input as rule_input("root", "user")
- test.rule_violation(finding) with input as rule_input("user", "root")
- test.rule_violation(finding) with input as rule_input("user", "user")
-}
-
-test_pass {
- test.rule_pass(finding) with input as rule_input("root", "root")
-}
-
-rule_input(uid, gid) = {
- "osquery": {
- "mode": "0644",
- "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml",
- "uid": uid,
- "filename": "kube-apiserver.yaml",
- "gid": gid
- }
-}
\ No newline at end of file
diff --git a/compliance/rules/cis_1_1_3/rule.rego b/compliance/rules/cis_1_1_3/rule.rego
deleted file mode 100644
index bcd0ffba..00000000
--- a/compliance/rules/cis_1_1_3/rule.rego
+++ /dev/null
@@ -1,20 +0,0 @@
-package compliance.cis.rules.cis_1_1_3
-
-import data.compliance.lib.data_adapter
-import data.compliance.lib.common
-import data.compliance.cis_k8s
-
-# Ensure that the API server pod specification file permissions are set to 644 or more restrictive
-finding = result {
- data_adapter.filename == "kube-controller-manager.yaml"
- filemode := data_adapter.filemode
- rule_evaluation := common.file_permission_match(filemode, 6, 4, 4)
-
- # set result
- result := {
- "evaluation" : common.calculate_result(rule_evaluation),
- "evidence" : { "filemode" : filemode },
- "rule_name" : "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive",
- "tags" : array.concat(cis_k8s.default_tags, ["CIS 1.1.3"])
- }
-}
\ No newline at end of file
diff --git a/compliance/rules/cis_1_1_3/test.rego b/compliance/rules/cis_1_1_3/test.rego
deleted file mode 100644
index bbb1e769..00000000
--- a/compliance/rules/cis_1_1_3/test.rego
+++ /dev/null
@@ -1,21 +0,0 @@
-package compliance.cis.rules.cis_1_1_3
-
-import data.lib.test
-
-test_violation {
- test.rule_violation(finding) with input as rule_input("0700")
-}
-
-test_pass {
- test.rule_pass(finding) with input as rule_input("0644")
-}
-
-rule_input(filemode) = {
- "osquery": {
- "mode": filemode,
- "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml",
- "uid": "root",
- "filename": "kube-controller-manager.yaml",
- "gid": "root"
- }
-}
\ No newline at end of file
diff --git a/compliance/rules/cis_1_1_5/rule.rego b/compliance/rules/cis_1_1_5/rule.rego
deleted file mode 100644
index 9375e436..00000000
--- a/compliance/rules/cis_1_1_5/rule.rego
+++ /dev/null
@@ -1,20 +0,0 @@
-package compliance.cis.rules.cis_1_1_5
-
-import data.compliance.lib.data_adapter
-import data.compliance.lib.common
-import data.compliance.cis_k8s
-
-# Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)
-finding = result {
- data_adapter.filename == "kube-scheduler.yaml"
- filemode := data_adapter.filemode
- rule_evaluation := common.file_permission_match(filemode, 6, 4, 4)
-
- # set result
- result := {
- "evaluation" : common.calculate_result(rule_evaluation),
- "evidence" : { "filemode" : filemode },
- "rule_name" : "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive",
- "tags" : array.concat(cis_k8s.default_tags, ["CIS 1.1.5"])
- }
-}
\ No newline at end of file
diff --git a/compliance/rules/cis_1_1_5/test.rego b/compliance/rules/cis_1_1_5/test.rego
deleted file mode 100644
index cbd73058..00000000
--- a/compliance/rules/cis_1_1_5/test.rego
+++ /dev/null
@@ -1,21 +0,0 @@
-package compliance.cis.rules.cis_1_1_5
-
-import data.lib.test
-
-test_violation {
- test.rule_violation(finding) with input as rule_input("0700")
-}
-
-test_pass {
- test.rule_pass(finding) with input as rule_input("0644")
-}
-
-rule_input(filemode) = {
- "osquery": {
- "mode": filemode,
- "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml",
- "uid": "root",
- "filename": "kube-scheduler.yaml",
- "gid": "root"
- }
-}
\ No newline at end of file
diff --git a/compliance/rules/cis_1_1_7/rule.rego b/compliance/rules/cis_1_1_7/rule.rego
deleted file mode 100644
index 2b5cd00e..00000000
--- a/compliance/rules/cis_1_1_7/rule.rego
+++ /dev/null
@@ -1,20 +0,0 @@
-package compliance.cis.rules.cis_1_1_7
-
-import data.compliance.lib.data_adapter
-import data.compliance.lib.common
-import data.compliance.cis_k8s
-
-# Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)
-finding = result {
- data_adapter.filename == "etcd.yaml"
- filemode := data_adapter.filemode
- rule_evaluation := common.file_permission_match(filemode, 6, 4, 4)
-
- # set result
- result := {
- "evaluation" : common.calculate_result(rule_evaluation),
- "evidence" : { "filemode" : filemode },
- "rule_name" : "# Ensure that the etcd pod specification file permissions are set to 644 or more restrictive",
- "tags" : array.concat(cis_k8s.default_tags, ["CIS 1.1.7"])
- }
-}
\ No newline at end of file
diff --git a/compliance/rules/cis_1_1_7/test.rego b/compliance/rules/cis_1_1_7/test.rego
deleted file mode 100644
index fdad0d78..00000000
--- a/compliance/rules/cis_1_1_7/test.rego
+++ /dev/null
@@ -1,21 +0,0 @@
-package compliance.cis.rules.cis_1_1_7
-
-import data.lib.test
-
-test_violation {
- test.rule_violation(finding) with input as rule_input("0700")
-}
-
-test_pass {
- test.rule_pass(finding) with input as rule_input("0644")
-}
-
-rule_input(filemode) = {
- "osquery": {
- "mode": filemode,
- "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml",
- "uid": "root",
- "filename": "etcd.yaml",
- "gid": "root"
- }
-}
\ No newline at end of file
From 40f3602dd5f58c3dbe4ed836028cce5c30709923 Mon Sep 17 00:00:00 2001
From: orenzohar
Date: Mon, 15 Nov 2021 15:43:09 +0200
Subject: [PATCH 3/4] Readme Split common test function from k8s test data function file
---
 compliance/cis_k8s/rules/cis_1_1_1/test.rego | 5 +++--
 compliance/cis_k8s/rules/cis_1_1_13/test.rego | 5 +++--
 compliance/cis_k8s/rules/cis_1_1_15/test.rego | 5 +++--
 compliance/cis_k8s/rules/cis_1_1_17/test.rego | 5 +++--
 compliance/cis_k8s/rules/cis_1_1_2/test.rego | 5 +++--
 compliance/cis_k8s/rules/cis_1_1_3/test.rego | 5 +++--
 compliance/cis_k8s/rules/cis_1_1_5/test.rego | 5 +++--
 compliance/cis_k8s/rules/cis_1_1_7/test.rego | 5 +++--
 compliance/cis_k8s/test.rego | 18 ------------------
 compliance/cis_k8s/test_data.rego | 11 +++++++++++
 compliance/lib/test.rego | 9 +++++++++
 11 files changed, 44 insertions(+), 34 deletions(-)
 delete mode 100644 compliance/cis_k8s/test.rego
 create mode 100644 compliance/cis_k8s/test_data.rego
 create mode 100644 compliance/lib/test.rego
diff --git a/compliance/cis_k8s/rules/cis_1_1_1/test.rego b/compliance/cis_k8s/rules/cis_1_1_1/test.rego
index 82d0c0ed..6d301df8 100644
--- a/compliance/cis_k8s/rules/cis_1_1_1/test.rego
+++ b/compliance/cis_k8s/rules/cis_1_1_1/test.rego
@@ -1,6 +1,7 @@
 package compliance.cis_k8s.rules.cis_1_1_1
-import data.cis_k8s.test
+import data.cis_k8s.test_data
+import data.lib.test
 test_violation {
 test.rule_violation(finding) with input as rule_input("0700")
@@ -14,5 +15,5 @@ rule_input(filemode) = filesystem_input {
 filename := "kube-apiserver.yaml"
 uid := "root"
 gid := "root"
- filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid)
+ filesystem_input = test_data.filesystem_input(filename, filemode, uid, gid)
 }
diff --git a/compliance/cis_k8s/rules/cis_1_1_13/test.rego b/compliance/cis_k8s/rules/cis_1_1_13/test.rego
index 7359a307..6bdb4556 100644
--- a/compliance/cis_k8s/rules/cis_1_1_13/test.rego
+++ b/compliance/cis_k8s/rules/cis_1_1_13/test.rego
@@ -1,6 +1,7 @@
 package compliance.cis_k8s.rules.cis_1_1_13
-import data.cis_k8s.test
+import data.cis_k8s.test_data
+import data.lib.test
 test_violation {
 test.rule_violation(finding) with input as rule_input("0700")
@@ -14,5 +15,5 @@ rule_input(filemode) = filesystem_input {
 filename := "admin.conf"
 uid := "root"
 gid := "root"
- filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid)
+ filesystem_input = test_data.filesystem_input(filename, filemode, uid, gid)
 }
diff --git a/compliance/cis_k8s/rules/cis_1_1_15/test.rego b/compliance/cis_k8s/rules/cis_1_1_15/test.rego
index 827e1348..a6192229 100644
--- a/compliance/cis_k8s/rules/cis_1_1_15/test.rego
+++ b/compliance/cis_k8s/rules/cis_1_1_15/test.rego
@@ -1,6 +1,7 @@
 package compliance.cis_k8s.rules.cis_1_1_15
-import data.cis_k8s.test
+import data.cis_k8s.test_data
+import data.lib.test
 test_violation {
 test.rule_violation(finding) with input as rule_input("0700")
@@ -14,5 +15,5 @@ rule_input(filemode) = filesystem_input {
 filename := "scheduler.conf"
 uid := "root"
 gid := "root"
- filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid)
+ filesystem_input = test_data.filesystem_input(filename, filemode, uid, gid)
 }
diff --git a/compliance/cis_k8s/rules/cis_1_1_17/test.rego b/compliance/cis_k8s/rules/cis_1_1_17/test.rego
index 7231c373..3d2c582e 100644
--- a/compliance/cis_k8s/rules/cis_1_1_17/test.rego
+++ b/compliance/cis_k8s/rules/cis_1_1_17/test.rego
@@ -1,6 +1,7 @@
 package compliance.cis_k8s.rules.cis_1_1_17
-import data.cis_k8s.test
+import data.cis_k8s.test_data
+import data.lib.test
 test_violation {
 test.rule_violation(finding) with input as rule_input("0700")
@@ -14,5 +15,5 @@ rule_input(filemode) = filesystem_input {
 filename := "controller-manager.conf"
 uid := "root"
 gid := "root"
- filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid)
+ filesystem_input = test_data.filesystem_input(filename, filemode, uid, gid)
 }
diff --git a/compliance/cis_k8s/rules/cis_1_1_2/test.rego b/compliance/cis_k8s/rules/cis_1_1_2/test.rego
index 0bea15a9..d2d5704f 100644
--- a/compliance/cis_k8s/rules/cis_1_1_2/test.rego
+++ b/compliance/cis_k8s/rules/cis_1_1_2/test.rego
@@ -1,6 +1,7 @@
 package compliance.cis_k8s.rules.cis_1_1_2
-import data.cis_k8s.test
+import data.cis_k8s.test_data
+import data.lib.test
 test_violation {
 test.rule_violation(finding) with input as rule_input("root", "user")
@@ -15,5 +16,5 @@ test_pass {
 rule_input(uid, gid) = filesystem_input {
 filename := "kube-apiserver.yaml"
 filemode := "0644"
- filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid)
+ filesystem_input = test_data.filesystem_input(filename, filemode, uid, gid)
 }
diff --git a/compliance/cis_k8s/rules/cis_1_1_3/test.rego b/compliance/cis_k8s/rules/cis_1_1_3/test.rego
index 806d8f44..cb7ba667 100644
--- a/compliance/cis_k8s/rules/cis_1_1_3/test.rego
+++ b/compliance/cis_k8s/rules/cis_1_1_3/test.rego
@@ -1,6 +1,7 @@
 package compliance.cis_k8s.rules.cis_1_1_3
-import data.cis_k8s.test
+import data.cis_k8s.test_data
+import data.lib.test
 test_violation {
 test.rule_violation(finding) with input as rule_input("0700")
@@ -14,5 +15,5 @@ rule_input(filemode) = filesystem_input {
 filename := "kube-controller-manager.yaml"
 uid := "root"
 gid := "root"
- filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid)
+ filesystem_input = test_data.filesystem_input(filename, filemode, uid, gid)
 }
diff --git a/compliance/cis_k8s/rules/cis_1_1_5/test.rego b/compliance/cis_k8s/rules/cis_1_1_5/test.rego
index b61ede1c..57d6c5f6 100644
--- a/compliance/cis_k8s/rules/cis_1_1_5/test.rego
+++ b/compliance/cis_k8s/rules/cis_1_1_5/test.rego
@@ -1,6 +1,7 @@
 package compliance.cis_k8s.rules.cis_1_1_5
-import data.cis_k8s.test
+import data.cis_k8s.test_data
+import data.lib.test
 test_violation {
 test.rule_violation(finding) with input as rule_input("0700")
@@ -14,5 +15,5 @@ rule_input(filemode) = filesystem_input {
 filename := "kube-scheduler.yaml"
 uid := "root"
 gid := "root"
- filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid)
+ filesystem_input = test_data.filesystem_input(filename, filemode, uid, gid)
 }
diff --git a/compliance/cis_k8s/rules/cis_1_1_7/test.rego b/compliance/cis_k8s/rules/cis_1_1_7/test.rego
index aedcd48a..bbc904e4 100644
--- a/compliance/cis_k8s/rules/cis_1_1_7/test.rego
+++ b/compliance/cis_k8s/rules/cis_1_1_7/test.rego
@@ -1,6 +1,7 @@
 package compliance.cis_k8s.rules.cis_1_1_7
-import data.cis_k8s.test
+import data.cis_k8s.test_data
+import data.lib.test
 test_violation {
 test.rule_violation(finding) with input as rule_input("0700")
@@ -14,5 +15,5 @@ rule_input(filemode) = filesystem_input {
 filename := "etcd.yaml"
 uid := "root"
 gid := "root"
- filesystem_input = test.generate_filesystem_input(filename, filemode, uid, gid)
+ filesystem_input = test_data.filesystem_input(filename, filemode, uid, gid)
 }
diff --git a/compliance/cis_k8s/test.rego b/compliance/cis_k8s/test.rego
deleted file mode 100644
index 00cfbee7..00000000
--- a/compliance/cis_k8s/test.rego
+++ /dev/null
@@ -1,18 +0,0 @@
-package cis_k8s.test
-
-rule_pass(finding) {
- finding.evaluation == "passed"
-}
-
-rule_violation(finding) {
- finding.evaluation == "violation"
-}
-
-generate_filesystem_input(filename, mode, uid, gid) = {
- "type": "filesystem",
- "path": "file/path",
- "filename": filename,
- "mode": mode,
- "uid": uid,
- "gid": gid,
-}
diff --git a/compliance/cis_k8s/test_data.rego b/compliance/cis_k8s/test_data.rego
new file mode 100644
index 00000000..10557206
--- /dev/null
+++ b/compliance/cis_k8s/test_data.rego
@@ -0,0 +1,11 @@
+package cis_k8s.test_data
+
+# test data generater
+filesystem_input(filename, mode, uid, gid) = {
+ "type": "filesystem",
+ "path": "file/path",
+ "filename": filename,
+ "mode": mode,
+ "uid": uid,
+ "gid": gid,
+}
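Review bot: `package cis_k8s.test_data` places the fixture helper outside the `compliance.` namespace that data_adapter, common and every rule package live under, and the re-added lib/test.rego in the next hunk does the same with `package lib.test`; a bundle with two top-level data roots is easy to mis-scope in an OPA policy bundle or a `--data` load. Using `package compliance.cis_k8s.test_data` and `package compliance.lib.test`, with the rule tests importing `data.compliance.cis_k8s.test_data` and `data.compliance.lib.test`, would keep one root; the eight test.rego files earlier in this patch already reference the short names, so the rename touches all of them. Separately, the comment `# test data generater` has a typo and says nothing about the record's shape; `# Builds a "filesystem" input record in the shape data_adapter reads; path is a fixed placeholder because no rule inspects it.` would be clearer.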
diff --git a/compliance/lib/test.rego b/compliance/lib/test.rego
new file mode 100644
index 00000000..b90c7916
--- /dev/null
+++ b/compliance/lib/test.rego
@@ -0,0 +1,9 @@
+package lib.test
+
+rule_pass(finding) {
+ finding.evaluation == "passed"
+}
+
+rule_violation(finding) {
+ finding.evaluation == "violation"
+}
From 453782a287ec1f8d177179e536ea02568b2abed6 Mon Sep 17 00:00:00 2001
From: orenzohar
Date: Mon, 15 Nov 2021 15:43:57 +0200
Subject: [PATCH 4/4] Readme
---
 README.md | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 70026d9f..49c1ef42 100644
--- a/README.md
+++ b/README.md
@@ -5,12 +5,13 @@
 │ │ ├── common.rego # Common functions
 │ │ ├── data_adapter.rego # Input data adapter
 │ │ └── test.rego # Common Test functions
- │ ├── rules/cis
- │ │ ├── cis_1_1_1 # rule package
+ │ ├── cis_k8s/rules
+ │ | ├── cis_k8s.rego # Handles all Kubernetes CIS rules evalutations
+ │ | ├── test_data.rego # CIS Test data functions
+ │ │ ├── cis_1_1_1 # CIS 1.1.1 rule package
 │ │ │ ├── rule.rego
 │ │ │ └── test.rego
 │ │ └── ...
- │ └── cis_k8s.rego # Handles all Kubernetes CIS rules evalutations
 └── main.rego # Evaluate all policies and returns the findings
 ## Local Evaluation
@@ -30,7 +31,7 @@ should contain an beat/agent output, e.g. OSQuery
 ```json
 {
- "type": "file",
+ "type": "filesystem",
 "mode": "0700",
 "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml",
 "uid": "etc",