[new rule] Master Node Configuration File permissions rules (#2)

Master Node Configuration File permissions rules

compliance/cis_k8s.rego

@@ -5,7 +5,7 @@ import data.compliance.cis.rules
 default_tags := ["CIS", "CIS v1.6.0", "Kubernetes"]
 
 findings[finding] {
-	some rule_id
-	data.activated_rules.cis_k8s[rule_id]
-	finding = rules[rule_id].finding
+    some rule_id
+    data.activated_rules.cis_k8s[rule_id]
+    finding = rules[rule_id].finding
 }

compliance/lib/common.rego

@@ -2,22 +2,16 @@ package compliance.lib.common
 
 # set the rule result
 calculate_result(evaluation) = "passed" {
-	evaluation
-} else = "violation" {
-	true
-}
+    evaluation
+} else = "violation"
 
 file_ownership_match(uid, gid, requierd_uid, requierd_gid) {
-	uid == requierd_uid
-	gid == requierd_gid
-} else = false {
-	true
-}
+    uid == requierd_uid
+    gid == requierd_gid
+} else = false
 
 # todo: compare performance of regex alternatives
 file_permission_match(filemode, user, group, other) {
-	pattern = sprintf("0?[0-%d][0-%d][0-%d]", [user, group, other])
-	regex.match(pattern, filemode)
-} else = false {
-	true
-}
+    pattern = sprintf("0?[0-%d][0-%d][0-%d]", [user, group, other])
+    regex.match(pattern, filemode)
+} else = false

compliance/lib/data_adapter.rego

@@ -1,30 +1,30 @@
 package compliance.lib.data_adapter
 
 is_osquery {
-	input.osquery
+    input.osquery
 }
 
 is_file {
-	is_osquery
-	input.osquery.filename
+    is_osquery
+    input.osquery.filename
 }
 
 filename = file_name {
-	is_file
-	file_name = input.osquery.filename
+    is_file
+    file_name = input.osquery.filename
 }
 
 filemode = file_mode {
-	is_file
-	file_mode = input.osquery.mode
+    is_file
+    file_mode = input.osquery.mode
 }
 
 owner_user_id = uid {
-	is_file
-	uid = input.osquery.uid
+    is_file
+    uid = input.osquery.uid
 }
 
 owner_group_id = gid {
-	is_file
-	gid = input.osquery.gid
+    is_file
+    gid = input.osquery.gid
 }

compliance/lib/test.rego

@@ -1,9 +1,9 @@
 package lib.test
 
 rule_pass(finding) {
-	finding.evaluation == "passed"
+    finding.evaluation == "passed"
 }
 
 rule_violation(finding) {
-	finding.evaluation == "violation"
+   finding.evaluation == "violation"
 }

compliance/rules/cis_1_1_1/rule.rego

@@ -1,20 +1,20 @@
 package compliance.cis.rules.cis_1_1_1
 
-import data.compliance.cis_k8s
-import data.compliance.lib.common
 import data.compliance.lib.data_adapter
+import data.compliance.lib.common
+import data.compliance.cis_k8s
 
 # Ensure that the API server pod specification file permissions are set to 644 or more restrictive
 finding = result {
-	data_adapter.filename == "kube-apiserver.yaml"
-	filemode := data_adapter.filemode
-	rule_evaluation := common.file_permission_match(filemode, 6, 4, 4)
+    data_adapter.filename == "kube-apiserver.yaml"
+    filemode := data_adapter.filemode
+    rule_evaluation := common.file_permission_match(filemode, 6, 4, 4)
 
-	# set result
-	result := {
-		"evaluation": common.calculate_result(rule_evaluation),
-		"evidence": {"filemode": filemode},
-		"rule_name": "Ensure that the API server pod specification file permissions are set to 644 or more restrictive",
-		"tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.1"]),
-	}
-}
+    # set result
+    result := {
+        "evaluation" : common.calculate_result(rule_evaluation),
+        "evidence" : { "filemode" : filemode },
+        "rule_name" : "Ensure that the API server pod specification file permissions are set to 644 or more restrictive",
+        "tags" : array.concat(cis_k8s.default_tags, ["CIS 1.1.1"])
+    }
+}

compliance/rules/cis_1_1_1/test.rego

@@ -3,17 +3,19 @@ package compliance.cis.rules.cis_1_1_1
 import data.lib.test
 
 test_violation {
-	test.rule_violation(finding) with input as rule_input("0700")
+    test.rule_violation(finding) with input as rule_input("0700")
 }
 
 test_pass {
-	test.rule_pass(finding) with input as rule_input("0644")
+    test.rule_pass(finding) with input as rule_input("0644")
 }
 
-rule_input(filemode) = {"osquery": {
-	"mode": filemode,
-	"path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml",
-	"uid": "root",
-	"filename": "kube-apiserver.yaml",
-	"gid": "root",
-}}
+rule_input(filemode) = {
+  "osquery": {
+    "mode": filemode,
+    "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml",
+    "uid": "root",
+    "filename": "kube-apiserver.yaml",
+    "gid": "root"
+  }
+}

compliance/rules/cis_1_1_13/rule.rego

@@ -0,0 +1,20 @@
+package compliance.cis.rules.cis_1_1_13
+
+import data.compliance.lib.data_adapter
+import data.compliance.lib.common
+import data.compliance.cis_k8s
+
+# Ensure that the admin.conf file permissions are set to 644 or more restrictive
+finding = result {
+    data_adapter.filename == "admin.conf"
+    filemode := data_adapter.filemode
+    rule_evaluation := common.file_permission_match(filemode, 6, 4, 4)
+
+    # set result
+    result := {
+        "evaluation" : common.calculate_result(rule_evaluation),
+        "evidence" : { "filemode" : filemode },
+        "rule_name" : "Ensure that the admin.conf file permissions are set to 644 or more restrictive",
+        "tags" : array.concat(cis_k8s.default_tags, ["CIS 1.1.13"])
+    }
+}

compliance/rules/cis_1_1_13/test.rego

@@ -0,0 +1,21 @@
+package compliance.cis.rules.cis_1_1_13
+
+import data.lib.test
+
+test_violation {
+    test.rule_violation(finding) with input as rule_input("0700")
+}
+
+test_pass {
+    test.rule_pass(finding) with input as rule_input("0644")
+}
+
+rule_input(filemode) = {
+  "osquery": {
+    "mode": filemode,
+    "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml",
+    "uid": "root",
+    "filename": "admin.conf",
+    "gid": "root"
+  }
+}

compliance/rules/cis_1_1_15/rule.rego

@@ -0,0 +1,20 @@
+package compliance.cis.rules.cis_1_1_15
+
+import data.compliance.lib.data_adapter
+import data.compliance.lib.common
+import data.compliance.cis_k8s
+
+# Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)
+finding = result {
+    data_adapter.filename == "scheduler.conf"
+    filemode := data_adapter.filemode
+    rule_evaluation := common.file_permission_match(filemode, 6, 4, 4)
+
+    # set result
+    result := {
+        "evaluation" : common.calculate_result(rule_evaluation),
+        "evidence" : { "filemode" : filemode },
+        "rule_name" : "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive",
+        "tags" : array.concat(cis_k8s.default_tags, ["CIS 1.1.15"])
+    }
+}

compliance/rules/cis_1_1_15/test.rego

@@ -0,0 +1,21 @@
+package compliance.cis.rules.cis_1_1_15
+
+import data.lib.test
+
+test_violation {
+    test.rule_violation(finding) with input as rule_input("0700")
+}
+
+test_pass {
+    test.rule_pass(finding) with input as rule_input("0644")
+}
+
+rule_input(filemode) = {
+  "osquery": {
+    "mode": filemode,
+    "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml",
+    "uid": "root",
+    "filename": "scheduler.conf",
+    "gid": "root"
+  }
+}

compliance/rules/cis_1_1_17/rule.rego

@@ -0,0 +1,20 @@
+package compliance.cis.rules.cis_1_1_17
+
+import data.compliance.lib.data_adapter
+import data.compliance.lib.common
+import data.compliance.cis_k8s
+
+# Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)
+finding = result {
+    data_adapter.filename == "controller-manager.conf"
+    filemode := data_adapter.filemode
+    rule_evaluation := common.file_permission_match(filemode, 6, 4, 4)
+
+    # set result
+    result := {
+        "evaluation" : common.calculate_result(rule_evaluation),
+        "evidence" : { "filemode" : filemode },
+        "rule_name" : "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive",
+        "tags" : array.concat(cis_k8s.default_tags, ["CIS 1.1.17"])
+    }
+}

compliance/rules/cis_1_1_17/test.rego

@@ -0,0 +1,21 @@
+package compliance.cis.rules.cis_1_1_17
+
+import data.lib.test
+
+test_violation {
+    test.rule_violation(finding) with input as rule_input("0700")
+}
+
+test_pass {
+    test.rule_pass(finding) with input as rule_input("0644")
+}
+
+rule_input(filemode) = {
+  "osquery": {
+    "mode": filemode,
+    "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml",
+    "uid": "root",
+    "filename": "controller-manager.conf",
+    "gid": "root"
+  }
+}

compliance/rules/cis_1_1_2/rule.rego

@@ -1,21 +1,22 @@
 package compliance.cis.rules.cis_1_1_2
 
-import data.compliance.cis_k8s
-import data.compliance.lib.common
 import data.compliance.lib.data_adapter
+import data.compliance.lib.common
+import data.compliance.cis_k8s
+
 
 # Ensure that the API server pod specification file ownership is set to root:root
 finding = result {
-	data_adapter.filename == "kube-apiserver.yaml"
-	uid = data_adapter.owner_user_id
-	gid = data_adapter.owner_group_id
-	rule_evaluation := common.file_ownership_match(uid, gid, "root", "root")
+    data_adapter.filename == "kube-apiserver.yaml"
+    uid = data_adapter.owner_user_id
+    gid = data_adapter.owner_group_id
+    rule_evaluation := common.file_ownership_match(uid, gid, "root", "root")
 
-	# set result
-	result := {
-		"evaluation": common.calculate_result(rule_evaluation),
-		"evidence": {"uid": uid, "gid": gid},
-		"rule_name": "Ensure that the API server pod specification file ownership is set to root:root",
-		"tags": array.concat(cis_k8s.default_tags, ["CIS 1.1.2"]),
-	}
-}
+    # set result
+    result := {
+        "evaluation" : common.calculate_result(rule_evaluation),
+        "evidence" : {"uid" : uid, "gid" : gid},
+        "rule_name" : "Ensure that the API server pod specification file ownership is set to root:root",
+        "tags" : array.concat(cis_k8s.default_tags, ["CIS 1.1.2"])
+    }
+}

compliance/rules/cis_1_1_2/test.rego

@@ -3,19 +3,21 @@ package compliance.cis.rules.cis_1_1_2
 import data.lib.test
 
 test_violation {
-	test.rule_violation(finding) with input as rule_input("root", "user")
-	test.rule_violation(finding) with input as rule_input("user", "root")
-	test.rule_violation(finding) with input as rule_input("user", "user")
+    test.rule_violation(finding) with input as rule_input("root", "user")
+    test.rule_violation(finding) with input as rule_input("user", "root")
+    test.rule_violation(finding) with input as rule_input("user", "user")
 }
 
 test_pass {
-	test.rule_pass(finding) with input as rule_input("root", "root")
+    test.rule_pass(finding) with input as rule_input("root", "root")
 }
 
-rule_input(uid, gid) = {"osquery": {
-	"mode": "0644",
-	"path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml",
-	"uid": uid,
-	"filename": "kube-apiserver.yaml",
-	"gid": gid,
-}}
+rule_input(uid, gid) = {
+  "osquery": {
+    "mode": "0644",
+    "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml",
+    "uid": uid,
+    "filename": "kube-apiserver.yaml",
+    "gid": gid
+  }
+}

compliance/rules/cis_1_1_3/rule.rego

@@ -0,0 +1,20 @@
+package compliance.cis.rules.cis_1_1_3
+
+import data.compliance.lib.data_adapter
+import data.compliance.lib.common
+import data.compliance.cis_k8s
+
+# Ensure that the API server pod specification file permissions are set to 644 or more restrictive
+finding = result {
+    data_adapter.filename == "kube-controller-manager.yaml"
+    filemode := data_adapter.filemode
+    rule_evaluation := common.file_permission_match(filemode, 6, 4, 4)
+
+    # set result
+    result := {
+        "evaluation" : common.calculate_result(rule_evaluation),
+        "evidence" : { "filemode" : filemode },
+        "rule_name" : "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive",
+        "tags" : array.concat(cis_k8s.default_tags, ["CIS 1.1.3"])
+    }
+}