Merge pull request #402 from lucas-giaco/master

accurics.gcp.IAM.104 Fire rule when client certificate is enabled
tenable · Nov 24, 2020 · 9b32df3 · 9b32df3
2 parents 55a6c2c + f4c70ae
commit 9b32df3
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 4 deletions.
diff --git a/docs/policies/gcp.md b/docs/policies/gcp.md
@@ -74,7 +74,7 @@
 | Network Security | gcp | HIGH | Ensure Master Authentication is set to enabled on Kubernetes Engine Clusters. | accurics.gcp.NS.112 |
 | Operational Efficiency | gcp | HIGH | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | accurics.gcp.OPS.115 |
 | Network Security | gcp | HIGH | Ensure GKE Control Plane is not public. | accurics.gcp.NS.109 |
-| Identity & Access Management | gcp | HIGH | Ensure Kubernetes Cluster is created with Client Certificate enabled. | accurics.gcp.IAM.104 |
+| Identity & Access Management | gcp | HIGH | Ensure Kubernetes Cluster is created with Client Certificate disabled. | accurics.gcp.IAM.104 |
 | Operational Efficiency | gcp | HIGH | Ensure Kubernetes Clusters are configured with Labels. | accurics.gcp.OPS.113 |
 | Identity & Access Management | gcp | HIGH | Ensure Legacy Authorization is set to disabled on Kubernetes Engine Clusters. | accurics.gcp.IAM.142 |
 | Logging | gcp | HIGH | Ensure Stackdriver Logging is enabled on Kubernetes Engine Clusters. | accurics.gcp.LOG.100 |

diff --git a/pkg/policies/opa/rego/gcp/google_container_cluster/accurics.gcp.IAM.104.json b/pkg/policies/opa/rego/gcp/google_container_cluster/accurics.gcp.IAM.104.json
@@ -3,8 +3,8 @@
     "file": "clientCertificateEnabled.rego",
     "template_args": null,
     "severity": "HIGH",
-    "description": "Ensure Kubernetes Cluster is created with Client Certificate enabled.",
+    "description": "Ensure Kubernetes Cluster is created with Client Certificate disabled.",
     "reference_id": "accurics.gcp.IAM.104",
     "category": "Identity \u0026 Access Management",
     "version": 1
-}
+}
diff --git a/pkg/policies/opa/rego/gcp/google_container_cluster/clientCertificateEnabled.rego b/pkg/policies/opa/rego/gcp/google_container_cluster/clientCertificateEnabled.rego
@@ -3,5 +3,5 @@ package accurics
 clientCertificateEnabled[container_cluster.id] {
   container_cluster := input.google_container_cluster[_]
   master := container_cluster.config.master_auth[_]
-  master.client_certificate_config[_].issue_client_certificate == false
+  master.client_certificate_config[_].issue_client_certificate == true
 }