Skip to content

uri-weisman/csp-security-policies

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

157 Commits
.github
.github
 
 
bundle
bundle
 
 
server
server
 
 
.gitignore
.gitignore
 
 
.pre-commit-config.yaml
.pre-commit-config.yaml
 
 
LICENSE.txt
LICENSE.txt
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

Coverage Badge

Cloud Security Posture - Rego policies

.
├── README.md
├── bundle
│   ├── builder.go                            # Bundle building code
│   ├── compliance                            # Compliance policies
│   │   ├── cis_eks
│   │   │   ├── cis_eks.rego                  # Handles all EKS CIS rules evalutations
│   │   │   ├── data_adapter.rego
│   │   │   ├── rules
│   │   │   │   ├── cis_2_1_1                 # CIS EKS 2.1.1 rule package
│   │   │   │   │   ├── data.yaml             # Rule's metadata
│   │   │   │   │   ├── rule.rego             # Rule's rego
│   │   │   │   │   └── test.rego             # Rule's test
|   |   |   |   ├── ...
│   │   │   └── test_data.rego                # CIS EKS Test data generators
│   │   ├── cis_k8s
│   │   │   ├── cis_k8s.rego                  # Handles all Kubernetes CIS rules evalutations
│   │   │   ├── data_adapter.rego
│   │   │   ├── rules
│   │   │   │   ├── cis_1_1_1
│   │   │   │   │   ├── data.yaml
│   │   │   │   │   ├── rule.rego
│   │   │   │   │   └── test.rego
|   |   |   |   ├── ...
│   │   │   └── schemas                       # Benchmark's schemas
│   │   │   └── input_schema.json
│   │   ├── kubernetes_common
│   │   │   └── test_data.rego
│   │   ├── lib
│   │   │   ├── assert.rego
│   │   │   ├── common                        # Common functions and tests
│   │   │   │   ├── common.rego
│   │   │   │   └── test.rego
│   │   │   ├── data_adapter                  # Input data adapter and tests
│   │   │   │   ├── data_adapter.rego
│   │   │   │   └── test.rego
│   │   │   ├── output_validations            # Output validations for tests
│   │   │   │   ├── output_validations.rego
│   │   │   │   └── test.rego
│   │   │   └── test.rego
│   │   └── main.rego                         # Evaluates all policies and returns the findings
│   ├── embed.go                              # Embed of benchmarks
│   ├── server.go                             # Hosting and creation of bundle server functions
│   └── server_test.go
├── main.go
└── server
└── host.go                                   # Hosting and creation of bundle server for benchmarks

Local Evaluation

Add the following configuration files into the root folder

data.yaml

should contain the list of rules you want to evaluate (also supports json)

activated_rules:
  cis_k8s:
    - cis_1_1_1
    - cis_1_1_2
  cis_eks:
    - cis_3_1_1
    - cis_3_1_2
input.json

should contain an beat/agent output, e.g. filesystem data

{
  "type": "file",
  "resource": {
    "mode": "0700",
    "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml",
    "owner": "etc",
    "group": "root",
    "name": "kube-apiserver.yaml",
    "gid": 20,
    "uid": 501
  }
}

Evaluate entire policy into output.json

opa eval data.main --format pretty -i input.json -b ./bundle > output.json

Evaluate findings only

opa eval data.main.findings --format pretty -i input.json -b ./bundle > output.json
Example output 
{
  "findings": [
    {
      "result": {
        "evaluation": "failed",
        "expected": {
          "filemode": "0644"
        },
        "evidence": {
          "filemode": "0700"
        }
      },
      "rule": {
        "id": "59b5a77b-b090-5630-9a33-73eb805b2d52",
        "name": "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)",
        "profile_applicability": "* Level 1 - Master Node\n",
        "description": "Ensure that the API server pod specification file has permissions of `644` or more restrictive.\n",
        "rationale": "The API server pod specification file controls various parameters that set the behavior of the API server. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n",
        "audit": "Run the below command (based on the file location on your system) on the\nmaster node.\nFor example,\n```\nstat -c %a /etc/kubernetes/manifests/kube-apiserver.yaml\n```\nVerify that the permissions are `644` or more restrictive.\n",
        "remediation": "Run the below command (based on the file location on your system) on the\nmaster node.\nFor example,\n```\nchmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml\n```\n",
        "impact": "None\n",
        "default_value": "By default, the `kube-apiserver.yaml` file has permissions of `640`.\n",
        "references": "1. [https://kubernetes.io/docs/admin/kube-apiserver/](https://kubernetes.io/docs/admin/kube-apiserver/)\n",
        "section": "Master Node Configuration Files",
        "version": 1,
        "tags": [
          "CIS",
          "Kubernetes",
          "CIS 1.1.1",
          "Master Node Configuration Files"
        ],
        "benchmark": {
          "name": "CIS Kubernetes V1.20",
          "version": "v1.0.0"
        }
      }
    },
    {
      "result": {
        "evaluation": "passed",
        "expected": {
          "group": "root",
          "owner": "root"
        },
        "evidence": {
          "group": "root",
          "owner": "root"
        }
      },
      "rule": {
        "id": "9f318d4d-2451-574a-99dc-838ed213f09b",
        "name": "Ensure that the API server pod specification file ownership is set toroot:root (Automated)",
        "profile_applicability": "* Level 1 - Master Node\n",
        "description": "Ensure that the API server pod specification file ownership is set to `root:root`.\n",
        "rationale": "The API server pod specification file controls various parameters that set the behavior of the API server. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n",
        "audit": "Run the below command (based on the file location on your system) on the\nmaster node.\nFor example,\n```\nstat -c %U:%G /etc/kubernetes/manifests/kube-apiserver.yaml\n```\nVerify that the ownership is set to `root:root`.\n",
        "remediation": "Run the below command (based on the file location on your system) on the\nmaster node.\nFor example,\n```\nchown root:root /etc/kubernetes/manifests/kube-apiserver.yaml\n```\n",
        "impact": "None\n",
        "default_value": "By default, the `kube-apiserver.yaml` file ownership is set to `root:root`.\n",
        "references": "1. [https://kubernetes.io/docs/admin/kube-apiserver/](https://kubernetes.io/docs/admin/kube-apiserver/)\n",
        "section": "Master Node Configuration Files",
        "version": 1,
        "tags": [
          "CIS",
          "Kubernetes",
          "CIS 1.1.2",
          "Master Node Configuration Files"
        ],
        "benchmark": {
          "name": "CIS Kubernetes V1.20",
          "version": "v1.0.0"
        }
      }
    }
  ],
  "resource": {
    "name": "kube-apiserver.yaml",
    "group": "root",
    "mode": "0700",
    "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml",
    "type": "file",
    "owner": "root",
    "uid": 501,
    "gid": 20
  }
}

Evaluate with input schema

opa eval data.main --format pretty -i input.json -b ./bundle -s bundle/compliance/cis_k8s/schemas/input_schema.json
1 error occurred: bundle/compliance/lib/data_adapter.rego:11: rego_type_error: undefined ref: input.filenames
        input.filenames
              ^
              have: "filenames"
              want (one of): ["command" "filename" "gid" "mode" "path" "type" "uid"]

Local Testing

Test entire policy

opa build -b ./bundle -e ./bundle/compliance
opa test -b bundle.tar.gz -v

Test specific rule

opa test -v bundle/compliance/kubernetes_common bundle/compliance/lib bundle/compliance/cis_k8s/test_data.rego bundle/compliance/cis_k8s/rules/cis_1_1_2 --ignore="common_tests.rego"

Pre-commit hooks

see pre-commit package

  • Install the package brew install pre-commit
  • Then run pre-commit install
  • Finally pre-commit run --all-files --verbose

Running opa server with the compliance policy

docker run --rm -p 8181:8181 -v $(pwd):/bundle openpolicyagent/opa:0.36.1 run -s -b /bundle

Test it 🚀

curl --location --request POST 'http://localhost:8181/v1/data/main' \
--header 'Content-Type: application/json' \
--data-raw '{
    "input": {
        "resource": {
            "type": "file",
            "mode": "0700",
            "path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml",
            "uid": "etc",
            "name": "kube-apiserver.yaml",
            "group": "root"
        }
    }
}'

About

Cloud Security Posture security policies

Resources

Readme

License

View license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 5

v0.0.19-go-lib Latest
May 30, 2022
+ 4 releases

Packages

No packages published

Languages

  • Open Policy Agent 97.9%
  • Go 2.1%