[Security Policies] [Metadata] Rule number field refactoring (elastic…
oren-zohar authored and orestisfl committed Oct 11, 2023
1 parent c5570d5 commit 277d98a
Showing 140 changed files with 4,399 additions and 4,529 deletions.
20 changes: 9 additions & 11 deletions .pre-commit-config.yaml
@@ -5,15 +5,15 @@ repos:
name: OPA fmt
description: Formats Rego policy using opa fmt
entry: opa fmt
args: [-w]
args: [ -w ]
language: system
files: (\.rego)$

- id: opa-check
name: OPA check
description: Check syntax of staged Rego files
entry: opa check
args: [-S, "./bundle/compliance"]
args: [ -S, './bundle/compliance' ]
pass_filenames: false
language: system
files: (\.rego)$
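Review bot: The quoting changes in this hunk are cosmetic, but the hooks still use `language: system` with `entry: opa fmt` / `entry: opa check`, so results depend on whichever `opa` binary happens to be on the contributor's PATH and on CI, with no pinned version; `opa fmt` output and `opa check -S` strictness both vary between releases, so pin or at least document the expected OPA version next to these hooks so a formatting or strict-check failure is reproducible.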
@@ -22,7 +22,7 @@ repos:
name: OPA test
description: Runs OPA unit tests on rego source files
entry: opa test
args: [-b, "./bundle"]
args: [ -b, './bundle' ]
pass_filenames: false
language: system

@@ -37,12 +37,10 @@ repos:
rev: v0.32.2
hooks:
- id: markdownlint
args: [
"--disable",
MD013, # Line length can be ignored for now
MD033, # Allow inline HTML
MD046, # Allow code blocks to be fenced with backticks
MD041, # Allow multiple top level headers
"--",
]
args: [ '--disable',
MD013, # Line length can be ignored for now
MD033, # Allow inline HTML
MD046, # Allow code blocks to be fenced with backticks
MD041, # Allow multiple top level headers
'--' ]
files: \.(md|markdown)$
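Review bot: The comment on `MD041, # Allow multiple top level headers` describes the wrong rule: MD041 is first-line-heading (the first line of a file must be a top-level heading), while multiple top-level headings is MD025. Either the comment or the disabled rule is wrong, so check which behaviour was intended and fix the mismatch while this block is being reformatted.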
6 changes: 3 additions & 3 deletions README.md
@@ -1,8 +1,8 @@
# Cloud Security Posture - Rego policies

[![CIS K8S](https://img.shields.io/badge/CIS-Kubernetes%20(73.6%25)-326CE5?logo=Kubernetes)](RULES.md#k8s-cis-benchmark)
[![CIS EKS](https://img.shields.io/badge/CIS-Amazon%20EKS%20(59.6%25)-FF9900?logo=Amazon+EKS)](RULES.md#eks-cis-benchmark)
[![CIS AWS](https://img.shields.io/badge/CIS-AWS%20(3.2%25)-232F3E?logo=Amazon+AWS)](RULES.md#aws-cis-benchmark)
[![CIS K8S](https://img.shields.io/badge/CIS-Kubernetes%20(74%25)-326CE5?logo=Kubernetes)](RULES.md#k8s-cis-benchmark)
[![CIS EKS](https://img.shields.io/badge/CIS-Amazon%20EKS%20(60%25)-FF9900?logo=Amazon+EKS)](RULES.md#eks-cis-benchmark)
[![CIS AWS](https://img.shields.io/badge/CIS-AWS%20(3%25)-232F3E?logo=Amazon+AWS)](RULES.md#aws-cis-benchmark)

![Coverage Badge](https://img.shields.io/endpoint?url=https://gist.githubusercontent.com/oren-zohar/a7160df46e48dff45b24096de9302d38/raw/csp-security-policies_coverage.json)

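Review bot: The three CIS percentages are hand-maintained literals inside badge URLs, and this hunk rounds them (73.6% to 74%, 59.6% to 60%, 3.2% to 3%) in the same commit that removes a row from RULES.md, so the badges and RULES.md are now two independent sources of truth; generate these numbers from RULES.md the way the coverage badge below is generated, or at least state in the commit which RULES.md state they reflect. Separately, the coverage badge endpoint is a gist under an individual account (`gist.githubusercontent.com/oren-zohar/...`), so the README's coverage claim can change without any commit to this repository; an org-owned location would be safer.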
12 changes: 6 additions & 6 deletions RULES.md
@@ -154,7 +154,6 @@
| [3.2.7](bundle/compliance/cis_eks/rules/cis_3_2_7) | 3.2 | Ensure that the --make-iptables-util-chains argument is set to true | :white_check_mark: | Automated |
| [3.2.8](bundle/compliance/cis_eks/rules/cis_3_2_8) | 3.2 | Ensure that the --hostname-override argument is not set | :white_check_mark: | Manual |
| [3.2.9](bundle/compliance/cis_eks/rules/cis_3_2_9) | 3.2 | Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture | :white_check_mark: | Automated |
| 3.3.1 | 3.3 | Prefer using Container-Optimized OS when possible | :x: | Manual |
| 4.1.1 | 4.1 | Ensure that the cluster-admin role is only used where required | :x: | Manual |
| 4.1.2 | 4.1 | Minimize access to secrets | :x: | Manual |
| 4.1.3 | 4.1 | Minimize wildcard use in Roles and ClusterRoles | :x: | Manual |
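Review bot: Row 3.3.1 (Prefer using Container-Optimized OS when possible) is dropped with no replacement, which silently shrinks the denominator behind the README's CIS EKS percentage; if the benchmark version tracked here no longer lists 3.3.1, say so in the commit message, otherwise keep the row so the table remains a complete view of the benchmark.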
@@ -168,21 +167,22 @@
| [4.2.5](bundle/compliance/cis_eks/rules/cis_4_2_5) | 4.2 | Minimize the admission of containers with allowPrivilegeEscalation | :white_check_mark: | Automated |
| [4.2.6](bundle/compliance/cis_eks/rules/cis_4_2_6) | 4.2 | Minimize the admission of root containers | :white_check_mark: | Automated |
| [4.2.7](bundle/compliance/cis_eks/rules/cis_4_2_7) | 4.2 | Minimize the admission of containers with the NET_RAW capability | :white_check_mark: | Automated |
| [4.2.8](bundle/compliance/cis_eks/rules/cis_4_2_8) | 4.2 | Minimize the admission of containers with added capabilities | :white_check_mark: | Manual |
| [4.2.8](bundle/compliance/cis_eks/rules/cis_4_2_8) | 4.2 | Minimize the admission of containers with added capabilities | :white_check_mark: | Automated |
| [4.2.9](bundle/compliance/cis_eks/rules/cis_4_2_9) | 4.2 | Minimize the admission of containers with capabilities assigned | :white_check_mark: | Manual |
| 4.3.1 | 4.3 | Ensure latest CNI version is used | :x: | Manual |
| 4.3.2 | 4.3 | Ensure that all Namespaces have Network Policies defined | :x: | Manual |
| 4.3.2 | 4.3 | Ensure that all Namespaces have Network Policies defined | :x: | Automated |
| 4.4.1 | 4.4 | Prefer using secrets as files over secrets as environment variables | :x: | Manual |
| 4.4.2 | 4.4 | Consider external secret storage | :x: | Manual |
| 4.5.1 | 4.5 | Configure Image Provenance using ImagePolicyWebhook admission controller | :x: | Manual |
| 4.6.1 | 4.6 | Create administrative boundaries between resources using namespaces | :x: | Manual |
| 4.6.2 | 4.6 | Apply Security Context to Your Pods and Containers | :x: | Manual |
| 4.6.3 | 4.6 | The default namespace should not be used | :x: | Manual |
| 4.6.3 | 4.6 | The default namespace should not be used | :x: | Automated |
| [5.1.1](bundle/compliance/cis_eks/rules/cis_5_1_1) | 5.1 | Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider | :white_check_mark: | Manual |
| 5.1.2 | 5.1 | Minimize user access to Amazon ECR | :x: | Manual |
| 5.1.3 | 5.1 | Minimize cluster access to read-only for Amazon ECR | :x: | Manual |
| 5.1.4 | 5.1 | Minimize Container Registries to only those approved | :x: | Manual |
| 5.2.1 | 5.2 | Prefer using managed identities for workloads | :x: | Manual |
| [5.3.1](bundle/compliance/cis_eks/rules/cis_5_3_1) | 5.3 | Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS | :white_check_mark: | Manual |
| 5.2.1 | 5.2 | Prefer using dedicated EKS Service Accounts | :x: | Manual |
| [5.3.1](bundle/compliance/cis_eks/rules/cis_5_3_1) | 5.3 | Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS | :white_check_mark: | Automated |
| [5.4.1](bundle/compliance/cis_eks/rules/cis_5_4_1) | 5.4 | Restrict Access to the Control Plane Endpoint | :white_check_mark: | Manual |
| [5.4.2](bundle/compliance/cis_eks/rules/cis_5_4_2) | 5.4 | Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled | :white_check_mark: | Manual |
| [5.4.3](bundle/compliance/cis_eks/rules/cis_5_4_3) | 5.4 | Ensure clusters are created with Private Nodes | :white_check_mark: | Manual |
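Review bot: Rows 4.3.2 and 4.6.3 flip from Manual to Automated while still showing :x: and no rule link, and 5.2.1 is retitled from "Prefer using managed identities for workloads" to "Prefer using dedicated EKS Service Accounts"; if the Automated/Manual column mirrors the benchmark's own assessment status this is fine, but then the new 5.2.1 wording and the 4.2.8 and 5.3.1 changes to Automated should be traceable to the benchmark version named in each rule's `benchmark.version`, and the `data.yaml` of 4.2.8 and 5.3.1 should agree. Otherwise a reader will take Automated to mean the rule is implemented in the bundle.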
53 changes: 22 additions & 31 deletions bundle/compliance/cis_aws/rules/cis_1_8/data.yaml
@@ -1,66 +1,57 @@
metadata:
id: 0674190c-677c-5f17-bcc8-f60e913eb9d6
id: 328079dd-6af7-5967-97cf-b6db063dd90f
name: Ensure IAM password policy requires minimum length of 14 or greater
profile_applicability: "* Level 1"
description: Password policies are, in part, used to enforce password complexity
requirements. IAM password policies can be used to ensure password are at
least a given length. It is recommended that the password policy require a
minimum password length 14.
version: "1.0"
rationale: Setting a password complexity policy increases account resiliency
against brute force login attempts.
audit: >
Perform the following to ensure the password policy is configured as
prescribed:
rule_number: '1.8'
profile_applicability: '* Level 1'
description: |-
Password policies are, in part, used to enforce password complexity requirements.
IAM password policies can be used to ensure password are at least a given length.
It is recommended that the password policy require a minimum password length 14.
rationale: |-
Setting a password complexity policy increases account resiliency against brute force login attempts.
audit: |-
Perform the following to ensure the password policy is configured as prescribed:
**From Console:**
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on Account Settings on the Left Pane
4. Ensure "Minimum password length" is set to 14 or greater.
**From Command Line:**
```
aws iam get-account-password-policy
```
Ensure the output of the above command includes "MinimumPasswordLength": 14 (or higher)
remediation: >
remediation: |-
Perform the following to set the password policy as prescribed:
**From Console:**
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on Account Settings on the Left Pane
4. Set "Minimum password length" to `14` or greater.
5. Click "Apply password policy"
**From Command Line:**
```
aws iam update-account-password-policy --minimum-password-length 14
```
Note: All commands starting with "aws iam update-account-password-policy" can be combined into a single command.
impact: ""
default_value: ""
impact: None
default_value: ''
references:
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy
tags:
- CIS
- AWS
- CIS 1.8
- Identity and Access Management
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy
section: Identity and Access Management
version: '1.0'
tags:
- CIS
- CIS_AWS
- CIS 1.8
- Identity and Access Management
benchmark:
name: CIS Amazon Web Services Foundations
version: v1.5.0
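Review bot: The metadata `id` is regenerated in this hunk (0674190c-677c-5f17-bcc8-f60e913eb9d6 to 328079dd-6af7-5967-97cf-b6db063dd90f) with no note on why; if anything downstream stores findings, exceptions or dashboards keyed by that UUID, the rename orphans them, so either keep the old id or state the migration in the commit message. Two smaller points: `impact: None` is an unquoted plain scalar, which YAML loaders read as the string "None" rather than a null, so prefer `impact: ''` to match `default_value`; and quoting `rule_number: '1.8'` is the right call, since an unquoted `1.10` would parse as the float 1.1 and collide with rule 1.1, which is worth a comment wherever the schema for these files lives.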
52 changes: 19 additions & 33 deletions bundle/compliance/cis_aws/rules/cis_1_9/data.yaml
@@ -1,71 +1,57 @@
metadata:
id: 1e20e1e4-0104-5c4c-a4be-afd48eaa46f6
id: b7a0af34-6b0b-5d6c-ade0-40e78890db00
name: Ensure IAM password policy prevents password reuse
profile_applicability: "* Level 1"
description: IAM password policies can prevent the reuse of a given password by
the same user. It is recommended that the password policy prevent the reuse
of passwords.
version: "1.0"
rule_number: '1.9'
profile_applicability: '* Level 1'
description: |-
IAM password policies can prevent the reuse of a given password by the same user.
It is recommended that the password policy prevent the reuse of passwords.
rationale: Preventing password reuse increases account resiliency against brute
force login attempts.
audit: >
Perform the following to ensure the password policy is configured as
prescribed:
audit: |-
Perform the following to ensure the password policy is configured as prescribed:
**From Console:**
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on Account Settings on the Left Pane
4. Ensure "Prevent password reuse" is checked
5. Ensure "Number of passwords to remember" is set to 24
**From Command Line:**
```
aws iam get-account-password-policy
```
Ensure the output of the above command includes "PasswordReusePrevention": 24
remediation: >
remediation: |-
Perform the following to set the password policy as prescribed:
**From Console:**
1. Login to AWS Console (with appropriate permissions to View Identity Access Management Account Settings)
2. Go to IAM Service on the AWS Console
3. Click on Account Settings on the Left Pane
4. Check "Prevent password reuse"
5. Set "Number of passwords to remember" is set to `24`
**From Command Line:**
```
aws iam update-account-password-policy --password-reuse-prevention 24
```
Note: All commands starting with "aws iam update-account-password-policy" can be combined into a single command.
impact: ""
default_value: ""
impact: None
default_value: ''
references:
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy
tags:
- CIS
- AWS
- CIS 1.9
- Identity and Access Management
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy
section: Identity and Access Management
version: '1.0'
tags:
- CIS
- CIS_AWS
- CIS 1.9
- Identity and Access Management
benchmark:
name: CIS Amazon Web Services Foundations
version: v1.5.0
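Review bot: `rationale:` on the lines `rationale: Preventing password reuse increases account resiliency against brute` / `force login attempts.` is left as a wrapped plain scalar while every other long field in this file was converted to `|-`; convert it too so the refactor is uniform and the text does not get reflowed differently on the next edit. The `id` is regenerated here as well (1e20e1e4-0104-5c4c-a4be-afd48eaa46f6 to b7a0af34-6b0b-5d6c-ade0-40e78890db00), with the same concern as in cis_1_8 about consumers keyed on the old UUID, and `impact: None` again reads as the string "None" to a YAML loader rather than an empty value.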