├── .gitignore
├── aws
├── iac
│ ├── .gitignore
│ └── master-snapshot.json
├── ack
│ └── master-snapshot.json
└── terraform
│ └── master-snapshot.json
├── azure
├── aso
│ ├── .gitignore
│ └── master-snapshot.json
├── iac
│ ├── .gitignore
│ └── master-snapshot.json
└── terraform
│ ├── .gitignore
│ └── master-snapshot.json
├── google
├── iac
│ ├── .gitignore
│ └── master-snapshot.json
├── kcc
│ ├── .gitignore
│ ├── master-snapshot.json
│ ├── ComputeDisk.rego
│ └── KMSCryptoKey.rego
└── terraform
│ └── master-snapshot.json
├── docs
├── help
│ └── playground.png
└── policies
│ ├── google
│ ├── kcc
│ │ └── all
│ │ │ ├── PR-GCP-0033-KCC.md
│ │ │ ├── PR-GCP-0049-KCC.md
│ │ │ ├── PR-GCP-0032-KCC.md
│ │ │ ├── PR-GCP-0001-KCC.md
│ │ │ ├── PR-GCP-0028-KCC.md
│ │ │ ├── PR-GCP-0029-KCC.md
│ │ │ ├── PR-GCP-0043-KCC.md
│ │ │ ├── PR-GCP-0051-KCC.md
│ │ │ ├── PR-GCP-0009-KCC.md
│ │ │ ├── PR-GCP-0055-KCC.md
│ │ │ ├── PR-GCP-0027-KCC.md
│ │ │ ├── PR-GCP-0030-KCC.md
│ │ │ ├── PR-GCP-0050-KCC.md
│ │ │ ├── PR-GCP-0053-KCC.md
│ │ │ ├── PR-GCP-0056-KCC.md
│ │ │ ├── PR-GCP-0061-KCC.md
│ │ │ ├── PR-GCP-0057-KCC.md
│ │ │ ├── PR-GCP-0002-KCC.md
│ │ │ ├── PR-GCP-0007-KCC.md
│ │ │ ├── PR-GCP-0010-KCC.md
│ │ │ ├── PR-GCP-0020-KCC.md
│ │ │ ├── PR-GCP-0023-KCC.md
│ │ │ ├── PR-GCP-0035-KCC.md
│ │ │ ├── PR-GCP-0040-KCC.md
│ │ │ ├── PR-GCP-0058-KCC.md
│ │ │ ├── PR-GCP-0003-KCC.md
│ │ │ ├── PR-GCP-0011-KCC.md
│ │ │ ├── PR-GCP-0012-KCC.md
│ │ │ ├── PR-GCP-0018-KCC.md
│ │ │ ├── PR-GCP-0022-KCC.md
│ │ │ ├── PR-GCP-0042-KCC.md
│ │ │ ├── PR-GCP-0048-KCC.md
│ │ │ ├── PR-GCP-0059-KCC.md
│ │ │ ├── PR-GCP-0015-KCC.md
│ │ │ ├── PR-GCP-0021-KCC.md
│ │ │ ├── PR-GCP-0024-KCC.md
│ │ │ ├── PR-GCP-0036-KCC.md
│ │ │ ├── PR-GCP-0062-KCC.md
│ │ │ ├── PR-GCP-0014-KCC.md
│ │ │ ├── PR-GCP-0016-KCC.md
│ │ │ ├── PR-GCP-0044-KCC.md
│ │ │ ├── PR-GCP-0017-KCC.md
│ │ │ ├── PR-GCP-0025-KCC.md
│ │ │ ├── PR-GCP-0038-KCC.md
│ │ │ ├── PR-GCP-0041-KCC.md
│ │ │ ├── PR-GCP-0052-KCC.md
│ │ │ ├── PR-GCP-0004-KCC.md
│ │ │ ├── PR-GCP-0013-KCC.md
│ │ │ ├── PR-GCP-0008-KCC.md
│ │ │ ├── PR-GCP-0019-KCC.md
│ │ │ ├── PR-GCP-0063-KCC.md
│ │ │ ├── PR-GCP-0034-KCC.md
│ │ │ ├── PR-GCP-0060-KCC.md
│ │ │ ├── PR-GCP-0039-KCC.md
│ │ │ ├── PR-GCP-0045-KCC.md
│ │ │ ├── PR-GCP-0005-KCC.md
│ │ │ ├── PR-GCP-0037-KCC.md
│ │ │ ├── PR-GCP-0006-KCC.md
│ │ │ ├── PR-GCP-0031-KCC.md
│ │ │ ├── PR-GCP-0047-KCC.md
│ │ │ ├── PR-GCP-0054-KCC.md
│ │ │ ├── PR-GCP-0026-KCC.md
│ │ │ └── PR-GCP-0046-KCC.md
│ ├── IaC
│ │ └── all
│ │ │ └── PR-GCP-0001-RGX.md
│ └── terraform
│ │ └── all
│ │ ├── PR-GCP-0001-RGX.md
│ │ ├── PR-GCP-TRF-INST-006.md
│ │ ├── PR-GCP-TRF-SQLI-001.md
│ │ ├── PR-GCP-TRF-INST-005.md
│ │ └── PR-GCP-TRF-SQLI-005.md
│ ├── azure
│ ├── terraform
│ │ └── all
│ │ │ ├── PR-AZR-TRF-SEC-002.md
│ │ │ ├── PR-AZR-TRF-SEC-003.md
│ │ │ ├── PR-AZR-TRF-SEC-001.md
│ │ │ └── PR-AZR-TRF-NSG-010.md
│ ├── IaC
│ │ └── all
│ │ │ ├── PR-AZR-ARM-SEC-003.md
│ │ │ ├── PR-AZR-ARM-SEC-002.md
│ │ │ └── PR-AZR-ARM-SEC-001.md
│ └── Cloud
│ │ └── all
│ │ ├── PR-AZR-CLD-AKS-009.md
│ │ ├── PR-AZR-CLD-SQL-047.md
│ │ ├── PR-AZR-CLD-WEB-007.md
│ │ ├── PR-AZR-CLD-KV-008.md
│ │ ├── PR-AZR-CLD-WEB-009.md
│ │ └── PR-AZR-CLD-WEB-013.md
│ ├── aws
│ ├── terraform
│ │ └── all
│ │ │ ├── PR-AWS-0031-RGX.md
│ │ │ ├── PR-AWS-0029-RGX.md
│ │ │ ├── PR-AWS-0030-RGX.md
│ │ │ ├── PR-AWS-0028-RGX.md
│ │ │ └── PR-AWS-0032-RGX.md
│ ├── IaC
│ │ └── all
│ │ │ ├── PR-AWS-0031-RGX.md
│ │ │ ├── PR-AWS-0029-RGX.md
│ │ │ ├── PR-AWS-0028-RGX.md
│ │ │ ├── PR-AWS-0030-RGX.md
│ │ │ └── PR-AWS-0032-RGX.md
│ ├── ack
│ │ └── all
│ │ │ ├── PR-AWS-0121-ACK.md
│ │ │ ├── PR-AWS-0128-ACK.md
│ │ │ ├── PR-AWS-0125-ACK.md
│ │ │ ├── PR-AWS-0153-ACK.md
│ │ │ ├── PR-AWS-0056-ACK.md
│ │ │ ├── PR-AWS-0036-ACK.md
│ │ │ └── PR-AWS-0154-ACK.md
│ └── Cloud
│ │ └── all
│ │ ├── PR-AWS-CLD-INS-001.md
│ │ ├── PR-AWS-CLD-MSK-002.md
│ │ ├── PR-AWS-CLD-VPC-004.md
│ │ ├── PR-AWS-CLD-ECR-005.md
│ │ ├── PR-AWS-CLD-MSK-007.md
│ │ ├── PR-AWS-CLD-EC2-012.md
│ │ ├── PR-AWS-CLD-GLUE-003.md
│ │ ├── PR-AWS-CLD-CFG-004.md
│ │ ├── PR-AWS-CLD-DAX-002.md
│ │ ├── PR-AWS-CLD-MQ-003.md
│ │ └── PR-AWS-CLD-MQ-004.md
│ └── kubernetes
│ └── Cloud
│ └── all
│ └── PR-K8S-0015.md
└── kubernetes
├── iac
├── master-snapshot-helm.json
└── master-snapshot.json
└── cloud
├── PR-K8S-0030.rego
├── PR-K8S-0036.rego
├── PR-K8S-0008.rego
├── PR-K8S-0018.rego
├── PR-K8S-0084.rego
├── PR-K8S-0014.rego
├── PR-K8S-0035.rego
├── PR-K8S-0057.rego
├── PR-K8S-0011.rego
├── PR-K8S-0012.rego
├── PR-K8S-0013.rego
├── PR-K8S-0023.rego
├── PR-K8S-0073.rego
├── PR-K8S-0020.rego
├── PR-K8S-0043.rego
├── PR-K8S-0074.rego
├── PR-K8S-0021.rego
├── PR-K8S-0069.rego
├── PR-K8S-0015.rego
├── PR-K8S-0042.rego
├── PR-K8S-0047.rego
├── PR-K8S-0072.rego
├── PR-K8S-0078.rego
├── PR-K8S-0009.rego
├── PR-K8S-0050.rego
├── PR-K8S-0063.rego
├── PR-K8S-0028.rego
├── PR-K8S-0058.rego
├── PR-K8S-0068.rego
├── PR-K8S-0027.rego
├── PR-K8S-0048.rego
├── PR-K8S-0059.rego
├── PR-K8S-0076.rego
├── PR-K8S-0034.rego
├── PR-K8S-0041.rego
├── PR-K8S-0044.rego
├── PR-K8S-0049.rego
├── PR-K8S-0079.rego
├── PR-K8S-0045.rego
├── PR-K8S-0026.rego
├── PR-K8S-0054.rego
├── PR-K8S-0083.rego
├── PR-K8S-0052.rego
├── PR-K8S-0024.rego
├── PR-K8S-0056.rego
├── PR-K8S-0010.rego
├── PR-K8S-0053.rego
├── PR-K8S-0031.rego
├── PR-K8S-0033.rego
├── PR-K8S-0067.rego
├── PR-K8S-0055.rego
├── PR-K8S-0070.rego
├── PR-K8S-0046.rego
└── PR-K8S-0003.rego
/.gitignore:
--------------------------------------------------------------------------------
1 | *.template.json
2 | .*vscode
--------------------------------------------------------------------------------
/aws/iac/.gitignore:
--------------------------------------------------------------------------------
1 | *.template.json
2 |
--------------------------------------------------------------------------------
/azure/aso/.gitignore:
--------------------------------------------------------------------------------
1 | *.template.json
2 |
--------------------------------------------------------------------------------
/azure/iac/.gitignore:
--------------------------------------------------------------------------------
1 | *.template.json
2 |
--------------------------------------------------------------------------------
/google/iac/.gitignore:
--------------------------------------------------------------------------------
1 | *.template.json
2 |
--------------------------------------------------------------------------------
/google/kcc/.gitignore:
--------------------------------------------------------------------------------
1 | *.template.json
2 |
--------------------------------------------------------------------------------
/azure/terraform/.gitignore:
--------------------------------------------------------------------------------
1 | *.template.json
2 |
--------------------------------------------------------------------------------
/docs/help/playground.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/prancer-io/prancer-compliance-test/HEAD/docs/help/playground.png
--------------------------------------------------------------------------------
/aws/ack/master-snapshot.json:
--------------------------------------------------------------------------------
1 | {
2 | "snapshots": [
3 | {
4 | "type": "filesystem",
5 | "connectorUser": "USER_1",
6 | "nodes": [
7 | {
8 | "masterSnapshotId": "ACK_TEMPLATE_SNAPSHOT",
9 | "type": "ack",
10 | "collection": "acktemplate",
11 | "paths": [
12 | "/"
13 | ]
14 | }
15 | ]
16 | }
17 | ]
18 | }
--------------------------------------------------------------------------------
/azure/iac/master-snapshot.json:
--------------------------------------------------------------------------------
1 | {
2 | "snapshots": [
3 | {
4 | "type": "filesystem",
5 | "connectorUser": "USER_1",
6 | "nodes": [
7 | {
8 | "masterSnapshotId": "ARM_TEMPLATE_SNAPSHOT",
9 | "type": "arm",
10 | "collection": "armtemplate",
11 | "paths": [
12 | "/"
13 | ]
14 | }
15 | ]
16 | }
17 | ]
18 | }
--------------------------------------------------------------------------------
/aws/terraform/master-snapshot.json:
--------------------------------------------------------------------------------
1 | {
2 | "snapshots": [
3 | {
4 | "type": "filesystem",
5 | "connectorUser": "USER_1",
6 | "nodes": [
7 | {
8 | "masterSnapshotId": "TRF_TEMPLATE_SNAPSHOT",
9 | "type": "terraform",
10 | "collection": "terraformtemplate",
11 | "paths": [
12 | "/"
13 | ]
14 | }
15 | ]
16 | }
17 | ]
18 | }
--------------------------------------------------------------------------------
/azure/aso/master-snapshot.json:
--------------------------------------------------------------------------------
1 | {
2 | "snapshots": [
3 | {
4 | "type": "filesystem",
5 | "connectorUser": "USER_1",
6 | "nodes": [
7 | {
8 | "masterSnapshotId": "ASO_TEMPLATE_SNAPSHOT",
9 | "type": "aso",
10 | "collection": "asotemplate",
11 | "paths": [
12 | "/config/samples/"
13 | ]
14 | }
15 | ]
16 | }
17 | ]
18 | }
--------------------------------------------------------------------------------
/azure/terraform/master-snapshot.json:
--------------------------------------------------------------------------------
1 | {
2 | "snapshots": [
3 | {
4 | "type": "filesystem",
5 | "connectorUser": "USER_1",
6 | "nodes": [
7 | {
8 | "masterSnapshotId": "TRF_TEMPLATE_SNAPSHOT",
9 | "type": "terraform",
10 | "collection": "terraformtemplate",
11 | "paths": [
12 | "/"
13 | ]
14 | }
15 | ]
16 | }
17 | ]
18 | }
--------------------------------------------------------------------------------
/kubernetes/iac/master-snapshot-helm.json:
--------------------------------------------------------------------------------
1 | {
2 | "snapshots": [
3 | {
4 | "type": "filesystem",
5 | "connectorUser": "USER_1",
6 | "nodes": [
7 | {
8 | "masterSnapshotId": "K8S_TEMPLATE_SNAPSHOT",
9 | "type": "helmChart",
10 | "collection": "K8Stemplate",
11 | "paths": [
12 | "/"
13 | ]
14 | }
15 | ]
16 | }
17 | ]
18 | }
--------------------------------------------------------------------------------
/aws/iac/master-snapshot.json:
--------------------------------------------------------------------------------
1 | {
2 | "snapshots": [
3 | {
4 | "type": "filesystem",
5 | "connectorUser": "USER_1",
6 | "nodes": [
7 | {
8 | "masterSnapshotId": "CFR_TEMPLATE_SNAPSHOT",
9 | "type": "cloudformation",
10 | "collection": "cloudformationtemplate",
11 | "paths": [
12 | "/"
13 | ]
14 | }
15 | ]
16 | }
17 | ]
18 | }
--------------------------------------------------------------------------------
/google/kcc/master-snapshot.json:
--------------------------------------------------------------------------------
1 | {
2 | "snapshots": [
3 | {
4 | "type": "filesystem",
5 | "connectorUser": "USER_1",
6 | "nodes": [
7 | {
8 | "masterSnapshotId": "KCC_TEMPLATE_SNAPSHOT",
9 | "type": "kcc",
10 | "collection": "kcctemplate",
11 | "paths": [
12 | "/samples/resources/"
13 | ]
14 | }
15 | ]
16 | }
17 | ]
18 | }
--------------------------------------------------------------------------------
/google/terraform/master-snapshot.json:
--------------------------------------------------------------------------------
1 | {
2 | "snapshots": [
3 | {
4 | "type": "filesystem",
5 | "connectorUser": "USER_1",
6 | "nodes": [
7 | {
8 | "masterSnapshotId": "TRF_TEMPLATE_SNAPSHOT",
9 | "type": "terraform",
10 | "collection": "terraformtemplate",
11 | "paths": [
12 | "/"
13 | ]
14 | }
15 | ]
16 | }
17 | ]
18 | }
--------------------------------------------------------------------------------
/kubernetes/iac/master-snapshot.json:
--------------------------------------------------------------------------------
1 | {
2 | "snapshots": [
3 | {
4 | "type": "filesystem",
5 | "connectorUser": "USER_1",
6 | "nodes": [
7 | {
8 | "masterSnapshotId": "K8S_TEMPLATE_SNAPSHOT",
9 | "type": "kubernetesObjectFiles",
10 | "collection": "K8Stemplate",
11 | "paths": [
12 | "/"
13 | ]
14 | }
15 | ]
16 | }
17 | ]
18 | }
--------------------------------------------------------------------------------
/google/iac/master-snapshot.json:
--------------------------------------------------------------------------------
1 | {
2 | "snapshots": [
3 | {
4 | "type": "filesystem",
5 | "connectorUser": "USER_1",
6 | "nodes": [
7 | {
8 | "masterSnapshotId": "GDF_TEMPLATE_SNAPSHOT",
9 | "type": "deploymentmanager",
10 | "collection": "deploymentmanagertemplate",
11 | "paths": [
12 | "/"
13 | ]
14 | }
15 | ]
16 | }
17 | ]
18 | }
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0030.rego:
--------------------------------------------------------------------------------
package rule

# PR-K8S-0030
# Flags a Pod whose metadata.namespace is "default".

default rulepass = null

# True when the input document is a Pod (kind compared case-insensitively).
is_pod {
    lower(input.kind) == "pod"
}

# The issue set gains "rulepass" when the Pod sits in the default namespace.
k8s_issue["rulepass"] {
    is_pod
    input.metadata.namespace == "default"
}

# A Pod with no issue passes; non-Pod input keeps the null default.
rulepass = true {
    is_pod
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

# Finding text, only defined while the issue is present.
rulepass_err = "PR-K8S-0030: The default namespace should not be used" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0030",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "The default namespace should not be used ",
    "Policy Description": "The default namespace should not be used ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}

--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0036.rego:
--------------------------------------------------------------------------------
package rule

# PR-K8S-0036
# Flags a NetworkPolicy whose spec.ingress list is empty.

default rulepass = null

is_network_policy {
    lower(input.kind) == "networkpolicy"
}

# NOTE(review): only an explicitly empty `spec.ingress` is flagged. When the key
# is absent, count() is undefined and this body does not fire.
k8s_issue["rulepass"] {
    is_network_policy
    ingress_rules := input.spec.ingress
    count(ingress_rules) == 0
}

rulepass = true {
    is_network_policy
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0036: Restrict Traffic Among Pods with a Network Policy" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0036",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Restrict Traffic Among Pods with a Network Policy ",
    "Policy Description": "Restrict Traffic Among Pods with a Network Policy ",
    "Resource Type": "networkpolicy",
    "Policy Help URL": "",
    "Resource Help URL": ""
}

--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0008.rego:
--------------------------------------------------------------------------------
package rule

# PR-K8S-0008
# Flags a PodSecurityPolicy whose spec.privileged is truthy.

default rulepass = null

is_psp {
    lower(input.kind) == "podsecuritypolicy"
}

# `input.spec.privileged` as a bare expression is true for any value other
# than false/undefined, exactly as the original check was written.
k8s_issue["rulepass"] {
    is_psp
    input.spec.privileged
}

rulepass = true {
    is_psp
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0008: Minimize the admission of privileged containers (PSP)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0008",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Minimize the admission of privileged containers (PSP) ",
    "Policy Description": "Minimize the admission of privileged containers (PSP) ",
    "Resource Type": "podsecuritypolicy",
    "Policy Help URL": "",
    "Resource Help URL": ""
}

--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0018.rego:
--------------------------------------------------------------------------------
package rule

# PR-K8S-0018
# Flags a Pod when any entry of spec.containers has
# securityContext.privileged == true.

default rulepass = null

is_pod {
    lower(input.kind) == "pod"
}

# Only `spec.containers` is inspected (initContainers are not referenced here).
k8s_issue["rulepass"] {
    is_pod
    some i
    container := input.spec.containers[i]
    container.securityContext.privileged == true
}

rulepass = true {
    is_pod
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0018: Ensure that Containers are not running in privileged mode" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0018",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that Containers are not running in privileged mode ",
    "Policy Description": "Ensure that Containers are not running in privileged mode ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}

--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0084.rego:
--------------------------------------------------------------------------------
package rule

# PR-K8S-0084
# Flags a Pod when any entry of spec.containers lacks
# securityContext.seLinuxOptions.

default rulepass = null

is_pod {
    lower(input.kind) == "pod"
}

# `not` succeeds when the path is undefined, so a container with no
# securityContext at all is flagged as well. Only spec.containers is checked;
# the pod-level securityContext is not consulted.
k8s_issue["rulepass"] {
    is_pod
    some i
    input.spec.containers[i]
    not input.spec.containers[i].securityContext.seLinuxOptions
}

rulepass = true {
    is_pod
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0084: Apply Security Context to Your Pods and Containers" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0084",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Apply Security Context to Your Pods and Containers ",
    "Policy Description": "Apply Security Context to Your Pods and Containers ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}

--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0014.rego:
--------------------------------------------------------------------------------
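package rule

# PR-K8S-0014
# Flags a PodSecurityPolicy that permits privilege escalation.
#
# The previous body tested `spec.hostPID`, which duplicated PR-K8S-0013 and
# never looked at the field this policy's title and message name. The check
# now reads `spec.allowPrivilegeEscalation`.

default rulepass = null

is_psp {
    lower(input.kind) == "podsecuritypolicy"
}

# The PSP API defaults allowPrivilegeEscalation to true when the field is
# omitted, so an absent field is treated the same as an explicit true.
k8s_issue["rulepass"] {
    is_psp
    object.get(input.spec, "allowPrivilegeEscalation", true) == true
}

rulepass = true {
    is_psp
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0014: Minimize the admission of containers with allowPrivilegeEscalation (PSP)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0014",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Minimize the admission of containers with allowPrivilegeEscalation (PSP) ",
    "Policy Description": "Minimize the admission of containers with allowPrivilegeEscalation (PSP) ",
    "Resource Type": "podsecuritypolicy",
    "Policy Help URL": "",
    "Resource Help URL": ""
}
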
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0035.rego:
--------------------------------------------------------------------------------
package rule

# PR-K8S-0035
# Flags a ServiceAccount whose automountServiceAccountToken is explicitly true.

default rulepass = null

is_service_account {
    lower(input.kind) == "serviceaccount"
}

# NOTE(review): only an explicit `true` fires this body; a ServiceAccount that
# omits the field is not flagged by this check.
k8s_issue["rulepass"] {
    is_service_account
    automount := input.automountServiceAccountToken
    automount == true
}

rulepass = true {
    is_service_account
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0035: Ensure that Service Account Tokens are only mounted where necessary (RBAC)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0035",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that Service Account Tokens are only mounted where necessary (RBAC) ",
    "Policy Description": "Ensure that Service Account Tokens are only mounted where necessary (RBAC) ",
    "Resource Type": "serviceaccount",
    "Policy Help URL": "",
    "Resource Help URL": ""
}

--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0057.rego:
--------------------------------------------------------------------------------
package rule

# PR-K8S-0057
# Flags a Pod outside kube-system that mounts a hostPath volume.

default rulepass = null

is_pod {
    lower(input.kind) == "pod"
}

# A volume counts as a hostPath mount when its `hostPath` object has at least
# one key. If metadata.namespace is absent the `!=` comparison is undefined
# and the body does not fire.
k8s_issue["rulepass"] {
    is_pod
    input.metadata.namespace != "kube-system"
    volume := input.spec.volumes[_]
    count(volume.hostPath) > 0
}

rulepass = true {
    is_pod
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0057: Ensure pods outside of kube-system do not have access to node volume" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0057",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure pods outside of kube-system do not have access to node volume ",
    "Policy Description": "Ensure pods outside of kube-system do not have access to node volume ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}

--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0011.rego:
--------------------------------------------------------------------------------
package rule

# PR-K8S-0011
# Flags a PodSecurityPolicy with spec.hostIPC == true.

default rulepass = null

is_psp {
    lower(input.kind) == "podsecuritypolicy"
}

k8s_issue["rulepass"] {
    is_psp
    host_ipc := input.spec.hostIPC
    host_ipc == true
}

rulepass = true {
    is_psp
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0011: Minimize the admission of containers wishing to share the host IPC namespace (PSP)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0011",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Minimize the admission of containers wishing to share the host IPC namespace (PSP) ",
    "Policy Description": "Minimize the admission of containers wishing to share the host IPC namespace (PSP) ",
    "Resource Type": "podsecuritypolicy",
    "Policy Help URL": "",
    "Resource Help URL": ""
}

--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0012.rego:
--------------------------------------------------------------------------------
package rule

# PR-K8S-0012
# Flags a PodSecurityPolicy with spec.hostNetwork == true.

default rulepass = null

is_psp {
    lower(input.kind) == "podsecuritypolicy"
}

k8s_issue["rulepass"] {
    is_psp
    host_network := input.spec.hostNetwork
    host_network == true
}

rulepass = true {
    is_psp
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0012: Minimize the admission of containers wishing to share the host network namespace (PSP)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0012",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Minimize the admission of containers wishing to share the host network namespace (PSP) ",
    "Policy Description": "Minimize the admission of containers wishing to share the host network namespace (PSP) ",
    "Resource Type": "podsecuritypolicy",
    "Policy Help URL": "",
    "Resource Help URL": ""
}

--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0013.rego:
--------------------------------------------------------------------------------
package rule

# PR-K8S-0013
# Flags a PodSecurityPolicy with spec.hostPID == true.

default rulepass = null

is_psp {
    lower(input.kind) == "podsecuritypolicy"
}

k8s_issue["rulepass"] {
    is_psp
    host_pid := input.spec.hostPID
    host_pid == true
}

rulepass = true {
    is_psp
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0013: Minimize the admission of containers wishing to share the host process ID namespace (PSP)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0013",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Minimize the admission of containers wishing to share the host process ID namespace (PSP) ",
    "Policy Description": "Minimize the admission of containers wishing to share the host process ID namespace (PSP) ",
    "Resource Type": "podsecuritypolicy",
    "Policy Help URL": "",
    "Resource Help URL": ""
}

--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0023.rego:
--------------------------------------------------------------------------------
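package rule

# PR-K8S-0023
# Flags a Pod when a container has no AppArmor profile annotation.
#
# The previous body matched the regex against `input.metadata.annotations[_]`,
# which iterates annotation *values* (e.g. "runtime/default"), never the keys,
# so the AppArmor key could never be found and every Pod was flagged. The
# annotation is keyed per container as
# `container.apparmor.security.beta.kubernetes.io/<container name>`, so the
# check now looks up that key for each entry of spec.containers.

default rulepass = null

is_pod {
    lower(input.kind) == "pod"
}

# Annotation key that carries the AppArmor profile for one container.
apparmor_annotation(container) = key {
    key := sprintf("container.apparmor.security.beta.kubernetes.io/%s", [container.name])
}

# Fires once for any container whose annotation key is missing. `not` also
# succeeds when metadata.annotations is absent altogether.
k8s_issue["rulepass"] {
    is_pod
    container := input.spec.containers[_]
    key := apparmor_annotation(container)
    not input.metadata.annotations[key]
}

rulepass = true {
    is_pod
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0023: Ensure containers are secured with AppArmor profile" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0023",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure containers are secured with AppArmor profile ",
    "Policy Description": "Ensure containers are secured with AppArmor profile ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}
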
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0073.rego:
--------------------------------------------------------------------------------
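package rule

# PR-K8S-0073
# Flags the etcd Pod in kube-system when it is started with --auto-tls enabled.
#
# The previous body used two independent `containers[_]` iterators, so the
# name check and the flag check could be satisfied by different containers,
# and the regex was unanchored. The container is now bound once and the flag
# is matched as a whole argument.

default rulepass = null

is_pod {
    lower(input.kind) == "pod"
}

# Flags may be supplied through `command` or `args`; a missing key contributes
# nothing to the list.
container_flags(container) = flags {
    flags := array.concat(
        object.get(container, "command", []),
        object.get(container, "args", [])
    )
}

# A bare `--auto-tls` is equivalent to `--auto-tls=true` for a boolean flag,
# so both spellings are matched.
k8s_issue["rulepass"] {
    is_pod
    input.metadata.namespace == "kube-system"
    container := input.spec.containers[_]
    container.name == "etcd"
    flag := container_flags(container)[_]
    regex.match("^--auto-tls(=true)?$", flag)
}

rulepass = true {
    is_pod
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0073: Ensure that the --auto-tls argument is not set to true (etcd)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0073",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the --auto-tls argument is not set to true (etcd) ",
    "Policy Description": "Ensure that the --auto-tls argument is not set to true (etcd) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}
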
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0020.rego:
--------------------------------------------------------------------------------
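package rule

# PR-K8S-0020
# Flags the kube-apiserver Pod in kube-system when --basic-auth-file is set.
#
# The previous body used two independent `containers[_]` iterators, so the
# name check and the flag check could be satisfied by different containers,
# and the regex was unanchored. The container is now bound once and the flag
# is matched from the start of the argument.

default rulepass = null

is_pod {
    lower(input.kind) == "pod"
}

# Flags may be supplied through `command` or `args`; a missing key contributes
# nothing to the list.
container_flags(container) = flags {
    flags := array.concat(
        object.get(container, "command", []),
        object.get(container, "args", [])
    )
}

# Matches `--basic-auth-file` on its own (value in the next argument) or with
# an inline `=value`.
k8s_issue["rulepass"] {
    is_pod
    input.metadata.namespace == "kube-system"
    container := input.spec.containers[_]
    container.name == "kube-apiserver"
    flag := container_flags(container)[_]
    regex.match("^--basic-auth-file(=.*)?$", flag)
}

rulepass = true {
    is_pod
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0020: Ensure that the --basic-auth-file argument is not set (API Server)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0020",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the --basic-auth-file argument is not set (API Server) ",
    "Policy Description": "Ensure that the --basic-auth-file argument is not set (API Server) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}
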
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0043.rego:
--------------------------------------------------------------------------------
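package rule

# PR-K8S-0043
# Flags the kube-apiserver Pod in kube-system when --secure-port is set to 0.
#
# The previous body used two independent `containers[_]` iterators, so the
# name check and the flag check could be satisfied by different containers,
# and the unanchored pattern "--secure-port=0" also matched values such as
# "--secure-port=08443". The container is now bound once and the argument is
# matched in full.

default rulepass = null

is_pod {
    lower(input.kind) == "pod"
}

# Flags may be supplied through `command` or `args`; a missing key contributes
# nothing to the list.
container_flags(container) = flags {
    flags := array.concat(
        object.get(container, "command", []),
        object.get(container, "args", [])
    )
}

k8s_issue["rulepass"] {
    is_pod
    input.metadata.namespace == "kube-system"
    container := input.spec.containers[_]
    container.name == "kube-apiserver"
    flag := container_flags(container)[_]
    regex.match("^--secure-port=0$", flag)
}

rulepass = true {
    is_pod
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0043: Ensure that the --secure-port argument is not set to 0 (API Server)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0043",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the --secure-port argument is not set to 0 (API Server) ",
    "Policy Description": "Ensure that the --secure-port argument is not set to 0 (API Server) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}
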
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0074.rego:
--------------------------------------------------------------------------------
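package rule

# PR-K8S-0074
# Flags the kube-apiserver Pod in kube-system when --token-auth-file is set.
#
# The previous body used two independent `containers[_]` iterators, so the
# name check and the flag check could be satisfied by different containers,
# and the regex was unanchored. The container is now bound once and the flag
# is matched from the start of the argument.

default rulepass = null

is_pod {
    lower(input.kind) == "pod"
}

# Flags may be supplied through `command` or `args`; a missing key contributes
# nothing to the list.
container_flags(container) = flags {
    flags := array.concat(
        object.get(container, "command", []),
        object.get(container, "args", [])
    )
}

# Matches `--token-auth-file` on its own (value in the next argument) or with
# an inline `=value`.
k8s_issue["rulepass"] {
    is_pod
    input.metadata.namespace == "kube-system"
    container := input.spec.containers[_]
    container.name == "kube-apiserver"
    flag := container_flags(container)[_]
    regex.match("^--token-auth-file(=.*)?$", flag)
}

rulepass = true {
    is_pod
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0074: Ensure that the --token-auth-file parameter is not set (API Server)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0074",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the --token-auth-file parameter is not set (API Server) ",
    "Policy Description": "Ensure that the --token-auth-file parameter is not set (API Server) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}
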
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0033-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Default Network
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeNetwork_2
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeNetwork.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0033-KCC|
23 | |eval|data.rule.legacy_network|
24 | |message|data.rule.legacy_network_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
***Description:*** A legacy (non-VPC) network exists in the project. Legacy networks cannot be divided into subnets and are no longer recommended; migrate to a VPC network.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computenetwork']
43 |
44 |
45 | [ComputeNetwork.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeNetwork.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0049-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: DNSSEC Disabled
6 |
7 |
8 | ***Master Test Id:*** TEST_DNSManagedZone_1
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([DNSManagedZone.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0049-KCC|
23 | |eval|data.rule.dnssec_disabled|
24 | |message|data.rule.dnssec_disabled_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** DNSSEC is disabled for Cloud DNS zones.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['dnsmanagedzone']
43 |
44 |
45 | [DNSManagedZone.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/DNSManagedZone.rego
46 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0021.rego:
--------------------------------------------------------------------------------
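package rule

#
# PR-K8S-0021
#
# Reports pods that do not declare the runtime/default seccomp profile.
# Two declarations are accepted:
#   * the pod-level field
#       spec.securityContext.seccompProfile.type: RuntimeDefault
#   * the legacy pod annotation
#       seccomp.security.alpha.kubernetes.io/pod: runtime/default
#     (deprecated; newer Kubernetes releases ignore the annotation entirely,
#     so the field form should be preferred)
# Localhost (custom) profiles are intentionally not accepted: the policy asks
# specifically for runtime/default.
#

default rulepass = null

# The annotation is looked up by KEY. The previous implementation matched the
# key pattern against the annotation VALUES (`annotations[_]` iterates values),
# so a correctly annotated pod was still reported as non-compliant.
seccomp_runtime_default {
    input.metadata.annotations["seccomp.security.alpha.kubernetes.io/pod"] == "runtime/default"
}

seccomp_runtime_default {
    input.spec.securityContext.seccompProfile.type == "RuntimeDefault"
}

k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    not seccomp_runtime_default
}

rulepass {
    lower(input.kind) == "pod"
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0021: Ensure that the seccomp profile is set to runtime/default in your pod definitions" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0021",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the seccomp profile is set to runtime/default in your pod definitions ",
    "Policy Description": "Ensure that the seccomp profile is set to runtime/default in your pod definitions ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}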
40 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0069.rego:
--------------------------------------------------------------------------------
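package rule

#
# PR-K8S-0069
#
# Reports a kube-apiserver static pod (namespace kube-system) that explicitly
# disables HTTPS for API-server-to-kubelet connections (--kubelet-https=false),
# which would send exec/logs/port-forward traffic to kubelets in clear text.
# The flag defaults to true, so only an explicit false is an issue; upstream
# has deprecated the flag and newer releases no longer accept it, so its
# absence is the expected state.
#

default rulepass = null

# Every command-line word of the kube-apiserver container. Both `command` and
# `args` are inspected, and the container is bound once so the name check and
# the flag check refer to the same container.
apiserver_cmdline[word] {
    c := input.spec.containers[_]
    c.name == "kube-apiserver"
    word := c.command[_]
}

apiserver_cmdline[word] {
    c := input.spec.containers[_]
    c.name == "kube-apiserver"
    word := c.args[_]
}

# Go flag parsing accepts several spellings of false for a boolean flag
# (false/False/FALSE/0/f/F); a bare `--kubelet-https` means true and is fine.
k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    regex.match("--kubelet-https=(false|False|FALSE|0|f|F)(\\s|$)", apiserver_cmdline[_])
}

rulepass {
    lower(input.kind) == "pod"
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0069: Ensure that the --kubelet-https argument is set to true (API Server)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0069",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the --kubelet-https argument is set to true (API Server) ",
    "Policy Description": "Ensure that the --kubelet-https argument is set to true (API Server) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}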
40 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0032-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Default Network
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeNetwork_1
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeNetwork.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0032-KCC|
23 | |eval|data.rule.default_network|
24 | |message|data.rule.default_network_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** The default network exists in a project.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computenetwork']
43 |
44 |
45 | [ComputeNetwork.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeNetwork.rego
46 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0015.rego:
--------------------------------------------------------------------------------
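package rule

#
# PR-K8S-0015
#
# Reports pods that explicitly configure a container to run as root, via
# securityContext.runAsNonRoot: false or securityContext.runAsUser: 0.
# Regular containers and initContainers are both checked, as is the pod-level
# securityContext, which every container inherits unless it overrides the
# same field itself.
#
# Limitation: a pod that sets no securityContext at all is NOT reported even
# though the image's default user may be root. Enforce runAsNonRoot: true
# through an admission policy to close that gap.
#

default rulepass = null

# Every container the pod will run, including init containers.
pod_containers[c] {
    c := input.spec.containers[_]
}

pod_containers[c] {
    c := input.spec.initContainers[_]
}

# Container-level explicit opt-in to root.
k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    pod_containers[c]
    c.securityContext.runAsNonRoot == false
}

k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    pod_containers[c]
    c.securityContext.runAsUser == 0
}

# Pod-level runAsUser: 0 is inherited by any container that does not set its
# own runAsUser.
k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    input.spec.securityContext.runAsUser == 0
    pod_containers[c]
    not c.securityContext.runAsUser
}

# Pod-level runAsNonRoot: false is inherited by any container that does not
# set its own runAsNonRoot.
k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    input.spec.securityContext.runAsNonRoot == false
    pod_containers[c]
    not c.securityContext.runAsNonRoot
}

rulepass {
    lower(input.kind) == "pod"
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0015: Do not generally permit containers to be run as the root user." {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0015",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Do not generally permit containers to be run as the root user. ",
    "Policy Description": "Do not generally permit containers to be run as the root user. ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}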
43 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0001-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Disk CMEK Disabled
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeDisk
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeDisk.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0001-KCC|
23 | |eval|data.rule.disk_cmek_disabled|
24 | |message|data.rule.disk_cmek_disabled_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
***Description:*** Disks attached to this VM are not encrypted with a customer-managed (CMEK) or customer-supplied (CSEK) encryption key; they rely on Google-managed keys only.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computedisk']
43 |
44 |
45 | [ComputeDisk.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeDisk.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0028-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: OS Login Disabled
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeInstance_4
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeInstance.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0028-KCC|
23 | |eval|data.rule.os_login_disabled|
24 | |message|data.rule.os_login_disabled_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** OS Login is disabled on this instance.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computeinstance']
43 |
44 |
45 | [ComputeInstance.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeInstance.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0029-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Public IP Address
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeInstance_5
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeInstance.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0029-KCC|
23 | |eval|data.rule.public_ip_address|
24 | |message|data.rule.public_ip_address_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** An instance has a public IP address.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computeinstance']
43 |
44 |
45 | [ComputeInstance.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeInstance.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0043-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Web UI Enabled
6 |
7 |
8 | ***Master Test Id:*** TEST_ContainerCluster_9
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ContainerCluster.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0043-KCC|
23 | |eval|data.rule.web_ui_enabled|
24 | |message|data.rule.web_ui_enabled_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
***Description:*** The Kubernetes web UI (dashboard) add-on is enabled on the GKE cluster. The dashboard is deprecated on GKE and has historically been a source of privilege-escalation issues; disable it and use the Cloud Console or kubectl instead.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['containercluster']
43 |
44 |
45 | [ContainerCluster.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ContainerCluster.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0051-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Audit Logging Disabled
6 |
7 |
8 | ***Master Test Id:*** TEST_IAMpolicy_1
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([IAMpolicy.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0051-KCC|
23 | |eval|data.rule.audit_logging_disabled|
24 | |message|data.rule.audit_logging_disabled_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** Audit logging has been disabled for this resource.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['iampolicy']
43 |
44 |
45 | [IAMpolicy.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/IAMpolicy.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/IaC/all/PR-GCP-0001-RGX.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
# Title: Possible exposure of a hard-coded password or secret
6 |
7 |
8 | ***Master Test Id:*** PR-GCP-0001-RGX
9 |
10 | ***Master Snapshot Id:*** ['GDF_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** python
13 |
14 | ***rule:*** file([secret_tf.py])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0001-RGX|
23 | |eval|entropy_password|
24 | |message|entropy_password_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** High
30 |
***Description:*** A high-entropy string that looks like a password or other secret is hard-coded in the template, where anyone with read access to the repository can recover it.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|['CSA-CCM', 'HITRUST', 'ISO 27001', 'NIST 800', 'NIST CSF', 'PCI-DSS']|
39 | |service|['deploymentmanager']|
40 |
41 |
42 |
43 | [secret_tf.py]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/iac/secret_tf.py
44 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0009-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Open Firewall
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeFirewall_8
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeFirewall.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0009-KCC|
23 | |eval|data.rule.open_firewall|
24 | |message|data.rule.open_firewall_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** A firewall is configured to be open to public access.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computefirewall']
43 |
44 |
45 | [ComputeFirewall.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeFirewall.rego
46 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0042.rego:
--------------------------------------------------------------------------------
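package rule

#
# PR-K8S-0042
#
# Reports a kube-apiserver static pod (namespace kube-system) whose command
# line sets --insecure-bind-address. That flag configured the address of the
# API server's unauthenticated, unencrypted "insecure" port; binding it to
# anything reachable from outside the host exposes full cluster-admin access
# without credentials. Upstream has since removed the insecure port, so the
# flag should never appear on current releases either.
#

default rulepass = null

# Every command-line word of the kube-apiserver container. Both `command` and
# `args` are inspected, and the container is bound once so the name check and
# the flag check refer to the same container.
apiserver_cmdline[word] {
    c := input.spec.containers[_]
    c.name == "kube-apiserver"
    word := c.command[_]
}

apiserver_cmdline[word] {
    c := input.spec.containers[_]
    c.name == "kube-apiserver"
    word := c.args[_]
}

# Matches `--insecure-bind-address=<addr>`, `--insecure-bind-address <addr>`
# (value as the next word) and the flag embedded in a longer shell string.
k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    regex.match("--insecure-bind-address(=|\\s|$)", apiserver_cmdline[_])
}

rulepass {
    lower(input.kind) == "pod"
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0042: Ensure that the --insecure-bind-address argument is not set (API Server)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0042",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the --insecure-bind-address argument is not set (API Server) ",
    "Policy Description": "Ensure that the --insecure-bind-address argument is not set (API Server) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}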
40 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0055-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: KMS Key Not Rotated
6 |
7 |
8 | ***Master Test Id:*** TEST_KMSCryptoKey
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([KMSCryptoKey.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0055-KCC|
23 | |eval|data.rule.kms_key_not_rotated|
24 | |message|data.rule.kms_key_not_rotated_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** Rotation isn't configured on a Cloud KMS encryption key.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['kmscryptokey']
43 |
44 |
45 | [KMSCryptoKey.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/KMSCryptoKey.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/terraform/all/PR-GCP-0001-RGX.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
# Title: Possible exposure of a hard-coded password or secret
6 |
7 |
8 | ***Master Test Id:*** PR-GCP-0001-RGX
9 |
10 | ***Master Snapshot Id:*** ['TRF_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** python
13 |
14 | ***rule:*** file([secret_tf.py])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0001-RGX|
23 | |eval|entropy_password|
24 | |message|entropy_password_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** High
30 |
***Description:*** A high-entropy string that looks like a password or other secret is hard-coded in the Terraform template, where anyone with read access to the repository can recover it.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|['CSA-CCM', 'HITRUST', 'ISO 27001', 'NIST 800', 'NIST CSF', 'PCI-DSS']|
39 | |service|['terraform']|
40 |
41 |
42 |
43 | [secret_tf.py]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/terraform/secret_tf.py
44 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0027-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: IP Forwarding Enabled
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeInstance_3
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeInstance.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0027-KCC|
23 | |eval|data.rule.ip_forwarding_enabled|
24 | |message|data.rule.ip_forwarding_enabled_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** IP forwarding is enabled on instances.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computeinstance']
43 |
44 |
45 | [ComputeInstance.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeInstance.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0030-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Shielded VM Disabled
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeInstance_6
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeInstance.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0030-KCC|
23 | |eval|data.rule.shielded_vm_disabled|
24 | |message|data.rule.shielded_vm_disabled_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** Shielded VM is disabled on this instance.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computeinstance']
43 |
44 |
45 | [ComputeInstance.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeInstance.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0050-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: RSASHA1 For Signing
6 |
7 |
8 | ***Master Test Id:*** TEST_DNSManagedZone_2
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([DNSManagedZone.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0050-KCC|
23 | |eval|data.rule.rsasha1_for_signing|
24 | |message|data.rule.rsasha1_for_signing_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
***Description:*** RSASHA1 is used for DNSSEC key signing in a Cloud DNS zone. SHA-1 is cryptographically weak and deprecated for DNSSEC; re-sign the zone with a stronger algorithm such as RSASHA256 or ECDSAP256SHA256.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['dnsmanagedzone']
43 |
44 |
45 | [DNSManagedZone.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/DNSManagedZone.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0053-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Redis Role Used On Org
6 |
7 |
8 | ***Master Test Id:*** TEST_IAMPolicy_3
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([IAMpolicy.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0053-KCC|
23 | |eval|data.rule.redis_role_used_on_org|
24 | |message|data.rule.redis_role_used_on_org_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** A Redis IAM role is assigned at the organization or folder level.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['iampolicy']
43 |
44 |
45 | [IAMpolicy.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/IAMpolicy.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0056-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Auto Backup Disabled
6 |
7 |
8 | ***Master Test Id:*** TEST_SQLInstance_1
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([SQLInstance.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0056-KCC|
23 | |eval|data.rule.auto_backup_disabled|
24 | |message|data.rule.auto_backup_disabled_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** A Cloud SQL database doesn't have automatic backups enabled.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['sqlinstance']
43 |
44 |
45 | [SQLInstance.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/SQLInstance.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0061-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Bucket Logging Disabled
6 |
7 |
8 | ***Master Test Id:*** TEST_StorageBucket_3
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([StorageBucket.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0061-KCC|
23 | |eval|data.rule.bucket_logging_disabled|
24 | |message|data.rule.bucket_logging_disabled_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** There is a storage bucket without logging enabled.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['storagebucket']
43 |
44 |
45 | [StorageBucket.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/StorageBucket.rego
46 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0047.rego:
--------------------------------------------------------------------------------
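package rule

#
# PR-K8S-0047
#
# Reports a kube-apiserver static pod (namespace kube-system) whose command
# line sets --insecure-allow-any-token, which makes the API server accept any
# bearer token as an authenticated user. The flag has been removed from recent
# kube-apiserver releases; the rule remains relevant for older control planes.
#

default rulepass = null

# Every command-line word of the kube-apiserver container. Both `command` and
# `args` are inspected, and the container is bound once so the name check and
# the flag check refer to the same container.
apiserver_cmdline[word] {
    c := input.spec.containers[_]
    c.name == "kube-apiserver"
    word := c.command[_]
}

apiserver_cmdline[word] {
    c := input.spec.containers[_]
    c.name == "kube-apiserver"
    word := c.args[_]
}

# This is a boolean flag, so the most dangerous spelling is the bare
# `--insecure-allow-any-token` (Go flag parsing treats that as true). The
# previous pattern required an `=` and therefore missed exactly that form;
# `--insecure-allow-any-token=<value>` and the flag embedded in a shell string
# are matched as well.
k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    regex.match("--insecure-allow-any-token(=|\\s|$)", apiserver_cmdline[_])
}

rulepass {
    lower(input.kind) == "pod"
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0047: Ensure that the --insecure-allow-any-token argument is not set (API Server)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0047",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the --insecure-allow-any-token argument is not set (API Server) ",
    "Policy Description": "Ensure that the --insecure-allow-any-token argument is not set (API Server) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}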
40 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0057-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: SSL Not Enforced
6 |
7 |
8 | ***Master Test Id:*** TEST_SQLInstance_2
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([SQLInstance.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0057-KCC|
23 | |eval|data.rule.ssl_not_enforced|
24 | |message|data.rule.ssl_not_enforced_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
***Description:*** A Cloud SQL database instance does not require incoming connections to use SSL/TLS, so client credentials and query data may travel in clear text.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['sqlinstance']
43 |
44 |
45 | [SQLInstance.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/SQLInstance.rego
46 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0072.rego:
--------------------------------------------------------------------------------
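package rule

#
# PR-K8S-0072
#
# Reports an etcd static pod (namespace kube-system) whose command line does
# not enable client certificate authentication (--client-cert-auth). Without
# it, anyone who can reach the etcd client port can read and modify the whole
# cluster state.
#
# Limitation: etcd also honours the ETCD_CLIENT_CERT_AUTH environment variable
# and a --config-file; this rule only inspects the command line, so an etcd
# configured that way is reported and needs manual review.
#

default rulepass = null

# Every command-line word of the etcd container. Both `command` and `args`
# are inspected, and the container is bound once so the name check and the
# flag check refer to the same container.
etcd_cmdline[word] {
    c := input.spec.containers[_]
    c.name == "etcd"
    word := c.command[_]
}

etcd_cmdline[word] {
    c := input.spec.containers[_]
    c.name == "etcd"
    word := c.args[_]
}

# etcd uses Go flag parsing: a bare `--client-cert-auth` means true, and the
# explicit forms accept any Go spelling of true. `--client-cert-auth=false`
# does not match.
client_cert_auth_enabled {
    regex.match("--client-cert-auth(=(true|True|TRUE|1|t|T))?(\\s|$)", etcd_cmdline[_])
}

k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    input.spec.containers[_].name == "etcd"
    input.metadata.namespace == "kube-system"
    not client_cert_auth_enabled
}

rulepass {
    lower(input.kind) == "pod"
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0072: Ensure that the --client-cert-auth argument is set to true (etcd)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0072",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the --client-cert-auth argument is set to true (etcd) ",
    "Policy Description": "Ensure that the --client-cert-auth argument is set to true (etcd) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}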
42 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0078.rego:
--------------------------------------------------------------------------------
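package rule

#
# PR-K8S-0078
#
# Reports a kube-apiserver static pod (namespace kube-system) that explicitly
# disables service-account token lookup (--service-account-lookup=false).
# With lookup disabled the API server no longer verifies that the token's
# backing secret still exists, so a token keeps working after the service
# account or its secret has been deleted. The flag defaults to true, so only
# an explicit false is an issue.
#

default rulepass = null

# Every command-line word of the kube-apiserver container. Both `command` and
# `args` are inspected, and the container is bound once so the name check and
# the flag check refer to the same container.
apiserver_cmdline[word] {
    c := input.spec.containers[_]
    c.name == "kube-apiserver"
    word := c.command[_]
}

apiserver_cmdline[word] {
    c := input.spec.containers[_]
    c.name == "kube-apiserver"
    word := c.args[_]
}

# Go flag parsing accepts several spellings of false for a boolean flag
# (false/False/FALSE/0/f/F); a bare `--service-account-lookup` means true.
k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    regex.match("--service-account-lookup=(false|False|FALSE|0|f|F)(\\s|$)", apiserver_cmdline[_])
}

rulepass {
    lower(input.kind) == "pod"
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0078: Ensure that the --service-account-lookup argument is set to true (API Server)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0078",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the --service-account-lookup argument is set to true (API Server) ",
    "Policy Description": "Ensure that the --service-account-lookup argument is set to true (API Server) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}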
40 |
--------------------------------------------------------------------------------
/docs/policies/azure/terraform/all/PR-AZR-TRF-SEC-002.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
# Title: Possible exposure of a hard-coded password or secret
6 |
7 |
8 | ***Master Test Id:*** PR-AZR-TRF-SEC-002
9 |
10 | ***Master Snapshot Id:*** ['TRF_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** python
13 |
14 | ***rule:*** file([secret_tf.py])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AZR-TRF-SEC-002|
23 | |eval|password_leak|
24 | |message|password_leak_err|
25 | |remediationDescription||
26 | |remediationFunction|PR_AZR_TRF_SEC_002.py|
27 |
28 |
29 | ***Severity:*** High
30 |
***Description:*** A password or other secret appears to be hard-coded in the Terraform template, where anyone with read access to the repository can recover it. Store such secrets in a secrets vault and reference them from there instead of embedding them in the template.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['terraform']|
40 |
41 |
42 |
43 | [secret_tf.py]: https://github.com/prancer-io/prancer-compliance-test/tree/master/azure/terraform/secret_tf.py
44 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0002-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Egress Deny Rule Not Set
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeFirewall_1
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeFirewall.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0002-KCC|
23 | |eval|data.rule.egress_deny_rule_not_set|
24 | |message|data.rule.egress_deny_rule_not_set_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** An egress deny rule is not set on a firewall.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computefirewall']
43 |
44 |
45 | [ComputeFirewall.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeFirewall.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0007-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Open DNS Port
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeFirewall_6
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeFirewall.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0007-KCC|
23 | |eval|data.rule.open_dns_port|
24 | |message|data.rule.open_dns_port_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** A firewall rule allows unrestricted (generic) access to the DNS port (53). Restrict the rule's source ranges to the clients that actually need to query the resolver.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computefirewall']
43 |
44 |
45 | [ComputeFirewall.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeFirewall.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0010-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Open FTP Port
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeFirewall_9
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeFirewall.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0010-KCC|
23 | |eval|data.rule.open_ftp_port|
24 | |message|data.rule.open_ftp_port_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** A firewall rule allows unrestricted (generic) access to the FTP port (21). FTP also carries credentials in cleartext; restrict the source ranges or replace it with SFTP/SCP.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computefirewall']
43 |
44 |
45 | [ComputeFirewall.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeFirewall.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0020-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Open RDP Port
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeFirewall_19
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeFirewall.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0020-KCC|
23 | |eval|data.rule.open_rdp_port|
24 | |message|data.rule.open_rdp_port_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** A firewall rule allows unrestricted (generic) access to the RDP port (3389), a common brute-force and initial-access target. Restrict the source ranges, or reach the instance through IAP TCP forwarding or a bastion instead of exposing it.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computefirewall']
43 |
44 |
45 | [ComputeFirewall.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeFirewall.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0023-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Open SSH Port
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeFirewall_22
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeFirewall.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0023-KCC|
23 | |eval|data.rule.open_ssh_port|
24 | |message|data.rule.open_ssh_port_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** A firewall rule allows unrestricted (generic) access to the SSH port (22). Restrict the source ranges, or reach the instance through IAP TCP forwarding or a bastion instead of exposing it.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computefirewall']
43 |
44 |
45 | [ComputeFirewall.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeFirewall.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0035-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Cluster Logging Disabled
6 |
7 |
8 | ***Master Test Id:*** TEST_ContainerCluster_1
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ContainerCluster.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0035-KCC|
23 | |eval|data.rule.cluster_logging_disabled|
24 | |message|data.rule.cluster_logging_disabled_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** Logging is not enabled for the GKE cluster, so cluster and workload log events are not collected and cannot be used for audit or incident investigation.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['containercluster']
43 |
44 |
45 | [ContainerCluster.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ContainerCluster.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0040-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Network Policy Disabled
6 |
7 |
8 | ***Master Test Id:*** TEST_ContainerCluster_6
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ContainerCluster.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0040-KCC|
23 | |eval|data.rule.network_policy_disabled|
24 | |message|data.rule.network_policy_disabled_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** Network policy enforcement is disabled on the GKE cluster, so NetworkPolicy resources have no effect and any pod can talk to any other pod.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['containercluster']
43 |
44 |
45 | [ContainerCluster.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ContainerCluster.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0058-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Sql No Root Password
6 |
7 |
8 | ***Master Test Id:*** TEST_SQLInstance_3
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([SQLInstance.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0058-KCC|
23 | |eval|data.rule.sql_no_root_password|
24 | |message|data.rule.sql_no_root_password_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** The Cloud SQL instance has no password configured for the root account, so anyone who can reach the instance can authenticate as root.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['sqlinstance']
43 |
44 |
45 | [SQLInstance.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/SQLInstance.rego
46 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0009.rego:
--------------------------------------------------------------------------------
1 | package rule
2 |
3 | #
4 | # PR-K8S-0009
5 | #
6 |
# Result is null until a PodSecurityPolicy document is evaluated.
default rulepass = null

# The resource under test is a PodSecurityPolicy (kind compared case-insensitively).
is_psp {
    lower(input.kind) == "podsecuritypolicy"
}

# The policy's runAsUser strategy, lower-cased so the comparisons below do not
# depend on the capitalisation used in the manifest.
run_as_user_rule := lower(input.spec.runAsUser.rule)

# The PSP admits containers running as UID 0 when the strategy is RunAsAny ...
psp_admits_root {
    run_as_user_rule == "runasany"
}

# ... or when it is MustRunAs and at least one permitted UID range starts at 0.
psp_admits_root {
    run_as_user_rule == "mustrunas"
    some i
    input.spec.runAsUser.ranges[i].min == 0
}

# An issue is recorded for a PodSecurityPolicy that admits root containers.
# NOTE(review): PodSecurityPolicy was removed from Kubernetes in v1.25, so this
# check only covers clusters that still serve the policy/v1beta1 API; newer
# clusters need an equivalent check against Pod Security Admission or the
# admission controller that replaced PSP.
k8s_issue["rulepass"] {
    is_psp
    psp_admits_root
}

# Pass: a PodSecurityPolicy with no root-admission issue.
rulepass {
    is_psp
    not k8s_issue["rulepass"]
}

# Fail: the issue above fired.
rulepass = false {
    k8s_issue["rulepass"]
}

# Human-readable finding, only defined when the check fails.
rulepass_err = "PR-K8S-0009: Minimize the admission of root containers (PSP)" {
    k8s_issue["rulepass"]
}
32 |
# Catalogue entry surfaced by the prancer framework for this policy.
# NOTE(review): "Policy Help URL" is empty; the title matches the wording of the
# CIS Kubernetes Benchmark control on root containers under PodSecurityPolicy,
# so linking that section would help readers. Title and description carry a
# trailing space; kept as-is because the strings may be matched elsewhere.
k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0009",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Minimize the admission of root containers (PSP) ",
    "Policy Description": "Minimize the admission of root containers (PSP) ",
    "Resource Type": "podsecuritypolicy",
    "Policy Help URL": "",
    "Resource Help URL": ""
}
44 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0050.rego:
--------------------------------------------------------------------------------
1 | package rule
2 |
3 | #
4 | # PR-K8S-0050
5 | #
6 |
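# Result is null until a Pod document is evaluated.
default rulepass = null

# One argv element that sets the insecure port to 0. Anchored on whitespace or
# string boundaries so that a value which merely starts with 0 (e.g. "0777",
# a real port) does not match, while the flag embedded in a shell-style
# single-string command line still does.
insecure_port_zero_re := `(^|\s)--insecure-port(=|\s+)0+(\s|$)`

# True when the argument list `argv` disables the insecure listener, either as
# a "--insecure-port=0" element (or inside a shell string) ...
argv_disables_insecure_port(argv) {
    regex.match(insecure_port_zero_re, argv[_])
}

# ... or as "--insecure-port" followed by "0" in the next element, which the
# apiserver's flag parser accepts as well.
argv_disables_insecure_port(argv) {
    some j
    argv[j] == "--insecure-port"
    k := j + 1
    argv[k] == "0"
}

# The apiserver container may carry its flags in command or in args; both are
# scanned so a pod that sets the flag through args is not reported as an issue.
insecure_port_disabled {
    argv_disables_insecure_port(input.spec.containers[_].command)
}

insecure_port_disabled {
    argv_disables_insecure_port(input.spec.containers[_].args)
}

# Issue: a kube-apiserver pod in kube-system that does not disable the
# unauthenticated, plaintext insecure port.
# NOTE(review): newer apiservers (v1.24 and later) no longer accept
# --insecure-port at all; on such clusters the flag is absent and this rule
# reports an issue it cannot verify — gate it on cluster version if that is noise.
k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    input.spec.containers[_].name == "kube-apiserver"
    not insecure_port_disabled
}

# Pass: a Pod document with no issue (pods other than the apiserver pass as
# not applicable).
rulepass {
    lower(input.kind) == "pod"
    not k8s_issue["rulepass"]
}

# Fail: the issue above fired.
rulepass = false {
    k8s_issue["rulepass"]
}

# Human-readable finding, only defined when the check fails.
rulepass_err = "PR-K8S-0050: Ensure that the --insecure-port argument is set to 0 (API Server)" {
    k8s_issue["rulepass"]
}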
30 |
# Catalogue entry surfaced by the prancer framework for this policy.
# NOTE(review): "Policy Help URL" is empty; the title matches the wording of the
# CIS Kubernetes Benchmark control for the apiserver insecure port, so linking
# that section would help readers. Title and description carry a trailing
# space; kept as-is because the strings may be matched elsewhere.
k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0050",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the --insecure-port argument is set to 0 (API Server) ",
    "Policy Description": "Ensure that the --insecure-port argument is set to 0 (API Server) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}
42 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0063.rego:
--------------------------------------------------------------------------------
1 | package rule
2 |
3 | #
4 | # PR-K8S-0063
5 | #
6 |
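# Result is null until a Pod document is evaluated.
default rulepass = null

# Every value handed to --feature-gates in the argument list `argv`: a single
# "--feature-gates=<v>" element, "--feature-gates" followed by "<v>" in the next
# element, or the first form embedded in a shell-style single-string command line.
feature_gate_values(argv) = vals {
    inline_form := {v |
        some j
        m := regex.find_all_string_submatch_n(`(?:^|\s)--feature-gates(?:=|\s+)(\S+)`, argv[j], -1)
        v := m[_][1]
    }
    separate_form := {v |
        some j
        argv[j] == "--feature-gates"
        k := j + 1
        v := argv[k]
    }
    vals := inline_form | separate_form
}

# True when one of the gate lists in `argv` switches AdvancedAuditing off.
# The gate name is matched on comma boundaries so only that exact gate counts,
# and the value accepts every spelling Go's strconv.ParseBool reads as false
# (the apiserver's feature-gate parser relies on it), so "=False" or "=0"
# cannot slip past the check.
argv_disables_advanced_auditing(argv) {
    gates := feature_gate_values(argv)
    regex.match(`(?:^|,)AdvancedAuditing=(false|False|FALSE|f|F|0)(?:,|$)`, gates[_])
}

# The apiserver container may carry its flags in command or in args; both are
# scanned.
advanced_auditing_disabled {
    argv_disables_advanced_auditing(input.spec.containers[_].command)
}

advanced_auditing_disabled {
    argv_disables_advanced_auditing(input.spec.containers[_].args)
}

# Issue: a kube-apiserver pod in kube-system that turns advanced auditing off.
# NOTE(review): AdvancedAuditing reached GA long ago and may no longer be a
# settable gate on current apiservers; confirm what the target cluster version
# accepts before relying on this check.
k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    input.spec.containers[_].name == "kube-apiserver"
    advanced_auditing_disabled
}

# Pass: a Pod document with no issue (pods other than the apiserver pass as
# not applicable).
rulepass {
    lower(input.kind) == "pod"
    not k8s_issue["rulepass"]
}

# Fail: the issue above fired.
rulepass = false {
    k8s_issue["rulepass"]
}

# Human-readable finding, only defined when the check fails.
rulepass_err = "PR-K8S-0063: Ensure that the AdvancedAuditing argument is not set to false (API Server)" {
    k8s_issue["rulepass"]
}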
28 |
# Catalogue entry surfaced by the prancer framework for this policy.
# NOTE(review): "Policy Help URL" is empty; the title matches the wording of the
# CIS Kubernetes Benchmark control on the AdvancedAuditing gate, so linking that
# section would help readers. Title and description carry a trailing space;
# kept as-is because the strings may be matched elsewhere.
k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0063",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the AdvancedAuditing argument is not set to false (API Server) ",
    "Policy Description": "Ensure that the AdvancedAuditing argument is not set to false (API Server) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}
40 |
--------------------------------------------------------------------------------
/docs/policies/azure/IaC/all/PR-AZR-ARM-SEC-003.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: A secure password may be exposed
6 |
7 |
8 | ***Master Test Id:*** PR-AZR-ARM-SEC-003
9 |
10 | ***Master Snapshot Id:*** ['ARM_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** python
13 |
14 | ***rule:*** file([secret_azure_iac.py])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AZR-ARM-SEC-003|
23 | |eval|entropy_password|
24 | |message|entropy_password_err|
25 | |remediationDescription||
26 | |remediationFunction|PR_AZR_ARM_SEC_003.py|
27 |
28 |
29 | ***Severity:*** High
30 |
31 | ***Description:*** A high-entropy string value in the ARM template may be an exposed password (flagged by the `entropy_password` check). Store such secrets in a vault, for example Azure Key Vault, and reference them from the template instead of embedding the value.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['arm']|
40 |
41 |
42 |
43 | [secret_azure_iac.py]: https://github.com/prancer-io/prancer-compliance-test/tree/master/azure/iac/secret_azure_iac.py
44 |
--------------------------------------------------------------------------------
/docs/policies/azure/terraform/all/PR-AZR-TRF-SEC-003.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: A secure password may be exposed
6 |
7 |
8 | ***Master Test Id:*** PR-AZR-TRF-SEC-003
9 |
10 | ***Master Snapshot Id:*** ['TRF_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** python
13 |
14 | ***rule:*** file([secret_tf.py])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AZR-TRF-SEC-003|
23 | |eval|entropy_password|
24 | |message|entropy_password_err|
25 | |remediationDescription||
26 | |remediationFunction|PR_AZR_TRF_SEC_003.py|
27 |
28 |
29 | ***Severity:*** High
30 |
31 | ***Description:*** A high-entropy string value in the Terraform template may be an exposed password (flagged by the `entropy_password` check). Store such secrets in a vault, for example Azure Key Vault, and reference them from the template instead of embedding the value.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['terraform']|
40 |
41 |
42 |
43 | [secret_tf.py]: https://github.com/prancer-io/prancer-compliance-test/tree/master/azure/terraform/secret_tf.py
44 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0003-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Firewall Rule Logging Disabled
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeFirewall_2
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeFirewall.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0003-KCC|
23 | |eval|data.rule.firewall_rule_logging_disabled|
24 | |message|data.rule.firewall_rule_logging_disabled_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** Logging is disabled on the firewall rule, so the connections it allows or denies are not recorded and cannot be audited.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computefirewall']
43 |
44 |
45 | [ComputeFirewall.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeFirewall.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0011-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Open HTTP Port
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeFirewall_10
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeFirewall.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0011-KCC|
23 | |eval|data.rule.open_http_port|
24 | |message|data.rule.open_http_port_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** A firewall rule allows unrestricted (generic) access to the HTTP port (80). If the service must be public, terminate traffic at a load balancer and serve it over HTTPS; otherwise restrict the source ranges.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computefirewall']
43 |
44 |
45 | [ComputeFirewall.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeFirewall.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0012-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Open LDAP Port
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeFirewall_11
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeFirewall.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0012-KCC|
23 | |eval|data.rule.open_ldap_port|
24 | |message|data.rule.open_ldap_port_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** A firewall rule allows unrestricted (generic) access to the LDAP port (389). Plain LDAP transmits credentials and directory data in cleartext; restrict the source ranges and prefer LDAPS (636).
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computefirewall']
43 |
44 |
45 | [ComputeFirewall.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeFirewall.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0018-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Open POP3 Port
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeFirewall_17
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeFirewall.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0018-KCC|
23 | |eval|data.rule.open_pop3_port|
24 | |message|data.rule.open_pop3_port_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** A firewall rule allows unrestricted (generic) access to the POP3 port (110). Plain POP3 sends credentials in cleartext; restrict the source ranges and prefer POP3S (995).
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computefirewall']
43 |
44 |
45 | [ComputeFirewall.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeFirewall.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0022-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Open SMTP Port
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeFirewall_21
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeFirewall.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0022-KCC|
23 | |eval|data.rule.open_smtp_port|
24 | |message|data.rule.open_smtp_port_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** A firewall rule allows unrestricted (generic) access to the SMTP port (25). An openly reachable mail port invites relay and spam abuse; restrict the source ranges to the hosts that must deliver mail.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computefirewall']
43 |
44 |
45 | [ComputeFirewall.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeFirewall.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0042-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Private Cluster Disabled
6 |
7 |
8 | ***Master Test Id:*** TEST_ContainerCluster_8
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ContainerCluster.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0042-KCC|
23 | |eval|data.rule.private_cluster_disabled|
24 | |message|data.rule.private_cluster_disabled_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** The GKE cluster is not a private cluster: its nodes have public IP addresses and are reachable from outside the VPC.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['containercluster']
43 |
44 |
45 | [ContainerCluster.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ContainerCluster.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0048-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Legacy Metadata Enabled
6 |
7 |
8 | ***Master Test Id:*** TEST_ContainerNodePool_4
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ContainerNodePool.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0048-KCC|
23 | |eval|data.rule.legacy_metadata_enabled|
24 | |message|data.rule.legacy_metadata_enabled_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** The legacy Compute Engine metadata endpoint (v1beta1) is enabled on the node pool. Unlike the v1 endpoint it does not require the `Metadata-Flavor: Google` header, which makes instance metadata, including service-account tokens, easier to reach from a compromised or SSRF-able workload.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['containernodepool']
43 |
44 |
45 | [ContainerNodePool.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ContainerNodePool.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0059-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Bucket CMEK Disabled
6 |
7 |
8 | ***Master Test Id:*** TEST_StorageBucket_1
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([StorageBucket.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0059-KCC|
23 | |eval|data.rule.bucket_cmek_disabled|
24 | |message|data.rule.bucket_cmek_disabled_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** The bucket is not encrypted with customer-managed encryption keys (CMEK); it relies on Google-managed keys, leaving key rotation and revocation outside the project's control.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['storagebucket']
43 |
44 |
45 | [StorageBucket.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/StorageBucket.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/azure/terraform/all/PR-AZR-TRF-SEC-001.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Ensure Secrets are not hardcoded in the template
6 |
7 |
8 | ***Master Test Id:*** PR-AZR-TRF-SEC-001
9 |
10 | ***Master Snapshot Id:*** ['TRF_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([secrets.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AZR-TRF-SEC-001|
23 | |eval|data.rule.gl_azure_secrets|
24 | |message|data.rule.gl_azure_secrets_err|
25 | |remediationDescription||
26 | |remediationFunction|PR_AZR_TRF_SEC_001.py|
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** Secrets must not be hardcoded in the Terraform template. Store them in a vault, for example Azure Key Vault, and reference them from the template instead of embedding the value.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['terraform']|
40 |
41 |
42 |
43 | [secrets.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/azure/terraform/secrets.rego
44 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0015-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Open MySQL Port
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeFirewall_14
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeFirewall.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0015-KCC|
23 | |eval|data.rule.open_mysql_port|
24 | |message|data.rule.open_mysql_port_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** A firewall rule allows unrestricted (generic) access to the MySQL port (3306). Database ports should only be reachable from the application tier; restrict the source ranges accordingly.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computefirewall']
43 |
44 |
45 | [ComputeFirewall.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeFirewall.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0021-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Open REDIS Port
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeFirewall_20
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeFirewall.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0021-KCC|
23 | |eval|data.rule.open_redis_port|
24 | |message|data.rule.open_redis_port_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** A firewall rule allows unrestricted (generic) access to the Redis port (6379). Redis is often deployed without authentication; restrict the source ranges to the application tier.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computefirewall']
43 |
44 |
45 | [ComputeFirewall.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeFirewall.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0024-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Open TELNET Port
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeFirewall_23
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeFirewall.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0024-KCC|
23 | |eval|data.rule.open_telnet_port|
24 | |message|data.rule.open_telnet_port_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** A firewall rule allows unrestricted (generic) access to the TELNET port (23). Telnet is unencrypted and should not be exposed at all; restrict the source ranges and replace it with SSH.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computefirewall']
43 |
44 |
45 | [ComputeFirewall.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeFirewall.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0036-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Cluster Monitoring Disabled
6 |
7 |
8 | ***Master Test Id:*** TEST_ContainerCluster_2
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ContainerCluster.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0036-KCC|
23 | |eval|data.rule.cluster_monitoring_disabled|
24 | |message|data.rule.cluster_monitoring_disabled_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** Monitoring is not enabled for the GKE cluster, so cluster and workload metrics are not collected.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['containercluster']
43 |
44 |
45 | [ContainerCluster.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ContainerCluster.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0062-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Locked Retention Policy Not Set
6 |
7 |
8 | ***Master Test Id:*** TEST_StorageBucket_4
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([StorageBucket.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0062-KCC|
23 | |eval|data.rule.locked_retention_policy_not_set|
24 | |message|data.rule.locked_retention_policy_not_set_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** The bucket has no locked retention policy. Without one, stored logs can be deleted or overwritten before the retention period ends, and the retention policy itself can be shortened or removed.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['storagebucket']
43 |
44 |
45 | [StorageBucket.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/StorageBucket.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/azure/IaC/all/PR-AZR-ARM-SEC-002.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: A secure password may be exposed
6 |
7 |
8 | ***Master Test Id:*** PR-AZR-ARM-SEC-002
9 |
10 | ***Master Snapshot Id:*** ['ARM_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** python
13 |
14 | ***rule:*** file([secret_azure_iac.py])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AZR-ARM-SEC-002|
23 | |eval|azure_password_leak|
24 | |message|azure_password_leak_err|
25 | |remediationDescription||
26 | |remediationFunction|PR_AZR_ARM_SEC_002.py|
27 |
28 |
29 | ***Severity:*** High
30 |
31 | ***Description:*** A password value appears to be hardcoded in the ARM template (flagged by the `azure_password_leak` check). Store such secrets in a vault, for example Azure Key Vault, and reference them from the template instead of embedding the value.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['arm']|
40 |
41 |
42 |
43 | [secret_azure_iac.py]: https://github.com/prancer-io/prancer-compliance-test/tree/master/azure/iac/secret_azure_iac.py
44 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0014-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Open MONGODB Port
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeFirewall_13
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeFirewall.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0014-KCC|
23 | |eval|data.rule.open_mongodb_port|
24 | |message|data.rule.open_mongodb_port_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** A firewall is configured to have an open MONGODB port that allows generic access.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computefirewall']
43 |
44 |
45 | [ComputeFirewall.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeFirewall.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0016-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Open NETBIOS Port
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeFirewall_15
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeFirewall.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0016-KCC|
23 | |eval|data.rule.open_netbios_port|
24 | |message|data.rule.open_netbios_port_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** A firewall is configured to have an open NETBIOS port that allows generic access.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computefirewall']
43 |
44 |
45 | [ComputeFirewall.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeFirewall.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0044-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Workload Identity Disabled
6 |
7 |
8 | ***Master Test Id:*** TEST_ContainerCluster_10
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ContainerCluster.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0044-KCC|
23 | |eval|data.rule.workload_identity_disabled|
24 | |message|data.rule.workload_identity_disabled_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** Workload Identity is disabled on a GKE cluster.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['containercluster']
43 |
44 |
45 | [ContainerCluster.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ContainerCluster.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0017-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Open ORACLEDB Port
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeFirewall_16
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeFirewall.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0017-KCC|
23 | |eval|data.rule.open_oracledb_port|
24 | |message|data.rule.open_oracledb_port_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** A firewall is configured to have an open ORACLEDB port that allows generic access.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computefirewall']
43 |
44 |
45 | [ComputeFirewall.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeFirewall.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0025-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Compute Secure Boot Disabled
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeInstance_1
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeInstance.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0025-KCC|
23 | |eval|data.rule.compute_secure_boot_disabled|
24 | |message|data.rule.compute_secure_boot_disabled_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** This Shielded VM does not have Secure Boot enabled.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computeinstance']
43 |
44 |
45 | [ComputeInstance.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeInstance.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0038-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Legacy Authorization Enabled
6 |
7 |
8 | ***Master Test Id:*** TEST_ContainerCluster_4
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ContainerCluster.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0038-KCC|
23 | |eval|data.rule.legacy_authorization_enabled|
24 | |message|data.rule.legacy_authorization_enabled_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** Legacy Authorization is enabled on GKE clusters.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['containercluster']
43 |
44 |
45 | [ContainerCluster.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ContainerCluster.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0041-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Pod Security Policy Disabled
6 |
7 |
8 | ***Master Test Id:*** TEST_ContainerCluster_7
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ContainerCluster.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0041-KCC|
23 | |eval|data.rule.pod_security_policy_disabled|
24 | |message|data.rule.pod_security_policy_disabled_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** PodSecurityPolicy is disabled on a GKE cluster.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['containercluster']
43 |
44 |
45 | [ContainerCluster.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ContainerCluster.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0052-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Primitive Roles Used
6 |
7 |
8 | ***Master Test Id:*** TEST_IAMPolicy_2
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([IAMpolicy.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0052-KCC|
23 | |eval|data.rule.primitive_roles_used|
24 | |message|data.rule.primitive_roles_used_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** A user holds a basic role (Owner, Writer, or Reader). These roles are too permissive and should not be used.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['iampolicy']
43 |
44 |
45 | [IAMpolicy.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/IAMpolicy.rego
46 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0028.rego:
--------------------------------------------------------------------------------
1 | package rule
2 |
3 | #
4 | # PR-K8S-0028
5 | #
6 |
# Tri-state result: stays null until one of the rulepass bodies below fires
# (true for a clean pod, false when the finding is raised), so objects that
# are not pods evaluate to neither pass nor fail.
default rulepass = null
8 |
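# PR-K8S-0028: the kube-apiserver pod still accepts anonymous requests.
#
# kube-apiserver enables anonymous authentication by default, so the flag must
# be present and set to false; a missing flag is a finding as well (the
# original only caught an explicit --anonymous-auth=true). The container whose
# name is matched is also the one whose flags are inspected, whereas the
# original iterated containers and commands independently.
k8s_issue["rulepass"] {
    container := apiserver_containers[_]
    not anonymous_auth_disabled(container)
}

# True when one argument of the container turns anonymous auth off, accepting
# every spelling of false that Go's strconv.ParseBool accepts.
anonymous_auth_disabled(container) {
    regex.match("^--anonymous-auth=(0|f|F|false|False|FALSE)$", apiserver_flags(container)[_])
}

# kube-apiserver containers of the kube-system pod under evaluation.
apiserver_containers[container] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    container := input.spec.containers[_]
    container.name == "kube-apiserver"
}

# Every command-line argument of a container; kube-apiserver flags may be
# passed through either `command` or `args`, so both lists are read.
apiserver_flags(container) = flags {
    flags := array.concat(object.get(container, "command", []), object.get(container, "args", []))
}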
17 |
# Passes when the evaluated object is a pod and no PR-K8S-0028 finding exists.
rulepass = true {
    not k8s_issue["rulepass"]
    lower(input.kind) == "pod"
}
22 |
# Fails as soon as the finding is raised.
rulepass = false { k8s_issue["rulepass"] }
26 |
# Message reported alongside a failing result.
rulepass_err = msg {
    k8s_issue["rulepass"]
    msg := "PR-K8S-0028: Ensure that the --anonymous-auth argument is set to false (API Server)"
}
30 |
# Catalogue entry describing this policy.
k8s_issue_metadata := {
    "Type": "Cloud",
    "Language": "Cloud",
    "Product": "Kubernetes",
    "Resource Type": "pod",
    "Policy Code": "PR-K8S-0028",
    # NOTE: title and description keep their trailing space byte-for-byte.
    "Policy Title": "Ensure that the --anonymous-auth argument is set to false (API Server) ",
    "Policy Description": "Ensure that the --anonymous-auth argument is set to false (API Server) ",
    "Policy Help URL": "",
    "Resource Help URL": ""
}
42 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0004-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Open CASSANDRA Port
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeFirewall_3
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeFirewall.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0004-KCC|
23 | |eval|data.rule.open_cassandra_port|
24 | |message|data.rule.open_cassandra_port_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** A firewall is configured to have an open CASSANDRA port that allows generic access.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computefirewall']
43 |
44 |
45 | [ComputeFirewall.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeFirewall.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0013-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Open MEMCACHED Port
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeFirewall_12
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeFirewall.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0013-KCC|
23 | |eval|data.rule.open_memcached_port|
24 | |message|data.rule.open_memcached_port_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** A firewall is configured to have an open MEMCACHED port that allows generic access.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computefirewall']
43 |
44 |
45 | [ComputeFirewall.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeFirewall.rego
46 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0058.rego:
--------------------------------------------------------------------------------
1 | package rule
2 |
3 | #
4 | # PR-K8S-0058
5 | #
6 |
# Tri-state result: stays null until one of the rulepass bodies below fires
# (true for a clean pod, false when the finding is raised), so objects that
# are not pods evaluate to neither pass nor fail.
default rulepass = null
8 |
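# PR-K8S-0058: the kube-apiserver authorizer chain includes AlwaysAllow.
#
# The container whose name is matched is also the one whose flags are
# inspected (the original iterated containers and commands independently),
# and AlwaysAllow is matched as a comma-separated list element rather than
# as a substring anywhere in the argument.
k8s_issue["rulepass"] {
    container := apiserver_containers[_]
    authorization_mode_includes(container, "AlwaysAllow")
}

# AlwaysAllow is also the kube-apiserver default, so an absent
# --authorization-mode flag is the same finding.
k8s_issue["rulepass"] {
    container := apiserver_containers[_]
    not has_flag(container, "--authorization-mode=")
}

# True when `mode` is one of the comma-separated --authorization-mode values.
authorization_mode_includes(container, mode) {
    flag := apiserver_flags(container)[_]
    startswith(flag, "--authorization-mode=")
    split(trim_prefix(flag, "--authorization-mode="), ",")[_] == mode
}

# True when some argument of the container starts with `prefix`.
has_flag(container, prefix) {
    startswith(apiserver_flags(container)[_], prefix)
}

# kube-apiserver containers of the kube-system pod under evaluation.
apiserver_containers[container] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    container := input.spec.containers[_]
    container.name == "kube-apiserver"
}

# Every command-line argument of a container; kube-apiserver flags may be
# passed through either `command` or `args`, so both lists are read.
apiserver_flags(container) = flags {
    flags := array.concat(object.get(container, "command", []), object.get(container, "args", []))
}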
15 |
# Passes when the evaluated object is a pod and no PR-K8S-0058 finding exists.
rulepass = true {
    not k8s_issue["rulepass"]
    lower(input.kind) == "pod"
}
20 |
# Fails as soon as the finding is raised.
rulepass = false { k8s_issue["rulepass"] }
24 |
# Message reported alongside a failing result.
rulepass_err = msg {
    k8s_issue["rulepass"]
    msg := "PR-K8S-0058: Ensure that the --authorization-mode argument is not set to AlwaysAllow (API Server)"
}
28 |
# Catalogue entry describing this policy.
k8s_issue_metadata := {
    "Type": "Cloud",
    "Language": "Cloud",
    "Product": "Kubernetes",
    "Resource Type": "pod",
    "Policy Code": "PR-K8S-0058",
    # NOTE: title and description keep their trailing space byte-for-byte.
    "Policy Title": "Ensure that the --authorization-mode argument is not set to AlwaysAllow (API Server) ",
    "Policy Description": "Ensure that the --authorization-mode argument is not set to AlwaysAllow (API Server) ",
    "Policy Help URL": "",
    "Resource Help URL": ""
}
40 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0068.rego:
--------------------------------------------------------------------------------
1 | package rule
2 |
3 | #
4 | # PR-K8S-0068
5 | #
6 |
# Tri-state result: stays null until one of the rulepass bodies below fires
# (true for a clean pod, false when the finding is raised), so objects that
# are not pods evaluate to neither pass nor fail.
default rulepass = null
8 |
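# PR-K8S-0068: the kube-apiserver is started without a CA bundle for etcd.
#
# The container whose name is matched is also the one whose flags are
# inspected (the original iterated containers and commands independently),
# and an empty value (`--etcd-cafile=`) counts as not set, which the original
# `.*` pattern accepted.
k8s_issue["rulepass"] {
    container := apiserver_containers[_]
    not has_flag_value(container, "--etcd-cafile=")
}

# True when some argument is `<prefix>` followed by a non-empty value.
has_flag_value(container, prefix) {
    flag := apiserver_flags(container)[_]
    startswith(flag, prefix)
    count(flag) > count(prefix)
}

# kube-apiserver containers of the kube-system pod under evaluation.
apiserver_containers[container] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    container := input.spec.containers[_]
    container.name == "kube-apiserver"
}

# Every command-line argument of a container; kube-apiserver flags may be
# passed through either `command` or `args`, so both lists are read.
apiserver_flags(container) = flags {
    flags := array.concat(object.get(container, "command", []), object.get(container, "args", []))
}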
17 |
# Passes when the evaluated object is a pod and no PR-K8S-0068 finding exists.
rulepass = true {
    not k8s_issue["rulepass"]
    lower(input.kind) == "pod"
}
22 |
# Fails as soon as the finding is raised.
rulepass = false { k8s_issue["rulepass"] }
26 |
# Message reported alongside a failing result.
rulepass_err = msg {
    k8s_issue["rulepass"]
    msg := "PR-K8S-0068: Ensure that the --etcd-cafile argument is set as appropriate (API Server)"
}
30 |
# Catalogue entry describing this policy.
k8s_issue_metadata := {
    "Type": "Cloud",
    "Language": "Cloud",
    "Product": "Kubernetes",
    "Resource Type": "pod",
    "Policy Code": "PR-K8S-0068",
    # NOTE: title and description keep their trailing space byte-for-byte.
    "Policy Title": "Ensure that the --etcd-cafile argument is set as appropriate (API Server) ",
    "Policy Description": "Ensure that the --etcd-cafile argument is set as appropriate (API Server) ",
    "Policy Help URL": "",
    "Resource Help URL": ""
}
42 |
--------------------------------------------------------------------------------
/docs/policies/azure/Cloud/all/PR-AZR-CLD-AKS-009.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Ensure Kubernetes Dashboard is disabled
6 |
7 |
8 | ***Master Test Id:*** PR-AZR-CLD-AKS-009
9 |
10 | ***Master Snapshot Id:*** ['AZRSNP_219']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([aks.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AZR-CLD-AKS-009|
23 | |eval|data.rule.aks_kub_dashboard_disabled|
24 | |message|data.rule.aks_kub_dashboard_disabled_err|
25 | |remediationDescription|Use CLI Command: az aks disable-addons -g myRG -n myAKScluster -a kube-dashboard|
26 | |remediationFunction|PR_AZR_CLD_AKS_009.py|
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** Disable the Kubernetes dashboard on Azure Kubernetes Service
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|azure|
38 | |compliance|[]|
39 | |service|['Containers']|
40 |
41 |
42 |
43 | [aks.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/azure/cloud/aks.rego
44 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0008-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Open ELASTICSEARCH Port
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeFirewall_7
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeFirewall.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0008-KCC|
23 | |eval|data.rule.open_elasticsearch_port|
24 | |message|data.rule.open_elasticsearch_port_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** A firewall is configured to have an open ELASTICSEARCH port that allows generic access.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computefirewall']
43 |
44 |
45 | [ComputeFirewall.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeFirewall.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0019-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Open POSTGRESQL Port
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeFirewall_18
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeFirewall.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0019-KCC|
23 | |eval|data.rule.open_postgresql_port|
24 | |message|data.rule.open_postgresql_port_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** A firewall is configured to have an open POSTGRESQL port that allows generic access.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computefirewall']
43 |
44 |
45 | [ComputeFirewall.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeFirewall.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0063-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Object Versioning Disabled
6 |
7 |
8 | ***Master Test Id:*** TEST_StorageBucket_5
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([StorageBucket.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0063-KCC|
23 | |eval|data.rule.object_versioning_disabled|
24 | |message|data.rule.object_versioning_disabled_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** Object versioning isn't enabled on a storage bucket where sinks are configured.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['storagebucket']
43 |
44 |
45 | [StorageBucket.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/StorageBucket.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/aws/terraform/all/PR-AWS-0031-RGX.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Ensure no hardcoded password is set in the template
6 |
7 |
8 | ***Master Test Id:*** PR-AWS-0031-RGX
9 |
10 | ***Master Snapshot Id:*** ['TRF_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** python
13 |
14 | ***rule:*** file([secret_tf.py])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AWS-0031-RGX|
23 | |eval|password_leak|
24 | |message|password_leak_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** High
30 |
31 | ***Description:*** Ensure no hardcoded password is set in the template; templates should not contain any secrets. Make sure to keep the secrets in a vault.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['terraform']|
40 |
41 |
42 | ***Resource Types:*** []
43 |
44 |
45 | [secret_tf.py]: https://github.com/prancer-io/prancer-compliance-test/tree/master/aws/terraform/secret_tf.py
46 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0027.rego:
--------------------------------------------------------------------------------
1 | package rule
2 |
3 | #
4 | # PR-K8S-0027
5 | #
6 |
# Tri-state result: stays null until one of the rulepass bodies below fires
# (true for a clean pod, false when the finding is raised), so objects that
# are not pods evaluate to neither pass nor fail.
default rulepass = null
8 |
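# PR-K8S-0027: the kube-apiserver authorizer chain does not include RBAC
# (this also covers an absent --authorization-mode flag).
#
# The container whose name is matched is also the one whose flags are
# inspected (the original iterated containers and commands independently),
# and RBAC must appear as a comma-separated list element rather than as a
# substring anywhere in the argument.
k8s_issue["rulepass"] {
    container := apiserver_containers[_]
    not authorization_mode_includes(container, "RBAC")
}

# True when `mode` is one of the comma-separated --authorization-mode values.
authorization_mode_includes(container, mode) {
    flag := apiserver_flags(container)[_]
    startswith(flag, "--authorization-mode=")
    split(trim_prefix(flag, "--authorization-mode="), ",")[_] == mode
}

# kube-apiserver containers of the kube-system pod under evaluation.
apiserver_containers[container] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    container := input.spec.containers[_]
    container.name == "kube-apiserver"
}

# Every command-line argument of a container; kube-apiserver flags may be
# passed through either `command` or `args`, so both lists are read.
apiserver_flags(container) = flags {
    flags := array.concat(object.get(container, "command", []), object.get(container, "args", []))
}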
17 |
# Passes when the evaluated object is a pod and no PR-K8S-0027 finding exists.
rulepass = true {
    not k8s_issue["rulepass"]
    lower(input.kind) == "pod"
}
22 |
# Fails as soon as the finding is raised.
rulepass = false { k8s_issue["rulepass"] }
26 |
# Message reported alongside a failing result.
rulepass_err = msg {
    k8s_issue["rulepass"]
    msg := "PR-K8S-0027: Ensure that the --authorization-mode argument includes RBAC (API Server)"
}
30 |
# Catalogue entry describing this policy.
k8s_issue_metadata := {
    "Type": "Cloud",
    "Language": "Cloud",
    "Product": "Kubernetes",
    "Resource Type": "pod",
    "Policy Code": "PR-K8S-0027",
    # NOTE: title and description keep their trailing space byte-for-byte.
    "Policy Title": "Ensure that the --authorization-mode argument includes RBAC (API Server) ",
    "Policy Description": "Ensure that the --authorization-mode argument includes RBAC (API Server) ",
    "Policy Help URL": "",
    "Resource Help URL": ""
}
42 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0048.rego:
--------------------------------------------------------------------------------
1 | package rule
2 |
3 | #
4 | # PR-K8S-0048
5 | #
6 |
# Tri-state result: stays null until one of the rulepass bodies below fires
# (true for a clean pod, false when the finding is raised), so objects that
# are not pods evaluate to neither pass nor fail.
default rulepass = null
8 |
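# PR-K8S-0048: the kube-apiserver authorizer chain does not include Node
# (this also covers an absent --authorization-mode flag).
#
# The container whose name is matched is also the one whose flags are
# inspected (the original iterated containers and commands independently),
# and Node must appear as a comma-separated list element rather than as a
# substring anywhere in the argument.
k8s_issue["rulepass"] {
    container := apiserver_containers[_]
    not authorization_mode_includes(container, "Node")
}

# True when `mode` is one of the comma-separated --authorization-mode values.
authorization_mode_includes(container, mode) {
    flag := apiserver_flags(container)[_]
    startswith(flag, "--authorization-mode=")
    split(trim_prefix(flag, "--authorization-mode="), ",")[_] == mode
}

# kube-apiserver containers of the kube-system pod under evaluation.
apiserver_containers[container] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    container := input.spec.containers[_]
    container.name == "kube-apiserver"
}

# Every command-line argument of a container; kube-apiserver flags may be
# passed through either `command` or `args`, so both lists are read.
apiserver_flags(container) = flags {
    flags := array.concat(object.get(container, "command", []), object.get(container, "args", []))
}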
17 |
# Passes when the evaluated object is a pod and no PR-K8S-0048 finding exists.
rulepass = true {
    not k8s_issue["rulepass"]
    lower(input.kind) == "pod"
}
22 |
# Fails as soon as the finding is raised.
rulepass = false { k8s_issue["rulepass"] }
26 |
# Message reported alongside a failing result.
rulepass_err = msg {
    k8s_issue["rulepass"]
    msg := "PR-K8S-0048: Ensure that the --authorization-mode argument is set to Node (API Server)"
}
30 |
# Catalogue entry describing this policy.
k8s_issue_metadata := {
    "Type": "Cloud",
    "Language": "Cloud",
    "Product": "Kubernetes",
    "Resource Type": "pod",
    "Policy Code": "PR-K8S-0048",
    # NOTE: title and description keep their trailing space byte-for-byte.
    "Policy Title": "Ensure that the --authorization-mode argument is set to Node (API Server) ",
    "Policy Description": "Ensure that the --authorization-mode argument is set to Node (API Server) ",
    "Policy Help URL": "",
    "Resource Help URL": ""
}
42 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0059.rego:
--------------------------------------------------------------------------------
1 | package rule
2 |
3 | #
4 | # PR-K8S-0059
5 | #
6 |
# Tri-state result: stays null until one of the rulepass bodies below fires
# (true for a clean pod, false when the finding is raised), so objects that
# are not pods evaluate to neither pass nor fail.
default rulepass = null
8 |
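# PR-K8S-0059: the kube-apiserver is started without an audit log path, so
# audit events are not persisted.
#
# The container whose name is matched is also the one whose flags are
# inspected (the original iterated containers and commands independently),
# and an empty value (`--audit-log-path=`) counts as not set, which the
# original `.*` pattern accepted.
k8s_issue["rulepass"] {
    container := apiserver_containers[_]
    not has_flag_value(container, "--audit-log-path=")
}

# True when some argument is `<prefix>` followed by a non-empty value.
has_flag_value(container, prefix) {
    flag := apiserver_flags(container)[_]
    startswith(flag, prefix)
    count(flag) > count(prefix)
}

# kube-apiserver containers of the kube-system pod under evaluation.
apiserver_containers[container] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    container := input.spec.containers[_]
    container.name == "kube-apiserver"
}

# Every command-line argument of a container; kube-apiserver flags may be
# passed through either `command` or `args`, so both lists are read.
apiserver_flags(container) = flags {
    flags := array.concat(object.get(container, "command", []), object.get(container, "args", []))
}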
17 |
# Passes when the evaluated object is a pod and no PR-K8S-0059 finding exists.
rulepass = true {
    not k8s_issue["rulepass"]
    lower(input.kind) == "pod"
}
22 |
# Fails as soon as the finding is raised.
rulepass = false { k8s_issue["rulepass"] }
26 |
# Message reported alongside a failing result.
rulepass_err = msg {
    k8s_issue["rulepass"]
    msg := "PR-K8S-0059: Ensure that the --audit-log-path argument is set as appropriate (API Server)"
}
30 |
# Catalogue entry describing this policy.
k8s_issue_metadata := {
    "Type": "Cloud",
    "Language": "Cloud",
    "Product": "Kubernetes",
    "Resource Type": "pod",
    "Policy Code": "PR-K8S-0059",
    # NOTE: title and description keep their trailing space byte-for-byte.
    "Policy Title": "Ensure that the --audit-log-path argument is set as appropriate (API Server) ",
    "Policy Description": "Ensure that the --audit-log-path argument is set as appropriate (API Server) ",
    "Policy Help URL": "",
    "Resource Help URL": ""
}
42 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0076.rego:
--------------------------------------------------------------------------------
1 | package rule
2 |
3 | #
4 | # PR-K8S-0076
5 | #
6 |
# Tri-state result: stays null until one of the rulepass bodies below fires
# (true for a clean pod, false when the finding is raised), so objects that
# are not pods evaluate to neither pass nor fail.
default rulepass = null
8 |
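# PR-K8S-0076: the kube-apiserver is started without a client CA file, so
# client certificates cannot be verified.
#
# The container whose name is matched is also the one whose flags are
# inspected (the original iterated containers and commands independently),
# and an empty value (`--client-ca-file=`) counts as not set, which the
# original `.*` pattern accepted.
k8s_issue["rulepass"] {
    container := apiserver_containers[_]
    not has_flag_value(container, "--client-ca-file=")
}

# True when some argument is `<prefix>` followed by a non-empty value.
has_flag_value(container, prefix) {
    flag := apiserver_flags(container)[_]
    startswith(flag, prefix)
    count(flag) > count(prefix)
}

# kube-apiserver containers of the kube-system pod under evaluation.
apiserver_containers[container] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    container := input.spec.containers[_]
    container.name == "kube-apiserver"
}

# Every command-line argument of a container; kube-apiserver flags may be
# passed through either `command` or `args`, so both lists are read.
apiserver_flags(container) = flags {
    flags := array.concat(object.get(container, "command", []), object.get(container, "args", []))
}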
17 |
# Passes when the evaluated object is a pod and no PR-K8S-0076 finding exists.
rulepass = true {
    not k8s_issue["rulepass"]
    lower(input.kind) == "pod"
}
22 |
# Fails as soon as the finding is raised.
rulepass = false { k8s_issue["rulepass"] }
26 |
# Message reported alongside a failing result.
rulepass_err = msg {
    k8s_issue["rulepass"]
    msg := "PR-K8S-0076: Ensure that the --client-ca-file argument is set as appropriate (API Server)"
}
30 |
# Catalogue entry describing this policy.
k8s_issue_metadata := {
    "Type": "Cloud",
    "Language": "Cloud",
    "Product": "Kubernetes",
    "Resource Type": "pod",
    "Policy Code": "PR-K8S-0076",
    # NOTE: title and description keep their trailing space byte-for-byte.
    "Policy Title": "Ensure that the --client-ca-file argument is set as appropriate (API Server) ",
    "Policy Description": "Ensure that the --client-ca-file argument is set as appropriate (API Server) ",
    "Policy Help URL": "",
    "Resource Help URL": ""
}
42 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0034-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Private Google Access Disabled
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeSubnetwork
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeSubnetwork.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0034-KCC|
23 | |eval|data.rule.private_google_access_disabled|
24 | |message|data.rule.private_google_access_disabled_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** There are private subnetworks without access to Google public APIs.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computesubnetwork']
43 |
44 |
45 | [ComputeSubnetwork.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeSubnetwork.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0060-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Bucket Policy Only Disabled
6 |
7 |
8 | ***Master Test Id:*** TEST_StorageBucket_2
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([StorageBucket.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0060-KCC|
23 | |eval|data.rule.bucket_policy_only_disabled|
24 | |message|data.rule.bucket_policy_only_disabled_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** Uniform bucket-level access, previously called Bucket Policy Only, isn't configured.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['storagebucket']
43 |
44 |
45 | [StorageBucket.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/StorageBucket.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/aws/terraform/all/PR-AWS-0029-RGX.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: There is a possibility that an AWS account ID has leaked
6 |
7 |
8 | ***Master Test Id:*** PR-AWS-0029-RGX
9 |
10 | ***Master Snapshot Id:*** ['TRF_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** python
13 |
14 | ***rule:*** file([secret_tf.py])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AWS-0029-RGX|
23 | |eval|gl_aws_account|
24 | |message|gl_aws_account_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** High
30 |
31 | ***Description:*** There is a possibility that an AWS account ID has leaked; templates should not contain any secrets. Make sure to keep the secrets in a vault.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['terraform']|
40 |
41 |
42 | ***Resource Types:*** []
43 |
44 |
45 | [secret_tf.py]: https://github.com/prancer-io/prancer-compliance-test/tree/master/aws/terraform/secret_tf.py
46 |
--------------------------------------------------------------------------------
/docs/policies/aws/IaC/all/PR-AWS-0031-RGX.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Ensure no hardcoded password is set in the template
6 |
7 |
8 | ***Master Test Id:*** PR-AWS-0031-RGX
9 |
10 | ***Master Snapshot Id:*** ['CFR_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** python
13 |
14 | ***rule:*** file([secret_aws_iac.py])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AWS-0031-RGX|
23 | |eval|aws_password_leak|
24 | |message|aws_password_leak_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** High
30 |
31 | ***Description:*** Ensure no hardcoded password is set in the template; templates should not contain any secrets. Make sure to keep the secrets in a vault.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['cloudformation']|
40 |
41 |
42 | ***Resource Types:*** []
43 |
44 |
45 | [secret_aws_iac.py]: https://github.com/prancer-io/prancer-compliance-test/tree/master/aws/iac/secret_aws_iac.py
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0039-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Master Authorized Networks Disabled
6 |
7 |
8 | ***Master Test Id:*** TEST_ContainerCluster_5
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ContainerCluster.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0039-KCC|
23 | |eval|data.rule.master_authorized_networks_disabled|
24 | |message|data.rule.master_authorized_networks_disabled_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** Master Authorized Networks is not enabled on GKE clusters.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['containercluster']
43 |
44 |
45 | [ContainerCluster.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ContainerCluster.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0045-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Auto Repair Disabled
6 |
7 |
8 | ***Master Test Id:*** TEST_ContainerNodePool_1
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ContainerNodePool.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0045-KCC|
23 | |eval|data.rule.auto_repair_disabled|
24 | |message|data.rule.auto_repair_disabled_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** A GKE cluster's auto repair feature, which keeps nodes in a healthy, running state, is disabled.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['containernodepool']
43 |
44 |
45 | [ContainerNodePool.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ContainerNodePool.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/aws/IaC/all/PR-AWS-0029-RGX.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: There is a possibility that AWS account ID has leaked
6 |
7 |
8 | ***Master Test Id:*** PR-AWS-0029-RGX
9 |
10 | ***Master Snapshot Id:*** ['CFR_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** python
13 |
14 | ***rule:*** file([secret_aws_iac.py])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AWS-0029-RGX|
23 | |eval|gl_aws_account|
24 | |message|gl_aws_account_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** High
30 |
31 | ***Description:*** There is a possibility that an AWS account ID has leaked; the template should not have any secret in it. Make sure to put the secrets in a vault.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['cloudformation']|
40 |
41 |
42 | ***Resource Types:*** []
43 |
44 |
45 | [secret_aws_iac.py]: https://github.com/prancer-io/prancer-compliance-test/tree/master/aws/iac/secret_aws_iac.py
46 |
--------------------------------------------------------------------------------
/docs/policies/aws/terraform/all/PR-AWS-0030-RGX.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: There is a possibility that Aws access key id is exposed
6 |
7 |
8 | ***Master Test Id:*** PR-AWS-0030-RGX
9 |
10 | ***Master Snapshot Id:*** ['TRF_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** python
13 |
14 | ***rule:*** file([secret_tf.py])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AWS-0030-RGX|
23 | |eval|al_access_key_id|
24 | |message|al_access_key_id_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** High
30 |
31 | ***Description:*** There is a possibility that an AWS access key ID is exposed; the template should not have any secret in it. Make sure to put the secrets in a vault.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['terraform']|
40 |
41 |
42 | ***Resource Types:*** []
43 |
44 |
45 | [secret_tf.py]: https://github.com/prancer-io/prancer-compliance-test/tree/master/aws/terraform/secret_tf.py
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0005-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Open Ciscosecure Websm Port
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeFirewall_4
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeFirewall.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0005-KCC|
23 | |eval|data.rule.open_ciscosecure_websm_port|
24 | |message|data.rule.open_ciscosecure_websm_port_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** A firewall is configured to have an open CISCOSECURE_WEBSM port that allows generic access.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computefirewall']
43 |
44 |
45 | [ComputeFirewall.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeFirewall.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0037-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: COS Not Used
6 |
7 |
8 | ***Master Test Id:*** TEST_ContainerCluster_3
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ContainerCluster.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0037-KCC|
23 | |eval|data.rule.cos_not_used|
24 | |message|data.rule.cos_not_used_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** Compute Engine VMs aren't using the Container-Optimized OS that is designed for running Docker containers on Google Cloud securely.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['containercluster']
43 |
44 |
45 | [ContainerCluster.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ContainerCluster.rego
46 |
--------------------------------------------------------------------------------
/google/kcc/ComputeDisk.rego:
--------------------------------------------------------------------------------
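package rule

# https://cloud.google.com/config-connector/docs/reference/resource-docs/compute/computedisk

#
# DISK_CMEK_DISABLED
# DISK_CSEK_DISABLED
# PR-GCP-0001-KCC
#
# Flags a ComputeDisk that carries no `spec.diskEncryptionKey` block. Per the
# resource doc above, that block is where a customer-managed key (kmsKeyRef)
# or a customer-supplied key (rawKey) is declared; when it is absent the disk
# is protected by Google-managed encryption only.

# Tri-state result: null for any kind other than ComputeDisk, true when the
# disk declares an encryption key, false when it does not.
default disk_cmek_disabled = null

gc_issue["disk_cmek_disabled"] {
    lower(input.kind) == "computedisk"
    not input.spec.diskEncryptionKey
}

disk_cmek_disabled {
    lower(input.kind) == "computedisk"
    not gc_issue["disk_cmek_disabled"]
}

disk_cmek_disabled = false {
    gc_issue["disk_cmek_disabled"]
}

# The customer-supplied key acronym is CSEK; the message previously read "CSEC".
disk_cmek_disabled_err = "Disks on this VM are not encrypted with CMEK or CSEK." {
    gc_issue["disk_cmek_disabled"]
}

disk_cmek_disabled_metadata := {
    "Policy Code": "DISK_CMEK_DISABLED",
    "Type": "IaC",
    "Product": "GCP",
    "Language": "KCC",
    "Policy Title": "Disk CMEK Disabled",
    "Policy Description": "Disks on this VM are not encrypted with CMEK or CSEK.",
    "Resource Type": "ComputeDisk",
    "Policy Help URL": "",
    "Resource Help URL": "https://cloud.google.com/config-connector/docs/reference/resource-docs/compute/computedisk"
}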
41 |
--------------------------------------------------------------------------------
/docs/policies/aws/terraform/all/PR-AWS-0028-RGX.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: There is a possibility that AWS secret access key has leaked
6 |
7 |
8 | ***Master Test Id:*** PR-AWS-0028-RGX
9 |
10 | ***Master Snapshot Id:*** ['TRF_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** python
13 |
14 | ***rule:*** file([secret_tf.py])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AWS-0028-RGX|
23 | |eval|gl_aws_secrets|
24 | |message|gl_aws_secrets_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** High
30 |
31 | ***Description:*** There is a possibility that an AWS secret access key has leaked; the template should not have any secret in it. Make sure to put the secrets in a vault.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['terraform']|
40 |
41 |
42 | ***Resource Types:*** []
43 |
44 |
45 | [secret_tf.py]: https://github.com/prancer-io/prancer-compliance-test/tree/master/aws/terraform/secret_tf.py
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0006-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Open Directory Services Port
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeFirewall_5
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeFirewall.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0006-KCC|
23 | |eval|data.rule.open_directory_services_port|
24 | |message|data.rule.open_directory_services_port_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** A firewall is configured to have an open DIRECTORY_SERVICES port that allows generic access.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computefirewall']
43 |
44 |
45 | [ComputeFirewall.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeFirewall.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0031-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Org Policy Confidential VM Policy
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeInstance_7
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeInstance.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0031-KCC|
23 | |eval|data.rule.org_policy_confidential_vm_policy|
24 | |message|data.rule.org_policy_confidential_vm_policy_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** A Compute Engine resource is out of compliance with the constraints/compute.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computeinstance']
43 |
44 |
45 | [ComputeInstance.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeInstance.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0047-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: COS Not Used
6 |
7 |
8 | ***Master Test Id:*** TEST_ContainerNodePool_3
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ContainerNodePool.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0047-KCC|
23 | |eval|data.rule.cos_not_used|
24 | |message|data.rule.cos_not_used_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** Compute Engine VMs aren't using the Container-Optimized OS that is designed for running Docker containers on Google Cloud securely.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['containernodepool']
43 |
44 |
45 | [ContainerNodePool.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ContainerNodePool.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0054-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Service Account Key Not Rotated
6 |
7 |
8 | ***Master Test Id:*** TEST_IAMServiceAccountKey
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([IAMServiceAccountKey.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0054-KCC|
23 | |eval|data.rule.service_account_key_not_rotated|
24 | |message|data.rule.service_account_key_not_rotated_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** A service account key hasn't been rotated for more than 90 days.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['iamserviceaccountkey']
43 |
44 |
45 | [IAMServiceAccountKey.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/IAMServiceAccountKey.rego
46 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0034.rego:
--------------------------------------------------------------------------------
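package rule

#
# PR-K8S-0034
#
# Flags a kube-controller-manager pod in kube-system whose command line does
# not set --root-ca-file. Both `command` and `args` of the matched container
# are searched, since distributions differ in where they pass flags.

default rulepass = null

# flag_present(container, pattern) holds when some element of the container's
# `command` or `args` matches `pattern` (regex.match is unanchored).
flag_present(container, pattern) {
    regex.match(pattern, container.command[_])
}

flag_present(container, pattern) {
    regex.match(pattern, container.args[_])
}

k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    # Bind one container so the name check and the flag search apply to the
    # same container; the original iterated `containers[_]` independently.
    container := input.spec.containers[_]
    container.name == "kube-controller-manager"
    not flag_present(container, "--root-ca-file=.*")
}

rulepass {
    lower(input.kind) == "pod"
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0034: Ensure that the --root-ca-file argument is set as appropriate (Controller Manager)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0034",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the --root-ca-file argument is set as appropriate (Controller Manager) ",
    "Policy Description": "Ensure that the --root-ca-file argument is set as appropriate (Controller Manager) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}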
42 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0041.rego:
--------------------------------------------------------------------------------
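package rule

#
# PR-K8S-0041
#
# Flags a kube-apiserver pod in kube-system whose --enable-admission-plugins
# value does not include EventRateLimit. Both `command` and `args` of the
# matched container are searched.

default rulepass = null

# flag_present(container, pattern) holds when some element of the container's
# `command` or `args` matches `pattern` (regex.match is unanchored).
flag_present(container, pattern) {
    regex.match(pattern, container.command[_])
}

flag_present(container, pattern) {
    regex.match(pattern, container.args[_])
}

k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    # Bind one container so the name check and the flag search apply to the
    # same container; the original iterated `containers[_]` independently.
    container := input.spec.containers[_]
    container.name == "kube-apiserver"
    not flag_present(container, "--enable-admission-plugins=.*EventRateLimit.*")
}

rulepass {
    lower(input.kind) == "pod"
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0041: Ensure that the admission control plugin EventRateLimit is set (API Server)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0041",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the admission control plugin EventRateLimit is set (API Server) ",
    "Policy Description": "Ensure that the admission control plugin EventRateLimit is set (API Server) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}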
42 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0044.rego:
--------------------------------------------------------------------------------
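package rule

#
# PR-K8S-0044
#
# Flags a kube-apiserver pod in kube-system whose command line does not set
# --repair-malformed-updates=false. Both `command` and `args` of the matched
# container are searched.
#
# NOTE(review): --repair-malformed-updates was deprecated and later removed
# from kube-apiserver; on releases without the flag this rule always reports
# a failure — confirm the Kubernetes version range this policy targets.

default rulepass = null

# flag_present(container, pattern) holds when some element of the container's
# `command` or `args` matches `pattern` (regex.match is unanchored).
flag_present(container, pattern) {
    regex.match(pattern, container.command[_])
}

flag_present(container, pattern) {
    regex.match(pattern, container.args[_])
}

k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    # Bind one container so the name check and the flag search apply to the
    # same container; the original iterated `containers[_]` independently.
    container := input.spec.containers[_]
    container.name == "kube-apiserver"
    not flag_present(container, "--repair-malformed-updates=false")
}

rulepass {
    lower(input.kind) == "pod"
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0044: Ensure that the --repair-malformed-updates argument is set to false (API Server)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0044",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the --repair-malformed-updates argument is set to false (API Server) ",
    "Policy Description": "Ensure that the --repair-malformed-updates argument is set to false (API Server) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}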
42 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0049.rego:
--------------------------------------------------------------------------------
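package rule

#
# PR-K8S-0049
#
# Flags a kube-apiserver pod in kube-system whose --enable-admission-plugins
# value does not include NodeRestriction. Both `command` and `args` of the
# matched container are searched.

default rulepass = null

# flag_present(container, pattern) holds when some element of the container's
# `command` or `args` matches `pattern` (regex.match is unanchored).
flag_present(container, pattern) {
    regex.match(pattern, container.command[_])
}

flag_present(container, pattern) {
    regex.match(pattern, container.args[_])
}

k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    # Bind one container so the name check and the flag search apply to the
    # same container; the original iterated `containers[_]` independently.
    container := input.spec.containers[_]
    container.name == "kube-apiserver"
    not flag_present(container, "--enable-admission-plugins=.*NodeRestriction.*")
}

rulepass {
    lower(input.kind) == "pod"
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0049: Ensure that the admission control plugin NodeRestriction is set (API Server)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0049",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the admission control plugin NodeRestriction is set (API Server) ",
    "Policy Description": "Ensure that the admission control plugin NodeRestriction is set (API Server) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}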
42 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0079.rego:
--------------------------------------------------------------------------------
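package rule

#
# PR-K8S-0079
#
# Flags a kube-apiserver pod in kube-system whose --enable-admission-plugins
# value does not include ServiceAccount. Both `command` and `args` of the
# matched container are searched.

default rulepass = null

# flag_present(container, pattern) holds when some element of the container's
# `command` or `args` matches `pattern` (regex.match is unanchored).
flag_present(container, pattern) {
    regex.match(pattern, container.command[_])
}

flag_present(container, pattern) {
    regex.match(pattern, container.args[_])
}

k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    # Bind one container so the name check and the flag search apply to the
    # same container; the original iterated `containers[_]` independently.
    container := input.spec.containers[_]
    container.name == "kube-apiserver"
    not flag_present(container, "--enable-admission-plugins=.*ServiceAccount.*")
}

rulepass {
    lower(input.kind) == "pod"
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0079: Ensure that the admission control plugin ServiceAccount is set (API Server)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0079",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the admission control plugin ServiceAccount is set (API Server) ",
    "Policy Description": "Ensure that the admission control plugin ServiceAccount is set (API Server) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}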
42 |
--------------------------------------------------------------------------------
/docs/policies/aws/IaC/all/PR-AWS-0028-RGX.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: There is a possibility that AWS secret access key has leaked
6 |
7 |
8 | ***Master Test Id:*** PR-AWS-0028-RGX
9 |
10 | ***Master Snapshot Id:*** ['CFR_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** python
13 |
14 | ***rule:*** file([secret_aws_iac.py])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AWS-0028-RGX|
23 | |eval|gl_aws_secrets|
24 | |message|gl_aws_secrets_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** High
30 |
31 | ***Description:*** There is a possibility that an AWS secret access key has leaked; the template should not have any secret in it. Make sure to put the secrets in a vault.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['cloudformation']|
40 |
41 |
42 | ***Resource Types:*** []
43 |
44 |
45 | [secret_aws_iac.py]: https://github.com/prancer-io/prancer-compliance-test/tree/master/aws/iac/secret_aws_iac.py
46 |
--------------------------------------------------------------------------------
/docs/policies/aws/IaC/all/PR-AWS-0030-RGX.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: There is a possibility that Aws access key id is exposed
6 |
7 |
8 | ***Master Test Id:*** PR-AWS-0030-RGX
9 |
10 | ***Master Snapshot Id:*** ['CFR_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** python
13 |
14 | ***rule:*** file([secret_aws_iac.py])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AWS-0030-RGX|
23 | |eval|al_access_key_id|
24 | |message|al_access_key_id_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** High
30 |
31 | ***Description:*** There is a possibility that an AWS access key ID is exposed; the template should not have any secret in it. Make sure to put the secrets in a vault.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['cloudformation']|
40 |
41 |
42 | ***Resource Types:*** []
43 |
44 |
45 | [secret_aws_iac.py]: https://github.com/prancer-io/prancer-compliance-test/tree/master/aws/iac/secret_aws_iac.py
46 |
--------------------------------------------------------------------------------
/docs/policies/azure/IaC/all/PR-AZR-ARM-SEC-001.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Ensure Secrets are not hardcoded in the ARM template
6 |
7 |
8 | ***Master Test Id:*** PR-AZR-ARM-SEC-001
9 |
10 | ***Master Snapshot Id:*** ['ARM_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([secrets.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AZR-ARM-SEC-001|
23 | |eval|data.rule.gl_azure_secrets|
24 | |message|data.rule.gl_azure_secrets_err|
25 | |remediationDescription||
26 | |remediationFunction|PR_AZR_ARM_SEC_001.py|
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** Secrets should not be hardcoded in the ARM Template. Make sure to put those secrets in a vault and access from there.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['arm']|
40 |
41 |
42 | ***Resource Types:*** []
43 |
44 |
45 | [secrets.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/azure/iac/secrets.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0026-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Compute Serial Ports Enabled
6 |
7 |
8 | ***Master Test Id:*** TEST_ComputeInstance_2
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ComputeInstance.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0026-KCC|
23 | |eval|data.rule.compute_serial_ports_enabled|
24 | |message|data.rule.compute_serial_ports_enabled_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** Serial ports are enabled for an instance, allowing connections to the instance's serial console.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['computeinstance']
43 |
44 |
45 | [ComputeInstance.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ComputeInstance.rego
46 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0045.rego:
--------------------------------------------------------------------------------
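package rule

#
# PR-K8S-0045
#
# Flags a kube-apiserver pod in kube-system whose --enable-admission-plugins
# value does not include AlwaysPullImages. Both `command` and `args` of the
# matched container are searched.

default rulepass = null

# flag_present(container, pattern) holds when some element of the container's
# `command` or `args` matches `pattern` (regex.match is unanchored).
flag_present(container, pattern) {
    regex.match(pattern, container.command[_])
}

flag_present(container, pattern) {
    regex.match(pattern, container.args[_])
}

k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    # Bind one container so the name check and the flag search apply to the
    # same container; the original iterated `containers[_]` independently.
    container := input.spec.containers[_]
    container.name == "kube-apiserver"
    not flag_present(container, "--enable-admission-plugins=.*AlwaysPullImages.*")
}

rulepass {
    lower(input.kind) == "pod"
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0045: Ensure that the admission control plugin AlwaysPullImages is set (API Server)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0045",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the admission control plugin AlwaysPullImages is set (API Server) ",
    "Policy Description": "Ensure that the admission control plugin AlwaysPullImages is set (API Server) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}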
42 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0026.rego:
--------------------------------------------------------------------------------
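package rule

#
# PR-K8S-0026
#
# Flags a kube-apiserver pod in kube-system whose --enable-admission-plugins
# value does not include PodSecurityPolicy. Both `command` and `args` of the
# matched container are searched.
#
# NOTE(review): the PodSecurityPolicy admission plugin was removed in
# Kubernetes 1.25 (superseded by Pod Security Admission); clusters on or past
# that release will always fail this rule — confirm the targeted version range.

default rulepass = null

# flag_present(container, pattern) holds when some element of the container's
# `command` or `args` matches `pattern` (regex.match is unanchored).
flag_present(container, pattern) {
    regex.match(pattern, container.command[_])
}

flag_present(container, pattern) {
    regex.match(pattern, container.args[_])
}

k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    # Bind one container so the name check and the flag search apply to the
    # same container; the original iterated `containers[_]` independently.
    container := input.spec.containers[_]
    container.name == "kube-apiserver"
    not flag_present(container, "--enable-admission-plugins=.*PodSecurityPolicy.*")
}

rulepass {
    lower(input.kind) == "pod"
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0026: Ensure that the admission control plugin PodSecurityPolicy is set (API Server)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0026",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the admission control plugin PodSecurityPolicy is set (API Server) ",
    "Policy Description": "Ensure that the admission control plugin PodSecurityPolicy is set (API Server) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}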
42 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0054.rego:
--------------------------------------------------------------------------------
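package rule

#
# PR-K8S-0054
#
# Flags a kube-apiserver pod in kube-system whose --enable-admission-plugins
# value does not include DenyEscalatingExec. Both `command` and `args` of the
# matched container are searched.
#
# NOTE(review): the DenyEscalatingExec plugin was deprecated and later removed
# from kube-apiserver; on releases without it this rule always reports a
# failure — confirm the Kubernetes version range this policy targets.

default rulepass = null

# flag_present(container, pattern) holds when some element of the container's
# `command` or `args` matches `pattern` (regex.match is unanchored).
flag_present(container, pattern) {
    regex.match(pattern, container.command[_])
}

flag_present(container, pattern) {
    regex.match(pattern, container.args[_])
}

k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    # Bind one container so the name check and the flag search apply to the
    # same container; the original iterated `containers[_]` independently.
    container := input.spec.containers[_]
    container.name == "kube-apiserver"
    not flag_present(container, "--enable-admission-plugins=.*DenyEscalatingExec.*")
}

rulepass {
    lower(input.kind) == "pod"
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0054: Ensure that the admission control plugin DenyEscalatingExec is set (API Server)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0054",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the admission control plugin DenyEscalatingExec is set (API Server) ",
    "Policy Description": "Ensure that the admission control plugin DenyEscalatingExec is set (API Server) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}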
42 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0083.rego:
--------------------------------------------------------------------------------
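package rule

#
# PR-K8S-0083
#
# Flags a kube-apiserver pod in kube-system whose command line does not set
# --service-account-key-file. Both `command` and `args` of the matched
# container are searched, since distributions differ in where they pass flags.

default rulepass = null

# flag_present(container, pattern) holds when some element of the container's
# `command` or `args` matches `pattern` (regex.match is unanchored).
flag_present(container, pattern) {
    regex.match(pattern, container.command[_])
}

flag_present(container, pattern) {
    regex.match(pattern, container.args[_])
}

k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    # Bind one container so the name check and the flag search apply to the
    # same container; the original iterated `containers[_]` independently.
    container := input.spec.containers[_]
    container.name == "kube-apiserver"
    not flag_present(container, "--service-account-key-file=.*")
}

rulepass {
    lower(input.kind) == "pod"
    not k8s_issue["rulepass"]
}

rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0083: Ensure that the --service-account-key-file argument is set as appropriate (API Server)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0083",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the --service-account-key-file argument is set as appropriate (API Server) ",
    "Policy Description": "Ensure that the --service-account-key-file argument is set as appropriate (API Server) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}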
42 |
--------------------------------------------------------------------------------
/docs/policies/aws/ack/all/PR-AWS-0121-ACK.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: AWS RDS database instance is publicly accessible
6 |
7 |
8 | ***Master Test Id:*** TEST_RDS_1
9 |
10 | ***Master Snapshot Id:*** ['ACK_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([rds.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AWS-0121-ACK|
23 | |eval|data.rule.rds_public|
24 | |message|data.rule.rds_public_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** This policy identifies RDS database instances which are publicly accessible. DB instances should not be publicly accessible, to protect the integrity of data. Public accessibility of DB instances can be modified by turning the Public accessibility parameter on or off.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['ack']|
40 |
41 |
42 |
43 | [rds.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/aws/ack/rds.rego
44 |
--------------------------------------------------------------------------------
/google/kcc/KMSCryptoKey.rego:
--------------------------------------------------------------------------------
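package rule

# https://cloud.google.com/config-connector/docs/reference/resource-docs/kms/kmscryptokey

#
# KMS_KEY_NOT_ROTATED
# PR-GCP-0055-KCC
#
# Automatic rotation of a KMSCryptoKey is configured through spec.rotationPeriod.
# The previous version of this rule inspected spec.auditConfigs (an IAM-policy
# field that never appears on a KMSCryptoKey), so it flagged every key
# regardless of its rotation settings.
#
# Cloud KMS only rotates symmetric encryption keys (purpose ENCRYPT_DECRYPT);
# keys with any other purpose cannot be auto-rotated and are out of scope.
#

default kms_key_not_rotated = null

# Purpose that supports automatic rotation. KCC defaults an unset purpose to
# ENCRYPT_DECRYPT, so a missing field counts as rotatable.
rotatable_purpose {
    not input.spec.purpose
}

rotatable_purpose {
    input.spec.purpose == "ENCRYPT_DECRYPT"
}

# True when a non-empty rotation period string is configured on the key.
rotation_configured {
    period := input.spec.rotationPeriod
    is_string(period)
    period != ""
}

# Finding: a rotatable key with no rotation period.
gc_issue["kms_key_not_rotated"] {
    lower(input.kind) == "kmscryptokey"
    rotatable_purpose
    not rotation_configured
}

# Pass: a KMSCryptoKey with no finding; other kinds keep the default null.
kms_key_not_rotated {
    lower(input.kind) == "kmscryptokey"
    not gc_issue["kms_key_not_rotated"]
}

# Fail: the finding above fired.
kms_key_not_rotated = false {
    gc_issue["kms_key_not_rotated"]
}

kms_key_not_rotated_err = "Rotation isn't configured on a Cloud KMS encryption key." {
    gc_issue["kms_key_not_rotated"]
}

kms_key_not_rotated_metadata := {
    "Policy Code": "KMS_KEY_NOT_ROTATED",
    "Type": "IaC",
    "Product": "GCP",
    "Language": "KCC",
    "Policy Title": "KMS Key Not Rotated",
    "Policy Description": "Rotation isn't configured on a Cloud KMS encryption key.",
    "Resource Type": "KMSCryptoKey",
    "Policy Help URL": "",
    "Resource Help URL": "https://cloud.google.com/config-connector/docs/reference/resource-docs/kms/kmscryptokey"
}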
40 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0052.rego:
--------------------------------------------------------------------------------
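package rule

#
# PR-K8S-0052
#
# CIS Kubernetes Benchmark (Scheduler): when the kube-scheduler static pod
# passes --address, the value must be the loopback address 127.0.0.1 so the
# unauthenticated metrics/health endpoint is not exposed on all interfaces.
#
# An absent flag is not a finding here: --address has been superseded by
# --bind-address, which PR-K8S-0056 covers. NOTE(review): if the target
# version still honours --address with a non-loopback default, an absent
# flag should arguably fail as well — confirm the intended policy.
#

default rulepass = null

# True when `container` has a command-line token containing `needle`. Both
# `command` and `args` are inspected because a flag may legitimately be passed
# in either field.
has_flag(container, needle) {
    contains(container.command[_], needle)
}

has_flag(container, needle) {
    contains(container.args[_], needle)
}

# True when `container` passes --address with exactly the loopback value. The
# pattern is anchored to token/whitespace boundaries and escapes the dots; the
# previous unanchored "--address=127.0.0.1" also accepted 127.0.0.10,
# 127.0.0.1xx or 127a0b0c1.
address_is_loopback(container) {
    regex.match(`(^|\s)--address=127\.0\.0\.1(\s|$)`, container.command[_])
}

address_is_loopback(container) {
    regex.match(`(^|\s)--address=127\.0\.0\.1(\s|$)`, container.args[_])
}

# Finding: the kube-scheduler container sets --address to something other than
# 127.0.0.1. Both checks are bound to the matched container, so a sidecar in
# the same pod cannot satisfy them.
k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    container := input.spec.containers[_]
    container.name == "kube-scheduler"
    has_flag(container, "--address=")
    not address_is_loopback(container)
}

# Pass: a pod with no finding. Pods that are not the scheduler pass
# trivially; non-pod kinds keep the default null.
rulepass {
    lower(input.kind) == "pod"
    not k8s_issue["rulepass"]
}

# Fail: the finding above fired.
rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0052: Ensure that the --address argument is set to 127.0.0.1 (Scheduler)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0052",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the --address argument is set to 127.0.0.1 (Scheduler) ",
    "Policy Description": "Ensure that the --address argument is set to 127.0.0.1 (Scheduler) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}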
43 |
--------------------------------------------------------------------------------
/docs/policies/google/kcc/all/PR-GCP-0046-KCC.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Auto Upgrade Disabled
6 |
7 |
8 | ***Master Test Id:*** TEST_ContainerNodePool_2
9 |
10 | ***Master Snapshot Id:*** ['KCC_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ContainerNodePool.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-0046-KCC|
23 | |eval|data.rule.auto_upgrade_disabled|
24 | |message|data.rule.auto_upgrade_disabled_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** A GKE cluster's auto upgrade feature, which keeps clusters and node pools on the latest stable version of Kubernetes, is disabled.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['kcc']|
40 |
41 |
42 | ***Resource Types:*** ['containernodepool']
43 |
44 |
45 | [ContainerNodePool.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/kcc/ContainerNodePool.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/aws/Cloud/all/PR-AWS-CLD-INS-001.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Enable AWS Inspector to detect Vulnerability
6 |
7 |
8 | ***Master Test Id:*** PR-AWS-CLD-INS-001
9 |
10 | ***Master Snapshot Id:*** ['TEST_ALL_15']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([all.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AWS-CLD-INS-001|
23 | |eval|data.rule.ins_package|
24 | |message|data.rule.ins_package_err|
25 | |remediationDescription|Make sure you are following the Cloudformation template format presented here|
26 | |remediationFunction|PR_AWS_CLD_INS_001.py|
27 |
28 |
29 | ***Severity:*** High
30 |
31 | ***Description:*** Enable AWS Inspector to detect Vulnerability
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|AWS|
38 | |compliance|[]|
39 | |service|['inspector']|
40 |
41 |
42 |
43 | [all.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/aws/cloud/all.rego
44 |
--------------------------------------------------------------------------------
/docs/policies/aws/ack/all/PR-AWS-0128-ACK.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: AWS RDS instance with copy tags to snapshots disabled
6 |
7 |
8 | ***Master Test Id:*** TEST_RDS_4
9 |
10 | ***Master Snapshot Id:*** ['ACK_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([rds.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AWS-0128-ACK|
23 | |eval|data.rule.rds_snapshot|
24 | |message|data.rule.rds_snapshot_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** This policy identifies RDS instances which have copy tags to snapshots disabled. Copy tags to snapshots copies all the user-defined tags from the DB instance to its snapshots. Copying tags allows you to add metadata and apply access policies to your Amazon RDS resources.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['ack']|
40 |
41 |
42 |
43 | [rds.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/aws/ack/rds.rego
44 |
--------------------------------------------------------------------------------
/docs/policies/kubernetes/Cloud/all/PR-K8S-0015.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Do not admit root containers
6 |
7 |
8 | ***Master Test Id:*** K8S_test_0015
9 |
10 | ***Master Snapshot Id:*** ['K8SSNP_POD_']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([PR-K8S-0015.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-K8S-0015|
23 | |eval|data.rule.rulepass|
24 | |message|data.rule.rulepass_err|
25 | |remediationDescription| Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0.|
26 | |remediationFunction|PR-K8S-0015.py|
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** Do not generally permit containers to be run as the root user.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|kubernetes|
38 | |compliance|['CIS']|
39 | |service|['pod']|
40 |
41 |
42 |
43 | [PR-K8S-0015.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/kubernetes/cloud/PR-K8S-0015.rego
44 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0024.rego:
--------------------------------------------------------------------------------
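package rule

#
# PR-K8S-0024
#
# CIS Kubernetes Benchmark (API Server): the kube-apiserver static pod in
# kube-system must pass --kubelet-certificate-authority so that the API server
# verifies kubelet serving certificates instead of accepting any certificate.
#

default rulepass = null

# True when `container` has a command-line token containing `needle`. Both
# `command` and `args` are inspected because a flag may legitimately be passed
# in either field; a substring test keeps manifests that embed the whole
# command line in a single shell string detectable.
has_flag(container, needle) {
    contains(container.command[_], needle)
}

has_flag(container, needle) {
    contains(container.args[_], needle)
}

# Finding: the kube-apiserver container does not pass
# --kubelet-certificate-authority. The check is bound to the matched
# container, so a sidecar in the same pod cannot satisfy it.
k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    container := input.spec.containers[_]
    container.name == "kube-apiserver"
    not has_flag(container, "--kubelet-certificate-authority=")
}

# Pass: a pod with no finding. Pods that are not the API server pass
# trivially; non-pod kinds keep the default null.
rulepass {
    lower(input.kind) == "pod"
    not k8s_issue["rulepass"]
}

# Fail: the finding above fired.
rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0024: Ensure that the --kubelet-certificate-authority argument is set as appropriate (API Server)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0024",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the --kubelet-certificate-authority argument is set as appropriate (API Server) ",
    "Policy Description": "Ensure that the --kubelet-certificate-authority argument is set as appropriate (API Server) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}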
42 |
--------------------------------------------------------------------------------
/docs/policies/aws/ack/all/PR-AWS-0125-ACK.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: AWS RDS instance is not encrypted
6 |
7 |
8 | ***Master Test Id:*** TEST_RDS_2
9 |
10 | ***Master Snapshot Id:*** ['ACK_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([rds.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AWS-0125-ACK|
23 | |eval|data.rule.rds_encrypt|
24 | |message|data.rule.rds_encrypt_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** This policy identifies AWS RDS instances which are not encrypted. Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up and manage databases. Amazon allows customers to turn on encryption for RDS which is recommended for compliance and security reasons.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['ack']|
40 |
41 |
42 |
43 | [rds.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/aws/ack/rds.rego
44 |
--------------------------------------------------------------------------------
/docs/policies/aws/terraform/all/PR-AWS-0032-RGX.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: There is a possibility that a value might contain a secret string or password
6 |
7 |
8 | ***Master Test Id:*** PR-AWS-0032-RGX
9 |
10 | ***Master Snapshot Id:*** ['TRF_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** python
13 |
14 | ***rule:*** file([secret_tf.py])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AWS-0032-RGX|
23 | |eval|entropy_password|
24 | |message|entropy_password_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** High
30 |
31 | ***Description:*** There is a possibility that a value might contain a secret string or password; a template should not have any secret in it. Make sure to put the secrets in a vault.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['terraform']|
40 |
41 |
42 | ***Resource Types:*** []
43 |
44 |
45 | [secret_tf.py]: https://github.com/prancer-io/prancer-compliance-test/tree/master/aws/terraform/secret_tf.py
46 |
--------------------------------------------------------------------------------
/docs/policies/aws/IaC/all/PR-AWS-0032-RGX.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: There is a possibility that a value might contain a secret string or password
6 |
7 |
8 | ***Master Test Id:*** PR-AWS-0032-RGX
9 |
10 | ***Master Snapshot Id:*** ['CFR_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** python
13 |
14 | ***rule:*** file([secret_aws_iac.py])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AWS-0032-RGX|
23 | |eval|entropy_password|
24 | |message|entropy_password_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** High
30 |
31 | ***Description:*** There is a possibility that a value might contain a secret string or password; a template should not have any secret in it. Make sure to put the secrets in a vault.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['cloudformation']|
40 |
41 |
42 | ***Resource Types:*** []
43 |
44 |
45 | [secret_aws_iac.py]: https://github.com/prancer-io/prancer-compliance-test/tree/master/aws/iac/secret_aws_iac.py
46 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0056.rego:
--------------------------------------------------------------------------------
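package rule

#
# PR-K8S-0056
#
# CIS Kubernetes Benchmark (Scheduler): when the kube-scheduler static pod
# passes --bind-address, the value must be the loopback address 127.0.0.1 so
# the unauthenticated metrics/health endpoint is not exposed on all interfaces.
#
# This rule keeps the original presence-gated behaviour: an absent flag is not
# a finding. NOTE(review): --bind-address defaults to 0.0.0.0 when omitted, so
# an absent flag is arguably a finding as well — confirm the intended policy.
#

default rulepass = null

# True when `container` has a command-line token containing `needle`. Both
# `command` and `args` are inspected because a flag may legitimately be passed
# in either field.
has_flag(container, needle) {
    contains(container.command[_], needle)
}

has_flag(container, needle) {
    contains(container.args[_], needle)
}

# True when `container` passes --bind-address with exactly the loopback value.
# The pattern is anchored to token/whitespace boundaries and escapes the dots;
# the previous unanchored "--bind-address=127.0.0.1" also accepted
# 127.0.0.10, 127.0.0.1xx or 127a0b0c1.
bind_address_is_loopback(container) {
    regex.match(`(^|\s)--bind-address=127\.0\.0\.1(\s|$)`, container.command[_])
}

bind_address_is_loopback(container) {
    regex.match(`(^|\s)--bind-address=127\.0\.0\.1(\s|$)`, container.args[_])
}

# Finding: the kube-scheduler container sets --bind-address to something other
# than 127.0.0.1. Both checks are bound to the matched container, so a sidecar
# in the same pod cannot satisfy them.
k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    container := input.spec.containers[_]
    container.name == "kube-scheduler"
    has_flag(container, "--bind-address=")
    not bind_address_is_loopback(container)
}

# Pass: a pod with no finding. Pods that are not the scheduler pass
# trivially; non-pod kinds keep the default null.
rulepass {
    lower(input.kind) == "pod"
    not k8s_issue["rulepass"]
}

# Fail: the finding above fired.
rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0056: Ensure that the --bind-address argument is set to 127.0.0.1 (Scheduler)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0056",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the --bind-address argument is set to 127.0.0.1 (Scheduler) ",
    "Policy Description": "Ensure that the --bind-address argument is set to 127.0.0.1 (Scheduler) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}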
43 |
--------------------------------------------------------------------------------
/docs/policies/aws/ack/all/PR-AWS-0153-ACK.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: AWS SNS topic encrypted using default KMS key instead of CMK
6 |
7 |
8 | ***Master Test Id:*** TEST_SNS_1
9 |
10 | ***Master Snapshot Id:*** ['ACK_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([sns.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AWS-0153-ACK|
23 | |eval|data.rule.sns_encrypt_key|
24 | |message|data.rule.sns_encrypt_key_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** This policy identifies Amazon Simple Notification Service (SNS) topics that are encrypted with the default AWS Key Management Service (KMS) keys. As a best practice, use Customer Master Keys (CMK) to encrypt the data in your SNS topics and ensure full control over your data.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['ack']|
40 |
41 |
42 |
43 | [sns.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/aws/ack/sns.rego
44 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0010.rego:
--------------------------------------------------------------------------------
package rule

#
# PR-K8S-0010
#
# CIS Kubernetes Benchmark (PSP): a PodSecurityPolicy should drop the NET_RAW
# capability, either by listing it in requiredDropCapabilities or by dropping
# ALL capabilities.
# NOTE(review): PodSecurityPolicy was removed from Kubernetes in v1.25; this
# rule only produces findings on clusters that still serve the resource.
#

default rulepass = null

# True when the PSP's requiredDropCapabilities lists `capability`. Undefined
# (so that `not drops(...)` holds) when the list is absent, empty or not an
# array.
drops(capability) {
    input.spec.requiredDropCapabilities[_] == capability
}

# Finding: neither NET_RAW nor ALL is dropped. This single rule covers a
# missing requiredDropCapabilities list as well as a list that omits both.
k8s_issue["rulepass"] {
    lower(input.kind) == "podsecuritypolicy"
    not drops("NET_RAW")
    not drops("ALL")
}

# Pass: a PSP with no finding; non-PSP kinds keep the default null.
rulepass {
    lower(input.kind) == "podsecuritypolicy"
    not k8s_issue["rulepass"]
}

# Fail: the finding above fired.
rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0010: Minimize the admission of containers with the NET_RAW capability (PSP)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0010",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Minimize the admission of containers with the NET_RAW capability (PSP) ",
    "Policy Description": "Minimize the admission of containers with the NET_RAW capability (PSP) ",
    "Resource Type": "podsecuritypolicy",
    "Policy Help URL": "",
    "Resource Help URL": ""
}
45 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0053.rego:
--------------------------------------------------------------------------------
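package rule

#
# PR-K8S-0053
#
# CIS Kubernetes Benchmark (Controller Manager): when the
# kube-controller-manager static pod passes --address, the value must be the
# loopback address 127.0.0.1 so the unauthenticated metrics/health endpoint is
# not exposed on all interfaces.
#
# An absent flag is not a finding here: --address has been superseded by
# --bind-address, which PR-K8S-0055 covers. NOTE(review): if the target
# version still honours --address with a non-loopback default, an absent
# flag should arguably fail as well — confirm the intended policy.
#

default rulepass = null

# True when `container` has a command-line token containing `needle`. Both
# `command` and `args` are inspected because a flag may legitimately be passed
# in either field.
has_flag(container, needle) {
    contains(container.command[_], needle)
}

has_flag(container, needle) {
    contains(container.args[_], needle)
}

# True when `container` passes --address with exactly the loopback value. The
# pattern is anchored to token/whitespace boundaries and escapes the dots; the
# previous unanchored "--address=127.0.0.1" also accepted 127.0.0.10,
# 127.0.0.1xx or 127a0b0c1.
address_is_loopback(container) {
    regex.match(`(^|\s)--address=127\.0\.0\.1(\s|$)`, container.command[_])
}

address_is_loopback(container) {
    regex.match(`(^|\s)--address=127\.0\.0\.1(\s|$)`, container.args[_])
}

# Finding: the kube-controller-manager container sets --address to something
# other than 127.0.0.1. Both checks are bound to the matched container, so a
# sidecar in the same pod cannot satisfy them.
k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    container := input.spec.containers[_]
    container.name == "kube-controller-manager"
    has_flag(container, "--address=")
    not address_is_loopback(container)
}

# Pass: a pod with no finding. Pods that are not the controller manager pass
# trivially; non-pod kinds keep the default null.
rulepass {
    lower(input.kind) == "pod"
    not k8s_issue["rulepass"]
}

# Fail: the finding above fired.
rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0053: Ensure that the --address argument is set to 127.0.0.1 (Controller Manager)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0053",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the --address argument is set to 127.0.0.1 (Controller Manager) ",
    "Policy Description": "Ensure that the --address argument is set to 127.0.0.1 (Controller Manager) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}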
43 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0031.rego:
--------------------------------------------------------------------------------
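package rule

#
# PR-K8S-0031
#
# CIS Kubernetes Benchmark (Controller Manager): the kube-controller-manager
# static pod in kube-system should pass --terminated-pod-gc-threshold so
# terminated pods are garbage-collected instead of accumulating in the API
# server (resource exhaustion / stale audit surface).
#

default rulepass = null

# True when `container` has a command-line token containing `needle`. Both
# `command` and `args` are inspected because a flag may legitimately be passed
# in either field; a substring test keeps manifests that embed the whole
# command line in a single shell string detectable.
has_flag(container, needle) {
    contains(container.command[_], needle)
}

has_flag(container, needle) {
    contains(container.args[_], needle)
}

# Finding: the kube-controller-manager container does not pass
# --terminated-pod-gc-threshold. The check is bound to the matched container,
# so a sidecar in the same pod cannot satisfy it.
k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    container := input.spec.containers[_]
    container.name == "kube-controller-manager"
    not has_flag(container, "--terminated-pod-gc-threshold=")
}

# Pass: a pod with no finding. Pods that are not the controller manager pass
# trivially; non-pod kinds keep the default null.
rulepass {
    lower(input.kind) == "pod"
    not k8s_issue["rulepass"]
}

# Fail: the finding above fired.
rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0031: Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Controller Manager)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0031",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Controller Manager) ",
    "Policy Description": "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Controller Manager) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}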
42 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0033.rego:
--------------------------------------------------------------------------------
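package rule

#
# PR-K8S-0033
#
# CIS Kubernetes Benchmark (Controller Manager): the kube-controller-manager
# static pod in kube-system must run with --use-service-account-credentials
# enabled so each controller uses its own, least-privileged service account
# instead of the controller manager's credentials.
#

default rulepass = null

# True when `container` enables --use-service-account-credentials. A Go boolean
# flag is true either as "--use-service-account-credentials=true" or as the
# bare "--use-service-account-credentials"; the pattern is anchored to
# token/whitespace boundaries so values such as "=untrue" or "=trueish" (which
# the previous unanchored ".*true.*" pattern accepted) do not count.
sa_credentials_enabled(container) {
    regex.match(`(^|\s)--use-service-account-credentials(=true)?(\s|$)`, container.command[_])
}

sa_credentials_enabled(container) {
    regex.match(`(^|\s)--use-service-account-credentials(=true)?(\s|$)`, container.args[_])
}

# Finding: the kube-controller-manager container does not enable the flag
# (absent, or set to any value other than true). The check is bound to the
# matched container, so a sidecar in the same pod cannot satisfy it.
k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    container := input.spec.containers[_]
    container.name == "kube-controller-manager"
    not sa_credentials_enabled(container)
}

# Pass: a pod with no finding. Pods that are not the controller manager pass
# trivially; non-pod kinds keep the default null.
rulepass {
    lower(input.kind) == "pod"
    not k8s_issue["rulepass"]
}

# Fail: the finding above fired.
rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0033: Ensure that the --use-service-account-credentials argument is set to true (Controller Manager)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0033",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the --use-service-account-credentials argument is set to true (Controller Manager) ",
    "Policy Description": "Ensure that the --use-service-account-credentials argument is set to true (Controller Manager) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}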
42 |
--------------------------------------------------------------------------------
/docs/policies/azure/Cloud/all/PR-AZR-CLD-SQL-047.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Ensure SQL servers don't have public network access enabled
6 |
7 |
8 | ***Master Test Id:*** PR-AZR-CLD-SQL-047
9 |
10 | ***Master Snapshot Id:*** ['AZRSNP_400']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([sql_servers.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AZR-CLD-SQL-047|
23 | |eval|data.rule.sql_public_access|
24 | |message|data.rule.sql_public_access_err|
25 | |remediationDescription|Please visit here for details.|
26 | |remediationFunction|PR_AZR_CLD_SQL_047.py|
27 |
28 |
29 | ***Severity:*** High
30 |
31 | ***Description:*** Always use Private Endpoint for Azure SQL Database and SQL Managed Instance
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|azure|
38 | |compliance|['Best Practice']|
39 | |service|['Databases']|
40 |
41 |
42 |
43 | [sql_servers.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/azure/cloud/sql_servers.rego
44 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0067.rego:
--------------------------------------------------------------------------------
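package rule

#
# PR-K8S-0067
#
# CIS Kubernetes Benchmark (Controller Manager): the kube-controller-manager
# static pod in kube-system should enable the RotateKubeletServerCertificate
# feature gate so kubelet serving certificates are rotated automatically.
# NOTE(review): this gate has been enabled by default for several releases, so
# on current clusters an absent explicit setting may be a false positive —
# confirm against the target Kubernetes version.
#

default rulepass = null

# True when `container` passes --feature-gates with
# RotateKubeletServerCertificate=true as one comma-separated entry. The pattern
# is anchored to the flag token and to entry boundaries, so a value like
# "RotateKubeletServerCertificate=trueish" or the gate name appearing inside an
# unrelated flag no longer satisfies it (the previous ".*...true.*" did).
rotate_kubelet_server_cert_enabled(container) {
    regex.match(`(^|\s)--feature-gates=([^\s,]+,)*RotateKubeletServerCertificate=true(,|\s|$)`, container.command[_])
}

rotate_kubelet_server_cert_enabled(container) {
    regex.match(`(^|\s)--feature-gates=([^\s,]+,)*RotateKubeletServerCertificate=true(,|\s|$)`, container.args[_])
}

# Finding: the kube-controller-manager container does not enable the gate. The
# check is bound to the matched container, so a sidecar in the same pod cannot
# satisfy it.
k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    container := input.spec.containers[_]
    container.name == "kube-controller-manager"
    not rotate_kubelet_server_cert_enabled(container)
}

# Pass: a pod with no finding. Pods that are not the controller manager pass
# trivially; non-pod kinds keep the default null.
rulepass {
    lower(input.kind) == "pod"
    not k8s_issue["rulepass"]
}

# Fail: the finding above fired.
rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0067: Ensure that the RotateKubeletServerCertificate argument is set to true (Controller Manager)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0067",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the RotateKubeletServerCertificate argument is set to true (Controller Manager) ",
    "Policy Description": "Ensure that the RotateKubeletServerCertificate argument is set to true (Controller Manager) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}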
42 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0055.rego:
--------------------------------------------------------------------------------
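package rule

#
# PR-K8S-0055
#
# CIS Kubernetes Benchmark (Controller Manager): when the
# kube-controller-manager static pod passes --bind-address, the value must be
# the loopback address 127.0.0.1 so the unauthenticated metrics/health endpoint
# is not exposed on all interfaces.
#
# This rule keeps the original presence-gated behaviour: an absent flag is not
# a finding. NOTE(review): --bind-address defaults to 0.0.0.0 when omitted, so
# an absent flag is arguably a finding as well — confirm the intended policy.
#

default rulepass = null

# True when `container` has a command-line token containing `needle`. Both
# `command` and `args` are inspected because a flag may legitimately be passed
# in either field.
has_flag(container, needle) {
    contains(container.command[_], needle)
}

has_flag(container, needle) {
    contains(container.args[_], needle)
}

# True when `container` passes --bind-address with exactly the loopback value.
# The pattern is anchored to token/whitespace boundaries and escapes the dots;
# the previous unanchored "--bind-address=127.0.0.1" also accepted
# 127.0.0.10, 127.0.0.1xx or 127a0b0c1.
bind_address_is_loopback(container) {
    regex.match(`(^|\s)--bind-address=127\.0\.0\.1(\s|$)`, container.command[_])
}

bind_address_is_loopback(container) {
    regex.match(`(^|\s)--bind-address=127\.0\.0\.1(\s|$)`, container.args[_])
}

# Finding: the kube-controller-manager container sets --bind-address to
# something other than 127.0.0.1. Both checks are bound to the matched
# container, so a sidecar in the same pod cannot satisfy them.
k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    container := input.spec.containers[_]
    container.name == "kube-controller-manager"
    has_flag(container, "--bind-address=")
    not bind_address_is_loopback(container)
}

# Pass: a pod with no finding. Pods that are not the controller manager pass
# trivially; non-pod kinds keep the default null.
rulepass {
    lower(input.kind) == "pod"
    not k8s_issue["rulepass"]
}

# Fail: the finding above fired.
rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0055: Ensure that the --bind-address argument is set to 127.0.0.1 (Controller Manager)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0055",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the --bind-address argument is set to 127.0.0.1 (Controller Manager) ",
    "Policy Description": "Ensure that the --bind-address argument is set to 127.0.0.1 (Controller Manager) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}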
43 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0070.rego:
--------------------------------------------------------------------------------
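package rule

#
# PR-K8S-0070
#
# CIS Kubernetes Benchmark (Controller Manager): the kube-controller-manager
# static pod in kube-system must pass --service-account-private-key-file so
# service-account tokens are signed with a dedicated key pair rather than the
# TLS key.
#

default rulepass = null

# True when `container` has a command-line token containing `needle`. Both
# `command` and `args` are inspected because a flag may legitimately be passed
# in either field; a substring test keeps manifests that embed the whole
# command line in a single shell string detectable.
has_flag(container, needle) {
    contains(container.command[_], needle)
}

has_flag(container, needle) {
    contains(container.args[_], needle)
}

# Finding: the kube-controller-manager container does not pass
# --service-account-private-key-file. The check is bound to the matched
# container, so a sidecar in the same pod cannot satisfy it.
k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    container := input.spec.containers[_]
    container.name == "kube-controller-manager"
    not has_flag(container, "--service-account-private-key-file=")
}

# Pass: a pod with no finding. Pods that are not the controller manager pass
# trivially; non-pod kinds keep the default null.
rulepass {
    lower(input.kind) == "pod"
    not k8s_issue["rulepass"]
}

# Fail: the finding above fired.
rulepass = false {
    k8s_issue["rulepass"]
}

rulepass_err = "PR-K8S-0070: Ensure that the --service-account-private-key-file argument is set as appropriate (Controller Manager)" {
    k8s_issue["rulepass"]
}

k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0070",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the --service-account-private-key-file argument is set as appropriate (Controller Manager) ",
    "Policy Description": "Ensure that the --service-account-private-key-file argument is set as appropriate (Controller Manager) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}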
42 |
--------------------------------------------------------------------------------
/docs/policies/aws/ack/all/PR-AWS-0056-ACK.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: AWS ElastiCache Redis cluster with Redis AUTH feature disabled
6 |
7 |
8 | ***Master Test Id:*** TEST_ELASTIC_CACHE_2
9 |
10 | ***Master Snapshot Id:*** ['ACK_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([elasticache.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AWS-0056-ACK|
23 | |eval|data.rule.cache_redis_auth|
24 | |message|data.rule.cache_redis_auth_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** This policy identifies ElastiCache Redis clusters which have Redis AUTH feature disabled. Redis AUTH can improve data security by requiring the user to enter a password before they are granted permission to execute Redis commands on a password protected Redis server.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['ack']|
40 |
41 |
42 |
43 | [elasticache.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/aws/ack/elasticache.rego
44 |
--------------------------------------------------------------------------------
/docs/policies/azure/Cloud/all/PR-AZR-CLD-WEB-007.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Azure Web Service http logging should be enabled
6 |
7 |
8 | ***Master Test Id:*** PR-AZR-CLD-WEB-007
9 |
10 | ***Master Snapshot Id:*** ['AZRSNP_100']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([web.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AZR-CLD-WEB-007|
23 | |eval|data.rule.web_service_http_logging_enabled|
24 | |message|data.rule.web_service_http_logging_enabled_err|
25 | |remediationDescription|Follow the guideline mentioned here|
26 | |remediationFunction|PR_AZR_CLD_WEB_007.py|
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** This policy identifies Azure Web services that do not have HTTP logging enabled and raises an alert.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|azure|
38 | |compliance|[]|
39 | |service|['Compute']|
40 |
41 |
42 |
43 | [web.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/azure/cloud/web.rego
44 |
--------------------------------------------------------------------------------
/docs/policies/google/terraform/all/PR-GCP-TRF-INST-006.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: VM Instances without any Label information
6 |
7 |
8 | ***Master Test Id:*** PR-GCP-TRF-INST-006
9 |
10 | ***Master Snapshot Id:*** ['TRF_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([compute.v1.instance.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-TRF-INST-006|
23 | |eval|data.rule.vm_no_labels|
24 | |message|data.rule.vm_no_labels_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** VM instance does not have any Labels. Labels can be used for easy identification and searches.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|['ISO 27001', 'NIST 800', 'NIST CSF', 'PCI-DSS', 'CSA-CCM']|
39 | |service|['terraform']|
40 |
41 |
42 | ***Resource Types:*** ['google_compute_instance']
43 |
44 |
45 | [compute.v1.instance.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/terraform/compute.v1.instance.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/aws/ack/all/PR-AWS-0036-ACK.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: AWS DynamoDB encrypted using AWS owned CMK instead of AWS managed CMK
6 |
7 |
8 | ***Master Test Id:*** TEST_DYNAMODB
9 |
10 | ***Master Snapshot Id:*** ['ACK_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([dynamodb.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AWS-0036-ACK|
23 | |eval|data.rule.dynamodb_encrypt|
24 | |message|data.rule.dynamodb_encrypt_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** This policy identifies the DynamoDB tables that use an AWS owned CMK (the default) instead of an AWS managed CMK (KMS) to encrypt data. An AWS managed CMK provides additional features such as the ability to view the CMK and its key policy, and to audit the encryption and decryption of DynamoDB tables.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['ack']|
40 |
41 |
42 |
43 | [dynamodb.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/aws/ack/dynamodb.rego
44 |
--------------------------------------------------------------------------------
/docs/policies/azure/Cloud/all/PR-AZR-CLD-KV-008.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Key Vault should use a virtual network service endpoint
6 |
7 |
8 | ***Master Test Id:*** PR-AZR-CLD-KV-008
9 |
10 | ***Master Snapshot Id:*** ['AZRSNP_228']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([Keyvault.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AZR-CLD-KV-008|
23 | |eval|data.rule.keyvault_service_endpoint|
24 | |message|data.rule.keyvault_service_endpoint_err|
25 | |remediationDescription|Follow the guideline mentioned here|
26 | |remediationFunction|PR_AZR_CLD_KV_008.py|
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** This policy audits any Key Vault not configured to use a virtual network service endpoint.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|azure|
38 | |compliance|[]|
39 | |service|['Security']|
40 |
41 |
42 |
43 | [Keyvault.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/azure/cloud/Keyvault.rego
44 |
--------------------------------------------------------------------------------
/docs/policies/aws/Cloud/all/PR-AWS-CLD-MSK-002.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Ensure data is Encrypted in transit (TLS)
6 |
7 |
8 | ***Master Test Id:*** PR-AWS-CLD-MSK-002
9 |
10 | ***Master Snapshot Id:*** ['TEST_MSK']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([msk.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AWS-CLD-MSK-002|
23 | |eval|data.rule.msk_in_transit_encryption|
24 | |message|data.rule.msk_in_transit_encryption_err|
25 | |remediationDescription|Make sure you are following the Cloudformation template format presented here|
26 | |remediationFunction|PR_AWS_CLD_MSK_002.py|
27 |
28 |
29 | ***Severity:*** High
30 |
31 | ***Description:*** This policy checks that the MSK cluster is configured to encrypt data in transit using TLS.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|AWS|
38 | |compliance|['GDPR', 'NIST 800']|
39 | |service|['msk']|
40 |
41 |
42 |
43 | [msk.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/aws/cloud/msk.rego
44 |
--------------------------------------------------------------------------------
/docs/policies/azure/terraform/all/PR-AZR-TRF-NSG-010.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Internet connectivity via tcp over insecure port should be prevented
6 |
7 |
8 | ***Master Test Id:*** PR-AZR-TRF-NSG-010
9 |
10 | ***Master Snapshot Id:*** ['TRF_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([nsg.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AZR-TRF-NSG-010|
23 | |eval|data.rule.inbound_insecure_port|
24 | |message|data.rule.inbound_insecure_port_err|
25 | |remediationDescription||
26 | |remediationFunction|PR_AZR_TRF_NSG_010.py|
27 |
28 |
29 | ***Severity:*** High
30 |
31 | ***Description:*** This policy identifies inbound NSG rules that allow plaintext FTP, Telnet or HTTP traffic from the Internet.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|['GDPR', 'HIPAA', 'NIST CSF', 'PCI-DSS', 'SOC 2']|
39 | |service|['terraform']|
40 |
41 |
42 | ***Resource Types:*** ['azurerm_network_security_rule']
43 |
44 |
45 | [nsg.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/azure/terraform/nsg.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/aws/Cloud/all/PR-AWS-CLD-VPC-004.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Ensure default VPC is not being used.
6 |
7 |
8 | ***Master Test Id:*** PR-AWS-CLD-VPC-004
9 |
10 | ***Master Snapshot Id:*** ['TEST_EC2_04']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([vpc.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AWS-CLD-VPC-004|
23 | |eval|data.rule.default_vpc_not_used|
24 | |message|data.rule.default_vpc_not_used_err|
25 | |remediationDescription|Make sure you are following the Cloudformation template format presented here|
26 | |remediationFunction|PR_AWS_CLD_VPC_004.py|
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** This policy checks that only a firm-managed VPC is used and not the AWS default VPC.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|AWS|
38 | |compliance|['Best Practice']|
39 | |service|['vpc']|
40 |
41 |
42 |
43 | [vpc.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/aws/cloud/vpc.rego
44 |
--------------------------------------------------------------------------------
/docs/policies/azure/Cloud/all/PR-AZR-CLD-WEB-009.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Azure Web Service request tracing should be enabled
6 |
7 |
8 | ***Master Test Id:*** PR-AZR-CLD-WEB-009
9 |
10 | ***Master Snapshot Id:*** ['AZRSNP_100']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([web.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AZR-CLD-WEB-009|
23 | |eval|data.rule.web_service_request_tracing_enabled|
24 | |message|data.rule.web_service_request_tracing_enabled_err|
25 | |remediationDescription|Follow the guideline mentioned here|
26 | |remediationFunction|PR_AZR_CLD_WEB_009.py|
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** This policy identifies Azure Web Services that do not have request tracing enabled and raises an alert for each one found.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|azure|
38 | |compliance|[]|
39 | |service|['Compute']|
40 |
41 |
42 |
43 | [web.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/azure/cloud/web.rego
44 |
--------------------------------------------------------------------------------
/docs/policies/google/terraform/all/PR-GCP-TRF-SQLI-001.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: GCP SQL Instances without any Label information
6 |
7 |
8 | ***Master Test Id:*** PR-GCP-TRF-SQLI-001
9 |
10 | ***Master Snapshot Id:*** ['TRF_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([sqladmin.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-TRF-SQLI-001|
23 | |eval|data.rule.sql_labels|
24 | |message|data.rule.sql_labels_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Low
30 |
31 | ***Description:*** This policy identifies the SQL DB instance which does not have any Labels. Labels can be used for easy identification and searches.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|['CSA-CCM', 'HITRUST', 'ISO 27001', 'NIST 800', 'NIST CSF', 'PCI-DSS']|
39 | |service|['terraform']|
40 |
41 |
42 | ***Resource Types:*** ['google_sql_database_instance']
43 |
44 |
45 | [sqladmin.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/terraform/sqladmin.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/aws/Cloud/all/PR-AWS-CLD-ECR-005.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Enable Enhanced scan type for AWS ECR registry to detect vulnerability
6 |
7 |
8 | ***Master Test Id:*** PR-AWS-CLD-ECR-005
9 |
10 | ***Master Snapshot Id:*** ['TEST_ECR']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ecr.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AWS-CLD-ECR-005|
23 | |eval|data.rule.ecr_vulnerability|
24 | |message|data.rule.ecr_vulnerability_err|
25 | |remediationDescription|Make sure you are following the Terraform template format presented here|
26 | |remediationFunction|PR_AWS_CLD_ECR_005.py|
27 |
28 |
29 | ***Severity:*** High
30 |
31 | ***Description:*** This policy checks that the AWS ECR registry scanning configuration uses the Enhanced scan type so that container images are scanned for vulnerabilities.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|AWS|
38 | |compliance|['PCI DSS', 'GDPR']|
39 | |service|['ecr']|
40 |
41 |
42 |
43 | [ecr.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/aws/cloud/ecr.rego
44 |
--------------------------------------------------------------------------------
/docs/policies/google/terraform/all/PR-GCP-TRF-INST-005.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: VM Instances without any Custom metadata information
6 |
7 |
8 | ***Master Test Id:*** PR-GCP-TRF-INST-005
9 |
10 | ***Master Snapshot Id:*** ['TRF_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([compute.v1.instance.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-TRF-INST-005|
23 | |eval|data.rule.vm_metadata|
24 | |message|data.rule.vm_metadata_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Low
30 |
31 | ***Description:*** This policy identifies VM instances that do not have any custom metadata. Custom metadata can be used for easy identification and searches.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|['ISO 27001', 'NIST 800', 'NIST CSF', 'PCI-DSS', 'CSA-CCM']|
39 | |service|['terraform']|
40 |
41 |
42 | ***Resource Types:*** ['google_compute_instance']
43 |
44 |
45 | [compute.v1.instance.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/terraform/compute.v1.instance.rego
46 |
--------------------------------------------------------------------------------
/docs/policies/google/terraform/all/PR-GCP-TRF-SQLI-005.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: SQL Instances with network authorization exposing them to the Internet
6 |
7 |
8 | ***Master Test Id:*** PR-GCP-TRF-SQLI-005
9 |
10 | ***Master Snapshot Id:*** ['TRF_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([sqladmin.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-GCP-TRF-SQLI-005|
23 | |eval|data.rule.sql_exposed|
24 | |message|data.rule.sql_exposed_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** This policy checks that the SQL instance has no authorized network entry that exposes it to the Internet.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|['CIS', 'CSA-CCM', 'HIPAA', 'ISO 27001', 'NIST 800', 'PCI-DSS']|
39 | |service|['terraform']|
40 |
41 |
42 | ***Resource Types:*** ['google_sql_database_instance']
43 |
44 |
45 | [sqladmin.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/google/terraform/sqladmin.rego
46 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0046.rego:
--------------------------------------------------------------------------------
1 | package rule
2 |
3 | #
4 | # PR-K8S-0046
5 | #
6 |
# Tri-state verdict. true: the input is a pod and the issue below did not fire;
# false: the issue fired; null (this default): the rule did not apply to the input.
default rulepass = null
8 |
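# PR-K8S-0046 issue: the kube-apiserver pod in kube-system disables the
# NamespaceLifecycle admission plugin through --disable-admission-plugins.
#
# NamespaceLifecycle is on unless it is named in the disable list, so the only
# non-compliant state is the plugin appearing there. The previous version of this
# rule fired when the flag was present but did NOT name NamespaceLifecycle (the
# compliant state) and stayed silent when it did, i.e. the verdict was inverted.
#
# The container and its command are bound to one variable so that the flag must
# come from the kube-apiserver container itself, not from any other container of
# the same pod. As before, the flag is expected as a single
# "--disable-admission-plugins=<list>" element of .command; NOTE(review): a value
# passed as a separate argv element, or flags placed in .args, are not detected —
# confirm against the snapshots this rule runs on.
k8s_issue["rulepass"] {
    lower(input.kind) == "pod"
    input.metadata.namespace == "kube-system"
    container := input.spec.containers[_]
    container.name == "kube-apiserver"
    regex.match("--disable-admission-plugins=.*NamespaceLifecycle.*", container.command[_])
}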
18 |
# Verdict for pods: false as soon as the issue fires, true for any other pod,
# and undefined (falling back to the default) for every other kind.
rulepass = false {
    k8s_issue.rulepass
} else = true {
    "pod" == lower(input.kind)
}
27 |
# Human-readable finding; defined only while the issue is present.
rulepass_err = message {
    k8s_issue.rulepass
    message := "PR-K8S-0046: Ensure that the admission control plugin NamespaceLifecycle is set (API Server)"
}
31 |
# Descriptive metadata for PR-K8S-0046; none of the rules in this file read it.
# NOTE(review): "Policy Title" and "Policy Description" end with a trailing space
# and both help URLs are empty — left untouched here in case consumers match on
# the exact text.
k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0046",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that the admission control plugin NamespaceLifecycle is set (API Server) ",
    "Policy Description": "Ensure that the admission control plugin NamespaceLifecycle is set (API Server) ",
    "Resource Type": "pod",
    "Policy Help URL": "",
    "Resource Help URL": ""
}
43 |
--------------------------------------------------------------------------------
/docs/policies/aws/Cloud/all/PR-AWS-CLD-MSK-007.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Ensure public access is disabled for AWS MSK.
6 |
7 |
8 | ***Master Test Id:*** PR-AWS-CLD-MSK-007
9 |
10 | ***Master Snapshot Id:*** ['TEST_MSK']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([msk.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AWS-CLD-MSK-007|
23 | |eval|data.rule.msk_public_access|
24 | |message|data.rule.msk_public_access_err|
25 | |remediationDescription|Make sure you are following the Cloudformation template format presented here|
26 | |remediationFunction|PR_AWS_CLD_MSK_007.py|
27 |
28 |
29 | ***Severity:*** High
30 |
31 | ***Description:*** This policy checks whether public access to the brokers of an MSK cluster is turned on; it should be disabled.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|AWS|
38 | |compliance|['GDPR', 'NIST 800']|
39 | |service|['msk']|
40 |
41 |
42 |
43 | [msk.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/aws/cloud/msk.rego
44 |
--------------------------------------------------------------------------------
/docs/policies/aws/Cloud/all/PR-AWS-CLD-EC2-012.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Ensure EBS deletion protection is enabled
6 |
7 |
8 | ***Master Test Id:*** PR-AWS-CLD-EC2-012
9 |
10 | ***Master Snapshot Id:*** ['TEST_EC2_01']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([ec2.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AWS-CLD-EC2-012|
23 | |eval|data.rule.ebs_deletion_protection|
24 | |message|data.rule.ebs_deletion_protection_err|
25 | |remediationDescription|Make sure you are following the Cloudformation template format presented here|
26 | |remediationFunction|PR_AWS_CLD_EC2_012.py|
27 |
28 |
29 | ***Severity:*** Low
30 |
31 | ***Description:*** This control checks that provisioned EBS volumes are configured with deletion protection, which guards against accidental deletion.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|AWS|
38 | |compliance|[]|
39 | |service|['ec2']|
40 |
41 |
42 |
43 | [ec2.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/aws/cloud/ec2.rego
44 |
--------------------------------------------------------------------------------
/docs/policies/aws/Cloud/all/PR-AWS-CLD-GLUE-003.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Ensure AWS Glue encrypt data at rest.
6 |
7 |
8 | ***Master Test Id:*** PR-AWS-CLD-GLUE-003
9 |
10 | ***Master Snapshot Id:*** ['TEST_ALL_06']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([all.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AWS-CLD-GLUE-003|
23 | |eval|data.rule.glue_encrypt_data_at_rest|
24 | |message|data.rule.glue_encrypt_data_at_rest_err|
25 | |remediationDescription|Make sure you are following the Cloudformation template format presented here|
26 | |remediationFunction|PR_AWS_CLD_GLUE_003.py|
27 |
28 |
29 | ***Severity:*** High
30 |
31 | ***Description:*** This policy checks that AWS Glue encryption at rest is enabled.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|AWS|
38 | |compliance|['GDPR', 'NIST 800']|
39 | |service|['glue']|
40 |
41 |
42 |
43 | [all.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/aws/cloud/all.rego
44 |
--------------------------------------------------------------------------------
/docs/policies/aws/ack/all/PR-AWS-0154-ACK.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: AWS SNS topic with server-side encryption disabled
6 |
7 |
8 | ***Master Test Id:*** TEST_SNS_2
9 |
10 | ***Master Snapshot Id:*** ['ACK_TEMPLATE_SNAPSHOT']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([sns.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AWS-0154-ACK|
23 | |eval|data.rule.sns_encrypt|
24 | |message|data.rule.sns_encrypt_err|
25 | |remediationDescription||
26 | |remediationFunction||
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** This policy identifies Amazon Simple Notification Service (SNS) topics that have server-side encryption disabled. As a best practice, enable server-side encryption for at-rest encryption of message content published to SNS topics. When you publish a message, SNS encrypts it as soon as it is received and decrypts it just before delivery.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|git|
38 | |compliance|[]|
39 | |service|['ack']|
40 |
41 |
42 |
43 | [sns.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/aws/ack/sns.rego
44 |
--------------------------------------------------------------------------------
/docs/policies/azure/Cloud/all/PR-AZR-CLD-WEB-013.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Azure Web Service Dot Net Framework should be latest
6 |
7 |
8 | ***Master Test Id:*** PR-AZR-CLD-WEB-013
9 |
10 | ***Master Snapshot Id:*** ['AZRSNP_100']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([web.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AZR-CLD-WEB-013|
23 | |eval|data.rule.web_service_net_framework_latest|
24 | |message|data.rule.web_service_net_framework_latest_err|
25 | |remediationDescription|Follow the guideline mentioned here|
26 | |remediationFunction|PR_AZR_CLD_WEB_013.py|
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** This policy identifies Azure Web Services that are not running the latest version of the .NET Framework and raises an alert for each one found.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|azure|
38 | |compliance|[]|
39 | |service|['Compute']|
40 |
41 |
42 |
43 | [web.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/azure/cloud/web.rego
44 |
--------------------------------------------------------------------------------
/docs/policies/aws/Cloud/all/PR-AWS-CLD-CFG-004.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Ensure AWS Config includes global resources types (IAM).
6 |
7 |
8 | ***Master Test Id:*** PR-AWS-CLD-CFG-004
9 |
10 | ***Master Snapshot Id:*** ['TEST_ALL_09']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([all.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AWS-CLD-CFG-004|
23 | |eval|data.rule.config_includes_global_resources|
24 | |message|data.rule.config_includes_global_resources_err|
25 | |remediationDescription|Make sure you are following the Cloudformation template format presented here|
26 | |remediationFunction|PR_AWS_CLD_CFG_004.py|
27 |
28 |
29 | ***Severity:*** Low
30 |
31 | ***Description:*** This policy checks that global resource types (such as IAM) are included in the AWS Config recorder.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|AWS|
38 | |compliance|[]|
39 | |service|['config']|
40 |
41 |
42 |
43 | [all.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/aws/cloud/all.rego
44 |
--------------------------------------------------------------------------------
/kubernetes/cloud/PR-K8S-0003.rego:
--------------------------------------------------------------------------------
1 | package rule
2 |
3 | #
4 | # PR-K8S-0003
5 | #
6 |
# Tri-state verdict. true: the input is a RoleBinding/ClusterRoleBinding and the
# issue below did not fire; false: the issue fired; null (this default): the rule
# did not apply to the input.
default rulepass = null
8 |
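# True when some subject of the binding is a ServiceAccount named "default",
# regardless of which namespace that service account belongs to.
binds_default_service_account {
    subject := input.subjects[_]
    lower(subject.kind) == "serviceaccount"
    lower(subject.name) == "default"
}

# PR-K8S-0003 issue: a RoleBinding or ClusterRoleBinding grants rights to a
# "default" service account, i.e. a namespace's default service account is
# actively used as an RBAC subject.
#
# The previous version compared roleRef.name with "default" — the name of the
# Role being bound, which says nothing about which subjects receive it — and, for
# ClusterRoleBinding, additionally required roleRef.kind == "role". This rewrite
# inspects .subjects, which is where the bound identities are listed.
#
# NOTE(review): a binding without a .subjects field never fires and therefore
# passes — confirm that is the desired verdict for such objects.
k8s_issue["rulepass"] {
    lower(input.kind) == "rolebinding"
    binds_default_service_account
}

k8s_issue["rulepass"] {
    lower(input.kind) == "clusterrolebinding"
    binds_default_service_account
}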
20 |
# Verdict for RBAC bindings: false as soon as the issue fires, true for any other
# RoleBinding or ClusterRoleBinding, and undefined (falling back to the default)
# for every other kind.
rulepass = false {
    k8s_issue.rulepass
} else = true {
    binding_kinds := {"rolebinding", "clusterrolebinding"}
    binding_kinds[lower(input.kind)]
}
34 |
# Human-readable finding; defined only while the issue is present.
rulepass_err = message {
    k8s_issue.rulepass
    message := "PR-K8S-0003: Ensure that default service accounts are not actively used. (RBAC)"
}
38 |
# Descriptive metadata for PR-K8S-0003; none of the rules in this file read it.
# NOTE(review): "Policy Title" and "Policy Description" end with a trailing space
# and both help URLs are empty — left untouched here in case consumers match on
# the exact text. "Resource Type" names only rolebinding although the rules above
# also evaluate clusterrolebinding — confirm whether consumers use this field to
# select which objects are fed to the rule.
k8s_issue_metadata := {
    "Policy Code": "PR-K8S-0003",
    "Type": "Cloud",
    "Product": "Kubernetes",
    "Language": "Cloud",
    "Policy Title": "Ensure that default service accounts are not actively used. (RBAC) ",
    "Policy Description": "Ensure that default service accounts are not actively used. (RBAC) ",
    "Resource Type": "rolebinding",
    "Policy Help URL": "",
    "Resource Help URL": ""
}
50 |
--------------------------------------------------------------------------------
/docs/policies/aws/Cloud/all/PR-AWS-CLD-DAX-002.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Ensure AWS DAX data is encrypted in transit
6 |
7 |
8 | ***Master Test Id:*** PR-AWS-CLD-DAX-002
9 |
10 | ***Master Snapshot Id:*** ['TEST_DAX']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([database.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AWS-CLD-DAX-002|
23 | |eval|data.rule.dax_cluster_endpoint_encrypt_at_rest|
24 | |message|data.rule.dax_cluster_endpoint_encrypt_at_rest_err|
25 | |remediationDescription|Make sure you are following the Cloudformation template format presented here|
26 | |remediationFunction|PR_AWS_CLD_DAX_002.py|
27 |
28 |
29 | ***Severity:*** High
30 |
31 | ***Description:*** This control checks that communication between the application and the DAX cluster is always encrypted in transit.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|AWS|
38 | |compliance|[]|
39 | |service|['dax']|
40 |
41 |
42 |
43 | [database.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/aws/cloud/database.rego
44 |
--------------------------------------------------------------------------------
/docs/policies/aws/Cloud/all/PR-AWS-CLD-MQ-003.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Ensure ActiveMQ engine version is approved by GS.
6 |
7 |
8 | ***Master Test Id:*** PR-AWS-CLD-MQ-003
9 |
10 | ***Master Snapshot Id:*** ['TEST_ALL_12']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([all.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AWS-CLD-MQ-003|
23 | |eval|data.rule.mq_activemq_approved_engine_version|
24 | |message|data.rule.mq_activemq_approved_engine_version_err|
25 | |remediationDescription|Make sure you are following the Cloudformation template format presented here|
26 | |remediationFunction|PR_AWS_CLD_MQ_003.py|
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** This policy checks that only a firm-approved ActiveMQ engine version is in use.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|AWS|
38 | |compliance|['PCI DSS']|
39 | |service|['mq']|
40 |
41 |
42 |
43 | [all.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/aws/cloud/all.rego
44 |
--------------------------------------------------------------------------------
/docs/policies/aws/Cloud/all/PR-AWS-CLD-MQ-004.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | # Title: Ensure RabbitMQ engine version is approved by GS.
6 |
7 |
8 | ***Master Test Id:*** PR-AWS-CLD-MQ-004
9 |
10 | ***Master Snapshot Id:*** ['TEST_ALL_12']
11 |
12 | ***type:*** rego
13 |
14 | ***rule:*** file([all.rego])
15 |
16 |
17 |
18 |
19 |
20 | |Title|Description|
21 | | :---: | :---: |
22 | |id|PR-AWS-CLD-MQ-004|
23 | |eval|data.rule.mq_rabbitmq_approved_engine_version|
24 | |message|data.rule.mq_rabbitmq_approved_engine_version_err|
25 | |remediationDescription|Make sure you are following the Cloudformation template format presented here|
26 | |remediationFunction|PR_AWS_CLD_MQ_004.py|
27 |
28 |
29 | ***Severity:*** Medium
30 |
31 | ***Description:*** This policy checks that only a firm-approved RabbitMQ engine version is in use.
32 |
33 |
34 |
35 | |Title|Description|
36 | | :---: | :---: |
37 | |cloud|AWS|
38 | |compliance|['PCI DSS']|
39 | |service|['mq']|
40 |
41 |
42 |
43 | [all.rego]: https://github.com/prancer-io/prancer-compliance-test/tree/master/aws/cloud/all.rego
44 |
--------------------------------------------------------------------------------