github.com/ofiriro3/csp-security-policies
.
├── compliance # Compliance policies
│ ├── lib
│ │ ├── common.rego # Common functions
│ │ ├── common_tests.rego # Common functions tests
│ │ ├── data_adapter.rego # Input data adapter
│ │ └── test.rego # Common Test functions
│ ├── cis_k8s
│ │ ├── cis_k8s.rego # Handles all Kubernetes CIS rules evalutations
│ │ ├── test_data.rego # CIS Test data generators
│ │ ├── schemas # Benchmark's schemas
│ │ │ └── input_scehma.rego
│ │ ├── rules
│ │ │ ├── cis_1_1_1 # CIS 1.1.1 rule package
│ │ │ │ ├── rule.rego
│ │ │ │ └── test.rego
│ │ │ │ └── data.yaml # Rule's metadata
│ │ │ └── ...
└── main.rego # Evaluates all policies and returns the findings
Add the following configuration files into the root folder
data.yamlshould contain the list of rules you want to evaluate (also supports json)
activated_rules:
cis_k8s:
- cis_1_1_1
- cis_1_1_2
cis_eks:
- cis_3_1_1
- cis_3_1_2
input.jsonshould contain an beat/agent output, e.g. filesystem data
{
"type": "file",
"resource": {
"mode": "0700",
"path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml",
"owner": "etc",
"group": "root",
"name": "kube-apiserver.yaml",
"gid": 20,
"uid": 501
}
}
opa eval data.main --format pretty -i input.json -b . > output.json
opa eval data.main.findings --format pretty -i input.json -b . > output.json
{
"findings": [
{
"result": {
"evaluation": "failed",
"expected": {
"filemode": "0644"
},
"evidence": {
"filemode": "0700"
}
},
"rule": {
"id": "59b5a77b-b090-5630-9a33-73eb805b2d52",
"name": "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)",
"profile_applicability": "* Level 1 - Master Node\n",
"description": "Ensure that the API server pod specification file has permissions of `644` or more restrictive.\n",
"rationale": "The API server pod specification file controls various parameters that set the behavior of the API server. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n",
"audit": "Run the below command (based on the file location on your system) on the\nmaster node.\nFor example,\n```\nstat -c %a /etc/kubernetes/manifests/kube-apiserver.yaml\n```\nVerify that the permissions are `644` or more restrictive.\n",
"remediation": "Run the below command (based on the file location on your system) on the\nmaster node.\nFor example,\n```\nchmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml\n```\n",
"impact": "None\n",
"default_value": "By default, the `kube-apiserver.yaml` file has permissions of `640`.\n",
"references": "1. [https://kubernetes.io/docs/admin/kube-apiserver/](https://kubernetes.io/docs/admin/kube-apiserver/)\n",
"section": "Master Node Configuration Files",
"version": 1,
"tags": [
"CIS",
"Kubernetes",
"CIS 1.1.1",
"Master Node Configuration Files"
],
"benchmark": {
"name": "CIS Kubernetes V1.20",
"version": "v1.0.0"
}
}
},
{
"result": {
"evaluation": "passed",
"expected": {
"group": "root",
"owner": "root"
},
"evidence": {
"group": "root",
"owner": "root"
}
},
"rule": {
"id": "9f318d4d-2451-574a-99dc-838ed213f09b",
"name": "Ensure that the API server pod specification file ownership is set toroot:root (Automated)",
"profile_applicability": "* Level 1 - Master Node\n",
"description": "Ensure that the API server pod specification file ownership is set to `root:root`.\n",
"rationale": "The API server pod specification file controls various parameters that set the behavior of the API server. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n",
"audit": "Run the below command (based on the file location on your system) on the\nmaster node.\nFor example,\n```\nstat -c %U:%G /etc/kubernetes/manifests/kube-apiserver.yaml\n```\nVerify that the ownership is set to `root:root`.\n",
"remediation": "Run the below command (based on the file location on your system) on the\nmaster node.\nFor example,\n```\nchown root:root /etc/kubernetes/manifests/kube-apiserver.yaml\n```\n",
"impact": "None\n",
"default_value": "By default, the `kube-apiserver.yaml` file ownership is set to `root:root`.\n",
"references": "1. [https://kubernetes.io/docs/admin/kube-apiserver/](https://kubernetes.io/docs/admin/kube-apiserver/)\n",
"section": "Master Node Configuration Files",
"version": 1,
"tags": [
"CIS",
"Kubernetes",
"CIS 1.1.2",
"Master Node Configuration Files"
],
"benchmark": {
"name": "CIS Kubernetes V1.20",
"version": "v1.0.0"
}
}
}
],
"resource": {
"name": "kube-apiserver.yaml",
"group": "root",
"mode": "0700",
"path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml",
"type": "file",
"owner": "root",
"uid": 501,
"gid": 20
}
}
❯ opa eval data.main --format pretty -i input.json -b . -s compliance/cis_k8s/schemas/input_schema.json
1 error occurred: compliance/lib/data_adapter.rego:11: rego_type_error: undefined ref: input.filenames
input.filenames
^
have: "filenames"
want (one of): ["command" "filename" "gid" "mode" "path" "type" "uid"]
opa build -b ./ -e ./compliance
opa test -b bundle.tar.gz -v
opa test -v compliance/lib compliance/cis_k8s/test_data.rego compliance/cis_k8s/rules/cis_1_1_2 --ignore="common_tests.rego"
see pre-commit package
brew install pre-commitpre-commit installpre-commit run --all-files --verbosedocker run --rm -p 8181:8181 -v $(pwd):/bundle openpolicyagent/opa:0.36.1 run -s -b /bundle
Test it 🚀
curl --location --request POST 'http://localhost:8181/v1/data/main' \
--header 'Content-Type: application/json' \
--data-raw '{
"input": {
"resource": {
"type": "file",
"mode": "0700",
"path": "/hostfs/etc/kubernetes/manifests/kube-apiserver.yaml",
"uid": "etc",
"name": "kube-apiserver.yaml",
"group": "root"
}
}
}'
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.