@greenarmor/ges-policy-engine
Advanced tools
| import type { PolicyPack } from "@greenarmor/ges-core"; | ||
| export declare function createCISDockerPolicyPack(): PolicyPack; |
| export function createCISDockerPolicyPack() { | ||
| const controls = [ | ||
| { | ||
| id: "CIS-DOCKER-001", | ||
| name: "Run Container as Non-Root User", | ||
| description: "Containers should not run as the root user. A non-root user must be specified via the USER instruction or securityContext.", | ||
| category: "container-security", | ||
| framework: "CIS-DOCKER", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Add a non-root user in the Dockerfile (e.g., `RUN adduser -D appuser && USER appuser`). In docker-compose, set `user: appuser` or `user: 1000:1000`. Never run containers as UID 0.", | ||
| checks: [ | ||
| { id: "CIS-DOCKER-001-C1", description: "Non-root USER instruction present in Dockerfile", status: "not-implemented" }, | ||
| { id: "CIS-DOCKER-001-C2", description: "user field set to non-root in docker-compose", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "CIS-DOCKER-002", | ||
| name: "Use Trusted Base Images Only", | ||
| description: "Base images should come from trusted, verified registries — not random Docker Hub images.", | ||
| category: "supply-chain", | ||
| framework: "CIS-DOCKER", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Use official images from verified publishers. Pin images to specific versions. Scan images with Trivy or Grype before deployment. Use private registry with image signing (cosign).", | ||
| checks: [ | ||
| { id: "CIS-DOCKER-002-C1", description: "Base images from trusted/official sources", status: "not-implemented" }, | ||
| { id: "CIS-DOCKER-002-C2", description: "Image scanning in CI/CD pipeline", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "CIS-DOCKER-003", | ||
| name: "Do Not Use :latest Tag", | ||
| description: "Using the :latest tag makes builds non-reproducible and can introduce unexpected breaking changes.", | ||
| category: "supply-chain", | ||
| framework: "CIS-DOCKER", | ||
| status: "not-implemented", | ||
| severity: "medium", | ||
| implementation_guidance: "Pin all FROM images to a specific version tag or digest (e.g., `node:20.11-alpine` instead of `node:latest`). Use SHA256 digests for maximum reproducibility.", | ||
| checks: [ | ||
| { id: "CIS-DOCKER-003-C1", description: "No :latest tag in FROM instructions", status: "not-implemented" }, | ||
| { id: "CIS-DOCKER-003-C2", description: "No :latest tag in docker-compose image references", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "CIS-DOCKER-004", | ||
| name: "Set Memory Limits", | ||
| description: "Containers must have memory limits to prevent resource exhaustion and DoS.", | ||
| category: "resource-management", | ||
| framework: "CIS-DOCKER", | ||
| status: "not-implemented", | ||
| severity: "medium", | ||
| implementation_guidance: "In docker-compose, set `mem_limit:` (e.g., `mem_limit: 512m`). In Kubernetes, set `resources.limits.memory`. In Docker run, use `--memory` flag.", | ||
| checks: [ | ||
| { id: "CIS-DOCKER-004-C1", description: "Memory limit defined for all containers", status: "not-implemented" }, | ||
| { id: "CIS-DOCKER-004-C2", description: "Memory request defined (Kubernetes)", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "CIS-DOCKER-005", | ||
| name: "Set CPU Limits", | ||
| description: "Containers must have CPU limits to ensure fair scheduling and prevent resource monopolization.", | ||
| category: "resource-management", | ||
| framework: "CIS-DOCKER", | ||
| status: "not-implemented", | ||
| severity: "medium", | ||
| implementation_guidance: "In docker-compose, set `cpus:` (e.g., `cpus: '0.5'`). In Kubernetes, set `resources.limits.cpu`. In Docker run, use `--cpus` flag.", | ||
| checks: [ | ||
| { id: "CIS-DOCKER-005-C1", description: "CPU limit defined for all containers", status: "not-implemented" }, | ||
| { id: "CIS-DOCKER-005-C2", description: "CPU request defined (Kubernetes)", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "CIS-DOCKER-006", | ||
| name: "Read-Only Root Filesystem", | ||
| description: "Container root filesystem should be read-only to prevent attackers from writing malicious files.", | ||
| category: "container-security", | ||
| framework: "CIS-DOCKER", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "In docker-compose, set `read_only: true`. In Kubernetes, set `securityContext.readOnlyRootFilesystem: true`. Mount writable volumes only for specific paths that need writes (e.g., /tmp).", | ||
| checks: [ | ||
| { id: "CIS-DOCKER-006-C1", description: "read_only set to true in docker-compose", status: "not-implemented" }, | ||
| { id: "CIS-DOCKER-006-C2", description: "readOnlyRootFilesystem set to true (Kubernetes)", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "CIS-DOCKER-007", | ||
| name: "No Privileged Containers", | ||
| description: "Privileged containers have access to all host devices and kernel capabilities. This essentially grants root access to the host.", | ||
| category: "container-security", | ||
| framework: "CIS-DOCKER", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Never set `privileged: true` in docker-compose or Kubernetes securityContext. If specific capabilities are needed, add only those via `cap_add` (compose) or `securityContext.capabilities.add` (K8s).", | ||
| checks: [ | ||
| { id: "CIS-DOCKER-007-C1", description: "No privileged: true in docker-compose", status: "not-implemented" }, | ||
| { id: "CIS-DOCKER-007-C2", description: "No privileged: true in Kubernetes manifests", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "CIS-DOCKER-008", | ||
| name: "Drop Dangerous Capabilities", | ||
| description: "Containers should drop all capabilities by default and only add those explicitly needed.", | ||
| category: "container-security", | ||
| framework: "CIS-DOCKER", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "In docker-compose, use `cap_drop: [ALL]` then selectively add needed caps. In Kubernetes, set `securityContext.capabilities.drop: [ALL]`. Dangerous capabilities include SYS_ADMIN, NET_ADMIN, DAC_OVERRIDE.", | ||
| checks: [ | ||
| { id: "CIS-DOCKER-008-C1", description: "cap_drop: ALL in docker-compose or K8s", status: "not-implemented" }, | ||
| { id: "CIS-DOCKER-008-C2", description: "Only explicitly needed capabilities added", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "CIS-DOCKER-009", | ||
| name: "Use HEALTHCHECK Instruction", | ||
| description: "Containers should define a health check so orchestrators can detect and restart unhealthy instances.", | ||
| category: "operational", | ||
| framework: "CIS-DOCKER", | ||
| status: "not-implemented", | ||
| severity: "low", | ||
| implementation_guidance: "Add `HEALTHCHECK` instruction to Dockerfile (e.g., `HEALTHCHECK --interval=30s CMD curl -f http://localhost:3000/health || exit 1`). In docker-compose, set `healthcheck:` block.", | ||
| checks: [ | ||
| { id: "CIS-DOCKER-009-C1", description: "HEALTHCHECK instruction in Dockerfile", status: "not-implemented" }, | ||
| { id: "CIS-DOCKER-009-C2", description: "Health check configured in docker-compose", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "CIS-DOCKER-010", | ||
| name: "Pin Image Digests (SHA256)", | ||
| description: "Pin images by SHA256 digest instead of tags to guarantee the exact image content and prevent supply-chain attacks.", | ||
| category: "supply-chain", | ||
| framework: "CIS-DOCKER", | ||
| status: "not-implemented", | ||
| severity: "medium", | ||
| implementation_guidance: "Use `image: node@sha256:abc123...` instead of `image: node:20-alpine`. Generate digests with `docker images --digests`. Pin all production images by digest in docker-compose and Kubernetes manifests.", | ||
| checks: [ | ||
| { id: "CIS-DOCKER-010-C1", description: "Production images pinned by SHA256 digest", status: "not-implemented" }, | ||
| { id: "CIS-DOCKER-010-C2", description: "Digest verification in CI/CD", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| ]; | ||
| return { | ||
| id: "cis-docker", | ||
| name: "CIS Docker Benchmark Policy Pack", | ||
| description: "CIS Docker Benchmark controls for secure container configuration and deployment.", | ||
| version: "1.0.0", | ||
| project_types: [ | ||
| "saas", "api-backend", "generic-web-application", "ai-application", | ||
| "healthcare-system", "government-system", "blockchain", | ||
| ], | ||
| controls, | ||
| frameworks: ["CIS-DOCKER"], | ||
| }; | ||
| } |
| import type { PolicyPack } from "@greenarmor/ges-core"; | ||
| export declare function createCISKubernetesPolicyPack(): PolicyPack; |
| export function createCISKubernetesPolicyPack() { | ||
| const controls = [ | ||
| { | ||
| id: "CIS-K8S-001", | ||
| name: "API Server Uses RBAC", | ||
| description: "The Kubernetes API server must use Role-Based Access Control (RBAC) to enforce least-privilege access.", | ||
| category: "access-control", | ||
| framework: "CIS-K8S", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Ensure `--authorization-mode` includes RBAC on the API server. Create specific Roles/RoleBindings with least privilege. Avoid ClusterRoleBindings with cluster-admin for service accounts. Audit RBAC policies regularly.", | ||
| checks: [ | ||
| { id: "CIS-K8S-001-C1", description: "RBAC authorization mode enabled on API server", status: "not-implemented" }, | ||
| { id: "CIS-K8S-001-C2", description: "Least-privilege RoleBindings defined", status: "not-implemented" }, | ||
| { id: "CIS-K8S-001-C3", description: "No service accounts with cluster-admin", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "CIS-K8S-002", | ||
| name: "API Server Not Exposed Publicly", | ||
| description: "The Kubernetes API server should not be accessible from the public internet without VPN or bastion.", | ||
| category: "network-security", | ||
| framework: "CIS-K8S", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Use private cluster endpoints (e.g., AWS EKS private endpoint, GKE private cluster). Restrict API server access with authorized network ranges. Use a VPN or bastion host for administrative access.", | ||
| checks: [ | ||
| { id: "CIS-K8S-002-C1", description: "API server endpoint is private", status: "not-implemented" }, | ||
| { id: "CIS-K8S-002-C2", description: "Authorized network restrictions configured", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "CIS-K8S-003", | ||
| name: "etcd Encryption at Rest", | ||
| description: "etcd (the Kubernetes data store) must have encryption at rest enabled to protect secrets stored in the cluster.", | ||
| category: "encryption", | ||
| framework: "CIS-K8S", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Enable encryption at rest with a KMS provider. Configure `--encryption-provider-config` on the API server. Use a managed KMS key (AWS KMS, GCP KMS, Azure Key Vault). Verify secrets are encrypted: `kubectl get secrets -o jsonpath='{.data}' | base64 -d`.", | ||
| checks: [ | ||
| { id: "CIS-K8S-003-C1", description: "Encryption at rest enabled for etcd", status: "not-implemented" }, | ||
| { id: "CIS-K8S-003-C2", description: "KMS provider configured for key management", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "CIS-K8S-004", | ||
| name: "Pod Security Standards Enforced", | ||
| description: "Pod Security Standards (PSS) or Pod Security Policies must be enforced to prevent privileged containers and dangerous configurations.", | ||
| category: "container-security", | ||
| framework: "CIS-K8S", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Enable Pod Security Admission with at least `restricted` policy on production namespaces. Alternatively, use OPA Gatekeeper or Kyverno for policy enforcement. Block privileged pods, host namespaces, host paths, and root containers.", | ||
| checks: [ | ||
| { id: "CIS-K8S-004-C1", description: "Pod Security Standards enforced (restricted profile)", status: "not-implemented" }, | ||
| { id: "CIS-K8S-004-C2", description: "Privileged containers blocked by policy", status: "not-implemented" }, | ||
| { id: "CIS-K8S-004-C3", description: "Host namespaces (PID, IPC, Network) blocked", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "CIS-K8S-005", | ||
| name: "Network Policies Configured", | ||
| description: "Network Policies must be defined to restrict pod-to-pod communication (micro-segmentation).", | ||
| category: "network-security", | ||
| framework: "CIS-K8S", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Install a CNI that supports NetworkPolicies (Calico, Cilium, Azure NPM). Define default-deny ingress and egress policies per namespace. Allow only required communication paths between services. Regularly audit policy coverage.", | ||
| checks: [ | ||
| { id: "CIS-K8S-005-C1", description: "Default-deny network policy per namespace", status: "not-implemented" }, | ||
| { id: "CIS-K8S-005-C2", description: "Specific allow rules for required traffic", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "CIS-K8S-006", | ||
| name: "Container Images from Trusted Registry", | ||
| description: "All container images must come from a trusted, private registry — not public Docker Hub.", | ||
| category: "supply-chain", | ||
| framework: "CIS-K8S", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Use a private container registry (ECR, GCR, ACR, Harbor). Configure image pull secrets. Scan images before pushing with Trivy/Grype. Enforce image provenance with OPA Gatekeeper or Kyverno admission controllers.", | ||
| checks: [ | ||
| { id: "CIS-K8S-006-C1", description: "Images pulled from private trusted registry", status: "not-implemented" }, | ||
| { id: "CIS-K8S-006-C2", description: "Image scanning before deployment", status: "not-implemented" }, | ||
| { id: "CIS-K8S-006-C3", description: "Image pull secrets configured", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "CIS-K8S-007", | ||
| name: "Run Pods as Non-Root", | ||
| description: "Pods must run as a non-root user via securityContext.runAsNonRoot.", | ||
| category: "container-security", | ||
| framework: "CIS-K8S", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Set `securityContext.runAsNonRoot: true` and `securityContext.runAsUser: <non-zero-uid>` on all pods. Enforce via Pod Security Standards (restricted profile) or OPA Gatekeeper policies.", | ||
| checks: [ | ||
| { id: "CIS-K8S-007-C1", description: "runAsNonRoot: true on all pods", status: "not-implemented" }, | ||
| { id: "CIS-K8S-007-C2", description: "runAsUser set to non-zero UID", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "CIS-K8S-008", | ||
| name: "Read-Only Root Filesystem for Pods", | ||
| description: "Pod containers should set readOnlyRootFilesystem to prevent writing to the container's root filesystem.", | ||
| category: "container-security", | ||
| framework: "CIS-K8S", | ||
| status: "not-implemented", | ||
| severity: "medium", | ||
| implementation_guidance: "Set `securityContext.readOnlyRootFilesystem: true` on all containers. Mount emptyDir volumes for paths that need writes (/tmp, /var/cache). Enforce via Pod Security Standards restricted profile.", | ||
| checks: [ | ||
| { id: "CIS-K8S-008-C1", description: "readOnlyRootFilesystem: true on all containers", status: "not-implemented" }, | ||
| { id: "CIS-K8S-008-C2", description: "Writable volumes mounted only where needed", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "CIS-K8S-009", | ||
| name: "Resource Limits Defined", | ||
| description: "All containers must define resource requests and limits for CPU and memory.", | ||
| category: "resource-management", | ||
| framework: "CIS-K8S", | ||
| status: "not-implemented", | ||
| severity: "medium", | ||
| implementation_guidance: "Set `resources.requests` and `resources.limits` for CPU and memory on every container. Use LimitRange for namespace defaults. Use ResourceQuota to enforce total namespace limits. Monitor actual usage to tune values.", | ||
| checks: [ | ||
| { id: "CIS-K8S-009-C1", description: "CPU and memory requests defined", status: "not-implemented" }, | ||
| { id: "CIS-K8S-009-C2", description: "CPU and memory limits defined", status: "not-implemented" }, | ||
| { id: "CIS-K8S-009-C3", description: "LimitRange default policy configured", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "CIS-K8S-010", | ||
| name: "Audit Logging Enabled", | ||
| description: "Kubernetes audit logging must be enabled to track all API server requests for security analysis.", | ||
| category: "audit-logging", | ||
| framework: "CIS-K8S", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Configure `--audit-log-path` and audit policy on the API server. Forward audit logs to a central log store (ELK, Loki, Splunk). Define audit rules for sensitive resources (secrets, RBAC, pods/exec). Retain logs per compliance requirements.", | ||
| checks: [ | ||
| { id: "CIS-K8S-010-C1", description: "Audit logging enabled on API server", status: "not-implemented" }, | ||
| { id: "CIS-K8S-010-C2", description: "Audit policy defines rules for sensitive resources", status: "not-implemented" }, | ||
| { id: "CIS-K8S-010-C3", description: "Audit logs forwarded to central store", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "CIS-K8S-011", | ||
| name: "Secrets Encrypted (KMS/Provider)", | ||
| description: "Kubernetes Secrets should be encrypted using an external KMS provider, not stored in plaintext in etcd.", | ||
| category: "encryption", | ||
| framework: "CIS-K8S", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Configure a KMS encryption provider on the API server. Use AWS KMS, GCP KMS, or Azure Key Vault. Alternatively, use external secret management (External Secrets Operator with Vault, AWS Secrets Manager). Rotate encryption keys periodically.", | ||
| checks: [ | ||
| { id: "CIS-K8S-011-C1", description: "KMS encryption provider configured", status: "not-implemented" }, | ||
| { id: "CIS-K8S-011-C2", description: "Encryption key rotation policy defined", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "CIS-K8S-012", | ||
| name: "Use securityContext", | ||
| description: "All pods and containers must define a securityContext with appropriate security settings.", | ||
| category: "container-security", | ||
| framework: "CIS-K8S", | ||
| status: "not-implemented", | ||
| severity: "medium", | ||
| implementation_guidance: "Define `securityContext` at both pod and container level. Include runAsNonRoot, runAsUser, fsGroup, capabilities.drop, seccompProfile, and allowPrivilegeEscalation: false. Validate via CI pipeline or admission webhook.", | ||
| checks: [ | ||
| { id: "CIS-K8S-012-C1", description: "securityContext defined at pod level", status: "not-implemented" }, | ||
| { id: "CIS-K8S-012-C2", description: "securityContext defined at container level", status: "not-implemented" }, | ||
| { id: "CIS-K8S-012-C3", description: "allowPrivilegeEscalation: false set", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| ]; | ||
| return { | ||
| id: "cis-kubernetes", | ||
| name: "CIS Kubernetes Benchmark Policy Pack", | ||
| description: "CIS Kubernetes Benchmark controls for secure cluster configuration, pod security, and network policies.", | ||
| version: "1.0.0", | ||
| project_types: [ | ||
| "saas", "api-backend", "generic-web-application", "ai-application", | ||
| "government-system", "blockchain", | ||
| ], | ||
| controls, | ||
| frameworks: ["CIS-K8S"], | ||
| }; | ||
| } |
| import type { PolicyPack } from "@greenarmor/ges-core"; | ||
| export declare function createOWASPLLMPolicyPack(): PolicyPack; |
| export function createOWASPLLMPolicyPack() { | ||
| const controls = [ | ||
| { | ||
| id: "LLM-001", | ||
| name: "Prompt Injection Protection", | ||
| description: "Protect against prompt injection attacks where malicious inputs manipulate the model into bypassing safety rules or revealing system prompts.", | ||
| category: "ai-security", | ||
| framework: "OWASP-LLM", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Separate system prompts from user inputs using structured delimiters. Implement input sanitization and length limits. Use a secondary model to classify inputs for injection attempts. Never expose raw system prompts in outputs. Log and alert on suspicious patterns.", | ||
| checks: [ | ||
| { id: "LLM-001-C1", description: "System prompts isolated from user input", status: "not-implemented" }, | ||
| { id: "LLM-001-C2", description: "Input sanitization and injection detection", status: "not-implemented" }, | ||
| { id: "LLM-001-C3", description: "Suspicious pattern logging and alerting", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "LLM-002", | ||
| name: "Insecure Output Handling and Validation", | ||
| description: "Validate and sanitize LLM outputs before passing to downstream systems, rendering to users, or executing as code.", | ||
| category: "ai-security", | ||
| framework: "OWASP-LLM", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Treat all LLM output as untrusted. Validate output against expected schema before use. Encode output for the target context (HTML, SQL, shell). Never pass raw LLM output to eval(), exec(), or database queries. Implement output rate limiting.", | ||
| checks: [ | ||
| { id: "LLM-002-C1", description: "Output schema validation before downstream use", status: "not-implemented" }, | ||
| { id: "LLM-002-C2", description: "Context-appropriate encoding of outputs", status: "not-implemented" }, | ||
| { id: "LLM-002-C2b", description: "No raw LLM output passed to execution functions", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "LLM-003", | ||
| name: "Training Data Poisoning Prevention", | ||
| description: "Prevent adversaries from manipulating training or fine-tuning data to introduce vulnerabilities, backdoors, or biases.", | ||
| category: "ai-security", | ||
| framework: "OWASP-LLM", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Validate and curate all training data sources. Implement data provenance tracking. Use statistical anomaly detection on training datasets. Restrict write access to training data pipelines. Test models for backdoor triggers after training.", | ||
| checks: [ | ||
| { id: "LLM-003-C1", description: "Training data source validation", status: "not-implemented" }, | ||
| { id: "LLM-003-C2", description: "Data provenance tracking implemented", status: "not-implemented" }, | ||
| { id: "LLM-003-C3", description: "Post-training backdoor testing", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "LLM-004", | ||
| name: "Model DoS Protection (Rate Limiting)", | ||
| description: "Protect against denial-of-service attacks that exhaust model compute resources through expensive prompts or high-volume requests.", | ||
| category: "ai-security", | ||
| framework: "OWASP-LLM", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Implement per-user and per-IP rate limiting. Enforce maximum token limits per request. Set timeouts on model inference. Monitor for prompt stuffing (extremely long inputs). Use a queue with bounded concurrency. Implement cost-based limits.", | ||
| checks: [ | ||
| { id: "LLM-004-C1", description: "Per-user rate limiting on AI endpoints", status: "not-implemented" }, | ||
| { id: "LLM-004-C2", description: "Maximum token limit per request", status: "not-implemented" }, | ||
| { id: "LLM-004-C3", description: "Inference timeout configured", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "LLM-005", | ||
| name: "Supply Chain Validation for Models", | ||
| description: "Validate the provenance and integrity of pre-trained models, embeddings, and plugins before integration.", | ||
| category: "ai-security", | ||
| framework: "OWASP-LLM", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Only download models from trusted sources (HuggingFace verified, official repos). Verify model checksums/signatures. Scan model files for embedded malware. Document model licenses and usage restrictions. Maintain an inventory of all model dependencies.", | ||
| checks: [ | ||
| { id: "LLM-005-C1", description: "Model source verification (checksum/signature)", status: "not-implemented" }, | ||
| { id: "LLM-005-C2", description: "Model file malware scanning", status: "not-implemented" }, | ||
| { id: "LLM-005-C3", description: "Model dependency inventory maintained", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "LLM-006", | ||
| name: "Sensitive Data Disclosure Prevention", | ||
| description: "Prevent the LLM from disclosing sensitive training data, PII, API keys, or internal system information in its outputs.", | ||
| category: "ai-security", | ||
| framework: "OWASP-LLM", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Differential privacy techniques during training. PII detection and redaction on both inputs and outputs. Avoid including secrets or PII in training/fine-tuning data. Implement output filtering for sensitive patterns. Log all outputs for audit.", | ||
| checks: [ | ||
| { id: "LLM-006-C1", description: "PII detection and redaction on outputs", status: "not-implemented" }, | ||
| { id: "LLM-006-C2", description: "No secrets/PII in training data", status: "not-implemented" }, | ||
| { id: "LLM-006-C3", description: "Output logging for audit purposes", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "LLM-007", | ||
| name: "Insecure Plugin Design", | ||
| description: "Plugins and tools connected to the LLM must validate inputs, enforce authorization, and limit blast radius.", | ||
| category: "ai-security", | ||
| framework: "OWASP-LLM", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Validate all plugin inputs independently of the LLM. Implement strict authorization per plugin action. Limit plugin data access to minimum required. Sandbox plugin execution. Rate-limit plugin calls. Log all plugin invocations.", | ||
| checks: [ | ||
| { id: "LLM-007-C1", description: "Plugin input validation independent of LLM", status: "not-implemented" }, | ||
| { id: "LLM-007-C2", description: "Per-action authorization enforced", status: "not-implemented" }, | ||
| { id: "LLM-007-C3", description: "Plugin calls logged for audit", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "LLM-008", | ||
| name: "Excessive Agency / Unbounded Actions", | ||
| description: "Limit the actions an LLM agent can take autonomously. Prevent agents from performing destructive operations without human approval.", | ||
| category: "ai-security", | ||
| framework: "OWASP-LLM", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Implement human-in-the-loop for destructive actions (delete, write, send, execute). Define explicit allowlists of permitted actions. Set maximum scope per agent session. Implement rollback/undo for reversible actions. Log all autonomous decisions.", | ||
| checks: [ | ||
| { id: "LLM-008-C1", description: "Human approval required for destructive actions", status: "not-implemented" }, | ||
| { id: "LLM-008-C2", description: "Explicit action allowlist defined", status: "not-implemented" }, | ||
| { id: "LLM-008-C3", description: "Autonomous decisions logged", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "LLM-009", | ||
| name: "Overreliance and Output Grounding", | ||
| description: "Prevent overreliance on LLM outputs by grounding responses, providing citations, and communicating uncertainty.", | ||
| category: "ai-security", | ||
| framework: "OWASP-LLM", | ||
| status: "not-implemented", | ||
| severity: "medium", | ||
| implementation_guidance: "Implement RAG (Retrieval-Augmented Generation) to ground responses in verified data. Require source citations for factual claims. Display confidence scores where available. Add disclaimers about AI-generated content. Provide feedback mechanism for incorrect outputs.", | ||
| checks: [ | ||
| { id: "LLM-009-C1", description: "RAG implementation for grounding", status: "not-implemented" }, | ||
| { id: "LLM-009-C2", description: "Source citations required for factual claims", status: "not-implemented" }, | ||
| { id: "LLM-009-C3", description: "AI-generated content disclaimers", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "LLM-010", | ||
| name: "Model Theft Protection", | ||
| description: "Protect proprietary models from extraction attacks that attempt to clone the model through repeated queries.", | ||
| category: "ai-security", | ||
| framework: "OWASP-LLM", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Implement query rate limiting and volume monitoring. Detect extraction patterns (high-volume systematic queries). Watermark model outputs. Use API gateways with DDoS protection. Legal protections (NDAs, terms of service) for model access.", | ||
| checks: [ | ||
| { id: "LLM-010-C1", description: "Query volume monitoring and anomaly detection", status: "not-implemented" }, | ||
| { id: "LLM-010-C2", description: "Output watermarking implemented", status: "not-implemented" }, | ||
| { id: "LLM-010-C3", description: "API gateway with DDoS protection", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| ]; | ||
| return { | ||
| id: "owasp-llm", | ||
| name: "OWASP LLM Top 10 Policy Pack", | ||
| description: "OWASP Top 10 for Large Language Model Applications — covers prompt injection, insecure output handling, training data poisoning, model DoS, supply chain, data disclosure, plugin security, excessive agency, overreliance, and model theft.", | ||
| version: "1.0.0", | ||
| project_types: ["ai-application", "mcp-server"], | ||
| controls, | ||
| frameworks: ["OWASP-LLM"], | ||
| }; | ||
| } |
| import type { PolicyPack } from "@greenarmor/ges-core"; | ||
| export declare function createOWASPMASVSPolicyPack(): PolicyPack; |
| export function createOWASPMASVSPolicyPack() { | ||
| const controls = [ | ||
| { | ||
| id: "MASVS-001", | ||
| name: "Secure Local Storage of Sensitive Data", | ||
| description: "Sensitive data (passwords, tokens, PII) must be stored securely using platform keychain/keystore, not in plaintext files or SharedPreferences.", | ||
| category: "data-protection", | ||
| framework: "OWASP-MASVS", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Use iOS Keychain (SecItemAdd) or Android Keystore (AndroidKeyStore provider) for credentials and tokens. Never store secrets in SharedPreferences, UserDefaults, SQLite, or plain files. Use platform biometric-protected storage for highest sensitivity data.", | ||
| checks: [ | ||
| { id: "MASVS-001-C1", description: "Keychain/Keystore used for credential storage", status: "not-implemented" }, | ||
| { id: "MASVS-001-C2", description: "No secrets in SharedPreferences/UserDefaults/SQLite", status: "not-implemented" }, | ||
| { id: "MASVS-001-C3", description: "Biometric protection enabled for highest-sensitivity data", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "MASVS-002", | ||
| name: "No Keystroke Logging or Screen Capture", | ||
| description: "The app must prevent keystroke logging, screen capture, and screen recording of sensitive screens.", | ||
| category: "data-protection", | ||
| framework: "OWASP-MASVS", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "On Android, set `FLAG_SECURE` on sensitive activities. On iOS, use `UITextField.isSecureTextEntry` for password fields and overlay protected views. Detect and warn about screen recording. Disable autocorrect and custom keyboards on sensitive inputs.", | ||
| checks: [ | ||
| { id: "MASVS-002-C1", description: "FLAG_SECURE set on sensitive Android activities", status: "not-implemented" }, | ||
| { id: "MASVS-002-C2", description: "Screen capture detection on iOS", status: "not-implemented" }, | ||
| { id: "MASVS-002-C3", description: "Custom keyboards disabled on sensitive inputs", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "MASVS-003", | ||
| name: "Secure Key Management (No Hardcoded Keys)", | ||
| description: "Cryptographic keys, API keys, and secrets must not be hardcoded in the app binary. Use runtime key exchange or secure enclave.", | ||
| category: "cryptography", | ||
| framework: "OWASP-MASVS", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Never hardcode keys in source code, resources, or assets. Use certificate pinning to secure key exchange. Store keys in platform secure enclave (Keychain/Keystore). Consider server-side key management with mutual TLS for highest security.", | ||
| checks: [ | ||
| { id: "MASVS-003-C1", description: "No hardcoded API keys or secrets in source", status: "not-implemented" }, | ||
| { id: "MASVS-003-C2", description: "Keys stored in secure enclave", status: "not-implemented" }, | ||
| { id: "MASVS-003-C3", description: "Key rotation mechanism implemented", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "MASVS-004", | ||
| name: "Strong Authentication with Biometrics", | ||
| description: "The app must support biometric authentication (Face ID/Touch ID/Fingerprint) with device passcode as fallback.", | ||
| category: "authentication", | ||
| framework: "OWASP-MASVS", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Use LocalAuthentication (iOS) or BiometricPrompt (Android) for biometric auth. Always provide passcode fallback. Use biometric-protected Keychain/Keystore for the auth token. Never store biometric data — rely on platform APIs.", | ||
| checks: [ | ||
| { id: "MASVS-004-C1", description: "Biometric authentication implemented", status: "not-implemented" }, | ||
| { id: "MASVS-004-C2", description: "Passcode fallback available", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "MASVS-005", | ||
| name: "Certificate Pinning for Network Communication", | ||
| description: "All network communication must use certificate pinning to prevent MITM attacks.", | ||
| category: "network-security", | ||
| framework: "OWASP-MASVS", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Pin server certificates or public keys in the app. Use TrustKit (iOS) or Network Security Config with pin-set (Android). Include backup pins for key rotation. Enforce TLS 1.2+ minimum. Handle pin validation failures by aborting the connection.", | ||
| checks: [ | ||
| { id: "MASVS-005-C1", description: "Certificate pinning configured", status: "not-implemented" }, | ||
| { id: "MASVS-005-C2", description: "Backup pin included for rotation", status: "not-implemented" }, | ||
| { id: "MASVS-005-C3", description: "TLS 1.2+ enforced", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "MASVS-006", | ||
| name: "Code Obfuscation and Anti-Tampering", | ||
| description: "The app binary should be obfuscated and include integrity checks to deter reverse engineering and tampering.", | ||
| category: "resilience", | ||
| framework: "OWASP-MASVS", | ||
| status: "not-implemented", | ||
| severity: "medium", | ||
| implementation_guidance: "Use ProGuard/R8 (Android) for code obfuscation. Implement runtime integrity checks (SafetyNet/Play Integrity API on Android, DeviceCheck on iOS). Detect debugger attachment. Use anti-frida/anti-hooking techniques for high-security apps.", | ||
| checks: [ | ||
| { id: "MASVS-006-C1", description: "Code obfuscation enabled (ProGuard/R8)", status: "not-implemented" }, | ||
| { id: "MASVS-006-C2", description: "Runtime integrity checks implemented", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "MASVS-007", | ||
| name: "Input Validation on All Inputs", | ||
| description: "All user inputs, deep links, IPC inputs, and web view inputs must be validated and sanitized.", | ||
| category: "validation", | ||
| framework: "OWASP-MASVS", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Validate all inputs on both client and server. Use allowlists for acceptable values. Sanitize inputs before passing to SQL, file, or command contexts. Validate deep link parameters. Restrict WebView JavaScript interfaces.", | ||
| checks: [ | ||
| { id: "MASVS-007-C1", description: "All user inputs validated", status: "not-implemented" }, | ||
| { id: "MASVS-007-C2", description: "Deep link parameters validated", status: "not-implemented" }, | ||
| { id: "MASVS-007-C3", description: "WebView inputs sanitized", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "MASVS-008", | ||
| name: "Secure IPC Between App Components", | ||
| description: "Inter-process communication between app components (Activities, Services, Content Providers, Broadcast Receivers) must be secured.", | ||
| category: "platform-security", | ||
| framework: "OWASP-MASVS", | ||
| status: "not-implemented", | ||
| severity: "medium", | ||
| implementation_guidance: "Set `android:exported=\"false\"` on components not needed by other apps. Use explicit intents over implicit. Apply signature-level permissions for internal communication. Validate all IPC inputs. Use App Sandbox and App Groups correctly on iOS.", | ||
| checks: [ | ||
| { id: "MASVS-008-C1", description: "Exported components minimized and secured", status: "not-implemented" }, | ||
| { id: "MASVS-008-C2", description: "Explicit intents used for internal IPC", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "MASVS-009", | ||
| name: "Tapjacking and Clickjacking Protection", | ||
| description: "The app must protect against tapjacking attacks where overlay windows trick users into tapping hidden elements.", | ||
| category: "platform-security", | ||
| framework: "OWASP-MASVS", | ||
| status: "not-implemented", | ||
| severity: "low", | ||
| implementation_guidance: "Set `android:filterTouchesWhenObscured=\"true\"` on sensitive views. Detect and block overlay windows. Use `setFilterTouchesWhenObscured(true)` programmatically for critical UI elements.", | ||
| checks: [ | ||
| { id: "MASVS-009-C1", description: "filterTouchesWhenObscured set on sensitive views", status: "not-implemented" }, | ||
| { id: "MASVS-009-C2", description: "Overlay window detection implemented", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "MASVS-010", | ||
| name: "Runtime Integrity Checks (Root/Jailbreak Detection)", | ||
| description: "The app must detect rooted (Android) or jailbroken (iOS) devices and respond appropriately.", | ||
| category: "resilience", | ||
| framework: "OWASP-MASVS", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Use RootBeer (Android) or jailbreak detection libraries (iOS). Check for common root indicators (su binary, Magisk, Cydia). On detected compromise, either warn the user, disable sensitive features, or refuse to run. Never rely solely on client-side detection.", | ||
| checks: [ | ||
| { id: "MASVS-010-C1", description: "Root/jailbreak detection implemented", status: "not-implemented" }, | ||
| { id: "MASVS-010-C2", description: "Appropriate response on compromised device", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| ]; | ||
| return { | ||
| id: "owasp-masvs", | ||
| name: "OWASP MASVS (Mobile Application Security Verification Standard) Policy Pack", | ||
| description: "OWASP MASVS controls for mobile application security covering storage, crypto, network, authentication, and resilience.", | ||
| version: "1.0.0", | ||
| project_types: ["mobile-application"], | ||
| controls, | ||
| frameworks: ["OWASP-MASVS"], | ||
| }; | ||
| } |
| import type { PolicyPack } from "@greenarmor/ges-core"; | ||
| export declare function createPCIDSSPolicyPack(): PolicyPack; |
| export function createPCIDSSPolicyPack() { | ||
| const controls = [ | ||
| { | ||
| id: "PCI-001", | ||
| name: "Network Segmentation for Cardholder Data", | ||
| description: "Cardholder Data Environment (CDE) must be isolated from other networks via firewalls, VLANs, or network segmentation.", | ||
| category: "network-security", | ||
| framework: "PCI-DSS", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Isolate the CDE in its own VLAN/subnet. Implement firewalls between CDE and corporate networks. Deny all traffic by default, allow only necessary ports. Document segmentation in a network diagram. Test segmentation quarterly.", | ||
| checks: [ | ||
| { id: "PCI-001-C1", description: "CDE isolated via firewall/VLAN", status: "not-implemented" }, | ||
| { id: "PCI-001-C2", description: "Default-deny rules between zones", status: "not-implemented" }, | ||
| { id: "PCI-001-C3", description: "Quarterly segmentation testing", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PCI-002", | ||
| name: "Encryption of Cardholder Data in Transit", | ||
| description: "Cardholder data must be encrypted during transmission using strong cryptography (TLS 1.2+).", | ||
| category: "encryption", | ||
| framework: "PCI-DSS", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Enforce TLS 1.2 minimum on all endpoints handling CHD. Disable SSL, TLS 1.0, 1.1. Use strong cipher suites (no RC4, no 3DES). Implement HSTS. Verify certificates with mutual TLS where applicable. Never transmit CHD over unencrypted channels (email, HTTP, FTP).", | ||
| checks: [ | ||
| { id: "PCI-002-C1", description: "TLS 1.2+ enforced on all CHD endpoints", status: "not-implemented" }, | ||
| { id: "PCI-002-C2", description: "Weak protocols and ciphers disabled", status: "not-implemented" }, | ||
| { id: "PCI-002-C3", description: "HSTS header configured", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PCI-003", | ||
| name: "Encryption of Stored Cardholder Data", | ||
| description: "Stored cardholder data (PAN) must be encrypted using strong, industry-accepted algorithms. Display PAN masked (max first 6/last 4 digits).", | ||
| category: "encryption", | ||
| framework: "PCI-DSS", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Encrypt stored PAN with AES-256 or equivalent. Use transparent data encryption (TDE) at database level. Implement field-level encryption for maximum security. Tokenize PAN where possible. Mask PAN in all displays (show only first 6 and last 4 digits). Do not store CVV/CVC after authorization.", | ||
| checks: [ | ||
| { id: "PCI-003-C1", description: "PAN encrypted at rest (AES-256)", status: "not-implemented" }, | ||
| { id: "PCI-003-C2", description: "PAN masked in UI and logs (first 6/last 4)", status: "not-implemented" }, | ||
| { id: "PCI-003-C3", description: "CVV/CVC not stored post-authorization", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PCI-004", | ||
| name: "Access Control to Cardholder Data", | ||
| description: "Access to cardholder data must be restricted on a need-to-know basis via role-based access control.", | ||
| category: "access-control", | ||
| framework: "PCI-DSS", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Implement RBAC with explicit roles for CDE access. Define need-to-know criteria per role. Default deny all access. Review access lists quarterly. Revoke access immediately upon role change or termination. Log all access to cardholder data.", | ||
| checks: [ | ||
| { id: "PCI-004-C1", description: "RBAC with need-to-know enforcement", status: "not-implemented" }, | ||
| { id: "PCI-004-C2", description: "Quarterly access review", status: "not-implemented" }, | ||
| { id: "PCI-004-C3", description: "Access logging for CHD", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PCI-005", | ||
| name: "Unique ID for Each Person with Computer Access", | ||
| description: "Every user with access to cardholder data must have a unique identification ID. No shared or generic accounts.", | ||
| category: "authentication", | ||
| framework: "PCI-DSS", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Assign unique user IDs to all personnel. Eliminate shared/generic accounts. Implement password complexity requirements (min 12 chars, mixed case, numbers, symbols). Enforce 90-day password rotation or use passphrases. Lock accounts after 6 failed attempts.", | ||
| checks: [ | ||
| { id: "PCI-005-C1", description: "Unique user IDs (no shared accounts)", status: "not-implemented" }, | ||
| { id: "PCI-005-C2", description: "Password complexity requirements enforced", status: "not-implemented" }, | ||
| { id: "PCI-005-C3", description: "Account lockout after failed attempts", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PCI-006", | ||
| name: "MFA for All Access to Cardholder Data", | ||
| description: "Multi-factor authentication is required for all access to the cardholder data environment, including remote and administrative access.", | ||
| category: "authentication", | ||
| framework: "PCI-DSS", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Require MFA for: all remote network access, all access to CDE, all administrative access. Use TOTP, hardware tokens, or push notifications (not SMS). Enforce MFA on VPN, SSH, RDP, web admin panels. Test MFA regularly.", | ||
| checks: [ | ||
| { id: "PCI-006-C1", description: "MFA for all CDE access", status: "not-implemented" }, | ||
| { id: "PCI-006-C2", description: "MFA for remote and admin access", status: "not-implemented" }, | ||
| { id: "PCI-006-C3", description: "Non-SMS MFA methods used", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PCI-007", | ||
| name: "Audit Logging for All Access to CHD", | ||
| description: "Audit logs must capture all access to cardholder data, including administrator actions, with sufficient detail for forensic analysis.", | ||
| category: "audit-logging", | ||
| framework: "PCI-DSS", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Log all access to CHD (read/write/delete). Include user ID, timestamp, action, resource, source IP. Log all admin actions (config changes, account creation). Forward logs to centralized, tamper-evident storage. Retain logs for at least 1 year (3 months online). Review daily.", | ||
| checks: [ | ||
| { id: "PCI-007-C1", description: "All CHD access logged with required fields", status: "not-implemented" }, | ||
| { id: "PCI-007-C2", description: "Logs forwarded to centralized tamper-evident store", status: "not-implemented" }, | ||
| { id: "PCI-007-C3", description: "1-year retention with daily review", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PCI-008", | ||
| name: "Quarterly Vulnerability Scans", | ||
| description: "Perform quarterly internal and external vulnerability scans by an ASV (Approved Scanning Vendor) for external-facing systems.", | ||
| category: "vulnerability-management", | ||
| framework: "PCI-DSS", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Run internal vulnerability scans quarterly (Nessus, Qualys). Use PCI ASV for quarterly external scans. Remediate all critical/high findings within 30 days. Rescan after remediation. Document scan results and remediation evidence.", | ||
| checks: [ | ||
| { id: "PCI-008-C1", description: "Quarterly internal vulnerability scans", status: "not-implemented" }, | ||
| { id: "PCI-008-C2", description: "ASV external scans quarterly", status: "not-implemented" }, | ||
| { id: "PCI-008-C3", description: "Critical/high remediated within 30 days", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PCI-009", | ||
| name: "Annual Penetration Testing", | ||
| description: "Perform annual penetration testing on the CDE and after any significant network or application change.", | ||
| category: "vulnerability-management", | ||
| framework: "PCI-DSS", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Engage qualified penetration testers annually. Cover both network-layer and application-layer testing. Include segmentation testing. Remediate findings per severity SLA. Retest after remediation. Document full report with evidence.", | ||
| checks: [ | ||
| { id: "PCI-009-C1", description: "Annual penetration test performed", status: "not-implemented" }, | ||
| { id: "PCI-009-C2", description: "Segmentation testing included", status: "not-implemented" }, | ||
| { id: "PCI-009-C3", description: "Findings remediated and retested", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PCI-010", | ||
| name: "File Integrity Monitoring (FIM)", | ||
| description: "Deploy file integrity monitoring to detect unauthorized changes to critical system files, configuration files, and content files.", | ||
| category: "monitoring", | ||
| framework: "PCI-DSS", | ||
| status: "not-implemented", | ||
| severity: "medium", | ||
| implementation_guidance: "Deploy FIM tools (OSSEC, Tripwire, AIDE) on all systems in the CDE. Monitor critical OS files, application binaries, configuration files, and content files. Generate alerts on changes. Review FIM alerts daily. Establish baseline and whitelist known-good changes.", | ||
| checks: [ | ||
| { id: "PCI-010-C1", description: "FIM deployed on all CDE systems", status: "not-implemented" }, | ||
| { id: "PCI-010-C2", description: "Critical files monitored with alerting", status: "not-implemented" }, | ||
| { id: "PCI-010-C3", description: "Daily FIM alert review", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PCI-011", | ||
| name: "Secure Software Development Practices", | ||
| description: "Develop applications based on secure coding guidelines. Review custom code for vulnerabilities before release.", | ||
| category: "secure-development", | ||
| framework: "PCI-DSS", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Follow secure coding guidelines (OWASP ASVS). Implement code review (peer review + automated SAST). Train developers on secure coding. Separate dev/test/production environments. Remove test data and accounts before production. Implement change control procedures.", | ||
| checks: [ | ||
| { id: "PCI-011-C1", description: "Secure coding guidelines followed", status: "not-implemented" }, | ||
| { id: "PCI-011-C2", description: "Code review (peer + SAST) before release", status: "not-implemented" }, | ||
| { id: "PCI-011-C3", description: "Separation of dev/test/prod environments", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PCI-012", | ||
| name: "Change Control Procedures", | ||
| description: "All changes to systems in the CDE must follow documented change control procedures with approval and rollback plans.", | ||
| category: "change-management", | ||
| framework: "PCI-DSS", | ||
| status: "not-implemented", | ||
| severity: "medium", | ||
| implementation_guidance: "Document change request, impact analysis, approval, and testing. Require management approval for all production changes. Include rollback plan. Log all changes. Review changes post-implementation. No unauthorized or emergency changes without documented justification.", | ||
| checks: [ | ||
| { id: "PCI-012-C1", description: "Documented change control process", status: "not-implemented" }, | ||
| { id: "PCI-012-C2", description: "Management approval for production changes", status: "not-implemented" }, | ||
| { id: "PCI-012-C3", description: "Rollback plans documented", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| ]; | ||
| return { | ||
| id: "pci-dss", | ||
| name: "PCI DSS Policy Pack", | ||
| description: "Payment Card Industry Data Security Standard (PCI DSS) controls for protecting cardholder data.", | ||
| version: "1.0.0", | ||
| project_types: ["saas", "api-backend", "generic-web-application"], | ||
| controls, | ||
| frameworks: ["PCI-DSS"], | ||
| }; | ||
| } |
| import type { PolicyPack } from "@greenarmor/ges-core"; | ||
| export declare function createSOC2PolicyPack(): PolicyPack; |
| export function createSOC2PolicyPack() { | ||
| const controls = [ | ||
| { | ||
| id: "SOC2-001", | ||
| name: "Security — Logical and Physical Access Controls", | ||
| description: "Implement logical access security software, infrastructure, and controls over IT assets to prevent unauthorized access.", | ||
| category: "access-control", | ||
| framework: "SOC2", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Implement RBAC with least-privilege principles. Use MFA for all access. Maintain current inventory of IT assets. Enforce password complexity and rotation. Regularly review access rights. Physical access controls (badge access, visitor logs) for data centers.", | ||
| checks: [ | ||
| { id: "SOC2-001-C1", description: "RBAC with least-privilege implemented", status: "not-implemented" }, | ||
| { id: "SOC2-001-C2", description: "IT asset inventory maintained", status: "not-implemented" }, | ||
| { id: "SOC2-001-C3", description: "Quarterly access rights review", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "SOC2-002", | ||
| name: "Security — User Authentication and Identification", | ||
| description: "Authenticate and authorize users before granting access to systems and data. Unique user IDs for all users.", | ||
| category: "authentication", | ||
| framework: "SOC2", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Unique user IDs for all personnel. MFA for remote and admin access. Password policy (12+ chars, complexity). Session timeout and lockout policies. Account provisioning/deproving workflow with HR integration. SSO where possible.", | ||
| checks: [ | ||
| { id: "SOC2-002-C1", description: "Unique user IDs enforced", status: "not-implemented" }, | ||
| { id: "SOC2-002-C2", description: "MFA for remote and admin access", status: "not-implemented" }, | ||
| { id: "SOC2-002-C3", description: "Session timeout configured", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "SOC2-003", | ||
| name: "Security — Network Protection (Firewall, IDS/IPS)", | ||
| description: "Implement perimeter security controls including firewalls, intrusion detection/prevention, and network segmentation.", | ||
| category: "network-security", | ||
| framework: "SOC2", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Deploy next-gen firewalls with default-deny rules. Implement intrusion detection/prevention (IDS/IPS). Segment networks (DMZ, internal, CDE). Regular firewall rule reviews. DDoS protection. VPN for remote access. WAF for web applications.", | ||
| checks: [ | ||
| { id: "SOC2-003-C1", description: "Firewall with default-deny rules", status: "not-implemented" }, | ||
| { id: "SOC2-003-C2", description: "IDS/IPS deployed", status: "not-implemented" }, | ||
| { id: "SOC2-003-C3", description: "Network segmentation implemented", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "SOC2-004", | ||
| name: "Availability — Backup and Recovery Procedures", | ||
| description: "Establish backup and recovery procedures and test them periodically to ensure availability commitments are met.", | ||
| category: "availability", | ||
| framework: "SOC2", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Define RPO and RTO objectives. Automate daily backups with encryption. Store backups off-site and in different availability zones. Test restoration quarterly. Document recovery procedures. Monitor backup completion and alert on failures.", | ||
| checks: [ | ||
| { id: "SOC2-004-C1", description: "RPO/RTO defined and documented", status: "not-implemented" }, | ||
| { id: "SOC2-004-C2", description: "Encrypted automated backups", status: "not-implemented" }, | ||
| { id: "SOC2-004-C3", description: "Quarterly restore testing", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "SOC2-005", | ||
| name: "Availability — Environmental Protections", | ||
| description: "Implement environmental protections at data centers including redundant power, cooling, and fire suppression.", | ||
| category: "availability", | ||
| framework: "SOC2", | ||
| status: "not-implemented", | ||
| severity: "medium", | ||
| implementation_guidance: "For on-prem: UPS/generators, HVAC, fire suppression, water detection. For cloud: select multi-AZ/multi-region deployment. Document vendor SLAs for infrastructure. Monitor environmental sensors. Annual DR exercise.", | ||
| checks: [ | ||
| { id: "SOC2-005-C1", description: "Redundant power and cooling", status: "not-implemented" }, | ||
| { id: "SOC2-005-C2", description: "Multi-AZ or multi-region deployment", status: "not-implemented" }, | ||
| { id: "SOC2-005-C3", description: "Environmental monitoring", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "SOC2-006", | ||
| name: "Processing Integrity — Data Validation", | ||
| description: "Implement controls to ensure data is processed completely, accurately, and on time. Validate inputs and outputs.", | ||
| category: "processing-integrity", | ||
| framework: "SOC2", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Validate all data inputs (schema, range, type). Implement reconciliation controls for data processing. Monitor processing errors and alert. Log all data transformations. Implement error handling and retry mechanisms. Periodic data quality audits.", | ||
| checks: [ | ||
| { id: "SOC2-006-C1", description: "Input validation on all data entry points", status: "not-implemented" }, | ||
| { id: "SOC2-006-C2", description: "Data reconciliation controls", status: "not-implemented" }, | ||
| { id: "SOC2-006-C3", description: "Processing error monitoring and alerting", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "SOC2-007", | ||
| name: "Confidentiality — Encryption and Data Segregation", | ||
| description: "Encrypt confidential data at rest and in transit. Segregate confidential data from other data stores.", | ||
| category: "confidentiality", | ||
| framework: "SOC2", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Encrypt at rest with AES-256 (database TDE, disk encryption, S3 SSE). Encrypt in transit with TLS 1.2+. Implement data classification and label confidential data. Segregate confidential data stores. Use field-level encryption for highest sensitivity. Rotate encryption keys.", | ||
| checks: [ | ||
| { id: "SOC2-007-C1", description: "Encryption at rest (AES-256)", status: "not-implemented" }, | ||
| { id: "SOC2-007-C2", description: "Encryption in transit (TLS 1.2+)", status: "not-implemented" }, | ||
| { id: "SOC2-007-C3", description: "Data classification and segregation", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "SOC2-008", | ||
| name: "Confidentiality — Data Disposal Procedures", | ||
| description: "Establish secure data disposal procedures for media, devices, and data that is no longer needed.", | ||
| category: "confidentiality", | ||
| framework: "SOC2", | ||
| status: "not-implemented", | ||
| severity: "medium", | ||
| implementation_guidance: "Document data retention schedule. Securely wipe or destroy media (NIST 800-88). Cryptographic erasure for cloud storage. Certificate of destruction. Logging of disposal events. Periodic review of retention compliance.", | ||
| checks: [ | ||
| { id: "SOC2-008-C1", description: "Data retention schedule documented", status: "not-implemented" }, | ||
| { id: "SOC2-008-C2", description: "Secure media disposal (NIST 800-88)", status: "not-implemented" }, | ||
| { id: "SOC2-008-C3", description: "Disposal events logged", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "SOC2-009", | ||
| name: "Privacy — Data Retention and Disposal", | ||
| description: "Retain personal data only as long as needed for the stated purpose, then securely dispose of it.", | ||
| category: "privacy", | ||
| framework: "SOC2", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Define retention periods per data category. Implement automated data expiration/deletion. Document legal basis for retention periods. Regular purge cycles. Verify deletion is complete and irreversible. Maintain disposal audit trail.", | ||
| checks: [ | ||
| { id: "SOC2-009-C1", description: "Retention periods defined per data category", status: "not-implemented" }, | ||
| { id: "SOC2-009-C2", description: "Automated data expiration implemented", status: "not-implemented" }, | ||
| { id: "SOC2-009-C3", description: "Disposal audit trail maintained", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "SOC2-010", | ||
| name: "Privacy — Consent and Choice Management", | ||
| description: "Obtain and manage consent for data collection, use, and sharing. Honor opt-out requests.", | ||
| category: "privacy", | ||
| framework: "SOC2", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Implement consent capture mechanism (cookie banner, registration form). Store consent records with timestamp and scope. Allow users to view, modify, and revoke consent. Honor deletion requests (GDPR Art 17). Process opt-outs within 30 days. Audit consent changes.", | ||
| checks: [ | ||
| { id: "SOC2-010-C1", description: "Consent capture mechanism implemented", status: "not-implemented" }, | ||
| { id: "SOC2-010-C2", description: "Consent records stored with timestamp/scope", status: "not-implemented" }, | ||
| { id: "SOC2-010-C3", description: "Opt-out and deletion request handling", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "SOC2-011", | ||
| name: "Security — Vulnerability Management Program", | ||
| description: "Implement a vulnerability management program including scanning, remediation SLAs, and penetration testing.", | ||
| category: "vulnerability-management", | ||
| framework: "SOC2", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Run automated vulnerability scans (SAST, DAST, dependency) in CI/CD. Monthly internal scans. Annual penetration testing. Remediation SLAs: Critical 7 days, High 30 days, Medium 90 days. Track findings to closure. Document risk acceptance for deferred items.", | ||
| checks: [ | ||
| { id: "SOC2-011-C1", description: "Automated scanning in CI/CD", status: "not-implemented" }, | ||
| { id: "SOC2-011-C2", description: "Remediation SLAs defined and tracked", status: "not-implemented" }, | ||
| { id: "SOC2-011-C3", description: "Annual penetration testing", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "SOC2-012", | ||
| name: "Security — Incident Response Procedures", | ||
| description: "Establish documented incident response procedures with defined roles, escalation, and notification requirements.", | ||
| category: "incident-response", | ||
| framework: "SOC2", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Document IR plan with roles and contact lists. Define severity classification and escalation matrix. Conduct annual tabletop exercises. 24/7 incident monitoring (SIEM, on-call). Notification procedures (72h breach notification). Post-incident review and lessons learned.", | ||
| checks: [ | ||
| { id: "SOC2-012-C1", description: "Documented IR plan with roles", status: "not-implemented" }, | ||
| { id: "SOC2-012-C2", description: "Annual tabletop exercises", status: "not-implemented" }, | ||
| { id: "SOC2-012-C3", description: "24/7 monitoring and on-call", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "SOC2-013", | ||
| name: "Security — Change Management", | ||
| description: "Implement formal change management procedures for all system, software, and configuration changes.", | ||
| category: "change-management", | ||
| framework: "SOC2", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "All changes require ticket, impact analysis, and approval. Peer code review required. Testing in non-production environment. Deployment windows. Rollback plan documented. Segregation of duties (developer ≠ deployer). Post-deployment verification.", | ||
| checks: [ | ||
| { id: "SOC2-013-C1", description: "Change request and approval workflow", status: "not-implemented" }, | ||
| { id: "SOC2-013-C2", description: "Peer review and testing required", status: "not-implemented" }, | ||
| { id: "SOC2-013-C3", description: "Rollback plan documented", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "SOC2-014", | ||
| name: "Security — Risk Assessment Process", | ||
| description: "Conduct periodic risk assessments to identify, analyze, and mitigate risks to the system and data.", | ||
| category: "risk-management", | ||
| framework: "SOC2", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Annual enterprise risk assessment. Risk register with owner, severity, mitigation. Vendor/third-party risk assessment. Track risk to closure. Risk acceptance requires documented sign-off. Integrate risk into change management process.", | ||
| checks: [ | ||
| { id: "SOC2-014-C1", description: "Annual risk assessment performed", status: "not-implemented" }, | ||
| { id: "SOC2-014-C2", description: "Risk register maintained with mitigations", status: "not-implemented" }, | ||
| { id: "SOC2-014-C3", description: "Vendor/third-party risk assessments", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| ]; | ||
| return { | ||
| id: "soc2", | ||
| name: "SOC 2 Type II Policy Pack", | ||
| description: "AICPA SOC 2 Trust Services Criteria controls covering Security, Availability, Processing Integrity, Confidentiality, and Privacy.", | ||
| version: "1.0.0", | ||
| project_types: ["saas", "api-backend", "ai-application", "generic-web-application", "healthcare-system"], | ||
| controls, | ||
| frameworks: ["SOC2"], | ||
| }; | ||
| } |
| import type { PolicyPack } from "@greenarmor/ges-core"; | ||
| export declare function createZeroTrustPolicyPack(): PolicyPack; |
| export function createZeroTrustPolicyPack() { | ||
| const controls = [ | ||
| { | ||
| id: "ZTA-001", | ||
| name: "Identity-Based Authentication (No Implicit Trust)", | ||
| description: "All access decisions must be identity-based. No implicit trust based on network location, IP, or perimeter.", | ||
| category: "identity", | ||
| framework: "ZTA", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Implement identity-aware proxy (IAP) or zero-trust access broker. Authenticate every request regardless of source. Use SSO with MFA. No trust based on VPN presence or internal IP. Enforce per-request authorization. Device identity in addition to user identity.", | ||
| checks: [ | ||
| { id: "ZTA-001-C1", description: "Every request authenticated regardless of source", status: "not-implemented" }, | ||
| { id: "ZTA-001-C2", description: "SSO with MFA implemented", status: "not-implemented" }, | ||
| { id: "ZTA-001-C3", description: "No trust based on IP or VPN", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "ZTA-002", | ||
| name: "Continuous Verification (Not One-Time Auth)", | ||
| description: "Authentication must be continuous — verify identity and trust on every request, not just at session start.", | ||
| category: "identity", | ||
| framework: "ZTA", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Implement short-lived tokens (5-15 min) with silent refresh. Re-evaluate device posture on each request. Step-up authentication for sensitive actions. Continuous session risk scoring. Invalidate sessions on posture change or suspicious behavior.", | ||
| checks: [ | ||
| { id: "ZTA-002-C1", description: "Short-lived tokens with silent refresh", status: "not-implemented" }, | ||
| { id: "ZTA-002-C2", description: "Per-request trust evaluation", status: "not-implemented" }, | ||
| { id: "ZTA-002-C3", description: "Step-up auth for sensitive actions", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "ZTA-003", | ||
| name: "Device Posture Validation", | ||
| description: "Assess device security posture (OS version, encryption, EDR status) before granting access.", | ||
| category: "device", | ||
| framework: "ZTA", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Deploy MDM/EDR that reports device posture. Check OS version, patch level, disk encryption, EDR status, jailbreak/root status. Enforce minimum posture requirements. Deny access from non-compliant devices. Allow grace period with remediation notification.", | ||
| checks: [ | ||
| { id: "ZTA-003-C1", description: "MDM/EDR deployed for posture reporting", status: "not-implemented" }, | ||
| { id: "ZTA-003-C2", description: "Minimum posture requirements enforced", status: "not-implemented" }, | ||
| { id: "ZTA-003-C3", description: "Non-compliant device access blocked", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "ZTA-004", | ||
| name: "Micro-Segmentation (No Flat Network)", | ||
| description: "Network must be segmented into small zones with explicit allow-list policies between them.", | ||
| category: "network", | ||
| framework: "ZTA", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Replace flat network with micro-segments per service/workload. Use service mesh (Istio, Linkerd) for east-west traffic control. Default-deny all inter-service communication. Define explicit allow rules per service pair. Use identity-based network policies (Calico, Cilium).", | ||
| checks: [ | ||
| { id: "ZTA-004-C1", description: "Services in separate micro-segments", status: "not-implemented" }, | ||
| { id: "ZTA-004-C2", description: "Default-deny inter-service traffic", status: "not-implemented" }, | ||
| { id: "ZTA-004-C3", description: "Service mesh for traffic control", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "ZTA-005", | ||
| name: "Software-Defined Perimeter", | ||
| description: "Implement a software-defined perimeter that hides services from unauthorized users and devices.", | ||
| category: "network", | ||
| framework: "ZTA", | ||
| status: "not-implemented", | ||
| severity: "medium", | ||
| implementation_guidance: "Deploy SDP controller (e.g., Cloudflare Access, Zscaler ZTNA, Tailscale, Twingrid). Services respond only to authenticated and authorized clients. Single-packet authorization before TCP handshake. No DNS or port visibility for unauthorized users.", | ||
| checks: [ | ||
| { id: "ZTA-005-C1", description: "SDP controller deployed", status: "not-implemented" }, | ||
| { id: "ZTA-005-C2", description: "Services hidden from unauthorized users", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "ZTA-006", | ||
| name: "Encrypt All Traffic (Internal and External)", | ||
| description: "All network traffic — internal and external — must be encrypted with mutual TLS or equivalent.", | ||
| category: "encryption", | ||
| framework: "ZTA", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Use mutual TLS (mTLS) for all service-to-service communication via service mesh. TLS 1.2+ for all external endpoints. Internal certificate authority for mTLS certificate issuance and rotation. No plaintext protocols (HTTP, Redis without TLS, internal DB connections without TLS).", | ||
| checks: [ | ||
| { id: "ZTA-006-C1", description: "mTLS for all service-to-service communication", status: "not-implemented" }, | ||
| { id: "ZTA-006-C2", description: "TLS 1.2+ for all external endpoints", status: "not-implemented" }, | ||
| { id: "ZTA-006-C3", description: "Automatic certificate rotation", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "ZTA-007", | ||
| name: "Least-Privilege Dynamic Access Policies", | ||
| description: "Access policies must enforce least privilege and be dynamically evaluated based on user, device, and context.", | ||
| category: "access-control", | ||
| framework: "ZTA", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Use policy engines (OPA, Cedar) for dynamic authorization. Evaluate user identity, device posture, time, location, and risk score per request. Define fine-grained policies per resource and action. Default deny. Just-in-time access elevation with approval workflow. Regular policy audit.", | ||
| checks: [ | ||
| { id: "ZTA-007-C1", description: "Dynamic policy engine (OPA/Cedar) deployed", status: "not-implemented" }, | ||
| { id: "ZTA-007-C2", description: "Context-aware per-request evaluation", status: "not-implemented" }, | ||
| { id: "ZTA-007-C3", description: "Just-in-time access elevation", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "ZTA-008", | ||
| name: "Data Classification and Labeling", | ||
| description: "Data must be classified and labeled so access policies can be applied based on data sensitivity.", | ||
| category: "data", | ||
| framework: "ZTA", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Implement data classification scheme (Public, Internal, Confidential, Restricted). Tag data at creation (database columns, S3 objects, documents). Enforce access policies based on classification. Encrypt restricted data. Audit access to classified data. DLP scanning for classification enforcement.", | ||
| checks: [ | ||
| { id: "ZTA-008-C1", description: "Data classification scheme defined", status: "not-implemented" }, | ||
| { id: "ZTA-008-C2", description: "Data tagged at creation", status: "not-implemented" }, | ||
| { id: "ZTA-008-C3", description: "Access policies based on classification", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "ZTA-009", | ||
| name: "Continuous Monitoring and Logging", | ||
| description: "Monitor and log all access decisions, authentication events, and network traffic for security analysis.", | ||
| category: "monitoring", | ||
| framework: "ZTA", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Log all authentication, authorization, and access events. Centralize logs in SIEM (Splunk, ELK, Loki). Real-time anomaly detection. Alert on policy violations and suspicious patterns. Retain logs per compliance requirements. Regular log review and correlation.", | ||
| checks: [ | ||
| { id: "ZTA-009-C1", description: "All access decisions logged", status: "not-implemented" }, | ||
| { id: "ZTA-009-C2", description: "Centralized SIEM with anomaly detection", status: "not-implemented" }, | ||
| { id: "ZTA-009-C3", description: "Alert on policy violations", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "ZTA-010", | ||
| name: "Automated Policy Decision Point", | ||
| description: "Use an automated policy decision point (PDP) that evaluates context and makes real-time access decisions.", | ||
| category: "automation", | ||
| framework: "ZTA", | ||
| status: "not-implemented", | ||
| severity: "medium", | ||
| implementation_guidance: "Deploy a PDP (OPA, Cedar, custom service) that receives context (user, device, resource, action, environment) and returns allow/deny decisions. Integrate with policy enforcement points (PEP) at API gateways, service mesh, and identity providers. Version and test policy changes. Audit all decisions.", | ||
| checks: [ | ||
| { id: "ZTA-010-C1", description: "PDP deployed and integrated with PEPs", status: "not-implemented" }, | ||
| { id: "ZTA-010-C2", description: "Policy changes versioned and tested", status: "not-implemented" }, | ||
| { id: "ZTA-010-C3", description: "All decisions auditable", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| ]; | ||
| return { | ||
| id: "zero-trust", | ||
| name: "NIST SP 800-207 Zero Trust Architecture Policy Pack", | ||
| description: "NIST Zero Trust Architecture controls covering identity, device, network, application workload, data, visibility, and automation pillars.", | ||
| version: "1.0.0", | ||
| project_types: ["saas", "api-backend", "government-system", "generic-web-application"], | ||
| controls, | ||
| frameworks: ["ZTA"], | ||
| }; | ||
| } |
+7
-0
@@ -23,3 +23,10 @@ import type { PolicyPack, ProjectType } from "@greenarmor/ges-core"; | ||
| export { createGovernancePolicyPack } from "./packs/governance.js"; | ||
| export { createCISDockerPolicyPack } from "./packs/cis-docker.js"; | ||
| export { createCISKubernetesPolicyPack } from "./packs/cis-kubernetes.js"; | ||
| export { createOWASPMASVSPolicyPack } from "./packs/owasp-masvs.js"; | ||
| export { createOWASPLLMPolicyPack } from "./packs/owasp-llm.js"; | ||
| export { createPCIDSSPolicyPack } from "./packs/pci-dss.js"; | ||
| export { createSOC2PolicyPack } from "./packs/soc2.js"; | ||
| export { createZeroTrustPolicyPack } from "./packs/zero-trust.js"; | ||
| export { PRIVACY_COUNTRIES, getCountryByCode, getCountryPackId, getCountriesByRegion } from "./packs/countries.js"; | ||
| export type { CountryPrivacyPack } from "./packs/countries.js"; |
+30
-0
@@ -18,2 +18,9 @@ import { createGDPRPolicyPack } from "./packs/gdpr.js"; | ||
| import { createGovernancePolicyPack } from "./packs/governance.js"; | ||
| import { createCISDockerPolicyPack } from "./packs/cis-docker.js"; | ||
| import { createCISKubernetesPolicyPack } from "./packs/cis-kubernetes.js"; | ||
| import { createOWASPMASVSPolicyPack } from "./packs/owasp-masvs.js"; | ||
| import { createOWASPLLMPolicyPack } from "./packs/owasp-llm.js"; | ||
| import { createPCIDSSPolicyPack } from "./packs/pci-dss.js"; | ||
| import { createSOC2PolicyPack } from "./packs/soc2.js"; | ||
| import { createZeroTrustPolicyPack } from "./packs/zero-trust.js"; | ||
| const ALL_PACKS = [ | ||
@@ -53,2 +60,10 @@ createGDPRPolicyPack, | ||
| createGovernancePolicyPack, | ||
| // Security Compliance Depth | ||
| createCISDockerPolicyPack, | ||
| createCISKubernetesPolicyPack, | ||
| createOWASPMASVSPolicyPack, | ||
| createOWASPLLMPolicyPack, | ||
| createPCIDSSPolicyPack, | ||
| createSOC2PolicyPack, | ||
| createZeroTrustPolicyPack, | ||
| ]; | ||
@@ -89,2 +104,10 @@ const PACK_MAP = { | ||
| "governance": createGovernancePolicyPack, | ||
| // Security Compliance Depth | ||
| "cis-docker": createCISDockerPolicyPack, | ||
| "cis-kubernetes": createCISKubernetesPolicyPack, | ||
| "owasp-masvs": createOWASPMASVSPolicyPack, | ||
| "owasp-llm": createOWASPLLMPolicyPack, | ||
| "pci-dss": createPCIDSSPolicyPack, | ||
| "soc2": createSOC2PolicyPack, | ||
| "zero-trust": createZeroTrustPolicyPack, | ||
| }; | ||
@@ -121,2 +144,9 @@ export function getAllPacks() { | ||
| export { createGovernancePolicyPack } from "./packs/governance.js"; | ||
| export { createCISDockerPolicyPack } from "./packs/cis-docker.js"; | ||
| export { createCISKubernetesPolicyPack } from "./packs/cis-kubernetes.js"; | ||
| export { createOWASPMASVSPolicyPack } from "./packs/owasp-masvs.js"; | ||
| export { createOWASPLLMPolicyPack } from "./packs/owasp-llm.js"; | ||
| export { createPCIDSSPolicyPack } from "./packs/pci-dss.js"; | ||
| export { createSOC2PolicyPack } from "./packs/soc2.js"; | ||
| export { createZeroTrustPolicyPack } from "./packs/zero-trust.js"; | ||
| export { PRIVACY_COUNTRIES, getCountryByCode, getCountryPackId, getCountriesByRegion } from "./packs/countries.js"; |
@@ -192,3 +192,3 @@ export function createGovernancePolicyPack() { | ||
| "government-system", "healthcare-system", "event-platform", | ||
| "photo-storage-platform", "vulnerability-scanner", | ||
| "photo-storage-platform", | ||
| "generic-web-application", "api-backend", "mobile-application", | ||
@@ -195,0 +195,0 @@ ]; |
@@ -637,3 +637,2 @@ export function createPrivacyCorePolicyPack() { | ||
| "photo-storage-platform", | ||
| "vulnerability-scanner", | ||
| "wallet", | ||
@@ -640,0 +639,0 @@ ], |
+3
-3
| { | ||
| "dependencies": { | ||
| "@greenarmor/ges-compliance-engine": "1.5.8", | ||
| "@greenarmor/ges-core": "1.5.8" | ||
| "@greenarmor/ges-compliance-engine": "1.6.0", | ||
| "@greenarmor/ges-core": "1.6.0" | ||
| }, | ||
@@ -28,3 +28,3 @@ "description": "GESF Policy Engine - Policy packs management and enforcement", | ||
| "types": "./dist/index.d.ts", | ||
| "version": "1.5.8", | ||
| "version": "1.6.0", | ||
| "scripts": { | ||
@@ -31,0 +31,0 @@ "build": "tsc", |
595944
16.86%59
31.11%8819
17.4%+ Added
+ Added
- Removed
- Removed
Updated