we introduced three new rego checks to the oss. These checks are curr…

…ently part of the commercial but not included in the oss.

Additionally, there are certain checks in the oss where two checks are combined into a single check.
However, in the commercial, these checks are treated as two separate checks.
Therefore, we will be splitting the combined checks from the oss into two distinct checks to align with the commercial implementation.

we introduced three new rego checks to the oss. These checks are currently part of the commercial but not included in the oss.
Additionally, there are certain checks in the oss where two checks are combined into a single check.
However, in the commercial, these checks are treated as two separate checks.
Therefore, we will be splitting the combined checks from the oss into two distinct checks to align with the commercial implementation.
Resolves: SLK-69409

avd_docs/aws/iam/AVD-AWS-0342/docs.md

@@ -1,10 +1,8 @@
 
-In iam:PassRole the service carrying out the actions is "provided" a role by the calling principal and implicitly takes on that role to carry out the actions (instead of executing sts:AssumeRole).
-       The privileges attached to the role are distinct from those of the primary ordering the action and may even be larger and can cause security issues.
-
+Ensures any IAM pass role attched to roles are flagged and warned.
 
 ### Impact
-Compromise on security of aws resources.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/azure/storage/AVD-AZU-0011/Terraform.md

@@ -6,6 +6,7 @@ Use a more recent TLS/SSL policy for the load balancer
    name                     = "storageaccountname"
    resource_group_name      = azurerm_resource_group.example.name
    location                 = azurerm_resource_group.example.location
+   min_tls_version          = "TLS1_2"
  }
  
 ```

avd_docs/google/iam/AVD-GCP-0068/Terraform.md

@@ -1,11 +1,18 @@
 
-Set conditions on this provider, for example by restricting it to only be allowed from repositories in your GitHub organization.
+Set conditions on this provider, for example by restricting it to only be allowed from repositories in your GitHub organization
 
 ```hcl
- resource "google_iam_workload_identity_pool_provider" "github" {
-    project                            = "example-project"
-    workload_identity_pool_id          = "example-pool"
-    workload_identity_pool_provider_id = "example-provider"
+  resource "google_iam_workload_identity_pool" "github" {
+    provider = google
+    project  = data.google_project.project.project_id
+    workload_identity_pool_id = "github"
+  }
+  
+  resource "google_iam_workload_identity_pool_provider" "github" {
+    provider = google
+    project  = data.google_project.project.project_id
+    workload_identity_pool_id          = google_iam_workload_identity_pool.github-actions[0].workload_identity_pool_id
+    workload_identity_pool_provider_id = "github"
   
     attribute_condition = "assertion.repository_owner=='your-github-organization'"
 
@@ -15,10 +22,14 @@ Set conditions on this provider, for example by restricting it to only be allowe
       "attribute.aud"        = "assertion.aud"
       "attribute.repository" = "assertion.repository"
     }
-  }		
+  
+    oidc {
+      issuer_uri = "https://token.actions.githubusercontent.com"
+    }
+  }
+ 
 ```
 
 #### Remediation Links
-
-- https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider#attribute_condition
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider#attribute_condition
 

avd_docs/google/iam/AVD-GCP-0068/docs.md

@@ -2,10 +2,12 @@
 In GitHub Actions, one can authenticate to Google Cloud by setting values for workload_identity_provider and service_account and requesting a short-lived OIDC token which is then used to execute commands as that Service Account. If you don't specify a condition in the workload identity provider pool configuration, then any GitHub Action can assume this role and act as that Service Account.
 
 ### Impact
-Privilege escalation, impersonation of service accounts
+Allows an external attacker to authenticate as the attached service account and act with its permissions
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}
 
 ### Links
 - https://www.revblock.dev/exploiting-misconfigured-google-cloud-service-accounts-from-github-actions/
+
+

avd_docs/kubernetes/general/AVD-KSV-0041/docs.md

@@ -1,5 +1,5 @@
 
-Check whether role permits managing secrets
+Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a role/clusterrole that gives similar permissions.
 
 ### Impact
 <!-- Add Impact here -->

avd_docs/kubernetes/general/AVD-KSV-0046/docs.md

@@ -1,5 +1,5 @@
 
-Check whether role permits specific verb on wildcard resources
+Full control of the cluster resources, and therefore also root on all nodes where workloads can run and has access to all pods, secrets, and data.
 
 ### Impact
 <!-- Add Impact here -->

avd_docs/kubernetes/general/AVD-KSV-0112/docs.md

@@ -0,0 +1,13 @@
+
+Full control of the resources within a namespace.  In some cluster configurations, this is excessive. In others, this is normal (a gitops deployment operator like flux)
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+

avd_docs/kubernetes/general/AVD-KSV-0113/docs.md

@@ -0,0 +1,13 @@
+
+Viewing secrets at the namespace scope can lead to escalation if another service account in that namespace has a higher privileged rolebinding or clusterrolebinding bound.
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+

avd_docs/kubernetes/general/AVD-KSV-0114/docs.md

@@ -0,0 +1,13 @@
+
+Webhooks can silently intercept or actively mutate/block resources as they are being created or updated. This includes secrets and pod specs.
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+

avd_docs/kubernetes/general/AVD-KSV-0115/docs.md

@@ -0,0 +1,13 @@
+
+Ability to add AWS IAM to RBAC bindings via special EKS configmap.
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+

avd_docs/kubernetes/general/AVD-KSV-0116/docs.md

@@ -0,0 +1,13 @@
+
+According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://kubesec.io/basics/containers-securitycontext-runasuser/
+
+

rules/kubernetes/policies/general/any_resource.rego → rules/kubernetes/policies/general/manage_all_resources.rego

@@ -1,6 +1,6 @@
 # METADATA
-# title: "No wildcard resource roles"
-# description: "Check whether role permits specific verb on wildcard resources"
+# title: "Manage all resources"
+# description: "Full control of the cluster resources, and therefore also root on all nodes where workloads can run and has access to all pods, secrets, and data."
 # scope: package
 # schemas:
 # - input: schema["kubernetes"]
@@ -10,8 +10,8 @@
 #   id: KSV046
 #   avd_id: AVD-KSV-0046
 #   severity: CRITICAL
-#   short_code: no-wildcard-resource-role
-#   recommended_action: "Create a role which does not permit specific verb on wildcard resources"
+#   short_code: no-wildcard-resource-clusterrole
+#   recommended_actions: "Remove '*' from 'rules.resources'. Provide specific list of resources to be managed by cluster role"
 #   input:
 #     selector:
 #     - type: kubernetes
@@ -22,7 +22,7 @@ import data.lib.utils
 
 readVerbs := ["create", "update", "delete", "deletecollection", "impersonate", "*", "list", "get"]
 
-readKinds := ["Role", "ClusterRole"]
+readKinds := ["ClusterRole"]
 
 resourceAllowSpecificVerbOnAnyResource[input.rules[ru]] {
 	some ru, r, v
@@ -33,6 +33,6 @@ resourceAllowSpecificVerbOnAnyResource[input.rules[ru]] {
 
 deny[res] {
 	badRule := resourceAllowSpecificVerbOnAnyResource[_]
-	msg := "Role permits specific verb on wildcard resource"
+	msg := kubernetes.format(sprintf("%s '%s' shouldn't manage all resources", [kubernetes.kind, kubernetes.name]))
 	res := result.new(msg, badRule)
 }

rules/kubernetes/policies/general/manage_all_resources_at_namespace.rego

@@ -0,0 +1,38 @@
+# METADATA
+# title: "Manage all resources at the namespace"
+# description: "Full control of the resources within a namespace.  In some cluster configurations, this is excessive. In others, this is normal (a gitops deployment operator like flux)"
+# scope: package
+# schemas:
+# - input: schema["kubernetes"]
+# related_resources:
+# - https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+# custom:
+#   id: KSV112
+#   avd_id: AVD-KSV-0112
+#   severity: CRITICAL
+#   short_code: no-wildcard-resource-role
+#   recommended_actions: "Remove '*' from 'rules.resources'. Provide specific list of resources to be managed by role in namespace"
+#   input:
+#     selector:
+#     - type: kubernetes
+package builtin.kubernetes.KSV112
+
+import data.lib.kubernetes
+import data.lib.utils
+
+readVerbs := ["create", "update", "delete", "deletecollection", "impersonate", "*", "list", "get"]
+
+readKinds := ["Role"]
+
+managingAllResourcesAtNamespace[input.rules[ru]] {
+	some ru, r, v
+	input.kind == readKinds[_]
+	input.rules[ru].resources[r] == "*"
+	input.rules[ru].verbs[v] == readVerbs[_]
+}
+
+deny[res] {
+	badRule := managingAllResourcesAtNamespace[_]
+	msg := kubernetes.format(sprintf("%s '%s' shouldn't manage all resources at the namespace '%s'", [kubernetes.kind, kubernetes.name, kubernetes.namespace]))
+	res := result.new(msg, badRule)
+}

rules/kubernetes/policies/general/any_resource_test.rego → rules/kubernetes/policies/general/manage_all_resources_at_the_namespace_test.rego

@@ -1,4 +1,4 @@
-package builtin.kubernetes.KSV046
+package builtin.kubernetes.KSV112
 
 test_resource_verb_role_secrets {
 	r := deny with input as {

rules/kubernetes/policies/general/manage_all_resources_test.rego

@@ -0,0 +1,145 @@
+package builtin.kubernetes.KSV046
+
+test_resource_verb_role_secrets {
+	r := deny with input as {
+		"apiVersion": "rbac.authorization.k8s.io/v1",
+		"kind": "ClusterRole",
+		"metadata": {
+			"namespace": "default",
+			"name": "pod-reader",
+		},
+		"rules": [{
+			"apiGroups": ["*"],
+			"resources": ["*"],
+			"verbs": ["delete"],
+		}],
+	}
+
+	count(r) > 0
+}
+
+test_resource_verb_role_pods {
+	r := deny with input as {
+		"apiVersion": "rbac.authorization.k8s.io/v1",
+		"kind": "ClusterRole",
+		"metadata": {
+			"namespace": "default",
+			"name": "pod-reader",
+		},
+		"rules": [{
+			"apiGroups": ["*"],
+			"resources": ["*"],
+			"verbs": ["deletecollection"],
+		}],
+	}
+
+	count(r) > 0
+}
+
+test_resource_verb_role_deployments {
+	r := deny with input as {
+		"apiVersion": "rbac.authorization.k8s.io/v1",
+		"kind": "ClusterRole",
+		"metadata": {
+			"namespace": "default",
+			"name": "pod-reader",
+		},
+		"rules": [{
+			"apiGroups": ["*"],
+			"resources": ["*"],
+			"verbs": ["create"],
+		}],
+	}
+
+	count(r) > 0
+}
+
+test_resource_verb_role_daemonsets {
+	r := deny with input as {
+		"apiVersion": "rbac.authorization.k8s.io/v1",
+		"kind": "ClusterRole",
+		"metadata": {
+			"namespace": "default",
+			"name": "pod-reader",
+		},
+		"rules": [{
+			"apiGroups": ["*"],
+			"resources": ["*"],
+			"verbs": ["list"],
+		}],
+	}
+
+	count(r) > 0
+}
+
+test_resource_verb_role_statefulsets {
+	r := deny with input as {
+		"apiVersion": "rbac.authorization.k8s.io/v1",
+		"kind": "ClusterRole",
+		"metadata": {
+			"namespace": "default",
+			"name": "pod-reader",
+		},
+		"rules": [{
+			"apiGroups": ["*"],
+			"resources": ["*"],
+			"verbs": ["get"],
+		}],
+	}
+
+	count(r) > 0
+}
+
+test_resource_verb_role_replicationcontrollers {
+	r := deny with input as {
+		"apiVersion": "rbac.authorization.k8s.io/v1",
+		"kind": "ClusterRole",
+		"metadata": {
+			"namespace": "default",
+			"name": "pod-reader",
+		},
+		"rules": [{
+			"apiGroups": ["*"],
+			"resources": ["*"],
+			"verbs": ["impersonate"],
+		}],
+	}
+
+	count(r) > 0
+}
+
+test_resource_resource_role_no_specific_verb {
+	r := deny with input as {
+		"apiVersion": "rbac.authorization.k8s.io/v1",
+		"kind": "ClusterRole",
+		"metadata": {
+			"namespace": "default",
+			"name": "pod-reader",
+		},
+		"rules": [{
+			"apiGroups": ["*"],
+			"resources": ["impersonate"],
+			"verbs": ["aaa"],
+		}],
+	}
+
+	count(r) == 0
+}
+
+test_resource_verb_role_no_any_verb {
+	r := deny with input as {
+		"apiVersion": "rbac.authorization.k8s.io/v1",
+		"kind": "ClusterRole",
+		"metadata": {
+			"namespace": "default",
+			"name": "pod-reader",
+		},
+		"rules": [{
+			"apiGroups": ["*"],
+			"resources": ["*"],
+			"verbs": ["*"],
+		}],
+	}
+
+	count(r) > 0
+}