From 681ca1d83c94a1ccaef9a26dcc8d53e5edae176b Mon Sep 17 00:00:00 2001 From: sanaayousaf Date: Tue, 22 Nov 2022 11:25:24 +0000 Subject: [PATCH 1/7] added policy to check image scan enable or not for ecr --- avd_docs/aws/ecr/AVD-AWS-0191/docs.md | 13 ++++++++++ .../kubernetes/general/AVD-KSV-01010/docs.md | 2 +- .../kubernetes/general/AVD-KSV-0107/docs.md | 5 +++- .../kubernetes/general/AVD-KSV-0108/docs.md | 4 +-- .../kubernetes/general/AVD-KSV-0109/docs.md | 2 +- .../policies/aws/ecr/enable_image_scans.rego | 25 +++++++++++++++++++ .../aws/ecr/enable_image_scans_test.rego | 11 ++++++++ 7 files changed, 57 insertions(+), 5 deletions(-) create mode 100644 avd_docs/aws/ecr/AVD-AWS-0191/docs.md create mode 100644 internal/rules/policies/cloud/policies/aws/ecr/enable_image_scans.rego create mode 100644 internal/rules/policies/cloud/policies/aws/ecr/enable_image_scans_test.rego diff --git a/avd_docs/aws/ecr/AVD-AWS-0191/docs.md b/avd_docs/aws/ecr/AVD-AWS-0191/docs.md new file mode 100644 index 000000000..d26218f5b --- /dev/null +++ b/avd_docs/aws/ecr/AVD-AWS-0191/docs.md @@ -0,0 +1,13 @@ + +Ensure ECR repository has image scans disabled. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html + + diff --git a/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md b/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md index 1cee68f20..f69f12cad 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md @@ -2,7 +2,7 @@ Storing sensitive content such as usernames and email addresses in configMaps is unsafe ### Impact -Unsafe storage of sensitive content in configMaps could lead to the information being compromised. + {{ remediationActions }} diff --git a/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md index e8258523c..6af76b2a2 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md @@ -1,5 +1,5 @@ -apiVersion and kind has been deprecated +apiVersion '' and kind '' has been deprecated on: '' and planned for removal on:'' ### Impact @@ -7,4 +7,7 @@ apiVersion and kind has been deprecated {{ remediationActions }} +### Links +- + diff --git a/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md index 8d55a3498..9c1e77234 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md @@ -2,8 +2,8 @@ Services with external IP addresses allows direct access from the internet and might expose risk for CVE-2020-8554 ### Impact -Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect. -https://www.cvedetails.com/cve/CVE-2020-8554/ + + {{ remediationActions }} diff --git a/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md index d215353f0..70bba0fb1 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md @@ -2,7 +2,7 @@ Storing secrets in configMaps is unsafe ### Impact -Unsafe storage of secret content in configMaps could lead to the information being compromised. + {{ remediationActions }} diff --git a/internal/rules/policies/cloud/policies/aws/ecr/enable_image_scans.rego b/internal/rules/policies/cloud/policies/aws/ecr/enable_image_scans.rego new file mode 100644 index 000000000..f59f5465f --- /dev/null +++ b/internal/rules/policies/cloud/policies/aws/ecr/enable_image_scans.rego @@ -0,0 +1,25 @@ +# METADATA +# title: "ECR Image Scans" +# description: "Ensure ECR repository has image scans disabled." +# scope: package +# schemas: +# - input: schema.input +# related_resources: +# - https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html +# custom: +# avd_id: AVD-AWS-0191 +# provider: aws +# service: ecr +# severity: HIGH +# short_code: enable-image-scans +# recommended_action: "Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible." +# input: +# selector: +# - type: cloud +package builtin.aws.ecr.aws0191 + +deny[res] { + repo := input.aws.ecr.repositories[_] + not repo.imagescanning.scanonpush.value + res := result.new("Image scanning is not enabled.", repo.imagescanning.scanonpush) +} diff --git a/internal/rules/policies/cloud/policies/aws/ecr/enable_image_scans_test.rego b/internal/rules/policies/cloud/policies/aws/ecr/enable_image_scans_test.rego new file mode 100644 index 000000000..e81812559 --- /dev/null +++ b/internal/rules/policies/cloud/policies/aws/ecr/enable_image_scans_test.rego @@ -0,0 +1,11 @@ +package builtin.aws.ecr.aws0191 + +test_detects_when_disabled { + r := deny with input as {"aws": {"ecr": {"repositories": [{"imagescanning": {"scanonpush": {"value": false}}}]}}} + count(r) == 1 +} + +test_when_enabled { + r := deny with input as {"aws": {"ecr": {"repositories": [{"imagescanning": {"scanonpush": {"value": true}}}]}}} + count(r) == 0 +} \ No newline at end of file From adaa3484cea1189bf39eb53b8d85484b872449fe Mon Sep 17 00:00:00 2001 From: SanaYousaf <78966921+SanaaYousaf@users.noreply.github.com> Date: Fri, 25 Nov 2022 13:55:02 +0000 Subject: [PATCH 2/7] Update avd_docs/kubernetes/general/AVD-KSV-0109/docs.md --- avd_docs/kubernetes/general/AVD-KSV-0109/docs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md index 70bba0fb1..d215353f0 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md @@ -2,7 +2,7 @@ Storing secrets in configMaps is unsafe ### Impact - +Unsafe storage of secret content in configMaps could lead to the information being compromised. {{ remediationActions }} From 00f58817718181ac343a9af300ac09084338bb1e Mon Sep 17 00:00:00 2001 From: SanaYousaf <78966921+SanaaYousaf@users.noreply.github.com> Date: Fri, 25 Nov 2022 13:55:31 +0000 Subject: [PATCH 3/7] Update avd_docs/kubernetes/general/AVD-KSV-0107/docs.md --- avd_docs/kubernetes/general/AVD-KSV-0107/docs.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md index 6af76b2a2..ff069441c 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md @@ -7,7 +7,4 @@ apiVersion '' and kind '' has been deprecated on: '' and planned for removal on: {{ remediationActions }} -### Links -- - From 97111d43b498645c01c1b9217ed3b9beafa5567c Mon Sep 17 00:00:00 2001 From: SanaYousaf <78966921+SanaaYousaf@users.noreply.github.com> Date: Fri, 25 Nov 2022 13:56:07 +0000 Subject: [PATCH 4/7] Update avd_docs/kubernetes/general/AVD-KSV-0107/docs.md --- avd_docs/kubernetes/general/AVD-KSV-0107/docs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md index ff069441c..e8258523c 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md @@ -1,5 +1,5 @@ -apiVersion '' and kind '' has been deprecated on: '' and planned for removal on:'' +apiVersion and kind has been deprecated ### Impact From 7a22eac7dd667806330fc205c6d149f4f064ac71 Mon Sep 17 00:00:00 2001 From: SanaYousaf <78966921+SanaaYousaf@users.noreply.github.com> Date: Fri, 25 Nov 2022 13:57:49 +0000 Subject: [PATCH 5/7] Update avd_docs/kubernetes/general/AVD-KSV-01010/docs.md --- avd_docs/kubernetes/general/AVD-KSV-01010/docs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md b/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md index f69f12cad..1cee68f20 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md @@ -2,7 +2,7 @@ Storing sensitive content such as usernames and email addresses in configMaps is unsafe ### Impact - +Unsafe storage of sensitive content in configMaps could lead to the information being compromised. {{ remediationActions }} From 082eb946831ca9d1e2332c648b75cdc46af24293 Mon Sep 17 00:00:00 2001 From: SanaYousaf <78966921+SanaaYousaf@users.noreply.github.com> Date: Fri, 25 Nov 2022 13:59:04 +0000 Subject: [PATCH 6/7] Update avd_docs/kubernetes/general/AVD-KSV-0108/docs.md --- avd_docs/kubernetes/general/AVD-KSV-0108/docs.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md index 9c1e77234..58feb86a3 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md @@ -2,7 +2,8 @@ Services with external IP addresses allows direct access from the internet and might expose risk for CVE-2020-8554 ### Impact - +Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect. +https://www.cvedetails.com/cve/CVE-2020-8554/ {{ remediationActions }} From f7e05a8a12cc2aa68f69894b7ff61fff510d96d8 Mon Sep 17 00:00:00 2001 From: SanaYousaf <78966921+SanaaYousaf@users.noreply.github.com> Date: Fri, 25 Nov 2022 13:59:29 +0000 Subject: [PATCH 7/7] Update avd_docs/kubernetes/general/AVD-KSV-0108/docs.md --- avd_docs/kubernetes/general/AVD-KSV-0108/docs.md | 1 - 1 file changed, 1 deletion(-) diff --git a/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md index 58feb86a3..8d55a3498 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md @@ -4,7 +4,6 @@ Services with external IP addresses allows direct access from the internet and m ### Impact Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect. https://www.cvedetails.com/cve/CVE-2020-8554/ - {{ remediationActions }}