From 7ff6a9b62e94558567b780f606edc058e5b0b6a9 Mon Sep 17 00:00:00 2001 From: sanaayousaf Date: Thu, 24 Nov 2022 14:09:45 +0000 Subject: [PATCH 1/7] added policy to check enable-at_rest_encryption for elasticache --- avd_docs/aws/elasticache/AVD-AWS-0197/docs.md | 13 ++++++++++ .../kubernetes/general/AVD-KSV-01010/docs.md | 2 +- .../kubernetes/general/AVD-KSV-0107/docs.md | 5 +++- .../kubernetes/general/AVD-KSV-0108/docs.md | 4 +-- .../kubernetes/general/AVD-KSV-0109/docs.md | 2 +- .../enable_at_rest_encryption.rego | 25 +++++++++++++++++++ .../enable_at_rest_encryption_test.rego | 11 ++++++++ 7 files changed, 57 insertions(+), 5 deletions(-) create mode 100644 avd_docs/aws/elasticache/AVD-AWS-0197/docs.md create mode 100644 internal/rules/policies/cloud/policies/aws/elasticache/enable_at_rest_encryption.rego create mode 100644 internal/rules/policies/cloud/policies/aws/elasticache/enable_at_rest_encryption_test.rego diff --git a/avd_docs/aws/elasticache/AVD-AWS-0197/docs.md b/avd_docs/aws/elasticache/AVD-AWS-0197/docs.md new file mode 100644 index 000000000..050517bb6 --- /dev/null +++ b/avd_docs/aws/elasticache/AVD-AWS-0197/docs.md @@ -0,0 +1,13 @@ + +Ensure that your Amazon ElastiCache Redis clusters are encrypted to increase data security. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/at-rest-encryption.html + + diff --git a/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md b/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md index 1cee68f20..f69f12cad 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md @@ -2,7 +2,7 @@ Storing sensitive content such as usernames and email addresses in configMaps is unsafe ### Impact -Unsafe storage of sensitive content in configMaps could lead to the information being compromised. + {{ remediationActions }} diff --git a/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md index e8258523c..6af76b2a2 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md @@ -1,5 +1,5 @@ -apiVersion and kind has been deprecated +apiVersion '' and kind '' has been deprecated on: '' and planned for removal on:'' ### Impact @@ -7,4 +7,7 @@ apiVersion and kind has been deprecated {{ remediationActions }} +### Links +- + diff --git a/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md index 8d55a3498..9c1e77234 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md @@ -2,8 +2,8 @@ Services with external IP addresses allows direct access from the internet and might expose risk for CVE-2020-8554 ### Impact -Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect. -https://www.cvedetails.com/cve/CVE-2020-8554/ + + {{ remediationActions }} diff --git a/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md index d215353f0..70bba0fb1 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md @@ -2,7 +2,7 @@ Storing secrets in configMaps is unsafe ### Impact -Unsafe storage of secret content in configMaps could lead to the information being compromised. + {{ remediationActions }} diff --git a/internal/rules/policies/cloud/policies/aws/elasticache/enable_at_rest_encryption.rego b/internal/rules/policies/cloud/policies/aws/elasticache/enable_at_rest_encryption.rego new file mode 100644 index 000000000..24748592e --- /dev/null +++ b/internal/rules/policies/cloud/policies/aws/elasticache/enable_at_rest_encryption.rego @@ -0,0 +1,25 @@ +# METADATA +# title: "ElastiCache Redis Cluster Encryption At-Rest" +# description: "Ensure that your Amazon ElastiCache Redis clusters are encrypted to increase data security." +# scope: package +# schemas: +# - input: schema.input +# related_resources: +# - https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/at-rest-encryption.html +# custom: +# avd_id: AVD-AWS-0197 +# provider: aws +# service: elasticache +# severity: HIGH +# short_code: enable-at-rest-encryption +# recommended_action: "Enable encryption for ElastiCache cluster data-at-rest" +# input: +# selector: +# - type: cloud +package builtin.aws.elasticache.aws0197 + +deny[res] { + group := input.aws.elasticache.replicationgroups[_] + not group.atrestencryptionenabled.value + res := result.new("Replication group does not have at-rest encryption enabled.", group.atrestencryptionenabled) +} diff --git a/internal/rules/policies/cloud/policies/aws/elasticache/enable_at_rest_encryption_test.rego b/internal/rules/policies/cloud/policies/aws/elasticache/enable_at_rest_encryption_test.rego new file mode 100644 index 000000000..d1500d1d0 --- /dev/null +++ b/internal/rules/policies/cloud/policies/aws/elasticache/enable_at_rest_encryption_test.rego @@ -0,0 +1,11 @@ +package builtin.aws.elasticache.aws0197 + +test_detects_when_disabled { + r := deny with input as {"aws": {"elasticache": {"replicationgroups": [{"atrestencryptionenabled": {"value": false}}]}}} + count(r) == 1 +} + +test_when_enabled { + r := deny with input as {"aws": {"elasticache": {"replicationgroups": [{"atrestencryptionenabled": {"value": true}}]}}} + count(r) == 0 +} \ No newline at end of file From 00b063bf7a05bc019cff5f3cec8d5ac18f48780d Mon Sep 17 00:00:00 2001 From: SanaYousaf <78966921+SanaaYousaf@users.noreply.github.com> Date: Fri, 25 Nov 2022 14:24:26 +0000 Subject: [PATCH 2/7] Update avd_docs/kubernetes/general/AVD-KSV-0109/docs.md --- avd_docs/kubernetes/general/AVD-KSV-0109/docs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md index 70bba0fb1..d215353f0 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md @@ -2,7 +2,7 @@ Storing secrets in configMaps is unsafe ### Impact - +Unsafe storage of secret content in configMaps could lead to the information being compromised. {{ remediationActions }} From 80242264896d0673744f66be09f3abce40954b33 Mon Sep 17 00:00:00 2001 From: SanaYousaf <78966921+SanaaYousaf@users.noreply.github.com> Date: Fri, 25 Nov 2022 14:24:53 +0000 Subject: [PATCH 3/7] Update avd_docs/kubernetes/general/AVD-KSV-0107/docs.md --- avd_docs/kubernetes/general/AVD-KSV-0107/docs.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md index 6af76b2a2..ff069441c 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md @@ -7,7 +7,4 @@ apiVersion '' and kind '' has been deprecated on: '' and planned for removal on: {{ remediationActions }} -### Links -- - From c152dff57480339ef5983f7870a20ade7102b473 Mon Sep 17 00:00:00 2001 From: SanaYousaf <78966921+SanaaYousaf@users.noreply.github.com> Date: Fri, 25 Nov 2022 14:25:38 +0000 Subject: [PATCH 4/7] Update avd_docs/kubernetes/general/AVD-KSV-0108/docs.md --- avd_docs/kubernetes/general/AVD-KSV-0108/docs.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md index 9c1e77234..58feb86a3 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md @@ -2,7 +2,8 @@ Services with external IP addresses allows direct access from the internet and might expose risk for CVE-2020-8554 ### Impact - +Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect. +https://www.cvedetails.com/cve/CVE-2020-8554/ {{ remediationActions }} From 75a7f753f25e5810918ed7bc3561950db80271e4 Mon Sep 17 00:00:00 2001 From: SanaYousaf <78966921+SanaaYousaf@users.noreply.github.com> Date: Fri, 25 Nov 2022 14:26:03 +0000 Subject: [PATCH 5/7] Update avd_docs/kubernetes/general/AVD-KSV-0108/docs.md --- avd_docs/kubernetes/general/AVD-KSV-0108/docs.md | 1 - 1 file changed, 1 deletion(-) diff --git a/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md index 58feb86a3..8d55a3498 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md @@ -4,7 +4,6 @@ Services with external IP addresses allows direct access from the internet and m ### Impact Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect. https://www.cvedetails.com/cve/CVE-2020-8554/ - {{ remediationActions }} From 8f28d687f18d68824bf746e9fd5b4fd73d8c9f4b Mon Sep 17 00:00:00 2001 From: SanaYousaf <78966921+SanaaYousaf@users.noreply.github.com> Date: Fri, 25 Nov 2022 14:26:33 +0000 Subject: [PATCH 6/7] Update avd_docs/kubernetes/general/AVD-KSV-01010/docs.md --- avd_docs/kubernetes/general/AVD-KSV-01010/docs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md b/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md index f69f12cad..1cee68f20 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md @@ -2,7 +2,7 @@ Storing sensitive content such as usernames and email addresses in configMaps is unsafe ### Impact - +Unsafe storage of sensitive content in configMaps could lead to the information being compromised. {{ remediationActions }} From 558f745f4945b7a3fd4a8c3eb4437d98382206c9 Mon Sep 17 00:00:00 2001 From: SanaYousaf <78966921+SanaaYousaf@users.noreply.github.com> Date: Fri, 25 Nov 2022 14:27:00 +0000 Subject: [PATCH 7/7] Update avd_docs/kubernetes/general/AVD-KSV-0107/docs.md --- avd_docs/kubernetes/general/AVD-KSV-0107/docs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md index ff069441c..e8258523c 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md @@ -1,5 +1,5 @@ -apiVersion '' and kind '' has been deprecated on: '' and planned for removal on:'' +apiVersion and kind has been deprecated ### Impact