Merge pull request #3 from Avanti19/avanti_docker_policies

Avanti docker policies for run instruction

pkg/policies/opa/rego/docker/docker_from/AC_DOCKER_0001.json

@@ -5,7 +5,8 @@
     "resource_type": "from",
     "template_args": {
         "prefix": "",
-        "suffix": ""
+        "suffix": "",
+        "name": "docFilePlatformFlag"
     },
     "severity": "MEDIUM",
     "description": "Ensure platform flag with FROM command is not used for Docker file",

pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0002.json

@@ -0,0 +1,17 @@
+{
+    "name": "runUsingApt",
+    "file": "runUsingApt.rego",
+    "policy_type": "docker",
+    "resource_type": "run",
+    "template_args": {
+        "prefix": "",
+        "suffix": "",
+        "name": "runUsingApt"
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure apt is not used with RUN command for Docker file",
+    "reference_id": "AC_DOCKER_0001",
+    "category": "Infrastructure Security",
+    "id": "AC_DOCKER_0002",
+    "version": 1
+}

pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0003.json

@@ -0,0 +1,17 @@
+{
+    "name": "runUsingDnfUpdate",
+    "file": "runUsingDnfUpdate.rego",
+    "policy_type": "docker",
+    "resource_type": "run",
+    "template_args": {
+        "prefix": "",
+        "suffix": "",
+        "name": "runUsingDnfUpdate"
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure dnf Update is not used for Docker file",
+    "reference_id": "AC_DOCKER_0003",
+    "category": "Infrastructure Security",
+    "id": "AC_DOCKER_0003",
+    "version": 1
+}

pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0004.json

@@ -0,0 +1,17 @@
+{
+    "name": "yumInstallAllowInput",
+    "file": "yumInstallAllowInput.rego",
+    "policy_type": "docker",
+    "resource_type": "run",
+    "template_args": {
+        "prefix": "",
+        "suffix": "",
+        "name": "yumInstallAllowInput"
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure yum install allow manual input with RUN command for Docker file",
+    "reference_id": "AC_DOCKER_0004",
+    "category": "Infrastructure Security",
+    "id": "AC_DOCKER_0004",
+    "version": 1
+}

pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0005.json

@@ -0,0 +1,17 @@
+{
+    "name": "lastUserRoot",
+    "file": "lastUserRoot.rego",
+    "policy_type": "docker",
+    "resource_type": "run",
+    "template_args": {
+        "prefix": "",
+        "suffix": "",
+        "name": "lastUserRoot"
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure root with RUN command is not used for Docker file",
+    "reference_id": "AC_DOCKER_0005",
+    "category": "Infrastructure Security",
+    "id": "AC_DOCKER_0005",
+    "version": 1
+}

pkg/policies/opa/rego/docker/docker_run/lastUserRoot.rego

@@ -0,0 +1,6 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[cmd.id]{
+    cmd := input.user[count(input.user) - 1]
+    cmd.config == "root"
+}

pkg/policies/opa/rego/docker/docker_run/runUsingApt.rego

@@ -0,0 +1,7 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[cmd.id]{
+	cmd := input.run[_]
+    config := cmd.config
+    contains(config, "apt")
+}

pkg/policies/opa/rego/docker/docker_run/runUsingDnfUpdate.rego

@@ -0,0 +1,8 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[cmd.id]{
+	cmd := input.run[_]
+    config := cmd.config
+    commands = ["dnf update", "dnf upgrade", "dnf upgrade-minimal"]
+    contains(config, commands[_])
+}

pkg/policies/opa/rego/docker/docker_run/yumInstallAllowInput.rego

@@ -0,0 +1,18 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[cmd.id]{
+	cmd := input.run[_]
+    config := cmd.config
+    checkYumInstall(config)
+    not checkManualInput(config)
+}
+
+checkYumInstall(config) {
+	re_match(`yum (-(-)?[a-zA-Z]+ *)*(group|local)?install`, config)
+}
+
+checkManualInput(config) {
+	commands := ["-y", "yes", "--assumeyes"]
+    checkCmd := commands[_]
+    contains(config, checkCmd)
+}