From 5b75958a6899a14b8422247de4fc8fec972a440f Mon Sep 17 00:00:00 2001
From: avanti vyas
Date: Wed, 28 Jul 2021 22:54:53 +0530
Subject: [PATCH 1/2] adding new docker policies
---
 .../rego/docker/docker_run/AC_DOCKER_0002.json | 16 ++++++++++++++++
 .../rego/docker/docker_run/AC_DOCKER_0003.json | 17 +++++++++++++++++
 .../rego/docker/docker_run/AC_DOCKER_0005.json | 17 +++++++++++++++++
 .../rego/docker/docker_run/lastUserRoot.rego | 6 ++++++
 .../opa/rego/docker/docker_run/runUsingApt.rego | 7 +++++++
 .../docker/docker_run/runUsingDnfUpdate.rego | 8 ++++++++
 6 files changed, 71 insertions(+)
 create mode 100644 pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0002.json
 create mode 100644 pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0003.json
 create mode 100644 pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0005.json
 create mode 100644 pkg/policies/opa/rego/docker/docker_run/lastUserRoot.rego
 create mode 100644 pkg/policies/opa/rego/docker/docker_run/runUsingApt.rego
 create mode 100644 pkg/policies/opa/rego/docker/docker_run/runUsingDnfUpdate.rego
diff --git a/pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0002.json b/pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0002.json
new file mode 100644
index 000000000..2a1da3b11
--- /dev/null
+++ b/pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0002.json
@@ -0,0 +1,16 @@
+{
+ "name": "runUsingApt",
+ "file": "runUsingApt.rego",
+ "policy_type": "docker",
+ "resource_type": "docker",
+ "template_args": {
+ "prefix": "",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure apt is not used with RUN command for Docker file",
+ "reference_id": "AC_DOCKER_0001",
+ "category": "Infrastructure Security",
+ "id": "AC_DOCKER_0002",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0003.json b/pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0003.json
new file mode 100644
index 000000000..4eece364e
--- /dev/null
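Review bot: `"reference_id": "AC_DOCKER_0001"` does not match this policy's own `"id": "AC_DOCKER_0002"`, whereas every other policy file in this series sets the two fields to the same value; anything that reports or deduplicates findings by reference_id would attribute apt findings to a different policy (the docker_from one, judging by the patch-2 hunk). The second patch edits this file again but its hunk stops before that line, so the mismatch survives both commits; it should read `"reference_id": "AC_DOCKER_0002",`. The new file also ends without a trailing newline.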
+++ b/pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0003.json
@@ -0,0 +1,17 @@
+{
+ "name": "runUsingDnfUpdate",
+ "file": "runUsingDnfUpdate.rego",
+ "policy_type": "docker",
+ "resource_type": "docker",
+ "template_args": {
+ "prefix": "",
+ "suffix": "",
+ "name": "runUsingDnfUpdate"
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure dnf Update is not used for Docker file",
+ "reference_id": "AC_DOCKER_0003",
+ "category": "Infrastructure Security",
+ "id": "AC_DOCKER_0003",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0005.json b/pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0005.json
new file mode 100644
index 000000000..b565a5dd6
--- /dev/null
+++ b/pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0005.json
@@ -0,0 +1,17 @@
+{
+ "name": "lastUserRoot",
+ "file": "lastUserRoot.rego",
+ "policy_type": "docker",
+ "resource_type": "docker",
+ "template_args": {
+ "prefix": "",
+ "suffix": "",
+ "name": "lastUserRoot"
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure root with RUN command is not used for Docker file",
+ "reference_id": "AC_DOCKER_0005",
+ "category": "Infrastructure Security",
+ "id": "AC_DOCKER_0005",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/docker/docker_run/lastUserRoot.rego b/pkg/policies/opa/rego/docker/docker_run/lastUserRoot.rego
new file mode 100644
index 000000000..7d3f519b1
--- /dev/null
+++ b/pkg/policies/opa/rego/docker/docker_run/lastUserRoot.rego
@@ -0,0 +1,6 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[cmd.id]{
+ cmd := input.user[count(input.user) - 1]
+ cmd.config == "root"
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/docker/docker_run/runUsingApt.rego b/pkg/policies/opa/rego/docker/docker_run/runUsingApt.rego
new file mode 100644
index 000000000..88c0cb3b9
--- /dev/null
+++ b/pkg/policies/opa/rego/docker/docker_run/runUsingApt.rego
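Review bot: The description `Ensure root with RUN command is not used for Docker file` does not describe what lastUserRoot.rego checks: that rule reads the last element of `input.user` and compares its config to `"root"`, so it is about the USER instruction, not RUN. A wording that matches the rule would be `"description": "Ensure the last USER instruction in the Dockerfile does not switch to root",`. The file also ends without a trailing newline.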
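Review bot: `cmd.config == "root"` only fires when the final USER argument is literally `root`, so the equivalent spellings `USER 0`, `USER root:root` and `USER 0:0` pass silently, as does a Dockerfile with no USER instruction at all, which runs as root by default (an empty `input.user` makes the index `count(input.user) - 1` equal to -1 and the rule is simply undefined). Assuming `cmd.config` holds the instruction's argument text, `re_match("^(root|0)(:.*)?$", cmd.config)` in place of the equality covers the spelled-out variants; the missing-USER case needs a separate rule and depends on whether the engine supplies any input for that instruction type, which this patch does not show. The rule also uses `:=` for `cmd` but the body has no guard for `input.user` being absent, which is fine for undefined-means-no-finding semantics but worth a comment so the next reader does not take the silence for coverage.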
@@ -0,0 +1,7 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[cmd.id]{
+ cmd := input.run[_]
+ config := cmd.config
+ contains(config, "apt")
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/docker/docker_run/runUsingDnfUpdate.rego b/pkg/policies/opa/rego/docker/docker_run/runUsingDnfUpdate.rego
new file mode 100644
index 000000000..8cb721e24
--- /dev/null
+++ b/pkg/policies/opa/rego/docker/docker_run/runUsingDnfUpdate.rego
@@ -0,0 +1,8 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[cmd.id]{
+ cmd := input.run[_]
+ config := cmd.config
+ commands = ["dnf update", "dnf upgrade", "dnf upgrade-minimal"]
+ contains(config, commands[_])
+}
\ No newline at end of file
From 3d2fa80f5da54af6c5d1bf1eb7587dbafd453aac Mon Sep 17 00:00:00 2001
From: avanti vyas
Date: Thu, 29 Jul 2021 11:48:23 +0530
Subject: [PATCH 2/2] adding new docker policies
---
 .../docker/docker_from/AC_DOCKER_0001.json | 3 ++-
 .../rego/docker/docker_run/AC_DOCKER_0002.json | 5 +++--
 .../rego/docker/docker_run/AC_DOCKER_0003.json | 2 +-
 .../rego/docker/docker_run/AC_DOCKER_0004.json | 17 +++++++++++++++++
 .../rego/docker/docker_run/AC_DOCKER_0005.json | 2 +-
 .../docker_run/yumInstallAllowInput.rego | 18 ++++++++++++++++++
 6 files changed, 42 insertions(+), 5 deletions(-)
 create mode 100644 pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0004.json
 create mode 100644 pkg/policies/opa/rego/docker/docker_run/yumInstallAllowInput.rego
diff --git a/pkg/policies/opa/rego/docker/docker_from/AC_DOCKER_0001.json b/pkg/policies/opa/rego/docker/docker_from/AC_DOCKER_0001.json
index e1b090ec1..1ed87bdda 100644
--- a/pkg/policies/opa/rego/docker/docker_from/AC_DOCKER_0001.json
+++ b/pkg/policies/opa/rego/docker/docker_from/AC_DOCKER_0001.json
@@ -5,7 +5,8 @@
 "resource_type": "from",
 "template_args": {
 "prefix": "",
- "suffix": ""
+ "suffix": "",
+ "name": "docFilePlatformFlag"
 },
 "severity": "MEDIUM",
 "description": "Ensure platform flag with FROM command is not used for Docker file",
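Review bot: `contains(config, "apt")` is a bare substring test, so it flags `apt-get`, `apt-cache` and `apt-key` as well as unrelated words such as `adapt` or `laptop`, while the policy description names only `apt`. If the intent is the common rule that the interactive `apt` front-end should not be used in a Dockerfile (with `apt-get` being the accepted alternative), the match should be anchored to the command token, e.g. `re_match("(^|[\\s;&|(])apt(\\s|$)", config)`; if `apt-*` tools are meant to be flagged too, the description should say so, and the false positives on ordinary words still need the anchoring. A one-line comment above the match stating which of the two readings is intended would keep the next edit from flipping it.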
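Review bot: `contains(config, commands[_])` requires the two words to be adjacent with a single space, so `dnf -y update`, `dnf --refresh upgrade` or `dnf  update` with options or extra spacing between the command and the subcommand are not detected, which is exactly the form most Dockerfiles use; the yumInstallAllowInput.rego rule in the second patch already handles this with `re_match` and an option group, and the same shape, `re_match("dnf( +-(-)?[a-zA-Z-]+)* +(update|upgrade)", config)`, would replace the list here. `"dnf upgrade-minimal"` is redundant in any case because it contains `"dnf upgrade"`. `commands = [...]` is unification where the surrounding locals use `:=`; `commands := [...]` is the consistent form.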
diff --git a/pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0002.json b/pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0002.json
index 2a1da3b11..730590e59 100644
--- a/pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0002.json
+++ b/pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0002.json
@@ -2,10 +2,11 @@
 "name": "runUsingApt",
 "file": "runUsingApt.rego",
 "policy_type": "docker",
- "resource_type": "docker",
+ "resource_type": "run",
 "template_args": {
 "prefix": "",
- "suffix": ""
+ "suffix": "",
+ "name": "runUsingApt"
 },
 "severity": "MEDIUM",
 "description": "Ensure apt is not used with RUN command for Docker file",
diff --git a/pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0003.json b/pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0003.json
index 4eece364e..45b751810 100644
--- a/pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0003.json
+++ b/pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0003.json
@@ -2,7 +2,7 @@
 "name": "runUsingDnfUpdate",
 "file": "runUsingDnfUpdate.rego",
 "policy_type": "docker",
- "resource_type": "docker",
+ "resource_type": "run",
 "template_args": {
 "prefix": "",
 "suffix": "",
diff --git a/pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0004.json b/pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0004.json
new file mode 100644
index 000000000..68804c076
--- /dev/null
+++ b/pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0004.json
@@ -0,0 +1,17 @@
+{
+ "name": "yumInstallAllowInput",
+ "file": "yumInstallAllowInput.rego",
+ "policy_type": "docker",
+ "resource_type": "run",
+ "template_args": {
+ "prefix": "",
+ "suffix": "",
+ "name": "yumInstallAllowInput"
+ },
+ "severity": "MEDIUM",
+ "description": "Ensure yum install allow manual input with RUN command for Docker file",
+ "reference_id": "AC_DOCKER_0004",
+ "category": "Infrastructure Security",
+ "id": "AC_DOCKER_0004",
+ "version": 1
+}
\ No newline at end of file
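Review bot: The description `Ensure yum install allow manual input with RUN command for Docker file` states the opposite of what yumInstallAllowInput.rego reports: that rule fires when a `yum install` line carries none of `-y`, `yes` or `--assumeyes`, i.e. when the install would stop for an interactive confirmation and the build would hang. Suggest `"description": "Ensure yum install in RUN commands uses -y/--assumeyes so the build does not wait for manual input",`. Like the other new files in this series, the file ends without a trailing newline.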
diff --git a/pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0005.json b/pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0005.json
index b565a5dd6..0c547cf34 100644
--- a/pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0005.json
+++ b/pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0005.json
@@ -2,7 +2,7 @@
 "name": "lastUserRoot",
 "file": "lastUserRoot.rego",
 "policy_type": "docker",
- "resource_type": "docker",
+ "resource_type": "run",
 "template_args": {
 "prefix": "",
 "suffix": "",
diff --git a/pkg/policies/opa/rego/docker/docker_run/yumInstallAllowInput.rego b/pkg/policies/opa/rego/docker/docker_run/yumInstallAllowInput.rego
new file mode 100644
index 000000000..e4d7e5f54
--- /dev/null
+++ b/pkg/policies/opa/rego/docker/docker_run/yumInstallAllowInput.rego
@@ -0,0 +1,18 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[cmd.id]{
+ cmd := input.run[_]
+ config := cmd.config
+ checkYumInstall(config)
+ not checkManualInput(config)
+}
+
+checkYumInstall(config) {
+ re_match(`yum (-(-)?[a-zA-Z]+ *)*(group|local)?install`, config)
+}
+
+checkManualInput(config) {
+ commands := ["-y", "yes", "--assumeyes"]
+ checkCmd := commands[_]
+ contains(config, checkCmd)
+}
\ No newline at end of file
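Review bot: `"resource_type": "run"` is set here in line with the other docker_run policies, but lastUserRoot.rego reads `input.user`, not `input.run`, and the FROM policy in docker_from uses `"resource_type": "from"`. If resource_type selects which instruction records the engine passes to the rule (the loader is not visible in this patch), this policy will be handed RUN records, `input.user` will be empty, and it will never fire. `"resource_type": "user"`, or moving the file out of docker_run, looks like the consistent choice; please confirm against the loader.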
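Review bot: `contains(config, checkCmd)` in checkManualInput is a substring test, so any `-y` or `yes` that appears inside a package name or another option (`yum install python-yaml` contains `-y`) satisfies it and the missing-flag finding is suppressed; `"--assumeyes"` is also redundant in the list because it contains `"yes"`. Matching the flags as whole tokens, `re_match("(^|\\s)(-y|--assumeyes)(\\s|$)", config)`, closes that gap, with `yes |` piping and combined short options such as `-qy` needing their own alternatives if they are meant to be accepted. Separately, the option group `[a-zA-Z]+` in checkYumInstall admits neither `=` nor digits, so `yum --enablerepo=epel install foo` is not recognised as an install at all and escapes the check; `[^ ]+` in place of `[a-zA-Z]+` is the minimal widening.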