From 57b9856ea9737fa94e8094075a0c5fe9425f9873 Mon Sep 17 00:00:00 2001 From: Adrien E Date: Mon, 16 Sep 2024 08:32:14 +0000 Subject: [PATCH] Get new rules --- .../files/rules/perProvider/awsSetRules.yaml | 176 ++++++++ .../rules/perProvider/azureSetRules.yaml | 238 +++++++++++ .../files/rules/perProvider/driveRules.yaml | 95 +++++ .../files/rules/perProvider/gcpSetRules.yaml | 110 +++++ .../rules/perProvider/githubSetRules.yaml | 97 +++++ .../perProvider/googleDriveSetRules.yaml | 95 +++++ .../perProvider/googleWorkspaceSetRules.yaml | 102 +++++ .../files/rules/perProvider/helmSetRules.yaml | 210 ++++++++++ .../files/rules/perProvider/httpSetRules.yaml | 115 ++++++ .../rules/perProvider/kubernetesSetRules.yaml | 390 ++++++++++++++++++ .../files/rules/perProvider/o365SetRules.yaml | 95 +++++ 11 files changed, 1723 insertions(+) create mode 100644 kexa-chart/files/rules/perProvider/awsSetRules.yaml create mode 100644 kexa-chart/files/rules/perProvider/azureSetRules.yaml create mode 100644 kexa-chart/files/rules/perProvider/driveRules.yaml create mode 100644 kexa-chart/files/rules/perProvider/gcpSetRules.yaml create mode 100644 kexa-chart/files/rules/perProvider/githubSetRules.yaml create mode 100644 kexa-chart/files/rules/perProvider/googleDriveSetRules.yaml create mode 100644 kexa-chart/files/rules/perProvider/googleWorkspaceSetRules.yaml create mode 100644 kexa-chart/files/rules/perProvider/helmSetRules.yaml create mode 100644 kexa-chart/files/rules/perProvider/httpSetRules.yaml create mode 100644 kexa-chart/files/rules/perProvider/kubernetesSetRules.yaml create mode 100644 kexa-chart/files/rules/perProvider/o365SetRules.yaml diff --git a/kexa-chart/files/rules/perProvider/awsSetRules.yaml b/kexa-chart/files/rules/perProvider/awsSetRules.yaml new file mode 100644 index 0000000..2f31b1e --- /dev/null +++ b/kexa-chart/files/rules/perProvider/awsSetRules.yaml 
@@ -0,0 +1,176 @@ +- version: 1.0.0 + date: 07-18-2023 + alert: + fatal: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + error: + enabled: true + type: + - log + #- email + #- sms + to: + - myEmail@gmail.com + warning: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + info: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + global: + enabled: true + type: + - log + #- webhook + #- sms + #- email + to: + #- http://127.0.0.1:5000/test + - myEmail@gmail.com + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + - name: "aws-ec2-volume-unattached" + description: "this rule is to check if an ec2 volume is unattached" + applied: true + level: 1 + cloudProvider: aws + objectName: EC2Client.Volumes + conditions: + - property: Attachments + condition: COUNT_SUP + value: 0 + - name: "ec2-volume-check-create-less-2-month-expiration" + description: "this rule is to check for a ec2 volume create date inferior than 2 months" + applied: true + level: 2 + cloudProvider: aws + objectName: EC2Client.Volumes + conditions: + - property: CreateTime + condition: DATE_INF + value: 0 0 0 0 0 2 0 + date: "YYYY-MM-DDThh:mm:ss.SSSZ" + - name: "aws-tagsvalue-check-for-expiration-date" + description: "this rule is to check if tags contain an expiration date (separate with \"-\")" + applied: true + level: 1 + cloudProvider: aws + objectName: KexaAwsCustoms.tagsValueListing + conditions: + - property: name + condition: REGEX + value: '\b\d{1,4}[-]\d{1,4}[-]\d{1,4}\b' + - name: "ec2-security-groups-source-defined" + description: "this rule is to check if a ec2 SG has a defined source (not 0.0.0.0)" + applied: true + level: 1 + cloudProvider: aws + objectName: EC2Client.SecurityGroups + conditions: + - property: IpPermissions + condition: ALL + value: + - property: IpRanges + condition: ALL + value: + - property: CidrIp + condition: DIFFERENT + value: "0.0.0.0/0" + - 
name: "aws-ec2-public-ip-address" + description : "this rule is to check if an ec2 ip address is public" + applied: true + level: 2 + cloudProvider: aws + objectName: EC2Client.Instances + conditions: + - property: Instances + condition: ALL + value: + - property: PublicIpAddress + condition: EQUAL + value: null + # storage rule + - name: "aws-bucket-public-access-block" + description: "this rule is to verify if the public access block is enabled on the bucket" + applied: true + level: 1 + cloudProvider: aws + objectName: S3Client.PublicAccessBlock + conditions: + - operator: AND + criteria: + - property: PublicAccessBlockConfiguration.BlockPublicAcls + condition: EQUAL + value: true + - property: PublicAccessBlockConfiguration.IgnorePublicAcls + condition: EQUAL + value: true + - property: PublicAccessBlockConfiguration.BlockPublicPolicy + condition: EQUAL + value: true + - property: PublicAccessBlockConfiguration.RestrictPublicBuckets + condition: EQUAL + value: true + - name: "aws-bucket-enryption-enable" + description: "this rule is to verify if the bucket is encrypted" + applied: true + level: 1 + cloudProvider: aws + objectName: S3Client.BucketEncryption + conditions: + - property: ServerSideEncryptionConfiguration.Rules + condition: COUNT_SUP_OR_EQUAL + value: 1 + - name: "aws-bucket-encryption-using-kms" + description: "this rule is to verify if the bucket is encrypted using KMS" + applied: true + level: 1 + cloudProvider: aws + objectName: S3Client.BucketEncryption + conditions: + - property: ServerSideEncryptionConfiguration.Rules + condition: ALL + value: + - property: ApplyServerSideEncryptionByDefault + condition: OR + value: + - property: SSEAlgorithm + condition: EQUAL + value: aws:kms:dsse + - property: SSEAlgorithm + condition: EQUAL + value: aws:kms + - name: "aws-bucket-key-enabled-to-reduce-encryption-cost" + description: "this rule is to verify if the bucket key is enabled to reduce encryption cost" + applied: true + level: 1 + cloudProvider: 
aws + objectName: S3Client.BucketEncryption + conditions: + - property: ServerSideEncryptionConfiguration.Rules + condition: ALL + value: + - property: ApplyServerSideEncryptionByDefault.BucketKeyEnabled + condition: EQUAL + value: true \ No newline at end of file diff --git a/kexa-chart/files/rules/perProvider/azureSetRules.yaml b/kexa-chart/files/rules/perProvider/azureSetRules.yaml new file mode 100644 index 0000000..9fae786 --- /dev/null +++ b/kexa-chart/files/rules/perProvider/azureSetRules.yaml 
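Review bot: `ec2-security-groups-source-defined` only inspects `IpRanges[].CidrIp` against `0.0.0.0/0`, so an ingress rule open to the whole IPv6 internet through `Ipv6Ranges[].CidrIpv6` `::/0` passes the check unnoticed. The `operator`/`criteria` form already used by `aws-bucket-public-access-block` (and, nested under an `ALL` value, by the drive rules) can carry both list checks, as sketched below; how a bare multi-item `value` list is combined is not visible in this commit, so the explicit `AND` is the safer form. Separately, the rule name `aws-bucket-enryption-enable` is misspelled (`encryption`) and will be painful to rename once it appears in reports, and every file added here ends with `\ No newline at end of file`.
```yaml
      - property: IpPermissions
        condition: ALL
        value:
          - operator: AND
            criteria:
              # … unchanged: IpRanges / CidrIp DIFFERENT "0.0.0.0/0" criterion …
              - property: Ipv6Ranges
                condition: ALL
                value:
                  - property: CidrIpv6
                    condition: DIFFERENT
                    value: "::/0"
```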
@@ -0,0 +1,238 @@ +- version: 1.0.0 + date: 07-18-2023 + alert: + fatal: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + error: + enabled: true + type: + - log + #- email + #- sms + to: + - myEmail@gmail.com + warning: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + info: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + global: + enabled: true + type: + - log + #- webhook + #- sms + #- email + to: + #- http://127.0.0.1:5000/test + - myEmail@gmail.com + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + - name: "check-vm-reservation" + description : "check if VM have a reservation" + applied: true + level: 0 + cloudProvider: azure + objectName : ComputeManagementClient.virtualMachines + conditions: + - property: priority + condition: REGEX + value: (?i)reservation + - name: "azure-is-disk-orphan" + description : "this rules is to check if disk is orphan" + applied: true + level: 1 + cloudProvider: azure + objectName : ComputeManagementClient.disks + conditions: + - property : diskState + condition : DIFFERENT + value : Unattached + - name: "aks-has-scaleSet" + description : "check if aks have a scaleSet" + applied: true + level: 0 + cloudProvider: azure + objectName : ContainerServiceClient.managedClusters + conditions: + - property: agentPoolProfiles + condition: ALL + value: + - property: scaleSetEvictionPolicy + condition: EQUAL + value: Delete + - name: "azure-orphan-nsg" + description : "this rules is to check if nsg is orphan" + applied: true + level: 1 + cloudProvider: azure + objectName : NetworkManagementClient.networkSecurityGroups + conditions: + - operator: OR + criteria: + - property : networkInterfaces + condition : COUNT_SUP_OR_EQUAL + value : 1 + - property : subnets + condition : COUNT_SUP_OR_EQUAL + value : 1 + - name: "Orphan virtualNetwork" + description : "this rules is to check if virtualNetwork is orphan" + 
applied: true + level: 1 + cloudProvider: azure + objectName : NetworkManagementClient.virtualNetworks + conditions: + - property : subnets + condition : COUNT_SUP_OR_EQUAL + value : 1 + - name: "azure-virtual-network-minimum-subnets" + description : "check if NSG have a minimum of subnets" + applied: true + level: 1 + cloudProvider: azure + objectName : NetworkManagementClient.virtualNetworks + conditions: + - property: subnets + condition: COUNT_SUP + value: 0 + - name: "aks-is-scaleset-down" + description : "check if aks have a scaleSet down" + applied: true + level: 0 + cloudProvider: azure + objectName : ContainerServiceClient.managedClusters + conditions: + - property: agentPoolProfiles + condition: ALL + value: + - property: scaleSetEvictionPolicy + condition: EQUAL + value: Delete + - name: "azure-check-aks-cluster-conformity" + description : "this rules is to check if aks cluster are conform to the norms" + applied: false + level: 2 + cloudProvider: azure + objectName : ContainerServiceClient.managedClusters + conditions: + - property : tags.environment + condition : REGEX + value : ^(DEV|NPR|PROD)$ + - property : tags.author + condition : DIFFERENT + value : NULL + - property : tags.billing + condition : REGEX + value : ^(VADOR|YODA|LUKE)$ + - property : sku.tier + condition : EQUAL + value : Free + - property : publicNetworkAccess + condition : EQUAL + value : Enable + - property : autoScalerProfile.scaleDownDelayAfterAdd + condition : DIFFERENT + value : NULL + - name: "azure-disk-not-public-or-encrypted" + description : "this rules is to check if disk is either not public or encrypted by default" + applied: false + level: 2 + cloudProvider: azure + objectName : ComputeManagementClient.disks + conditions: + - operator : OR + criteria: + - property : networkAccessPolicy + condition : DIFFERENT + value : AllowAll + - property : encryption.type + condition : EQUAL + value : EncryptionAtRestWithPlatformKey + - name: "azure-nsg-valid-subnet" + description : 
"check if NSG have a valid subnet" + applied: true + level: 1 + cloudProvider: azure + objectName : ContainerServiceClient.managedClusters + conditions: + - property: agentPoolProfiles + condition: COUNT + value: 2 + - name: "not-under-use-VM" + description: "this rule is if a VM is under-used (50% > CPU or 50%>RAM over 2 weeks) " + applied: true + level: 1 + cloudProvider: azure + objectName: KexaAzure.vm + conditions: + - operator: OR + criteria: + - property: instanceView.percentageCPU.mean + condition: SUP + value: 50 + - property: instanceView.availableMemoryBytes.mean + condition: SUP + value: 50 + - name: "azure-storage-account-no-public-access" + description: "this rule is to check on azure storage account for public access" + applied: false + level: 1 + cloudProvider: azure + objectName: StorageManagementClient.storageAccounts + conditions: + - property: publicNetworkAccess + condition: DIFFERENT + value: 'Enabled' + - name: "azure-storage-account-encryption-enabled" + description: "this rule is to check on azure storage account for encryption enabled" + applied: true + level: 1 + cloudProvider: azure + objectName: StorageManagementClient.storageAccounts + conditions: + - operator: AND + criteria: + - property: encryption.services.file.enabled + condition: EQUAL + value: true + - property: encryption.services.blob.enabled + condition: EQUAL + value: true + - name: "azure-storage-account-encryption-using-kms" + description: "this rule is to check on azure storage account for encryption using kms" + applied: true + level: 1 + cloudProvider: azure + objectName: StorageManagementClient.storageAccounts + conditions: + - operator: AND + criteria: + - property: encryption.services.file.keySource + condition: EQUAL + value: 'Microsoft.Keyvault' + - property: encryption.services.blob.keySource + condition: EQUAL + value: 'Microsoft.Keyvault' \ No newline at end of file 
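Review bot: In `azure-check-aks-cluster-conformity` the `publicNetworkAccess` criterion compares against `Enable`, but the Azure API reports `Enabled`/`Disabled`, so that criterion can never hold; it is also unusual for a conformity rule to require public access to be on — if the intent is to flag exposed API servers, `value : Disabled` is the defensive reading. `azure-storage-account-encryption-using-kms` reads `encryption.services.file.keySource` and `encryption.services.blob.keySource`; as far as I know the storage SDK exposes the key source once at `encryption.keySource` while `services.*` only carry `enabled`/`keyType`, so please verify the path against a real account before trusting this rule. `azure-nsg-valid-subnet` is named and described as an NSG subnet check but targets `ContainerServiceClient.managedClusters` with `agentPoolProfiles COUNT 2`, and `aks-has-scaleSet` / `aks-is-scaleset-down` carry identical conditions under two names — both look like copy-paste leftovers that should be fixed or removed.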
diff --git a/kexa-chart/files/rules/perProvider/driveRules.yaml b/kexa-chart/files/rules/perProvider/driveRules.yaml new file mode 100644 index 0000000..a7bcc65 --- /dev/null +++ b/kexa-chart/files/rules/perProvider/driveRules.yaml @@ -0,0 +1,95 @@ +- version: 1.0.0 + date: 06-12-2023 + alert: + fatal: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + error: + enabled: true + type: + - log + #- email + #- sms + to: + - myEmail@gmail.com + warning: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + info: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + global: + enabled: false + type: + - log + #- webhook + #- sms + #- email + to: + #- http://127.0.0.1:5000/test + - myEmail@gmail.com + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + - name: "check-regex-drive-file-name" + description : "compare drive file name to regex for compliance" + applied: true + level: 0 + cloudProvider: googleDrive + objectName : files + conditions: + - property: name + condition: REGEX + value: /^(PUBLIC|PRIVATE)\s[A-Za-z]+/ + - name: "is-drive-file-private" + description : "this rule is to check if drive files are private" + applied: true + level: 0 + cloudProvider: googleDrive + objectName : files + conditions: + - operator: NAND + criteria: + - property : shared + condition : DIFFERENT + value : false + - property : name + condition : REGEX + value : /PRIVATE\s[A-Za-z]+/ + - name: "is-file-shared-only-by-domaine" + description : "this rule is to check if a file is shared only by domain" + applied: true + level: 0 + cloudProvider: googleDrive + objectName : files + conditions: + - property : permissions + condition : ALL + value : + - operator: NAND + criteria: + - property : type + condition : EQUAL + value : user + - property : role + condition : DIFFERENT + value : owner \ No newline at end of file 
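Review bot: `driveRules.yaml` and `googleDriveSetRules.yaml` (two sections below) ship the same three rules under the same names, differing only in `date` and `global.enabled`, so a consumer that loads the whole `perProvider` directory evaluates each rule twice and raises duplicate alerts; keep one file or document which one the chart mounts. The regex values here are written with `/…/` delimiters (`/^(PUBLIC|PRIVATE)\s[A-Za-z]+/`) while `awsSetRules.yaml` passes the bare pattern (`'\b\d{1,4}[-]\d{1,4}[-]\d{1,4}\b'`); if the engine compiles the string as-is the slashes become literal characters and these rules never match — confirm which form the `REGEX` condition expects and use it consistently across files. The rule name `is-file-shared-only-by-domaine` has a typo (`domain`).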
diff --git a/kexa-chart/files/rules/perProvider/gcpSetRules.yaml b/kexa-chart/files/rules/perProvider/gcpSetRules.yaml new file mode 100644 index 0000000..1a23e9c --- /dev/null +++ b/kexa-chart/files/rules/perProvider/gcpSetRules.yaml 
@@ -0,0 +1,110 @@ +- version: 1.0.0 + date: 07-18-2023 + alert: + fatal: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + error: + enabled: true + type: + - log + #- email + #- sms + to: + - myEmail@gmail.com + warning: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + info: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + global: + enabled: true + type: + - log + #- webhook + #- sms + #- email + to: + #- http://127.0.0.1:5000/test + - myEmail@gmail.com + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + - name: "gcp-disk-check-create-date-2-month-expiration" + description: "this rule is to check for a persistent disk create date is inferior than 2 months ago" + applied: true + level: 2 + cloudProvider: gcp + objectName: disk + conditions: + - property: creationTimestamp + condition: DATE_INF + value: 0 0 0 2 0 0 0 + date: "YYYY-MM-DDThh:mm:ss.SSSZ" + - name: "gcp-storage-bucket-public-access-block-enforced" + description: "this rule is to verify if the public access block is enabled on the bucket" + applied: true + level: 1 + cloudProvider: gcp + objectName: bucket + conditions: + - operator: AND + criteria: + - property: metadata.iamConfiguration.publicAccessPrevention + condition: EQUAL + value: 'enforced' + - name: "gcp-storage-bucket-public-access-block-enforced-or-inherited" + description: "this rule is to verify if the public access block is enabled on the bucket" + applied: true + level: 1 + cloudProvider: gcp + objectName: bucket + conditions: + - operator: OR + criteria: + - property: metadata.iamConfiguration.publicAccessPrevention + condition: EQUAL + value: 'enforced' + - property: metadata.iamConfiguration.publicAccessPrevention + condition: EQUAL + value: 'inherited' + - name: "gcp-storage-bucket-policy-only-access" + description: "this rule is to verify if the bucket is policy only access" + applied: true + level: 1 + 
cloudProvider: gcp + objectName: bucket + conditions: + - property: metadata.iamConfiguration.bucketPolicyOnly.enabled + condition: EQUAL + value: true + - name: "gcp-storage-bucket-level-access" + description: "this rule is to verify if the bucket is policy only" + applied: true + level: 1 + cloudProvider: gcp + objectName: bucket + conditions: + - property: metadata.iamConfiguration.uniformBucketLevelAccess.enabled + condition: EQUAL + value: true \ No newline at end of file diff --git a/kexa-chart/files/rules/perProvider/githubSetRules.yaml b/kexa-chart/files/rules/perProvider/githubSetRules.yaml new file mode 100644 index 0000000..400c818 --- /dev/null +++ b/kexa-chart/files/rules/perProvider/githubSetRules.yaml 
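Review bot: `gcp-storage-bucket-public-access-block-enforced-or-inherited` accepts `inherited`, which only means the bucket defers to the organization policy — with no org constraint in place such a bucket can still be made public — so the description "verify if the public access block is enabled on the bucket" overstates what the rule guarantees; either describe it as the org-policy-aware variant or drop the `inherited` branch. The `DATE_INF` value in `gcp-disk-check-create-date-2-month-expiration` is `0 0 0 2 0 0 0`, whereas the AWS two-month rule uses `0 0 0 0 0 2 0` and the helm rule annotates `0 0 0 0 0 3 0 # last 3 months`; one of the two encodings is not two months — verify the field order. `bucketPolicyOnly` is the legacy alias of `uniformBucketLevelAccess`, so the last two rules check the same setting twice, and the single-criterion `operator: AND` in the `enforced` rule is redundant.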
@@ -0,0 +1,97 @@ +- version: 1.0.0 + date: 07-18-2023 + alert: + fatal: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + error: + enabled: true + type: + - log + #- email + #- sms + to: + - myEmail@gmail.com + warning: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + info: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + global: + enabled: true + type: + - log + #- webhook + #- sms + #- email + to: + #- http://127.0.0.1:5000/test + - myEmail@gmail.com + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + - name: "git-is-repository-private" + description: "this rules is to check if git repo is private" + applied: true + level: 0 + cloudProvider: github + objectName: repositories + conditions: + - property: private + condition: EQUAL + value: true + - name: "git-is-branch-protected" + description: "this rules is to check if git branch is protected" + applied: true + level: 0 + cloudProvider: github + objectName: branches + conditions: + - operator: NAND + criteria: + - property : protected + condition : DIFFERENT + value : true + - property : name + condition : EQUAL + value : master + - name: "git-count-repo-orga" + description : "this rules is to count the number of repo in a git organization" + applied: false + level: 0 + cloudProvider: github + objectName : repositories + conditions: + - property : topics + condition : COUNT + value : 0 + - name: "git-runner-are-online" + description : "this rules is to check if git runner are online" + applied: true + level: 0 + cloudProvider: github + objectName : runners + conditions: + - property : status + condition : DIFFERENT + value : offline \ No newline at end of file diff --git a/kexa-chart/files/rules/perProvider/googleDriveSetRules.yaml b/kexa-chart/files/rules/perProvider/googleDriveSetRules.yaml new file mode 100644 index 0000000..e5e06c4 --- /dev/null 
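Review bot: `git-is-branch-protected` only evaluates branches named `master`, so repositories whose default branch is `main` (the current GitHub default) are never checked at all; matching both names, e.g. `condition : REGEX` with `value : ^(master|main)$` in the second criterion, or keying on the repository's `default_branch`, closes that gap. `git-count-repo-orga` is described as counting repositories in an organization but its condition is `topics COUNT 0`, which counts topics on each repository; it is `applied: false`, so this is only misleading for now, but the description or the condition should change.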
+++ b/kexa-chart/files/rules/perProvider/googleDriveSetRules.yaml @@ -0,0 +1,95 @@ +- version: 1.0.0 + date: 07-18-2023 + alert: + fatal: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + error: + enabled: true + type: + - log + #- email + #- sms + to: + - myEmail@gmail.com + warning: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + info: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + global: + enabled: true + type: + - log + #- webhook + #- sms + #- email + to: + #- http://127.0.0.1:5000/test + - myEmail@gmail.com + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + - name: "check-regex-drive-file-name" + description : "compare drive file name to regex for compliance" + applied: true + level: 0 + cloudProvider: googleDrive + objectName : files + conditions: + - property: name + condition: REGEX + value: /^(PUBLIC|PRIVATE)\s[A-Za-z]+/ + - name: "is-drive-file-private" + description : "this rule is to check if drive files are private" + applied: true + level: 0 + cloudProvider: googleDrive + objectName : files + conditions: + - operator: NAND + criteria: + - property : shared + condition : DIFFERENT + value : false + - property : name + condition : REGEX + value : /PRIVATE\s[A-Za-z]+/ + - name: "is-file-shared-only-by-domaine" + description : "this rule is to check if a file is shared only by domain" + applied: true + level: 0 + cloudProvider: googleDrive + objectName : files + conditions: + - property : permissions + condition : ALL + value : + - operator: NAND + criteria: + - property : type + condition : EQUAL + value : user + - property : role + condition : DIFFERENT + value : owner \ No newline at end of file diff --git a/kexa-chart/files/rules/perProvider/googleWorkspaceSetRules.yaml b/kexa-chart/files/rules/perProvider/googleWorkspaceSetRules.yaml new file mode 100644 index 0000000..524a1d1 --- /dev/null 
+++ b/kexa-chart/files/rules/perProvider/googleWorkspaceSetRules.yaml 
@@ -0,0 +1,102 @@ +- version: 1.0.0 + date: 07-18-2023 + alert: + fatal: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + error: + enabled: true + type: + - log + #- email + #- sms + to: + - myEmail@gmail.com + warning: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + info: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + global: + enabled: true + type: + - log + #- webhook + #- sms + #- email + to: + #- http://127.0.0.1:5000/test + - myEmail@gmail.com + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + - name: "workspace-user-mfa-activated" + description: "verify if mfa is activated on user account" + applied: true + level: 2 + cloudProvider: googleWorkspace + objectName: user + conditions: + - property: isEnrolledIn2Sv + condition: EQUAL + value: true + - name: "workspace-user-mfa-enforced" + description: "verify if mfa is enforced for user account" + applied: true + level: 2 + cloudProvider: googleWorkspace + objectName: user + conditions: + - property: isEnforcedIn2Sv + condition: EQUAL + value: true + - name: "workspace-user-change-passwd-next-login" + description: "verify if there is at least one super admin for OU" + applied: true + level: 2 + cloudProvider: googleWorkspace + objectName: user + conditions: + - property: changePasswordAtNextLogin + condition: EQUAL + value: true + - name: "workspace-at-least-one-super-admin" + description: "verify if there is at least one super admin for OU" + applied: true + level: 2 + cloudProvider: googleWorkspace + objectName: user + conditions: + - property: totalSuperAdmin + condition: SUP_OR_EQUAL + value: 1 + - name: "workspace-no-more-than-four-super-admin" + description: "verify if there is no more than four super admin for OU" + applied: true + level: 2 + cloudProvider: googleWorkspace + objectName: user + conditions: + - property: totalSuperAdmin + condition: INF_OR_EQUAL + value: 4 
\ No newline at end of file diff --git a/kexa-chart/files/rules/perProvider/helmSetRules.yaml b/kexa-chart/files/rules/perProvider/helmSetRules.yaml new file mode 100644 index 0000000..026cb30 --- /dev/null +++ b/kexa-chart/files/rules/perProvider/helmSetRules.yaml 
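Review bot: `workspace-user-change-passwd-next-login` carries the description of the rule below it ("verify if there is at least one super admin for OU"); it should read something like `description: "verify if the user must change password at next login"`. Read as a compliance condition, `changePasswordAtNextLogin EQUAL true` only holds for accounts with a pending forced reset, so as an enabled level-2 rule it would alert on essentially every normal user account; confirm the intended direction before shipping it enabled. The two `totalSuperAdmin` rules are fine, but a short comment saying that `totalSuperAdmin` is a per-domain aggregate exposed on each `user` object (if that is how the provider fills it) would save the next reader a trip to the collector code.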
@@ -0,0 +1,210 @@ +- version: 1.0.0 + date: 07-18-2023 + alert: + fatal: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + error: + enabled: true + type: + - log + #- email + #- sms + to: + - myEmail@gmail.com + warning: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + info: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + global: + enabled: true + type: + - log + #- webhook + #- sms + #- email + to: + #- http://127.0.0.1:5000/test + - myEmail@gmail.com + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + - name: "helm-chart-deployed" + description : "this rule is to verify if the helm chart is deployed" + applied: true + level: 1 + cloudProvider: helm + objectName : chart + conditions: + - property : details.status + condition : EQUAL + value : deployed + - name: "helm-chart-last-deployed-X-month" + description : "this rule is to verify if the helm chart has been deployed in the last X month" + applied: true + level: 1 + cloudProvider: helm + objectName : chart + conditions: + - property : details.lastDeployed + condition: DATE_INF + value: 0 0 0 0 0 3 0 # last 3 months + date: "YYYY-MM-DDThh:mm:ss.SSSZ" + - name: "helm-chart-max-revisions" + description : "this rule is to verify if the helm chart has less than 10 revisions" + applied: true + level: 0 + cloudProvider: helm + objectName : chart + conditions: + - property : details.revisions + condition : INF_OR_EQUAL + value : 10 + - name: "helm-chart-auto-scaling-target-cpu" + description : "this rule is to verify if autoscaling target cpu is not greater than 50" + applied: true + level: 0 + cloudProvider: helm + objectName : chart + conditions: + - operator: NAND + criteria: + - property : details.computedValues.autoscaling + condition : DIFFERENT + value : null + - property : details.computedValues.autoscaling.targetCPU + condition : SUP + value : 50 + - name: 
"helm-chart-auto-scaling-target-memory" + description : "this rule is to verify if autoscaling target memory is not greater than 50" + applied: true + level: 0 + cloudProvider: helm + objectName : chart + conditions: + - operator: NAND + criteria: + - property : details.computedValues.autoscaling + condition : DIFFERENT + value : null + - property : details.computedValues.autoscaling.targetMemory + condition : SUP + value : 50 + - name: "helm-chart-auto-scaling-enabled" + description : "this rule is to verify if autoscaling is enabled" + applied: true + level: 1 + cloudProvider: helm + objectName : chart + conditions: + - operator: NAND + criteria: + - property : details.computedValues.autoscaling + condition : DIFFERENT + value : null + - property : details.computedValues.autoscaling.enabled + condition : EQUAL + value : false + - name: "helm-chart-auto-scaling-min-replicas" + description : "this rule is to verify if autoscaling min replicas is greater than 0" + applied: true + level: 0 + cloudProvider: helm + objectName : chart + conditions: + - operator: NAND + criteria: + - property : details.computedValues.autoscaling + condition : DIFFERENT + value : null + - property : details.computedValues.autoscaling.minReplicas + condition : INF_OR_EQUAL + value : 0 + - name: "helm-chart-auto-scaling-max-replicas" + description : "this rule is to verify if autoscaling max replicas is less than 10" + applied: true + level: 0 + cloudProvider: helm + objectName : chart + conditions: + - operator: NAND + criteria: + - property : details.computedValues.autoscaling + condition : DIFFERENT + value : null + - property : details.computedValues.autoscaling.maxReplicas + condition : SUP + value : 10 + - name: "helm-chart-do-not-allow-empty-password" + description : "this rule is to ensure that the helm chart does not allow empty passwords" + applied: true + level: 2 + cloudProvider: helm + objectName : chart + conditions: + - property : details.allowEmptyPassword + condition : 
EQUAL + value : false + # This may not be working if the repository is not locally accessible or not found in artefact hub + - name: "helm-chart-no-major-version-difference" + description : "this rule is to ensure that the helm chart has no major version difference" + applied: true + level: 1 + cloudProvider: helm + objectName : chart + conditions: + - property : details.versionDifference.major + condition : EQUAL + value : 0 + # This may not be working if the repository is not locally accessible or not found in artefact hub + - name: "helm-chart-no-minor-version-difference" + description : "this rule is to ensure that the helm chart has no major version difference" + applied: false + level: 1 + cloudProvider: helm + objectName : chart + conditions: + - property : details.versionDifference.major + condition : EQUAL + value : 0 + - property : details.versionDifference.minor + condition : EQUAL + value : 0 + # This may not be working if the repository is not locally accessible or not found in artefact hub + - name: "helm-chart-no-version-difference" + description : "this rule is to ensure that the helm chart is using the latest version" + applied: false + level: 1 + cloudProvider: helm + objectName : chart + conditions: + - property : details.versionDifference.major + condition : EQUAL + value : 0 + - property : details.versionDifference.minor + condition : EQUAL + value : 0 + - property : details.versionDifference.patch + condition : EQUAL + value : 0 \ No newline at end of file diff --git a/kexa-chart/files/rules/perProvider/httpSetRules.yaml b/kexa-chart/files/rules/perProvider/httpSetRules.yaml new file mode 100644 index 0000000..6692a59 --- /dev/null +++ b/kexa-chart/files/rules/perProvider/httpSetRules.yaml 
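Review bot: `helm-chart-do-not-allow-empty-password` compares `details.allowEmptyPassword` with `EQUAL false`; charts that do not define this value at all (the common case) will expose it as null, so the level-2 rule would alert on every such release unless the engine treats a missing property as `false` — the `NAND` + `DIFFERENT null` guard used by the autoscaling rules above handles exactly this case. `helm-chart-no-minor-version-difference` reuses the description of the major-version rule; it should read e.g. `description : "this rule is to ensure that the helm chart has no major or minor version difference"`. The three version-difference rules repeat the same "may not be working" comment; if the Artifact Hub lookup can fail, the comment should say what the rule does then (skip vs. alert), since a silent skip is precisely what an out-of-date-chart check must not do.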
@@ -0,0 +1,115 @@ +- version: 1.0.0 + date: 07-18-2023 + alert: + fatal: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + error: + enabled: true + type: + - log + #- email + #- sms + to: + - myEmail@gmail.com + warning: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + info: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + global: + enabled: true + type: + - log + #- webhook + #- sms + #- email + to: + #- http://127.0.0.1:5000/test + - myEmail@gmail.com + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + - name: "http-request-date-in-body" + description : "request date in body" + applied: true + level: 0 + loudMessage: "date is present in body" + cloudProvider: http + objectName : request + conditions: + - property : body.date + condition : DIFFERENT + value : null + - name: "http-request-certificate" + description : "check if certificate is present" + applied: true + level: 0 + cloudProvider: http + objectName : request + conditions: + - property : certificate.issuer.CN + condition : EQUAL + value : "Kubernetes Ingress Controller Fake Certificate" + - property : certificate.valid_to + condition : DATE_INF + value : 0 0 0 0 0 0 + date: "MMM DD HH:mm:ss YYYY GMT" + - name: "http-request-certificate" + description : "request certificate expire in 15 days" + applied: true + level: 0 + cloudProvider: http + objectName : request + conditions: + - property : certificate.valid_to + condition : DATE_INF + value : 0 0 0 -15 0 0 + date: "MMM DD HH:mm:ss YYYY GMT" + - name: "http-request-header" + description : "http requested header" + applied: true + level: 0 + loud: true + loudMessage: "header is present" + cloudProvider: http + objectName : request + conditions: + - property : headers.content-type + condition : INCLUDE + value : "application/json" + - name: "http-request-response-code" + description : "check for a specific response code" + 
applied: true + level: 0 + cloudProvider: http + objectName : request + conditions: + - operator : OR + criteria: + - property : code + condition : EQUAL + value : 200 + - property : code + condition : EQUAL + value : 201 \ No newline at end of file diff --git a/kexa-chart/files/rules/perProvider/kubernetesSetRules.yaml b/kexa-chart/files/rules/perProvider/kubernetesSetRules.yaml new file mode 100644 index 0000000..3bed931 --- /dev/null +++ b/kexa-chart/files/rules/perProvider/kubernetesSetRules.yaml 
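Review bot: The rule name `http-request-certificate` is used twice in this hunk, and the first one asserts `certificate.issuer.CN EQUAL "Kubernetes Ingress Controller Fake Certificate"`, i.e. it passes only when the endpoint still serves the ingress controller's placeholder certificate — the condition a hardening check should flag (`condition : DIFFERENT`), not require. Its `DATE_INF` value `0 0 0 0 0 0` also has six fields where every other date rule in this commit has seven. Giving the second rule its own name (e.g. `http-request-certificate-expires-15-days`) removes the duplicate, and `http-request-date-in-body` sets `loudMessage` without the `loud: true` that `http-request-header` pairs it with, which looks unintentional.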
@@ -0,0 +1,390 @@ +- version: 1.0.0 + date: 07-18-2023 + alert: + fatal: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + error: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + warning: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + info: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + global: + enabled: true + type: + - log + # - email + to: + - myEmail@gmail.com + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + ######################## + # GENERAL # + ######################## + #change the namespace name to your namespace + - name: "kube-namespace-exist-api-4urcloud" + description : "this rules is to check if namespace exist and notifiable if exist" + applied: false + level: 0 + cloudProvider: kubernetes + objectName : namespaces + conditions: + - property : metadata.name + condition : DIFFERENT + value : 4urcloudwebsitepublic + #change the namespace name to your namespace + - name: "kube-all-pods-running-kexawebsite" + description : "this rules is to check if all pods are running for a namespace" + applied: false + level: 1 + cloudProvider: kubernetes + objectName : pods + conditions: + - operator: NAND + criteria: + - property : status.phase + condition : DIFFERENT + value : Running + - property : metadata.namespace + condition : EQUAL + value : kexawebsitepublic + # this is an example of pod autoscaler rule + - name: "kube-hozizontal-pod-autoscaler-min-max-replicas" + description : "this rules is to verify horizontal pod autoscaler min and max replicas" + applied: false + level: 1 + cloudProvider: kubernetes + objectName : hpa + conditions: + - property : spec.minReplicas + condition : SUP_OR_EQUAL + value: 1 + - property : spec.maxReplicas + condition : INF_OR_EQUAL + value: 2 + - name: "kub-all-my-helm-is-deploy" + description : "this rules is to check if some helm are not deployed" + applied: 
false + level: 1 + cloudProvider: kubernetes + objectName : helm + conditions: + - property : status + condition : EQUAL + value : deployed + + ############################# + # STORAGES & VOLUMES # + ############################# + - name: "kube-storage-class-allow-expansion" + description : "this rules is to verify storage class allow expansion" + applied: false + level: 2 + cloudProvider: kubernetes + objectName : storageclass + conditions: + - property : allowVolumeExpansion + condition : EQUAL + value: true + # this is an example of storage class disk parameters rule + - name: "kube-storage-class-disk-parameters" + description : "this rules is to verify storage class disk parameters" + applied: false + level: 1 + cloudProvider: kubernetes + objectName : storageclass + conditions: + - property : parameters.cachingMode + condition : EQUAL + value: 'None' + - property : parameters.DiskIOPSReadWrite + condition : SUP_OR_EQUAL + value: '1000' + - property : parameters.DiskMBpsReadWrite + condition : SUP_OR_EQUAL + value: '1000' + - name: "kube-is-persistent-volume-bounded" + description : "this rules is to verify that persistent volume is bounded" + applied: false + level: 1 + cloudProvider: kubernetes + objectName : persistentvolume + conditions: + - property : status.phase + condition : EQUAL + value : 'Bound' + # LINKEDIN HERE + - name: "kube-is-persistent-volume-not-pending" + description : "this rules is to verify that persistent volume is not pending" + applied: false + level: 1 + cloudProvider: kubernetes + objectName : persistentvolume + conditions: + - property : status.phase + condition : DIFFERENT + value : 'Pending' + - name: "kube-pod-stuck-terminating-state" + description : "this rules is to check if a pod is stuck in terminating state" + applied: false + level: 1 + cloudProvider: kubernetes + objectName : pods + conditions: + - property : status.phase + condition : DIFFERENT + value : Terminating + - name: 
"kube-persistent-volume-verify-storage-class" + description : "this rules is to verify for a persistent volume storage class" + applied: false + level: 1 + cloudProvider: kubernetes + objectName : persistentvolume + conditions: + - property : spec.storageClassName + condition : EQUAL + value : 'premium2-disk-sc' + - name: "kube-volume-mounts-read-only" + description : "this rules is to verify volume mounts are read only" + applied: false + level: 2 + cloudProvider: kubernetes + objectName : pods + conditions: + - property : spec.containers + condition : ALL + value: + - property: volumeMounts + condition: ALL + value: + - property : readOnly + condition : EQUAL + value : true + + ######################### + # PODS CONSUMPTION # + ######################### + # pods memory % consumption alert + - name: "kube-pods-memory-limitation" + description : "this rules is to verify pods memory limitation" + applied: false + level: 2 + cloudProvider: kubernetes + objectName : podsConsumption + conditions: + - property : MemoryUsage + condition : INF + value: 599428096 + # pods CPU % consumption alert + - name: "kube-pods-cpu-limitation" + description : "this rules is to verify cpu usage limitation" + applied: false + level: 2 + cloudProvider: kubernetes + objectName : podsConsumption + conditions: + - property : CPUUsage + condition : INF + value: 0.02 + + ######################### + # PODS STATE CONDITIONS # + ######################### + - name: "kube-pod-stuck-pending-state" + description : "this rules is to check if a pod is stuck in pending state" + applied: false + level: 1 + cloudProvider: kubernetes + objectName : pods + conditions: + - property : status.phase + condition : DIFFERENT + value : Pending + - name: "kube-pod-not-ready-to-start-container" + description : "this rules is to check if pod is ready to start container" + applied: false + level: 0 + cloudProvider: kubernetes + objectName : pods + conditions: + - property : 
status.formattedConditions.Initialized.PodReadyToStartContainers.status + condition : EQUAL + value: 'True' + - name: "kube-pod-not-initialized" + description : "this rules is to check if pod is ready to start container" + applied: false + level: 1 + cloudProvider: kubernetes + objectName : pods + conditions: + - property : status.formattedConditions.Initialized.status + condition : EQUAL + value: 'True' + - name: "kube-pod-not-ready" + description : "this rules is to check if pod is ready" + applied: false + level: 1 + cloudProvider: kubernetes + objectName : pods + conditions: + - property : status.formattedConditions.Ready.status + condition : EQUAL + value: 'True' + - name: "kube-pod-containers-not-ready" + description : "this rules is to check if pod is ready" + applied: false + level: 1 + cloudProvider: kubernetes + objectName : pods + conditions: + - property : status.formattedConditions.ContainersReady.status + condition : EQUAL + value: 'True' + - name: "kube-pod-not-scheduled" + description : "this rules is to check if pod is ready" + applied: false + level: 1 + cloudProvider: kubernetes + objectName : pods + conditions: + - property : status.formattedConditions.PodScheduled.status + condition : EQUAL + value: 'True' + + + ######################### + # NODE STATE CONDITIONS # + ######################### + - name: "kube-node-network-unavailable" + description : "this rules is to check if route controller is ok" + applied: false + level: 1 + cloudProvider: kubernetes + objectName : node + conditions: + - property: status.formattedConditions.NetworkUnavailable.status + condition : EQUAL + value: 'False' + - name: "kube-node-kernel-deadlock" + description : "this rules is to check if kernel is in deadlock state" + applied: false + level: 1 + cloudProvider: kubernetes + objectName : node + conditions: + - property: status.formattedConditions.KernelDeadlock.status + condition : EQUAL + value: 'False' + - name: "kube-node-frequent-kubelet-restart" + description 
: "this rules is to check if there is frequent kubelet restart" + applied: false + level: 1 + cloudProvider: kubernetes + objectName : node + conditions: + - property: status.formattedConditions.FrequentKubeletRestart.status + condition : EQUAL + value: 'False' + - name: "kube-node-container-runtime-is-up" + description : "this rules is to check if container runtime is up" + applied: false + level: 1 + cloudProvider: kubernetes + objectName : node + conditions: + - property: status.formattedConditions.ContainerRuntimeProblem.status + condition : EQUAL + value: 'False' + - name: "kube-node-file-system-is-ok" + description : "this rules is to check if therre is a file corruption problem" + applied: false + level: 1 + cloudProvider: kubernetes + objectName : node + conditions: + - property: status.formattedConditions.FilesystemCorruptionProblem.status + condition : EQUAL + value: 'False' + - name: "kube-node-frequent-docker-restart" + description : "this rules is to check if there is frequent docker restart" + applied: false + level: 1 + cloudProvider: kubernetes + objectName : node + conditions: + - property: status.formattedConditions.FrequentDockerRestart.status + condition : EQUAL + value: 'False' + - name: "kube-node-frequent-container-restart" + description : "this rules is to check if there is frequent container restart" + applied: false + level: 1 + cloudProvider: kubernetes + objectName : node + conditions: + - property: status.formattedConditions.FrequentContainerdRestart.status + condition : EQUAL + value: 'False' + - name: "kube-node-memory-pressure" + description : "this rules is to check kubelet has sufficient memory available" + applied: false + level: 1 + cloudProvider: kubernetes + objectName : node + conditions: + - property: status.formattedConditions.MemoryPressure.status + condition : EQUAL + value: 'False' + - name: "kube-node-disk-pressure" + description : "this rules is to check if there is disk pressure" + applied: false + level: 1 + 
cloudProvider: kubernetes + objectName : node + conditions: + - property: status.formattedConditions.DiskPressure.status + condition : EQUAL + value: 'False' + + #################################################################################################### + # EVENTS RULES https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/events/event.go # + #################################################################################################### + + - name: "kube-event-image-pull-fail" + description : "this rules is to check if there is event of image pull fail" + applied: false + level: 1 + cloudProvider: kubernetes + objectName : event + conditions: + - property: reason + condition : DIFFERENT + value: 'FailedToPullImage' diff --git a/kexa-chart/files/rules/perProvider/o365SetRules.yaml b/kexa-chart/files/rules/perProvider/o365SetRules.yaml new file mode 100644 index 0000000..a4013f9 --- /dev/null +++ b/kexa-chart/files/rules/perProvider/o365SetRules.yaml 
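Review bot: `kube-event-image-pull-fail` compares `reason` with `'FailedToPullImage'`, but that is the Go identifier in the kubelet events file linked in the comment above it; the string an Event's `reason` field actually carries is the identifier's value, which upstream defines as `"Failed"`, so as written the rule never matches and will report clean even while images are failing to pull once it is enabled — use `value: 'Failed'` (and consider a second rule for `'BackOff'`, the reason emitted for image pull back-off). `kube-pod-stuck-terminating-state` has the same shape of defect: `Terminating` is not a value of `status.phase` (the phases are Pending, Running, Succeeded, Failed and Unknown); kubectl derives that display state from `metadata.deletionTimestamp`, so that rule cannot fire either and would need to test `metadata.deletionTimestamp` with `DIFFERENT` / `null` instead. Every rule in this file ships with `applied: false`, so neither is active today, but a compliance rule that can never fail is worse than none because it reports coverage that does not exist.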
@@ -0,0 +1,95 @@
+- version: 1.0.0
+ date: 07-18-2023
+ alert:
+ fatal:
+ enabled: true
+ type:
+ - log
+ #- email
+ to:
+ - myEmail@gmail.com
+ error:
+ enabled: true
+ type:
+ - log
+ #- email
+ #- sms
+ to:
+ - myEmail@gmail.com
+ warning:
+ enabled: true
+ type:
+ - log
+ #- email
+ to:
+ - myEmail@gmail.com
+ info:
+ enabled: true
+ type:
+ - log
+ #- email
+ to:
+ - myEmail@gmail.com
+ global:
+ enabled: true
+ type:
+ - log
+ #- webhook
+ #- sms
+ #- email
+ to:
+ #- http://127.0.0.1:5000/test
+ - myEmail@gmail.com
+ conditions:
+ - level: 0
+ min: 1
+ - level: 1
+ min: 1
+ - level: 2
+ min: 1
+ - level: 3
+ min: 1
+ rules:
+ - name: "o365-is-skus-not-used"
+ description: "this rule is if a subscribed sku is not being used"
+ applied: true
+ level: 1
+ cloudProvider: o365
+ objectName: sku
+ conditions:
+ - property: consumedUnits
+ condition: SUP
+ value: 0
+ - name: "o365-check-jobtitle-defined"
+ description: "this rule is to check for non defined job title"
+ applied: true
+ level: 1
+ cloudProvider: o365
+ objectName: user
+ conditions:
+ - property: jobTitle
+ condition: DIFFERENT
+ value: null
+ - name: "o365-is-simple-member"
+ description: "this rule is to check for simple members"
+ applied: true
+ level: 1
+ cloudProvider: o365
+ objectName: user
+ conditions:
+ - property: userType
+ condition: EQUAL
+ value: Member
+ - name: "o365-is-mfa-activated-on-user"
+ description: "check if at least 2 auth factors are active"
+ applied: true
+ level: 2
+ cloudProvider: o365
+ objectName: auth_methods
+ conditions:
+ - property: methods
+ condition: ONE
+ value:
+ - property: dataType
+ condition: EQUAL
+ value: "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"
\ No newline at end of file
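Review bot: `o365-is-mfa-activated-on-user` is described as "check if at least 2 auth factors are active", but its only condition looks for a `methods` entry whose `dataType` is the Microsoft Authenticator type, so a user registered only with a FIDO2 key, a software OATH token or phone sign-in fails the check, while a user who merely registered Authenticator passes even though registration is not enforcement (that is decided by Conditional Access or security defaults, which nothing here reads). If the collector returns the full Graph `authentication/methods` list, the password method is always present, so "at least one second factor" is a count on `methods` (`condition: COUNT_SUP` / `value: 1`, if that operator is available in this engine) or a match over the several strong method types rather than one; whether `ONE` means exactly one or at least one is not visible here and it matters for users with two Authenticator devices. At minimum change the description to "check that a Microsoft Authenticator method is registered" so the rule does not claim more than it verifies, and rename the rule to say "registered" rather than "activated".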