From 1759e5c6aa44edc538c0d6af6703f419901e53f7 Mon Sep 17 00:00:00 2001 
From: Adrien E
Date: Mon, 16 Sep 2024 08:24:56 +0000
Subject: [PATCH] Get new rules
---
 .../files/rules/AwsComplianceSetRules.yaml | 133 +++++++++
 .../files/rules/AzureComplianceSetRules.yaml | 111 ++++++++
 .../files/rules/BenchmarkOffice365.yaml | 266 ++++++++++++++++++
 .../files/rules/BenchmarkWorkspace.yaml | 102 +++++++
 kexa-chart/files/rules/Deployement.yaml | 137 +++++++++
 kexa-chart/files/rules/Economy.yaml | 156 ++++++++++
 .../files/rules/GcpComplianceSetRules.yaml | 71 +++++
 kexa-chart/files/rules/HTTPRules.yaml | 118 ++++++++
 .../files/rules/KubeComplianceSetRules.yaml | 107 +++++++
 kexa-chart/files/rules/Kubernete.yaml | 191 +++++++++++++
 .../files/rules/OperationalExcellence.yaml | 125 ++++++++
 kexa-chart/files/rules/Performance.yaml | 65 +++++
 kexa-chart/files/rules/PostDeployement.yaml | 84 ++++++
 kexa-chart/files/rules/PreDeployement.yaml | 97 +++++++
 kexa-chart/files/rules/SecretsRotation.yaml | 169 +++++++++++
 kexa-chart/files/rules/Security.yaml | 126 +++++++++
 kexa-chart/files/rules/StorageSecurity.yaml | 207 ++++++++++++++
 .../files/rules/crossCloudDisksChecks.yaml | 125 ++++++++
 .../files/rules/helmConfigurations.yaml | 145 ++++++++++
 kexa-chart/files/rules/helmConsumptions.yaml | 78 +++++
 kexa-chart/files/rules/helmStatus.yaml | 79 ++++++
 21 files changed, 2692 insertions(+)
 create mode 100644 kexa-chart/files/rules/AwsComplianceSetRules.yaml
 create mode 100644 kexa-chart/files/rules/AzureComplianceSetRules.yaml
 create mode 100644 kexa-chart/files/rules/BenchmarkOffice365.yaml
 create mode 100644 kexa-chart/files/rules/BenchmarkWorkspace.yaml
 create mode 100644 kexa-chart/files/rules/Deployement.yaml
 create mode 100644 kexa-chart/files/rules/Economy.yaml
 create mode 100644 kexa-chart/files/rules/GcpComplianceSetRules.yaml
 create mode 100644 kexa-chart/files/rules/HTTPRules.yaml
 create mode 100644 kexa-chart/files/rules/KubeComplianceSetRules.yaml
 create mode 100644 kexa-chart/files/rules/Kubernete.yaml
 create mode 100644 kexa-chart/files/rules/OperationalExcellence.yaml
 create mode 100644 kexa-chart/files/rules/Performance.yaml
 create mode 100644 kexa-chart/files/rules/PostDeployement.yaml
 create mode 100644 kexa-chart/files/rules/PreDeployement.yaml
 create mode 100644 kexa-chart/files/rules/SecretsRotation.yaml
 create mode 100644 kexa-chart/files/rules/Security.yaml
 create mode 100644 kexa-chart/files/rules/StorageSecurity.yaml
 create mode 100644 kexa-chart/files/rules/crossCloudDisksChecks.yaml
 create mode 100644 kexa-chart/files/rules/helmConfigurations.yaml
 create mode 100644 kexa-chart/files/rules/helmConsumptions.yaml
 create mode 100644 kexa-chart/files/rules/helmStatus.yaml
diff --git a/kexa-chart/files/rules/AwsComplianceSetRules.yaml b/kexa-chart/files/rules/AwsComplianceSetRules.yaml
new file mode 100644
index 0000000..74243e7
--- /dev/null
+++ b/kexa-chart/files/rules/AwsComplianceSetRules.yaml
@@ -0,0 +1,133 @@ +- version: 1.0.0 + date: 02-23-2024 + alert: + fatal: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + error: + enabled: true + type: + - log + #- email + #- sms + to: + - myEmail@gmail.com + warning: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + info: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + global: + enabled: true + type: + - log + #- webhook + #- sms + #- email + to: + #- http://127.0.0.1:5000/test + - myEmail@gmail.com + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + - name: "aws-rg-tagsvalue-check-for-expiration-date" + description: "this rule is to check if tags contain an expiration date (separate with \"-\")" + applied: false + level: 1 + cloudProvider: aws + objectName: KexaAwsCustoms.tagsValueListing + conditions: + - property: name + condition: REGEX + value: '\b\d{1,4}[-]\d{1,4}[-]\d{1,4}\b' + # need to define behavior + - name: "aws-resources-tags-key-value-check" + description: "this rule is to check if tags and their value match your tagging policy" + applied: false + level: 1 + cloudProvider: aws + objectName: KexaAwsCustoms.resourcesTags + conditions: + - property: Tags + condition: ALL + value: + - operator: OR + criteria: + - operator: AND + criteria: + - property: Key + condition : EQUAL + value : Name + - property: Value + condition: DIFFERENT + value: null + - operator: AND + criteria: + - property: Key + condition : EQUAL + value : Environment + - property: Value + condition : REGEX + value : ^(prod|dev)$ + - operator: AND + criteria: + - property: Key + condition : EQUAL + value : AmazonECSManaged + - property: Value + condition : REGEX + value : ^(true|false)$ + # need to define behavior + - name: "aws-user-tags-check" + description: "this rule is to check if tags contain an expiration date (separate with \"-\")" + applied: false + level: 1 + cloudProvider: aws + objectName: 
IAMClient.UserTags + conditions: + - property: Tags + condition: ALL + value: + - property: Key + condition : REGEX + value : ^AKIA + - property: Value + condition: DIFFERENT + value: 'titi' + # need to define behavior + - name: "aws-instance-profile-tags-check" + description: "this rule is to check if tags contain an expiration date (separate with \"-\")" + applied: false + level: 1 + cloudProvider: aws + objectName: IAMClient.InstanceProfileTags + conditions: + - property: Tags + condition: ALL + value: + - property: Key + condition : REGEX + value : ^AKIA + - property: Value + condition: DIFFERENT + value: 'titi' \ No newline at end of file diff --git a/kexa-chart/files/rules/AzureComplianceSetRules.yaml b/kexa-chart/files/rules/AzureComplianceSetRules.yaml new file mode 100644 index 0000000..af0debd --- /dev/null +++ b/kexa-chart/files/rules/AzureComplianceSetRules.yaml 
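Review bot: The descriptions of `aws-user-tags-check` and `aws-instance-profile-tags-check` say they check tags for an expiration date, but their conditions match a tag `Key` against `^AKIA` and require a `Value` different from the placeholder `'titi'`, so text and logic disagree. The `^AKIA` pattern looks like an attempt to catch AWS access key IDs pasted into IAM tags, which would be a worthwhile credential-hygiene check, but with `applied: false`, the check on `Key` rather than `Value`, and a placeholder comparison it cannot be relied on as written. Either finish the rule — e.g. `description: "flag IAM user/instance-profile tags whose value looks like an AWS access key ID"` with `condition: REGEX` / `value: '^AKIA[0-9A-Z]{16}$'` on `Value` — or drop it until the two `# need to define behavior` markers are resolved. The `to: - myEmail@gmail.com` placeholders repeated under every alert level are shipped inside the chart; a comment stating they must be overridden per deployment would help operators.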
@@ -0,0 +1,111 @@ +- version: 1.0.0 + date: 02-23-2024 + alert: + fatal: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + error: + enabled: true + type: + - log + #- email + #- sms + to: + - myEmail@gmail.com + warning: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + info: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + global: + enabled: true + type: + - log + #- webhook + #- sms + #- email + to: + #- http://127.0.0.1:5000/test + - myEmail@gmail.com + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + # Azure tag/value checking + - name: "azure-tags-check" + description: "this rule is to check on azure tags for a specific pattern" + applied: true + level: 1 + cloudProvider: azure + objectName: ResourceManagementClient.tagsOperations + conditions: + - operator: OR + criteria: + - operator: AND + criteria: + - property: tagName + condition: EQUAL + value: environment + - property: values + condition: ALL + value: + - property: tagValue + condition: REGEX + value : ^(npr|prd)$ + - operator: AND + criteria: + - property: tagName + condition: EQUAL + value: billing + - property: values + condition: ALL + value: + - property: tagValue + condition: REGEX + value : ^(project1|project2)$ + # Azure naming convention : resouceType-WorkloadApplication-Environment-Region-Instance + # Example : pip-sharepoint-prod-westus-001 + - name: "azure-resources-name-convention-check" + description: "this rule is to check on azure resources name for a Azure naming convention pattern" + applied: true + level: 1 + cloudProvider: azure + objectName: ResourceManagementClient.resources + conditions: + - property: name + condition: REGEX + value: '^[a-zA-Z0-9]+-[a-zA-Z0-9]+-[a-zA-Z0-9]+-[a-zA-Z0-9]+-[a-zA-Z0-9]+$' + - name: "azure-check-logs" + description: "this rule is to check logs" + applied: true + level: 1 + cloudProvider: azure + objectName: 
OperationalInsightsManagementClient.operationStatuses + conditions: + - operator: OR + criteria: + - property: tagName + condition: REGEX + value: 'ExpirationDate' + - property: tagName + condition: REGEX + value: 'expirationdate' \ No newline at end of file diff --git a/kexa-chart/files/rules/BenchmarkOffice365.yaml b/kexa-chart/files/rules/BenchmarkOffice365.yaml new file mode 100644 index 0000000..6267085 --- /dev/null +++ b/kexa-chart/files/rules/BenchmarkOffice365.yaml 
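Review bot: `azure-check-logs` is `applied: true` but its conditions test a `tagName` property for `ExpirationDate`/`expirationdate` on `OperationalInsightsManagementClient.operationStatuses` objects, while the description only says "check logs"; the object and the condition do not appear to belong together, which suggests the body was copied from a tag rule. If the property is absent on those objects the rule will presumably evaluate false for every item and fire on every run, burying real findings. Either point the rule at a tag-bearing object or replace the two unanchored regexes with one anchored, case-insensitive check, `condition: REGEX` / `value: '^(?i)expirationdate$'` (the `(?i)` form is already used by `Economy.yaml` in this commit), and rewrite the description to say what is actually verified.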
@@ -0,0 +1,266 @@ +- version: 1.0.0 + date: 07-18-2023 + alert: + fatal: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + error: + enabled: true + type: + - log + #- email + #- sms + to: + - myEmail@gmail.com + warning: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + info: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + global: + enabled: true + type: + - log + #- webhook + #- sms + #- email + to: + #- http://127.0.0.1:5000/test + - myEmail@gmail.com + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + - name: "o365-between-two-and-four-global-admins" + description: "verify there is at least two and no more than four global administrator" + remediation: "Set at least two and a maximum of four Global Administrator users" + applied: true + level: 2 + cloudProvider: o365 + objectName: directory_role + conditions: + - operator: OR + criteria: + - property: displayName + condition: DIFFERENT + value: "Global Administrator" + - operator: AND + criteria: + - property: assignedUsers + condition: COUNT_SUP_OR_EQUAL + value: 2 + - property: assignedUsers + condition: COUNT_INF_OR_EQUAL + value: 4 + - name: "o365-is-group-public" + description: "verify if public groups exist" + remediation: "Set the visibility of this group to 'Private' or 'Hidden membership'" + applied: true + level: 1 + cloudProvider: o365 + objectName: group + conditions: + - operator: OR + criteria: + - property: visibility + condition: DIFFERENT + value: "Public" + - name: "o365-is-user-mfa-activated" + description: "verify if mfa is activated for users" + remediation: "test" + applied: true + level: 2 + cloudProvider: o365 + objectName: auth_methods + conditions: + - property: methods + condition: SOME + value: + - property: dataType + condition: EQUAL + value: "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod" + - name: "o365-do-timeout-exist" + description: 
"verify if there is active timeout policies" + applied: true + level: 2 + cloudProvider: o365 + objectName: policy + conditions: + - property: . + condition: SOME + value: + - property: displayName + condition: EQUAL + value: ActivityBasedTimeoutPolicy + - name: "o365-is-idle-timeout-set-3h" + description: "verify if idle timeout for inactive user is set to three hours" + applied: true + level: 2 + cloudProvider: o365 + objectName: policy + conditions: + - operator: XOR + criteria: + - property: displayName + condition: DIFFERENT + value: ActivityBasedTimeoutPolicy + - property: definition.ActivityBasedTimeoutPolicy.ApplicationPolicies + condition: ALL + value: + - property: WebSessionIdleTimeout + condition: EQUAL + value: 03:00:00 + - name: "o365-security-default" + description: "verify if security default policy is disabled" + applied: true + level: 2 + cloudProvider: o365 + objectName: policy + conditions: + - operator: NAND + criteria: + - property: displayName + condition: EQUAL + value: 'Security Defaults' + - property: isEnabled + condition: EQUAL + value: true + - name: "o365-is-microsoft-auth-enable" + description: "verify if microsoft authenticator is enabled" + applied: true + level: 2 + cloudProvider: o365 + objectName: policy + conditions: + - operator: XOR + criteria: + - property: displayName + condition: DIFFERENT + value: 'Authentication Methods Policy' + - property: authenticationMethodConfigurations + condition: SOME + value: + - property: id + condition: EQUAL + value: 'MicrosoftAuthenticator' + - property: state + condition: EQUAL + value: 'disabled' + - name: "o365-default-user-cannot-create-tenant" + description: "ensure that default user is not allowed to create tenant" + applied: true + level: 2 + cloudProvider: o365 + objectName: policy + conditions: + - operator: NAND + criteria: + - property: displayName + condition: EQUAL + value: 'Authorization Policy' + - property: defaultUserRolePermissions.allowedToCreateTenants + condition: EQUAL 
+ value: true + - name: "o365-conditional-access-block-inheritance-auth" + description: "ensure that the authentication inheritance blocking policy is enable and active" + applied: true + level: 2 + cloudProvider: o365 + objectName: conditional_access + conditions: + - property: . + condition: SOME + value: + - operator: AND + criteria: + - property: templateId + condition: EQUAL + value: '0b2282f9-2862-4178-88b5-d79340b36cb8' + - property: state + condition: EQUAL + value: 'enabled' + - name: "o365-conditional-access-users-mfa" + description: "ensure that the MFA is enforced for all users" + applied: true + level: 2 + cloudProvider: o365 + objectName: conditional_access + conditions: + - property: . + condition: SOME + value: + - operator: AND + criteria: + - property: templateId + condition: EQUAL + value: 'a3d0a415-b068-4326-9251-f9cdf9feeb64' + - property: state + condition: EQUAL + value: 'enabled' + - name: "o365-conditional-access-admins-mfa" + description: "ensure that the MFA is enforced for all users in admins roles" + applied: true + level: 2 + cloudProvider: o365 + objectName: conditional_access + conditions: + - property: . 
+ condition: SOME + value: + - operator: AND + criteria: + - property: templateId + condition: EQUAL + value: 'c7503427-338e-4c5e-902d-abe252abfb43' + - property: state + condition: EQUAL + value: 'enabled' + - name: "o365-sharepoint-external-user-cannot-reshare" + description: "ensure that sharepoint external user cannot reshare files" + applied: true + level: 2 + cloudProvider: o365 + objectName: sharepoint_settings + conditions: + - property: isResharingByExternalUsersEnabled + condition: EQUAL + value: false + - name: "o365-sharepoint-external-sharing-disabled" + description: "ensure that sharepoint external sharing is disabled" + applied: true + level: 2 + cloudProvider: o365 + objectName: sharepoint_settings + conditions: + - property: sharingCapability + condition: EQUAL + value: 'disabled' + - name: "o365-sharepoint-sync-restricted-unmanaged-device" + description: "ensure that sync is restricted for unmanaged devices" + applied: true + level: 2 + cloudProvider: o365 + objectName: sharepoint_settings + conditions: + - property: isUnmanagedSyncAppForTenantRestricted + condition: EQUAL + value: true \ No newline at end of file diff --git a/kexa-chart/files/rules/BenchmarkWorkspace.yaml b/kexa-chart/files/rules/BenchmarkWorkspace.yaml new file mode 100644 index 0000000..524a1d1 --- /dev/null +++ b/kexa-chart/files/rules/BenchmarkWorkspace.yaml 
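Review bot: `o365-is-microsoft-auth-enable` appears inverted: for the `Authentication Methods Policy` object the `displayName DIFFERENT` branch is false, so the XOR is satisfied only when the `SOME` branch finds a configuration with `id: MicrosoftAuthenticator` and `state: 'disabled'` — the rule passes when Microsoft Authenticator is disabled, the opposite of its description (assuming, as in the sibling rules such as `o365-is-group-public`, that a true condition means compliant and the listed sub-conditions are ANDed). Change `value: 'disabled'` to `value: 'enabled'`. Two smaller items in the same hunk: `o365-is-idle-timeout-set-3h` writes `value: 03:00:00` unquoted, which a YAML 1.1 loader reads as the sexagesimal integer 10800 rather than the string the comparison needs, so quote it as `value: '03:00:00'`; and `o365-is-user-mfa-activated` ships `remediation: "test"`, which reaches operators in alerts and should be real guidance such as `remediation: "Register Microsoft Authenticator as an authentication method for the user"`.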
@@ -0,0 +1,102 @@ +- version: 1.0.0 + date: 07-18-2023 + alert: + fatal: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + error: + enabled: true + type: + - log + #- email + #- sms + to: + - myEmail@gmail.com + warning: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + info: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + global: + enabled: true + type: + - log + #- webhook + #- sms + #- email + to: + #- http://127.0.0.1:5000/test + - myEmail@gmail.com + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + - name: "workspace-user-mfa-activated" + description: "verify if mfa is activated on user account" + applied: true + level: 2 + cloudProvider: googleWorkspace + objectName: user + conditions: + - property: isEnrolledIn2Sv + condition: EQUAL + value: true + - name: "workspace-user-mfa-enforced" + description: "verify if mfa is enforced for user account" + applied: true + level: 2 + cloudProvider: googleWorkspace + objectName: user + conditions: + - property: isEnforcedIn2Sv + condition: EQUAL + value: true + - name: "workspace-user-change-passwd-next-login" + description: "verify if there is at least one super admin for OU" + applied: true + level: 2 + cloudProvider: googleWorkspace + objectName: user + conditions: + - property: changePasswordAtNextLogin + condition: EQUAL + value: true + - name: "workspace-at-least-one-super-admin" + description: "verify if there is at least one super admin for OU" + applied: true + level: 2 + cloudProvider: googleWorkspace + objectName: user + conditions: + - property: totalSuperAdmin + condition: SUP_OR_EQUAL + value: 1 + - name: "workspace-no-more-than-four-super-admin" + description: "verify if there is no more than four super admin for OU" + applied: true + level: 2 + cloudProvider: googleWorkspace + objectName: user + conditions: + - property: totalSuperAdmin + condition: INF_OR_EQUAL + value: 4 
\ No newline at end of file diff --git a/kexa-chart/files/rules/Deployement.yaml b/kexa-chart/files/rules/Deployement.yaml new file mode 100644 index 0000000..1a4075d --- /dev/null +++ b/kexa-chart/files/rules/Deployement.yaml 
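Review bot: `workspace-user-change-passwd-next-login` carries the description "verify if there is at least one super admin for OU", copied from the rule below it, and its condition `changePasswordAtNextLogin EQUAL true` treats a user as compliant only while a forced password change is pending, which would raise an alert for every normal account. If the intent is to confirm the attribute is present in the export, `condition: DIFFERENT` / `value: null` is closer; if the intent is to surface accounts with an outstanding reset, the description should say so and `level: 2` reconsidered. Either way the description must match the check before this ships as a benchmark.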
@@ -0,0 +1,137 @@ +- version: 1.0.0 + date: 07-18-2023 + alert: + fatal: + enabled: false + type: + - log + #- email + to: + - myEmail@gmail.com + error: + enabled: false + type: + - log + #- email + to: + - myEmail@gmail.com + warning: + enabled: false + type: + - log + #- email + to: + - myEmail@gmail.com + info: + enabled: false + type: + - log + #- email + to: + - myEmail@gmail.com + global: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + - name: "git-is-repository-private" + description: "this rules is to check if git repo is private" + applied: true + level: 0 + cloudProvider: github + objectName: repositories + conditions: + - property: private + condition: EQUAL + value: true + - name: "git-is-branch-protectec" + description: "this rules is to check if git branch is protected" + applied: true + level: 0 + cloudProvider: github + objectName: branches + conditions: + - operator: NAND + criteria: + - property : protected + condition : DIFFERENT + value : true + - property : name + condition : EQUAL + value : master + - name: "http-request-date-in-body" + description : "request date in body" + applied: true + level: 0 + loudMessage: "date is present in body" + cloudProvider: http + objectName : request + conditions: + - property : body.date + condition : DIFFERENT + value : null + - name: "http-request-certificate" + description : "check if certificate is present" + applied: true + level: 0 + cloudProvider: http + objectName : request + conditions: + - property : certificate.issuer.CN + condition : EQUAL + value : "Kubernetes Ingress Controller Fake Certificate" + - property : certificate.valid_to + condition : DATE_INF + value : 0 0 0 0 0 0 + date: "MMM DD HH:mm:ss YYYY GMT" + - name: "http-request-header" + description : "http requested header" + applied: true + level: 0 + loud: true + loudMessage: "header is present" + 
cloudProvider: http + objectName : request + conditions: + - property : headers.content-type + condition : INCLUDE + value : "application/json" + #change the namespace name to your namespace + - name: "namespace-exist-api-4urcloud" + description : "this rules is to check if namespace exist and notifiable if exist" + applied: true + level: 0 + cloudProvider: kubernetes + objectName : namespaces + conditions: + - property : metadata.name + condition : DIFFERENT + value : 4urcloudwebsitepublic + #change the namespace name to your namespace + - name: "all-pods-running-kexawebsite" + description : "this rules is to check if all pods are running for a namespace" + applied: true + level: 2 + cloudProvider: kubernetes + objectName : pods + conditions: + - operator: NAND + criteria: + - property : status.phase + condition : DIFFERENT + value : Running + - property : metadata.namespace + condition : EQUAL + value : kexawebsitepublic \ No newline at end of file diff --git a/kexa-chart/files/rules/Economy.yaml b/kexa-chart/files/rules/Economy.yaml new file mode 100644 index 0000000..5d21ad0 --- /dev/null +++ b/kexa-chart/files/rules/Economy.yaml 
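Review bot: `git-is-branch-protectec` (typo in the name) only evaluates branches named `master`, so an unprotected default `main` branch — GitHub's default for new repositories — passes silently; use `condition : REGEX` / `value : ^(master|main)$` on `name`. `http-request-certificate` treats `certificate.issuer.CN` equal to `Kubernetes Ingress Controller Fake Certificate` as the expected value; that CN identifies the ingress-nginx default self-signed certificate, so outside a dev cluster a match is the misconfiguration to flag rather than the compliant state — either `condition : DIFFERENT` or a `# example value for dev clusters: replace with your CA's CN` comment would make the intent explicit. The `valid_to` check with `DATE_INF` against `0 0 0 0 0 0` reads as "expires before now", which would only pass for already-expired certificates; please confirm the intended direction and document the offset format.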
@@ -0,0 +1,156 @@ +- version: 1.0.0 + date: 07-18-2023 + alert: + fatal: + enabled: false + type: + - log + #- email + to: + - myEmail@gmail.com + error: + enabled: false + type: + - log + #- email + #- sms + to: + - myEmail@gmail.com + warning: + enabled: false + type: + - log + #- email + to: + - myEmail@gmail.com + info: + enabled: false + type: + - log + #- email + to: + - myEmail@gmail.com + global: + enabled: true + type: + - log + #- webhook + #- sms + #- email + to: + #- http://127.0.0.1:5000/test + - myEmail@gmail.com + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + - name: "check-vm-reservation" + description : "check if VM have a reservation" + applied: true + level: 0 + cloudProvider: azure + objectName : ComputeManagementClient.virtualMachines + conditions: + - property: priority + condition: REGEX + value: (?i)reservation + - name: "azure-is-disk-orphan" + description : "this rules is to check if disk is orphan" + applied: true + level: 1 + cloudProvider: azure + objectName : ComputeManagementClient.disks + conditions: + - property : diskState + condition : DIFFERENT + value : Unattached + - name: "aks-has-scaleSet" + description : "check if aks have a scaleSet" + applied: true + level: 0 + cloudProvider: azure + objectName : ContainerServiceClient.managedClusters + conditions: + - property: agentPoolProfiles + condition: ALL + value: + - property: scaleSetEvictionPolicy + condition: EQUAL + value: Delete + - name: "azure-orphan-nsg" + description : "this rules is to check if nsg is orphan" + applied: true + level: 1 + cloudProvider: azure + objectName : NetworkManagementClient.networkSecurityGroups + conditions: + - operator: OR + criteria: + - property : networkInterfaces + condition : COUNT_SUP_OR_EQUAL + value : 1 + - property : subnets + condition : COUNT_SUP_OR_EQUAL + value : 1 + - name: "Orphan virtualNetwork" + description : "this rules is to check if virtualNetwork is orphan" + 
applied: true + level: 1 + cloudProvider: azure + objectName : NetworkManagementClient.virtualNetworks + conditions: + - property : subnets + condition : COUNT_SUP_OR_EQUAL + value : 1 + - name: "aws-ec2-volume-unattached" + description: "this rule is to check if an ec2 volume is unattached" + applied: true + level: 1 + cloudProvider: aws + objectName: EC2Client.Volumes + conditions: + - property: Attachments + condition: COUNT_SUP + value: 0 + - name: "gcp-disk-check-create-date-2-month-expiration" + description: "this rule is to check for a persistent disk create date is inferior than 2 months ago" + applied: true + level: 2 + cloudProvider: gcp + objectName: disk + conditions: + - property: creationTimestamp + condition: DATE_INF + value: 0 0 0 2 0 0 0 + date: "YYYY-MM-DDThh:mm:ss.SSSZ" + - name: "o365-is-skus-not-used" + description: "this rule is if a subscribed sku is not being used" + applied: true + level: 1 + cloudProvider: o365 + objectName: sku + conditions: + - property: consumedUnits + condition: SUP + value: 0 + - name: "not-under-use-VM" + description: "this rule is if a VM is under-used (50% > CPU or 50%>RAM over 2 weeks) " + applied: true + level: 1 + cloudProvider: azure + objectName: KexaAzure.vm + conditions: + - operator: OR + criteria: + - property: instanceView.percentageCPU.mean + condition: SUP + value: 50 + - property: instanceView.availableMemoryBytes.mean + condition: SUP + value: 50 \ No newline at end of file diff --git a/kexa-chart/files/rules/GcpComplianceSetRules.yaml b/kexa-chart/files/rules/GcpComplianceSetRules.yaml new file mode 100644 index 0000000..cc78558 --- /dev/null +++ b/kexa-chart/files/rules/GcpComplianceSetRules.yaml 
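Review bot: `not-under-use-VM` compares `instanceView.availableMemoryBytes.mean` with `SUP 50`, but the property name says the value is in bytes while the description talks about 50 % RAM, so the memory branch will be true for practically any VM and the OR never reflects memory pressure; either derive a percentage or compare against a byte threshold, and say which in the description. `aks-has-scaleSet` also does not check for a scale set: it requires every `agentPoolProfiles` entry to have `scaleSetEvictionPolicy: Delete`, which as far as I know is only set on Spot node pools, so ordinary pools would fail — the description should state what is actually enforced. Note too that this file encodes "2 months" as `0 0 0 2 0 0 0` while `OperationalExcellence.yaml` in the same commit uses `0 0 0 0 0 2 0` for the same threshold; one of them is not measuring two months.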
@@ -0,0 +1,71 @@ +- version: 1.0.0 + date: 02-23-2024 + alert: + fatal: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + error: + enabled: true + type: + - log + #- email + #- sms + to: + - myEmail@gmail.com + warning: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + info: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + global: + enabled: true + type: + - log + #- webhook + #- sms + #- email + to: + #- http://127.0.0.1:5000/test + - myEmail@gmail.com + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + # WorkloadName Tags checking + - name: "gcp-tags-check" + description: "this rule is to check on gcp tags for a specific pattern" + applied: false + level: 1 + cloudProvider: gcp + objectName: tags_keys + conditions: + - operator: XNOR + criteria: + - property: tagName + condition: REGEX + value: 'WorkloadName' + - property: values + condition: ALL + value: + - property: value + condition: REGEX + value : ^(ControlCharts|OtherValue|AnotherValue)$ \ No newline at end of file diff --git a/kexa-chart/files/rules/HTTPRules.yaml b/kexa-chart/files/rules/HTTPRules.yaml new file mode 100644 index 0000000..6e51d6c --- /dev/null +++ b/kexa-chart/files/rules/HTTPRules.yaml 
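Review bot: In `gcp-tags-check` the `tagName` regex `'WorkloadName'` is unanchored, so any key containing that substring (e.g. `OldWorkloadName`) enters the XNOR and is then judged against the value allowlist; anchor it as `value: '^WorkloadName$'` to match the anchored `^(ControlCharts|OtherValue|AnotherValue)$` used for values. That allowlist still holds placeholder entries and the rule is `applied: false`, so a comment such as `# replace OtherValue/AnotherValue with the approved workload names before enabling` would stop it being switched on as-is.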
@@ -0,0 +1,118 @@ +- version: 1.0.0 + date: 06-12-2023 + alert: + fatal: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + error: + enabled: true + type: + - log + #- email + #- sms + to: + - myEmail@gmail.com + warning: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + info: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + global: + enabled: true + type: + - log + #- webhook + #- sms + #- email + to: + #- http://127.0.0.1:5000/test + - myEmail@gmail.com + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + - name: "http-request-response-code" + description : "check for a specific response code" + applied: true + level: 0 + cloudProvider: http + objectName : request + conditions: + - operator : OR + criteria: + - property : code + condition : EQUAL + value : 200 + - property : code + condition : EQUAL + value : 201 + - name: "http-request-date-in-body" + description : "check if date is in body" + applied: true + level: 0 + cloudProvider: http + objectName : request + conditions: + - operator: NAND + criteria : + - property : body.date + condition : DATE_INF_OR_EQUAL + value : 0 0 0 0 0 0 + date: "YYYY-MM-DDThh:mm:ss.SSSZ" + - operator : OR + criteria: + - property : code + condition : EQUAL + value : 200 + - property : code + condition : EQUAL + value : 201 + - name: "http-request-certificate" + description : "request certificate" + applied: true + level: 0 + cloudProvider: http + objectName : request + conditions: + - property : certificate.issuer.CN + condition : EQUAL + value : "Kubernetes Ingress Controller Fake Certificate" + - name: "http-request-header" + description : "request header content" + applied: true + level: 0 + cloudProvider: http + objectName : request + conditions: + - property : headers.content-type + condition : INCLUDE + value : "application/json" + - name: "http-TLS-version" + description : "check TLS version is 
superior to 1.2" + applied: true + level: 1 + cloudProvider: http + objectName : request + conditions: + - property : tls.protocolVersion + condition : REGEX + value : "TLSv1.[2-9]" diff --git a/kexa-chart/files/rules/KubeComplianceSetRules.yaml b/kexa-chart/files/rules/KubeComplianceSetRules.yaml new file mode 100644 index 0000000..a072619 --- /dev/null +++ b/kexa-chart/files/rules/KubeComplianceSetRules.yaml 
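Review bot: `http-TLS-version` uses the unanchored, unescaped regex `"TLSv1.[2-9]"`, where `.` matches any character and nothing pins the match to the whole version string; since the check exists to reject TLS 1.0/1.1, write it as `value : '^TLSv1\.[23]$'` (single quotes avoid double-escaping the dot). `http-request-certificate` treats `Kubernetes Ingress Controller Fake Certificate` as the expected issuer CN; that is the ingress-nginx default self-signed certificate, so for anything beyond a dev cluster the condition should be `DIFFERENT` or carry a comment that the value is an example. Unlike `Deployement.yaml` in the same commit, this file has no `certificate.valid_to` check; if the HTTP provider exposes it, an expiry rule here would catch certificates about to lapse.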
@@ -0,0 +1,107 @@ +- version: 1.0.0 + date: 07-18-2023 + alert: + fatal: + enabled: false + type: + - log + #- email + to: + - myEmail@gmail.com + error: + enabled: false + type: + - log + #- email + to: + - myEmail@gmail.com + warning: + enabled: false + type: + - log + #- email + to: + - myEmail@gmail.com + info: + enabled: false + type: + - log + #- email + to: + - myEmail@gmail.com + global: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + # pod name compliance + - name: "kube-pods-name-compliance" + description: "this rules is to check compliance of pods names" + applied: false + level: 1 + cloudProvider: kubernetes + objectName: pods + conditions: + - property: metadata.name + condition: REGEX + value: ^[a-zA-Z0-9]$ + # namespace name compliance + - name: "kube-namespace-name-compliance" + description: "this rules is to check compliance of namespace names" + applied: false + level: 0 + cloudProvider: kubernetes + objectName : namespaces + conditions: + - property: metadata.name + condition: REGEX + value: ^(4urcloudwebsitepublic|4urcloudbackend)$ + # pod labels compliance + - name: "kube-pods-labels-compliance" + description: "this rules is to check compliance of pods labels" + applied: true + level: 1 + cloudProvider: kubernetes + objectName: pods + conditions: + - property: metadata.labels + condition: ALL + value: + - operator: OR + criteria: + - operator: AND + criteria: + - property: key + condition: EQUAL + value: app + - property: value + condition: REGEX + value: ^(aks|csi-azuredisk-node|konnectivity-agent)$ + - operator: AND + criteria: + - property: key + condition: EQUAL + value: controller-revision-hash + - property: value + condition: REGEX + value: ^[0-9a-fA-F]+$ + - operator: AND + criteria: + - property: key + condition: EQUAL + value: kubernetes.azure.com/managedby + - property: value + condition: REGEX + 
value: ^(aks|other)$ \ No newline at end of file diff --git a/kexa-chart/files/rules/Kubernete.yaml b/kexa-chart/files/rules/Kubernete.yaml new file mode 100644 index 0000000..b8bd313 --- /dev/null +++ b/kexa-chart/files/rules/Kubernete.yaml 
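Review bot: `kube-pods-name-compliance` uses `^[a-zA-Z0-9]$`, which only matches a single character, so every real pod name would fail the moment the rule is enabled (it is `applied: false` today). Pod names are DNS-1123 subdomains — lowercase alphanumerics, `-` and `.` — so the uppercase range can never match either; `value: ^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$` expresses the actual constraint, or a stricter project prefix if that is the intent. `kube-pods-labels-compliance` is `applied: true` and requires every label key to be one of three AKS system keys, so any workload pod carrying e.g. `pod-template-hash` will alert; a `# cluster-specific allowlist: extend before enabling in production` comment would make that explicit.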
@@ -0,0 +1,191 @@ +- version: 1.0.0 + date: 07-18-2023 + alert: + fatal: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + error: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + warning: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + info: + enabled: true + type: + - log + #- email + to: + - myEmail@gmail.com + global: + enabled: true + type: + - log + # - email + to: + - myEmail@gmail.com + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + #change the namespace name to your namespace + - name: "namespace-exist-api-4urcloud" + description : "this rules is to check if namespace exist and notifiable if exist" + applied: false + level: 0 + cloudProvider: kubernetes + objectName : namespaces + conditions: + - property : metadata.name + condition : DIFFERENT + value : 4urcloudwebsitepublic + #change the namespace name to your namespace + - name: "all-pods-running-kexawebsite" + description : "this rules is to check if all pods are running for a namespace" + applied: false + level: 2 + cloudProvider: kubernetes + objectName : pods + conditions: + - operator: NAND + criteria: + - property : status.phase + condition : DIFFERENT + value : Running + - property : metadata.namespace + condition : EQUAL + value : kexawebsitepublic + - name: "kube-is-persistent-volume-bounded" + description : "this rules is to verify that persistent volume is bounded" + applied: false + level: 2 + cloudProvider: kubernetes + objectName : persistentvolume + conditions: + - property : status.phase + condition : EQUAL + value : 'Bound' + - name: "kube-persistent-volume-verify-storage-class" + description : "this rules is to verify for a persistent volume storage class" + applied: false + level: 2 + cloudProvider: kubernetes + objectName : persistentvolume + conditions: + - property : spec.storageClassName + condition : EQUAL + value : 'premium2-disk-sc' + - name: 
"kube-volume-mounts-read-only" + description : "this rules is to verify volume mounts are read only" + applied: false + level: 2 + cloudProvider: kubernetes + objectName : pods + conditions: + - property : spec.containers + condition : ALL + value: + - property: volumeMounts + condition: ALL + value: + - property : readOnly + condition : EQUAL + value : true + - name: "kube-storage-class-allow-expansion" + description : "this rules is to verify storage class allow expansion" + applied: false + level: 2 + cloudProvider: kubernetes + objectName : storageclass + conditions: + - property : allowVolumeExpansion + condition : EQUAL + value: true + # this is an example of storage class disk parameters rule + - name: "kube-storage-class-disk-parameters" + description : "this rules is to verify storage class disk parameters" + applied: false + level: 2 + cloudProvider: kubernetes + objectName : storageclass + conditions: + - property : parameters.cachingMode + condition : EQUAL + value: 'None' + - property : parameters.DiskIOPSReadWrite + condition : SUP_OR_EQUAL + value: '1000' + - property : parameters.DiskMBpsReadWrite + condition : SUP_OR_EQUAL + value: '1000' + # this is an example of pod autoscaler rule + - name: "kube-hozizontal-pod-autoscaler-min-max-replicas" + description : "this rules is to verify horizontal pod autoscaler min and max replicas" + applied: false + level: 2 + cloudProvider: kubernetes + objectName : hpa + conditions: + - property : spec.minReplicas + condition : SUP_OR_EQUAL + value: 1 + - property : spec.maxReplicas + condition : INF_OR_EQUAL + value: 2 + # this is an example of pod autoscaler rule + - name: "kube-hozizontal-pod-autoscaler-min-max-replicas" + description : "this rules is to verify horizontal pod autoscaler min and max replicas" + applied: false + level: 2 + cloudProvider: kubernetes + objectName : podLogs + conditions: + - property : logs + condition : ALL + value: + - property : message + condition : DIFFERENT + value: 'error' + 
- property : message + condition : DIFFERENT + value: 'warning' + # pods consumption + - name: "kube-pods-memory-limitation" + description : "this rules is to verify pods memory limitation" + applied: true + level: 2 + cloudProvider: kubernetes + objectName : podsConsumption + conditions: + - property : MemoryUsage + condition : INF + value: 599428096 + # pods consumption + - name: "kube-pods-cpu-limitation" + description : "this rules is to verify cpu usage limitation" + applied: true + level: 2 + cloudProvider: kubernetes + objectName : podsConsumption + conditions: + - property : CPUUsage + condition : INF + value: 0.02 \ No newline at end of file diff --git a/kexa-chart/files/rules/OperationalExcellence.yaml b/kexa-chart/files/rules/OperationalExcellence.yaml new file mode 100644 index 0000000..f27c8c4 --- /dev/null +++ b/kexa-chart/files/rules/OperationalExcellence.yaml 
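Review bot: The rule name `kube-hozizontal-pod-autoscaler-min-max-replicas` is used twice; the second occurrence is actually a `podLogs` rule with the HPA description copied verbatim, so its findings will be reported under a misleading name — rename it, e.g. `- name: "kube-pod-logs-no-error-or-warning"` with `description : "this rule checks that pod logs contain no error or warning messages"`. That log rule compares `message` with `DIFFERENT 'error'` / `'warning'`, which, if `DIFFERENT` is an exact comparison as elsewhere, only catches messages that are literally the single word and not lines such as `error: connection refused`; a negated `REGEX` on `'(?i)\b(error|warning)\b'` (via `operator: NAND`, if the engine accepts a single criterion) would be more useful. Separately, `kube-volume-mounts-read-only` — the one hardening check in this file — is `applied: false` while the consumption checks are on; a comment explaining why it is off by default would help.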
@@ -0,0 +1,125 @@ +- version: 1.0.0 + date: 07-18-2023 + alert: + fatal: + enabled: false + type: + - log + #- email + to: + - myEmail@gmail.com + error: + enabled: false + type: + - log + #- email + #- sms + to: + - myEmail@gmail.com + warning: + enabled: false + type: + - log + #- email + to: + - myEmail@gmail.com + info: + enabled: false + type: + - log + #- email + to: + - myEmail@gmail.com + global: + enabled: true + type: + - log + #- webhook + #- sms + #- email + to: + #- http://127.0.0.1:5000/test + - myEmail@gmail.com + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + - name: "azure-virtual-network-minimum-subnets" + description : "check if NSG have a minimum of subnets" + applied: true + level: 1 + cloudProvider: azure + objectName : NetworkManagementClient.virtualNetworks + conditions: + - property: subnets + condition: COUNT_SUP + value: 0 + - name: "ec2-volume-check-create-less-2-month-expiration" + description: "this rule is to check for a ec2 volume create date inferior than 2 months" + applied: true + level: 2 + cloudProvider: aws + objectName: EC2Client.Volumes + conditions: + - property: CreateTime + condition: DATE_INF + value: 0 0 0 0 0 2 0 + date: "YYYY-MM-DDThh:mm:ss.SSSZ" + - name: "aws-tagsvalue-check-for-expiration-date" + description: "this rule is to check if tags contain an expiration date (separate with \"-\")" + applied: true + level: 1 + cloudProvider: aws + objectName: KexaAwsCustoms.tagsValueListing + conditions: + - property: name + condition: REGEX + value: '\b\d{1,4}[-]\d{1,4}[-]\d{1,4}\b' + - name: "o365-check-jobtitle-defined" + description: "this rule is to check for non defined job title" + applied: true + level: 1 + cloudProvider: o365 + objectName: user + conditions: + - property: jobTitle + condition: DIFFERENT + value: null + - name: "o365-is-simple-member" + description: "this rule is to check for simple members" + applied: true + level: 1 + cloudProvider: 
o365 + objectName: user + conditions: + - property: userType + condition: EQUAL + value: Member + - name: "az-job-ml-check" + description: "this rule is to check for ml job if they are not failed" + applied: true + level: 1 + cloudProvider: azure + objectName: KexaAzure.mlJobs + conditions: + - operator: NAND + criteria: + - property: workspace + condition: EQUAL + value: "Test-Kexa-Machine-Learning" #name of the workspace + - property: properties.displayName + condition: EQUAL + value: "hello-world-example" #name of the job + - property: properties.status + condition: EQUAL + value: Failed + - property: properties.properties.StartTimeUtc + condition: DATE_INF + value: 0 0 0 1 0 0 + date: "YYYY-MM-DD hh:mm:ss" \ No newline at end of file diff --git a/kexa-chart/files/rules/Performance.yaml b/kexa-chart/files/rules/Performance.yaml new file mode 100644 index 0000000..fbe48f2 --- /dev/null +++ b/kexa-chart/files/rules/Performance.yaml @@ -0,0 +1,65 @@ +- version: 1.0.0 + date: 07-18-2023 + alert: + fatal: + enabled: false + type: + - log + #- email + to: + - myEmail@gmail.com + error: + enabled: false + type: + - log + #- email + #- sms + to: + - myEmail@gmail.com + warning: + enabled: false + type: + - log + #- email + to: + - myEmail@gmail.com + info: + enabled: false + type: + - log + #- email + to: + - myEmail@gmail.com + global: + enabled: true + type: + - log + #- webhook + #- sms + #- email + to: + #- http://127.0.0.1:5000/test + - myEmail@gmail.com + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + - name: "aks-is-scaleset-down" + description : "check if aks have a scaleSet down" + applied: true + level: 0 + cloudProvider: azure + objectName : ContainerServiceClient.managedClusters + conditions: + - property: agentPoolProfiles + condition: ALL + value: + - property: scaleSetEvictionPolicy + condition: EQUAL + value: Delete \ No newline at end of file 
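Review bot: The relative-duration values in this hunk disagree on their shape: `ec2-volume-check-create-less-2-month-expiration` passes `value: 0 0 0 0 0 2 0` (seven fields) while `az-job-ml-check` passes `value: 0 0 0 1 0 0` (six), so at least one of them cannot be selecting the unit its description claims. The engine's field order is not stated anywhere in the rule set; a comment on the first DATE_INF rule such as `# DATE_INF value fields, in engine order: <ORDER — confirm against the Kexa docs>` would make every later duration reviewable, and the same ambiguity recurs in PostDeployement.yaml, crossCloudDisksChecks.yaml and helmStatus.yaml. Separately, `az-job-ml-check` ships with the literal workspace `Test-Kexa-Machine-Learning` and job `hello-world-example` while `applied: true`, so every chart install evaluates a rule that can only ever match one test environment; set `applied: false` or read those names from chart values.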
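Review bot: `aks-is-scaleset-down` is described as "check if aks have a scaleSet down", but its only condition requires `scaleSetEvictionPolicy` to equal `Delete` on every agent pool, which is an eviction-policy check rather than an availability check. As far as I know `scaleSetEvictionPolicy` is only populated on Spot pools, so the `ALL` over `agentPoolProfiles` fails for any cluster with a regular node pool, and at `level: 0` that raises a fatal alert on most clusters. Either describe the rule as an eviction-policy check and guard it with a `scaleSetPriority` criterion, or replace the condition with one that actually reflects scale-set health, and reconsider `level: 0` for a performance preference.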
diff --git a/kexa-chart/files/rules/PostDeployement.yaml b/kexa-chart/files/rules/PostDeployement.yaml new file mode 100644 index 0000000..66b9895 --- /dev/null +++ b/kexa-chart/files/rules/PostDeployement.yaml @@ -0,0 +1,84 @@ +- version: 2.0.0 + date: 10-25-2023 + alert: + fatal: + enabled: false + type: + - log + #- email + to: + - email@mail.com + error: + enabled: false + type: + - log + #- email + to: + - email@mail.com + warning: + enabled: false + type: + - log + #- email + to: + - email@mail.com + info: + enabled: false + type: + - log + #- email + to: + - email@mail.com + global: + enabled: true + type: + - log + #- email + to: + - email@mail.com + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + - name: "http-request-date-in-body" + description : "request date in body" + applied: true + level: 0 + cloudProvider: http + objectName : request + conditions: + - operator: NAND + criteria : + - property : body.date + condition : EQUAL + value : null + - name: "http-request-certificate" + description : "request certificate" + applied: true + level: 0 + cloudProvider: http + objectName : request + conditions: + - property : certificate.issuer.CN + condition : EQUAL + value : "Kubernetes Ingress Controller Fake Certificate" + - property : certificate.valid_to + condition : DATE_INF + value : 0 0 0 0 0 0 + date: "MMM DD HH:mm:ss YYYY GMT" + - name: "http-request-header" + description : "request header content" + applied: true + level: 0 + cloudProvider: http + objectName : request + conditions: + - property : headers.content-type + condition : INCLUDE + value : "application/json" \ No newline at end of file diff --git a/kexa-chart/files/rules/PreDeployement.yaml b/kexa-chart/files/rules/PreDeployement.yaml new file mode 100644 index 0000000..0e5200e --- /dev/null +++ b/kexa-chart/files/rules/PreDeployement.yaml 
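Review bot: `http-request-certificate` marks the endpoint compliant only when `certificate.issuer.CN` equals `"Kubernetes Ingress Controller Fake Certificate"`, which is the self-signed default ingress-nginx serves when no real certificate is configured; if conditions describe the compliant state, as the other rules in this set read, an endpoint still serving that placeholder passes and a properly issued certificate alerts. Inverting it with `condition : DIFFERENT` turns the rule into a useful post-deploy check for a missing TLS configuration. The accompanying `certificate.valid_to` criterion uses `value : 0 0 0 0 0 0` (six all-zero fields) whereas the other DATE_INF rules in this change use seven, so it is unclear which expiry window it enforces; state it in a comment, e.g. `# alert when the certificate expires within <WINDOW>`, and fix the field count.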
@@ -0,0 +1,97 @@ +- version: 1.0.0 + date: 10-26-2023 + alert: + fatal: + enabled: false + type: + - log + #- email + to: + - email@mail.com + error: + enabled: false + type: + - log + #- email + to: + - email@mail.com + warning: + enabled: false + type: + - log + #- email + to: + - email@mail.com + info: + enabled: false + type: + - log + #- email + to: + - email@mail.com + global: + enabled: true + type: + - log + #- email + to: + - email@mail.com + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + - name: "git-is-repository-private" + description: "this rules is to check if my git repo is private" + applied: true + level: 1 + cloudProvider: github + objectName: repositories + conditions: + - operator: NAND + criteria: + - property: private + condition: EQUAL + value: false + - property: full_name + condition: EQUAL + #change the name with your repo name + value: 4urcloud/Kexa_website + - name: "git-is-branch-protected" + description: "this rules is to check if my git branch is protected" + applied: true + level: 1 + cloudProvider: github + objectName: branches + conditions: + - operator: OR + criteria: + - property: repo + condition: DIFFERENT + #change the name with your repo name + value: Kexa_website + - property : name + condition : DIFFERENT + value : main + - property : protected + condition : EQUAL + value : true + - name: "kub-alert-if-namespace-not-exist" + description : "this rules is to check if namespace exist and notifiable if not" + applied: true + level: 0 + cloudProvider: kubernetes + objectName : namespaces + conditions: + - property : . + condition: SOME + value: + - property : metadata.name + condition : EQUAL + #change the name with your namespace + value : kexawebsitepublic \ No newline at end of file diff --git a/kexa-chart/files/rules/SecretsRotation.yaml b/kexa-chart/files/rules/SecretsRotation.yaml new file mode 100644 index 0000000..b3b5e37 --- /dev/null 
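Review bot: All three rules are `applied: true` yet compare against repository-, branch- and namespace-specific literals (`4urcloud/Kexa_website`, `Kexa_website`, `kexawebsitepublic`) that only the `#change the name` comments ask the user to replace. Because these files live under `kexa-chart/files/rules` they ship with every chart install, so an unmodified deployment either alerts about the wrong repository or, for `git-is-branch-protected`, reports compliant for every repository other than `Kexa_website` because the `OR` is satisfied by `repo DIFFERENT` alone. Shipping them as `applied: false`, or sourcing the names from chart values, avoids silently passing on the repositories and namespaces the operator actually cares about.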
+++ b/kexa-chart/files/rules/SecretsRotation.yaml 
@@ -0,0 +1,169 @@ +- version: 1.0.0 + date: 07-18-2023 + alert: + fatal: + enabled: false + type: + - log + #- teams + to: + error: + enabled: false + type: + - log + #- email + - teams + to: + warning: + enabled: false + type: + - log + #- teams + to: + info: + enabled: false + type: + - log + #- teams + to: + global: + enabled: true + type: + - log + #- teams + to: + #- http://127.0.0.1:5000/test + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + #################### + # AZURE # + #################### + # Azure + - name: "azure-vault-no-public-network-access" + description: "this rule is to ensure vault network public access is disabled" + applied: false + level: 1 + cloudProvider: azure + objectName: KexaAzure.vaults + conditions: + - property: properties.publicNetworkAccess + condition: EQUAL + value: 'Disabled' + # Azure + - name: "azure-ensure-rbac-enabled" + description: "this rule is to ensure rbac is enabled for kayvaults" + applied: false + level: 1 + cloudProvider: azure + objectName: KexaAzure.vaults + conditions: + - property: properties.enableRbacAuthorization + condition: EQUAL + value: true + # Azure + - name: "azure-ensure-use-private-endpoint" + description: "this rule is to ensure private endpoints are used for Keyvault" + applied: false + level: 1 + cloudProvider: azure + objectName: KexaAzure.vaults + conditions: + - property: properties.privateEndpointConnections + condition: ALL + value: + - property: id + condition: DIFFERENT + value: null + # Azure + - name: "azure-ensure-keyvault-recoverable" + description: "this rule is to ensure keyvaults are recoverable" + applied: false + level: 1 + cloudProvider: azure + objectName: KexaAzure.vaults + conditions: + - property: properties.enablePurgeProtection + condition: EQUAL + value: true + # Azure + - name: "azure-secrets-ensure-expiration" + description: "this rule is to ensure every secrets has an expiration date" + applied: false + 
level: 1 + cloudProvider: azure + objectName: KexaAzure.secrets + conditions: + - property: properties.attributes.expires + condition: DIFFERENT + value: null + # Azure + - name: "azure-vault-keys-rotation" + description: "this rule is to ensure every keys has a rotation defined" + applied: false + level: 1 + cloudProvider: azure + objectName: KexaAzure.KeyvaultKeys + conditions: + - property: properties.rotationPolicy + condition: DIFFERENT + value: null + # Azure + - name: "azure-vault-keys-expiration-date" + description: "this rule is to ensure every keys has a expiration date" + applied: false + level: 1 + cloudProvider: azure + objectName: KexaAzure.KeyvaultKeys + conditions: + - property: properties.attributes.expires + condition: DIFFERENT + value: null + #################### + # AWS # + #################### + # AWS + - name: "aws-acceskey-rotate-time-limit" + description: "this rule is to check if an access key as exceeded the rotate time limit" + applied: true + level: 1 + cloudProvider: aws + objectName: IAMClient.AccessKeys + conditions: + - property: CreateDate + condition: DATE_INF + value: 0 0 0 0 0 1 0 + date: "YYYY-MM-DDThh:mm:ss.SSSZ" + # AWS + - name: "aws-iam-accesskey-last-used" + description: "this rule is to check for acceskeys unused for 1 month" + applied: true + level: 0 + cloudProvider: aws + objectName: IAMClient.AccessKeyLastUsed + conditions: + - property: AccessKeyLastUsed.LastUsedDate + condition: DATE_INF + value: 0 0 0 0 0 1 0 + date: "YYYY-MM-DDThh:mm:ss.SSSZ" + #################### + # GCP # + #################### + # GCP + - name: "gcp-ensure-iam-rotation" + description: "this rule is to ensure IAM rotation is enabled" + applied: false + level: 1 + cloudProvider: gcp + objectName: secret + conditions: + - property: rotation + condition: EQUAL + value: true \ No newline at end of file diff --git a/kexa-chart/files/rules/Security.yaml b/kexa-chart/files/rules/Security.yaml new file mode 100644 index 0000000..2237da0 --- /dev/null 
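Review bot: `azure-ensure-use-private-endpoint` applies `ALL` over `properties.privateEndpointConnections`, and `ALL` over an empty list is vacuously satisfied, so a vault with no private endpoint at all is reported compliant — the opposite of what the description asks; a preceding criterion `- property: properties.privateEndpointConnections` / `condition: COUNT_SUP` / `value: 0` closes that gap. Every `to:` in the alert block is left bare, which YAML reads as `null`; `error` already lists `- teams` as a type, so enabling that alert hands a null recipient list to the notifier — write `to: []` explicitly until real recipients are configured. `gcp-ensure-iam-rotation` compares `rotation` with `true`; if `objectName: secret` maps to Secret Manager, `rotation` is an object (rotation period and next rotation time) rather than a boolean, and `condition: DIFFERENT` / `value: null` is the check that would actually fire. Note also that every Azure rule here is `applied: false`, so the vault hardening this file is named for is off by default.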
+++ b/kexa-chart/files/rules/Security.yaml 
@@ -0,0 +1,126 @@ +- version: 1.0.0 + date: 07-18-2023 + alert: + fatal: + enabled: false + type: + - log + #- email + to: + - myEmail@gmail.com + error: + enabled: false + type: + - log + #- email + #- sms + to: + - myEmail@gmail.com + warning: + enabled: false + type: + - log + #- email + to: + - myEmail@gmail.com + info: + enabled: false + type: + - log + #- email + to: + - myEmail@gmail.com + global: + enabled: true + type: + - log + #- webhook + #- sms + #- email + to: + #- http://127.0.0.1:5000/test + - myEmail@gmail.com + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + - name: "azure-nsg-valid-subnet" + description : "check if NSG have a valid subnet" + applied: true + level: 1 + cloudProvider: azure + objectName : ContainerServiceClient.managedClusters + conditions: + - property: agentPoolProfiles + condition: COUNT + value: 2 + - name: "git-is-repository-private" + description: "this rules is to check if git repo is private" + applied: true + level: 0 + cloudProvider: github + objectName: repositories + conditions: + - property: private + condition: EQUAL + value: true + - name: "git-is-branch-protected" + description: "this rules is to check if git branch is protected" + applied: true + level: 0 + cloudProvider: github + objectName: branches + conditions: + - operator: NAND + criteria: + - property : protected + condition : DIFFERENT + value : true + - property : name + condition : EQUAL + value : master + - name: "ec2-security-groups-source-defined" + description: "this rule is to check if a ec2 SG has a defined source (not 0.0.0.0)" + applied: true + level: 1 + cloudProvider: aws + objectName: EC2Client.SecurityGroups + conditions: + - property: IpPermissions + condition: ALL + value: + - property: IpRanges + condition: ALL + value: + - property: CidrIp + condition: DIFFERENT + value: "0.0.0.0/0" + - name: "aws-ec2-public-ip-address" + description : "this rule is to check if an ec2 ip 
address is public" + applied: true + level: 2 + cloudProvider: aws + objectName: EC2Client.Instances + conditions: + - property: PublicIpAddress + condition: EQUAL + value: null + - name: "o365-is-mfa-activated-on-user" + description: "check if at least 2 auth factors are active" + applied: true + level: 2 + cloudProvider: o365 + objectName: auth_methods + conditions: + - property: methods + condition: ONE + value: + - property: dataType + condition: EQUAL + value: "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod" \ No newline at end of file diff --git a/kexa-chart/files/rules/StorageSecurity.yaml b/kexa-chart/files/rules/StorageSecurity.yaml new file mode 100644 index 0000000..25379b4 --- /dev/null +++ b/kexa-chart/files/rules/StorageSecurity.yaml 
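Review bot: `ec2-security-groups-source-defined` only inspects `IpRanges[].CidrIp`, so a rule open to `::/0` under `Ipv6Ranges[].CidrIpv6` passes the "not 0.0.0.0" check unchanged; add a parallel `ALL` over `Ipv6Ranges` asserting `CidrIpv6 DIFFERENT "::/0"`. `azure-nsg-valid-subnet` is named and described as an NSG subnet check but its object is `ContainerServiceClient.managedClusters` and its condition is `agentPoolProfiles COUNT 2`, so the name, the description or the condition is wrong. `git-is-branch-protected` hard-codes `master` while the rule of the same name in PreDeployement.yaml hard-codes `main`, so a repository using the other default branch is never evaluated by either. `o365-is-mfa-activated-on-user` is described as "at least 2 auth factors are active" but the condition only asks whether a Microsoft Authenticator method is present (`ONE` over `methods` with a single `dataType`), which is a different property; adjust the description or the condition.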
@@ -0,0 +1,207 @@ +- version: 1.0.0 + date: 07-18-2023 + alert: + fatal: + enabled: false + type: + - log + #- teams + to: + #- hook + error: + enabled: false + type: + - log + #- teams + to: + #- hook + warning: + enabled: false + type: + - log + #- teams + to: + #- hook + info: + enabled: false + type: + - log + #- teams + to: + #- hook + global: + enabled: true + type: + - log + #- teams + to: + #- hook + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + #################### + # AWS # + #################### + - name: "aws-bucket-public-access-block" + description: "this rule is to verify if the public access block is enabled on the bucket" + applied: true + level: 1 + cloudProvider: aws + objectName: S3Client.PublicAccessBlock + conditions: + - operator: AND + criteria: + - property: PublicAccessBlockConfiguration.BlockPublicAcls + condition: EQUAL + value: true + - property: PublicAccessBlockConfiguration.IgnorePublicAcls + condition: EQUAL + value: true + - property: PublicAccessBlockConfiguration.BlockPublicPolicy + condition: EQUAL + value: true + - property: PublicAccessBlockConfiguration.RestrictPublicBuckets + condition: EQUAL + value: true + - name: "aws-bucket-enryption-enable" + description: "this rule is to verify if the bucket is encrypted" + applied: true + level: 1 + cloudProvider: aws + objectName: S3Client.BucketEncryption + conditions: + - property: ServerSideEncryptionConfiguration.Rules + condition: COUNT_SUP_OR_EQUAL + value: 1 + - name: "aws-bucket-encryption-using-kms" + description: "this rule is to verify if the bucket is encrypted using KMS" + applied: true + level: 1 + cloudProvider: aws + objectName: S3Client.BucketEncryption + conditions: + - property: ServerSideEncryptionConfiguration.Rules + condition: ALL + value: + - property: ApplyServerSideEncryptionByDefault + condition: OR + value: + - property: SSEAlgorithm + condition: EQUAL + value: aws:kms:dsse + - property: 
SSEAlgorithm + condition: EQUAL + value: aws:kms + - name: "aws-bucket-key-enabled-to-reduce-encryption-cost" + description: "this rule is to verify if the bucket key is enabled to reduce encryption cost" + applied: true + level: 1 + cloudProvider: aws + objectName: S3Client.BucketEncryption + conditions: + - property: ServerSideEncryptionConfiguration.Rules + condition: ALL + value: + - property: ApplyServerSideEncryptionByDefault.BucketKeyEnabled + condition: EQUAL + value: true + #################### + # AZ # + #################### + - name: "azure-storage-account-no-public-access" + description: "this rule is to check on azure storage account for public access" + applied: true + level: 1 + cloudProvider: azure + objectName: StorageManagementClient.storageAccounts + conditions: + - property: publicNetworkAccess + condition: DIFFERENT + value: 'Enabled' + - name: "azure-storage-account-encryption-enabled" + description: "this rule is to check on azure storage account for encryption enabled" + applied: true + level: 1 + cloudProvider: azure + objectName: StorageManagementClient.storageAccounts + conditions: + - operator: AND + criteria: + - property: encryption.services.file.enabled + condition: EQUAL + value: true + - property: encryption.services.blob.enabled + condition: EQUAL + value: true + - name: "azure-storage-account-encryption-using-kms" + description: "this rule is to check on azure storage account for encryption using kms" + applied: true + level: 1 + cloudProvider: azure + objectName: StorageManagementClient.storageAccounts + conditions: + - operator: AND + criteria: + - property: encryption.services.file.keySource + condition: EQUAL + value: 'Microsoft.Keyvault' + - property: encryption.services.blob.keySource + condition: EQUAL + value: 'Microsoft.Keyvault' + #################### + # GCP # + #################### + - name: "gcp-storage-bucket-public-access-block-enforced" + description: "this rule is to verify if the public access block is enabled on 
the bucket" + applied: true + level: 1 + cloudProvider: gcp + objectName: bucket + conditions: + - operator: AND + criteria: + - property: metadata.iamConfiguration.publicAccessPrevention + condition: EQUAL + value: 'enforced' + - name: "gcp-storage-bucket-public-access-block-enforced-or-inherited" + description: "this rule is to verify if the public access block is enabled on the bucket" + applied: true + level: 1 + cloudProvider: gcp + objectName: bucket + conditions: + - operator: OR + criteria: + - property: metadata.iamConfiguration.publicAccessPrevention + condition: EQUAL + value: 'enforced' + - property: metadata.iamConfiguration.publicAccessPrevention + condition: EQUAL + value: 'inherited' + - name: "gcp-storage-bucket-policy-only-access" + description: "this rule is to verify if the bucket is policy only access" + applied: true + level: 1 + cloudProvider: gcp + objectName: bucket + conditions: + - property: metadata.iamConfiguration.bucketPolicyOnly.enabled + condition: EQUAL + value: true + - name: "gcp-storage-bucket-level-access" + description: "this rule is to verify if the bucket is policy only" + applied: true + level: 1 + cloudProvider: gcp + objectName: bucket + conditions: + - property: metadata.iamConfiguration.uniformBucketLevelAccess.enabled + condition: EQUAL + value: true \ No newline at end of file diff --git a/kexa-chart/files/rules/crossCloudDisksChecks.yaml b/kexa-chart/files/rules/crossCloudDisksChecks.yaml new file mode 100644 index 0000000..9638c25 --- /dev/null +++ b/kexa-chart/files/rules/crossCloudDisksChecks.yaml 
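Review bot: `azure-storage-account-no-public-access` asserts `publicNetworkAccess DIFFERENT 'Enabled'`, which also passes when the property is absent, yet an account with no explicit value defaults to accepting public network traffic; SecretsRotation.yaml already uses the fail-closed form for vaults, so `condition: EQUAL` / `value: 'Disabled'` here makes the two consistent. `azure-storage-account-encryption-using-kms` reads `encryption.services.file.keySource` and `encryption.services.blob.keySource`; in the Storage resource model `keySource` (`Microsoft.Keyvault`) sits on `encryption` itself and the per-service objects carry `enabled`/`keyType`, so these paths may never resolve — verify against a real account before trusting the rule. `gcp-storage-bucket-policy-only-access` and `gcp-storage-bucket-level-access` check `bucketPolicyOnly.enabled` and `uniformBucketLevelAccess.enabled`, which are the legacy and current names of the same setting, so one is redundant. The rule name `aws-bucket-enryption-enable` has a typo (`encryption`).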
@@ -0,0 +1,125 @@ +- version: 1.0.0 + date: 07-18-2023 + alert: + fatal: + enabled: true + type: + - log + #- teams + to: + #- 'https://XXXXXXXXXXXXXXXXXXXXXXXXxx' + error: + enabled: true + type: + - log + #- teams + to: + #- 'https://XXXXXXXXXXXXXXXXXXXXXXXXxx' + warning: + enabled: true + type: + - log + #- teams + to: + #- 'https://XXXXXXXXXXXXXXXXXXXXXXXXxx' + info: + enabled: true + type: + - log + #- teams + to: + #- 'https://XXXXXXXXXXXXXXXXXXXXXXXXxx' + global: + enabled: true + type: + - log + #- teams + to: + #- 'https://XXXXXXXXXXXXXXXXXXXXXXXXxx' + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + - name: "gcp-disk-unattached" + description: "this rule is to check if a disk has no users (attached to no instance)" + applied: true + level: 1 + cloudProvider: gcp + objectName: disk + conditions: + - property: users + condition: COUNT_SUP + value: 0 + - name: "aws-ec2-volume-unattached" + description: "this rule is to check if an ec2 volume is unattached" + applied: true + level: 1 + cloudProvider: aws + objectName: EC2Client.Volumes + conditions: + - property: Attachments + condition: COUNT_SUP + value: 0 + - name: "azure-disk-unattached" + description : "this rules is to check if disk is orphan (unattached)" + applied: true + level: 1 + cloudProvider: azure + objectName : ComputeManagementClient.disks + conditions: + - property : diskState + condition : DIFFERENT + value : Unattached + - name: "gcp-disk-check-create-date-2-month-expiration" + description: "this rule is to check for a persistent disk create date is inferior than 2 months ago" + applied: false + level: 1 + cloudProvider: gcp + objectName: disk + conditions: + - property: creationTimestamp + condition: DATE_INF + value: 0 0 0 2 0 0 0 + date: "YYYY-MM-DDThh:mm:ss.SSSZ" + - name: "ec2-volume-check-create-less-2-month-expiration" + description: "this rule is to check for a ec2 volume create date inferior than 2 months" + applied: 
false + level: 1 + cloudProvider: aws + objectName: EC2Client.Volumes + conditions: + - property: CreateTime + condition: DATE_INF + value: 0 0 0 0 0 2 0 + date: "YYYY-MM-DDThh:mm:ss.SSSZ" + - name: "azure-disk-check-create-less-2-month-expiration" + description : "this rules is to check if disk has been created less than 2 months ago" + applied: false + level: 1 + cloudProvider: azure + objectName : ComputeManagementClient.disks + conditions: + - property: timeCreated + condition: DATE_INF + value: 0 0 0 0 0 2 0 + date: "YYYY-MM-DDThh:mm:ss.SSSZ" + - name: "gcp-disk-unattached-since-X-days" + description: "this rule is to check if a disk has no users since X days" + applied: true + level: 1 # alert level, here it is a warning + cloudProvider: gcp + objectName: disk + conditions: + - property: users + condition: COUNT_SUP + value: 0 + - property: lastAttachTimestamp + condition: DATE_INF + value: 0 0 0 0 15 0 0 # not attached since 15min + date: "YYYY-MM-DDThh:mm:ss.SSSZ" \ No newline at end of file diff --git a/kexa-chart/files/rules/helmConfigurations.yaml b/kexa-chart/files/rules/helmConfigurations.yaml new file mode 100644 index 0000000..f78af43 --- /dev/null +++ b/kexa-chart/files/rules/helmConfigurations.yaml 
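Review bot: The three "2 months" rules encode the window differently: `gcp-disk-check-create-date-2-month-expiration` uses `value: 0 0 0 2 0 0 0` while the ec2 and azure equivalents use `value: 0 0 0 0 0 2 0`, and `gcp-disk-unattached-since-X-days` uses `0 0 0 0 15 0 0` with a comment claiming 15 minutes — three positions for three different units, so at least two of these cannot mean what their descriptions say. Align the gcp value with the other two and fix or correct the `# not attached since 15min` comment. `ec2-volume-check-create-less-2-month-expiration` is also defined in OperationalExcellence.yaml with `applied: true` versus `applied: false` here; if the engine loads every file in this directory, the duplicate name makes it ambiguous which definition wins, so rename or drop one.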
@@ -0,0 +1,145 @@ +- version: 1.0.0 + date: 08-02-2024 + alert: + fatal: + enabled: true + type: + - log + - teams + to: + - 'XXXXXXXXXXXXXXXXXx' + error: + enabled: true + type: + - log + #- teams + to: + - 'XXXXXXXXXXXXXXXXXx' + warning: + enabled: true + type: + - log + #- teams + to: + - 'XXXXXXXXXXXXXXXXXx' + info: + enabled: true + type: + - log + #- email + to: + - 'XXXXXXXXXXXXXXXXXx' + global: + enabled: true + type: + - log + - teams + to: + - 'XXXXXXXXXXXXXXXXXx' + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + - name: "helm-chart-auto-scaling-enabled" + description : "this rule is to verify if autoscaling is enabled" + applied: true + level: 1 + cloudProvider: helm + objectName : chart + conditions: + - operator: NAND + criteria: + - property : details.computedValues.autoscaling + condition : DIFFERENT + value : null + - property : details.computedValues.autoscaling.enabled + condition : EQUAL + value : false + - name: "helm-chart-auto-scaling-min-replicas" + description : "this rule is to verify if autoscaling min replicas is greater than 0" + applied: true + level: 0 + cloudProvider: helm + objectName : chart + conditions: + - operator: NAND + criteria: + - property : details.computedValues.autoscaling + condition : DIFFERENT + value : null + - property : details.computedValues.autoscaling.minReplicas + condition : INF_OR_EQUAL + value : 0 + - name: "helm-chart-auto-scaling-max-replicas" + description : "this rule is to verify if autoscaling max replicas is less than 10" + applied: true + level: 0 + cloudProvider: helm + objectName : chart + conditions: + - operator: NAND + criteria: + - property : details.computedValues.autoscaling + condition : DIFFERENT + value : null + - property : details.computedValues.autoscaling.maxReplicas + condition : SUP + value : 10 + - name: "helm-chart-do-not-allow-empty-password" + description : "this rule is to ensure that the helm chart does not allow 
empty passwords" + applied: true + level: 2 + cloudProvider: helm + objectName : chart + conditions: + - property : details.allowEmptyPassword + condition : EQUAL + value : false + # This may not be working if the repository is not locally accessible or not found in artefact hub + - name: "helm-chart-no-major-version-difference" + description : "this rule is to ensure that the helm chart has no major version difference" + applied: true + level: 1 + cloudProvider: helm + objectName : chart + conditions: + - property : details.versionDifference.major + condition : EQUAL + value : 0 + # This may not be working if the repository is not locally accessible or not found in artefact hub + - name: "helm-chart-no-minor-version-difference" + description : "this rule is to ensure that the helm chart has no major version difference" + applied: false + level: 1 + cloudProvider: helm + objectName : chart + conditions: + - property : details.versionDifference.major + condition : EQUAL + value : 0 + - property : details.versionDifference.minor + condition : EQUAL + value : 0 + # This may not be working if the repository is not locally accessible or not found in artefact hub + - name: "helm-chart-no-version-difference" + description : "this rule is to ensure that the helm chart is using the latest version" + applied: false + level: 1 + cloudProvider: helm + objectName : chart + conditions: + - property : details.versionDifference.major + condition : EQUAL + value : 0 + - property : details.versionDifference.minor + condition : EQUAL + value : 0 + - property : details.versionDifference.patch + condition : EQUAL + value : 0 \ No newline at end of file diff --git a/kexa-chart/files/rules/helmConsumptions.yaml b/kexa-chart/files/rules/helmConsumptions.yaml new file mode 100644 index 0000000..ae831cd --- /dev/null +++ b/kexa-chart/files/rules/helmConsumptions.yaml 
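Review bot: `fatal` and `global` enable `- teams` with the recipient `'XXXXXXXXXXXXXXXXXx'`, so with `enabled: true` every fatal finding is posted to a placeholder, and whoever fills it in will be committing a Teams webhook URL into chart files; keep the type commented out until the URL is supplied from a Secret or chart value (the same block appears in helmConsumptions.yaml and helmStatus.yaml). `helm-chart-no-minor-version-difference` reuses the description of the rule above it; it should read `description : "this rule is to ensure that the helm chart has no major or minor version difference"`. `helm-chart-do-not-allow-empty-password` tests `details.allowEmptyPassword EQUAL false` without the `DIFFERENT null` guard the autoscaling rules use, so a chart that has no such value at all is reported the same as one that explicitly allows empty passwords — possibly intended as fail-closed, but worth a comment saying so.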
@@ -0,0 +1,78 @@ +- version: 1.0.0 + date: 08-02-2024 + alert: + fatal: + enabled: true + type: + - log + - teams + to: + - 'XXXXXXXXXXXXXXXXXx' + error: + enabled: true + type: + - log + #- teams + to: + - 'XXXXXXXXXXXXXXXXXx' + warning: + enabled: true + type: + - log + #- teams + to: + - 'XXXXXXXXXXXXXXXXXx' + info: + enabled: true + type: + - log + #- email + to: + - 'XXXXXXXXXXXXXXXXXx' + global: + enabled: true + type: + - log + - teams + to: + - 'XXXXXXXXXXXXXXXXXx' + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + - name: "helm-chart-auto-scaling-target-cpu" + description : "this rule is to verify if autoscaling target cpu is not greater than 50" + applied: true + level: 0 + cloudProvider: helm + objectName : chart + conditions: + - operator: NAND + criteria: + - property : details.computedValues.autoscaling + condition : DIFFERENT + value : null + - property : details.computedValues.autoscaling.targetCPU + condition : SUP + value : 50 + - name: "helm-chart-auto-scaling-target-memory" + description : "this rule is to verify if autoscaling target memory is not greater than 50" + applied: true + level: 0 + cloudProvider: helm + objectName : chart + conditions: + - operator: NAND + criteria: + - property : details.computedValues.autoscaling + condition : DIFFERENT + value : null + - property : details.computedValues.autoscaling.targetMemory + condition : SUP + value : 50 \ No newline at end of file diff --git a/kexa-chart/files/rules/helmStatus.yaml b/kexa-chart/files/rules/helmStatus.yaml new file mode 100644 index 0000000..1b998c3 --- /dev/null +++ b/kexa-chart/files/rules/helmStatus.yaml 
@@ -0,0 +1,79 @@ +- version: 1.0.0 + date: 08-02-2024 + alert: + fatal: + enabled: true + type: + - log + - teams + to: + - 'XXXXXXXXXXXXXXXXXx' + error: + enabled: true + type: + - log + #- teams + to: + - 'XXXXXXXXXXXXXXXXXx' + warning: + enabled: true + type: + - log + #- teams + to: + - 'XXXXXXXXXXXXXXXXXx' + info: + enabled: true + type: + - log + #- email + to: + - 'XXXXXXXXXXXXXXXXXx' + global: + enabled: true + type: + - log + - teams + to: + - 'XXXXXXXXXXXXXXXXXx' + conditions: + - level: 0 + min: 1 + - level: 1 + min: 1 + - level: 2 + min: 1 + - level: 3 + min: 1 + rules: + - name: "helm-chart-deployed" + description : "this rule is to verify if the helm chart is deployed" + applied: true + level: 1 + cloudProvider: helm + objectName : chart + conditions: + - property : details.status + condition : EQUAL + value : deployed + - name: "helm-chart-last-deployed-X-month" + description : "this rule is to verify if the helm chart has been deployed in the last X month" + applied: true + level: 1 + cloudProvider: helm + objectName : chart + conditions: + - property : details.lastDeployed + condition: DATE_INF + value: 0 0 0 0 0 3 0 # last 3 months + date: "YYYY-MM-DDThh:mm:ss.SSSZ" + - name: "helm-chart-max-revisions" + description : "this rule is to verify if the helm chart has less than 10 revisions" + applied: true + level: 0 + cloudProvider: helm + objectName : chart + conditions: + - property : details.revisions + condition : INF_OR_EQUAL + value : 10 \ No newline at end of file
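Review bot: `helm-chart-max-revisions` is described as "less than 10 revisions" but `INF_OR_EQUAL` with `value : 10` accepts exactly 10; either reword to "at most 10 revisions" or use `condition : INF`. The `# last 3 months` annotation on `helm-chart-last-deployed-X-month` is the only place in this change where the duration encoding is explained; since the rule is named `X-month`, also state the threshold in the description, e.g. `description : "this rule is to verify if the helm chart has been deployed in the last 3 months"`.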