diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 5d33c0060e..c62b1fe59b 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -77,7 +77,7 @@ repos:
 files: deploy/cloudformation/.*yml
 - repo: https://github.com/aws-cloudformation/cfn-lint
- rev: v1.22.1
+ rev: v1.22.2
 hooks:
 - id: cfn-python-lint
 files: deploy/cloudformation/.*.yml
diff --git a/bin/.aws-iam-authenticator-0.6.28.pkg b/bin/.aws-iam-authenticator-0.6.29.pkg
similarity index 100%
rename from bin/.aws-iam-authenticator-0.6.28.pkg
rename to bin/.aws-iam-authenticator-0.6.29.pkg
diff --git a/bin/.awscli-2.22.17.pkg b/bin/.awscli-2.22.22.pkg
similarity index 100%
rename from bin/.awscli-2.22.17.pkg
rename to bin/.awscli-2.22.22.pkg
diff --git a/bin/.elastic-package-0.107.2.pkg b/bin/.elastic-package-0.108.0.pkg
similarity index 100%
rename from bin/.elastic-package-0.107.2.pkg
rename to bin/.elastic-package-0.108.0.pkg
diff --git a/bin/.gcloud-503.0.0.pkg b/bin/.gcloud-504.0.1.pkg
similarity index 100%
rename from bin/.gcloud-503.0.0.pkg
rename to bin/.gcloud-504.0.1.pkg
diff --git a/bin/.gh-2.63.2.pkg b/bin/.gh-2.64.0.pkg
similarity index 100%
rename from bin/.gh-2.63.2.pkg
rename to bin/.gh-2.64.0.pkg
diff --git a/bin/.kind-0.25.0.pkg b/bin/.kind-0.26.0.pkg
similarity index 100%
rename from bin/.kind-0.25.0.pkg
rename to bin/.kind-0.26.0.pkg
diff --git a/bin/.opa-0.70.0.pkg b/bin/.opa-1.0.0.pkg
similarity index 100%
rename from bin/.opa-0.70.0.pkg
rename to bin/.opa-1.0.0.pkg
diff --git a/bin/aws b/bin/aws
index 24193ae778..bbdb26ef25 120000
--- a/bin/aws
+++ b/bin/aws
@@ -1 +1 @@
-.awscli-2.22.17.pkg
\ No newline at end of file
+.awscli-2.22.22.pkg
\ No newline at end of file
diff --git a/bin/aws-iam-authenticator b/bin/aws-iam-authenticator
index eddbbde787..6c4f829f7a 120000
--- a/bin/aws-iam-authenticator
+++ b/bin/aws-iam-authenticator
@@ -1 +1 @@
-.aws-iam-authenticator-0.6.28.pkg
\ No newline at end of file
+.aws-iam-authenticator-0.6.29.pkg
\ No newline at end of file
diff --git a/bin/aws_completer b/bin/aws_completer
index 24193ae778..bbdb26ef25 120000
--- a/bin/aws_completer
+++ b/bin/aws_completer
@@ -1 +1 @@
-.awscli-2.22.17.pkg
\ No newline at end of file
+.awscli-2.22.22.pkg
\ No newline at end of file
diff --git a/bin/bq b/bin/bq
index bf0a7cd1f9..f292161a65 120000
--- a/bin/bq
+++ b/bin/bq
@@ -1 +1 @@
-.gcloud-503.0.0.pkg
\ No newline at end of file
+.gcloud-504.0.1.pkg
\ No newline at end of file
diff --git a/bin/docker-credential-gcloud b/bin/docker-credential-gcloud
index bf0a7cd1f9..f292161a65 120000
--- a/bin/docker-credential-gcloud
+++ b/bin/docker-credential-gcloud
@@ -1 +1 @@
-.gcloud-503.0.0.pkg
\ No newline at end of file
+.gcloud-504.0.1.pkg
\ No newline at end of file
diff --git a/bin/elastic-package b/bin/elastic-package
index 31a412cfc0..4dbb18d2d0 120000
--- a/bin/elastic-package
+++ b/bin/elastic-package
@@ -1 +1 @@
-.elastic-package-0.107.2.pkg
\ No newline at end of file
+.elastic-package-0.108.0.pkg
\ No newline at end of file
diff --git a/bin/gcloud b/bin/gcloud
index bf0a7cd1f9..f292161a65 120000
--- a/bin/gcloud
+++ b/bin/gcloud
@@ -1 +1 @@
-.gcloud-503.0.0.pkg
\ No newline at end of file
+.gcloud-504.0.1.pkg
\ No newline at end of file
diff --git a/bin/gh b/bin/gh
index dcdb03ffc0..dbf5454c0c 120000
--- a/bin/gh
+++ b/bin/gh
@@ -1 +1 @@
-.gh-2.63.2.pkg
\ No newline at end of file
+.gh-2.64.0.pkg
\ No newline at end of file
diff --git a/bin/git-credential-gcloud.sh b/bin/git-credential-gcloud.sh
index bf0a7cd1f9..f292161a65 120000
--- a/bin/git-credential-gcloud.sh
+++ b/bin/git-credential-gcloud.sh
@@ -1 +1 @@
-.gcloud-503.0.0.pkg
\ No newline at end of file
+.gcloud-504.0.1.pkg
\ No newline at end of file
diff --git a/bin/gsutil b/bin/gsutil
index bf0a7cd1f9..f292161a65 120000
--- a/bin/gsutil
+++ b/bin/gsutil
@@ -1 +1 @@
-.gcloud-503.0.0.pkg
\ No newline at end of file
+.gcloud-504.0.1.pkg
\ No newline at end of file
diff --git a/bin/kind b/bin/kind
index 283ee865f5..5404aaa542 120000
--- a/bin/kind
+++ b/bin/kind
@@ -1 +1 @@
-.kind-0.25.0.pkg
\ No newline at end of file
+.kind-0.26.0.pkg
\ No newline at end of file
diff --git a/bin/opa b/bin/opa
index f2c02f5e68..32e66cdf03 120000
--- a/bin/opa
+++ b/bin/opa
@@ -1 +1 @@
-.opa-0.70.0.pkg
\ No newline at end of file
+.opa-1.0.0.pkg
\ No newline at end of file
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_15/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_15/test.rego
index 869badf607..539c8f7746 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_15/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_15/test.rego
@@ -19,7 +19,7 @@ test_not_evaluated if {
 not_eval with input as test_data.not_evaluated_iam_user
 }
-rule_input(inline_policies, attached_policies) = test_data.generate_iam_user_with_policies(inline_policies, attached_policies)
+rule_input(inline_policies, attached_policies) := test_data.generate_iam_user_with_policies(inline_policies, attached_policies)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_7/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_7/rule.rego
index 38151509c6..6cf2e74294 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_7/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_7/rule.rego
@@ -7,7 +7,7 @@ import future.keywords.if
 # Eliminate use of the 'root' user for administrative and daily tasks
 # daily interpret as a day (24h)
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_root_user
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_2/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_2/rule.rego
index 7e2e7d5f8e..ad1e567f1c 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_2/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_2/rule.rego
@@ -4,7 +4,7 @@ import data.compliance.lib.common as lib_common
 import data.compliance.policy.aws_rds.data_adapter
 import future.keywords.if
-finding = result if {
+finding := result if {
 data_adapter.is_rds
 result := lib_common.generate_result_without_expected(
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_3/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_3/test.rego
index c889dc5afe..76ee103095 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_3/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_3/test.rego
@@ -37,7 +37,7 @@ test_not_evaluated if {
 not_eval with input as rule_input(true, [test_data.generate_rds_db_instance_subnet_with_route("0.0.0.0/0", "igw-12345678"), {"ID": "subnet-abcdef12", "RouteTable": null}])
 }
-rule_input(publicly_accessible, subnets) = test_data.generate_rds_db_instance(true, true, publicly_accessible, subnets)
+rule_input(publicly_accessible, subnets) := test_data.generate_rds_db_instance(true, true, publicly_accessible, subnets)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_3_1/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_3_1/rule.rego
index c17be9f1e7..b51a88c8c9 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_3_1/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_3_1/rule.rego
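Review bot: The context line `import future.keywords.if` just above the `finding := result if {` change is kept while the same commit moves bin/opa from 0.70.0 to 1.0.0, where `if` is a standard keyword and that import is a no-op; the same applies to the cis_3_1, cis_3_7, cis_3_8, cis_4_2, cis_azure and cis_eks rule hunks below. If the bundle is now checked and evaluated only with OPA 1.x, the import can go in the same sweep; if it is also loaded by an older embedded OPA library, it should stay, and a one-line comment such as `# future.keywords kept for pre-1.0 OPA runtimes` would record why. The `:=` rule-head conversion itself is a style change and, as far as these hunks show, does not alter what the rules evaluate.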
@@ -5,9 +5,9 @@ import data.compliance.policy.aws_cloudtrail.data_adapter
 import data.compliance.policy.aws_cloudtrail.trail
 import future.keywords.if
-default rule_evaluation = false
+default rule_evaluation := false
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_multi_trails_type
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_3_7/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_3_7/rule.rego
index d8174e5ca0..8aa8f71907 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_3_7/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_3_7/rule.rego
@@ -4,10 +4,10 @@ import data.compliance.lib.common
 import data.compliance.policy.aws_cloudtrail.data_adapter
 import future.keywords.if
-default rule_evaluation = false
+default rule_evaluation := false
 # Ensure CloudTrail logs are encrypted at rest using KMS CMKs.
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_single_trail
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_3_8/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_3_8/test.rego
index 70d83199c1..36265d5764 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_3_8/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_3_8/test.rego
@@ -6,7 +6,7 @@ import data.compliance.policy.aws_kms.ensure_symmetric_key_rotation_enabled as a
 import data.lib.test
 import future.keywords.if
-finding = audit.finding
+finding := audit.finding
 test_violation if {
 eval_fail with input as rule_input(false)
@@ -20,7 +20,7 @@ test_not_evaluated if {
 not_eval with input as test_data.not_evaluated_trail
 }
-rule_input(symmetric_default_enabled) = test_data.generate_kms_resource(symmetric_default_enabled)
+rule_input(symmetric_default_enabled) := test_data.generate_kms_resource(symmetric_default_enabled)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_12/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_12/test.rego
index ce29dc700e..a1b617c57a 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_12/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_12/test.rego
@@ -29,7 +29,7 @@ test_pass if {
 }])
 }
-rule_input(entry) = test_data.generate_monitoring_resources(entry)
+rule_input(entry) := test_data.generate_monitoring_resources(entry)
 eval_pass if {
 test.assert_pass(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_2/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_2/rule.rego
index fa459dd650..0de4026c8e 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_2/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_2/rule.rego
@@ -6,9 +6,9 @@ import data.compliance.policy.aws_cloudtrail.pattern
 import data.compliance.policy.aws_cloudtrail.trail
 import future.keywords.if
-default rule_evaluation = false
+default rule_evaluation := false
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_multi_trails_type
@@ -19,7 +19,7 @@ finding = result if {
 )
 }
-required_patterns = [
+required_patterns := [
 # { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }
 pattern.complex_expression("&&", [
 pattern.simple_expression("$.eventName", "=", "\"ConsoleLogin\""),
@@ -34,4 +34,4 @@ required_patterns = [
 ]),
 ]
-rule_evaluation = trail.at_least_one_trail_satisfied(required_patterns)
+rule_evaluation := trail.at_least_one_trail_satisfied(required_patterns)
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_3/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_3/test.rego
index b155ddeab0..eac23b4470 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_3/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_3/test.rego
@@ -91,7 +91,7 @@ test_fail if {
 ])
 }
-rule_input(entry) = test_data.generate_monitoring_resources(entry)
+rule_input(entry) := test_data.generate_monitoring_resources(entry)
 eval_pass if {
 test.assert_pass(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_5_4/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_5_4/test.rego
index fc40bf23a9..7fcba3f9ee 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_5_4/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_5_4/test.rego
@@ -24,7 +24,7 @@ test_not_evaluated if {
 not_eval with input as rule_input({"GroupName": "custom", "IpPermissionsEgress": [{}]})
 }
-rule_input(entry) = test_data.generate_security_group(entry)
+rule_input(entry) := test_data.generate_security_group(entry)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_19/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_19/rule.rego
index 0155607405..c12053188a 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_19/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_19/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import future.keywords.if
 import future.keywords.in
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_security_contacts
@@ -16,7 +16,7 @@ finding = result if {
 )
 }
-default owner_enabled = false
+default owner_enabled := false
 owner_enabled if {
 # Ensure at least one Security Contact Settings exists and owner is selected.
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_3_15/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_3_15/rule.rego
index d4bdb24c5e..e9e1272085 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_3_15/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_3_15/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import data.compliance.policy.azure.storage_account.ensure_tls_version as audit
 import future.keywords.if
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_storage_account
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_3_5/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_3_5/rule.rego
index 80bae67ee3..383b295ef6 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_3_5/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_3_5/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import data.compliance.policy.azure.storage_account.ensure_service_log as audit
 import future.keywords.if
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_storage_account
@@ -16,7 +16,7 @@ finding = result if {
 )
 }
-default logs_are_enabled = false
+default logs_are_enabled := false
 logs_are_enabled if {
 audit.service_diagnostic_settings_log_rwd_enabled(data_adapter.resource.extension.queueDiagnosticSettings)
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_3_7/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_3_7/rule.rego
index bd86db5c96..4db9b868cf 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_3_7/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_3_7/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import data.compliance.policy.azure.storage_account.ensure_public_access as audit
 import future.keywords.if
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_storage_account
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_6/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_6/rule.rego
index 3c7defd63b..3762408a3e 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_6/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_6/rule.rego
@@ -4,7 +4,7 @@ import data.compliance.lib.common
 import data.compliance.policy.azure.data_adapter
 import future.keywords.if
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_postgresql_single_server_db
@@ -15,7 +15,7 @@ finding = result if {
 )
 }
-default log_retention_long_enough = false
+default log_retention_long_enough := false
 log_retention_long_enough if {
 some i
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_5/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_5/rule.rego
index 354b02f5cf..7ab005ccaf 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_5/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_5/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.activity_log_alert.activity_log_alert_operat
 import data.compliance.policy.azure.data_adapter
 import future.keywords.if
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_activity_log_alerts
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_7/test.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_7/test.rego
index 4ded479566..da76ee2299 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_7/test.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_7/test.rego
@@ -44,13 +44,13 @@ not_eval if {
 # test data
 # alert rule that does not match the rule by operation and category
-mismatch_alert = test_data.generate_activity_log_alert("mismatch_opreation", "mismatch_category")
+mismatch_alert := test_data.generate_activity_log_alert("mismatch_opreation", "mismatch_category")
 # alert rule that does not match the rule by operation
-mismatch_alert_only_operation = test_data.generate_activity_log_alert("mismatch_opreation", "Administrative")
+mismatch_alert_only_operation := test_data.generate_activity_log_alert("mismatch_opreation", "Administrative")
 # alert rule that does not match the rule by category
-mismatch_alert_only_category = test_data.generate_activity_log_alert("Microsoft.Sql/servers/firewallRules/write", "mismatch_category")
+mismatch_alert_only_category := test_data.generate_activity_log_alert("Microsoft.Sql/servers/firewallRules/write", "mismatch_category")
 # alert rule that matches the rule
-matching_alert = test_data.generate_activity_log_alert("Microsoft.Sql/servers/firewallRules/write", "Administrative")
+matching_alert := test_data.generate_activity_log_alert("Microsoft.Sql/servers/firewallRules/write", "Administrative")
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_6_1/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_6_1/rule.rego
index 58262b593d..9e156c2169 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_6_1/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_6_1/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import data.compliance.policy.azure.virtual_machine.network_rules as audit
 import future.keywords.if
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_vm
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_6_2/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_6_2/rule.rego
index e60e310b04..faa2e68649 100644
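Review bot: The argument `"mismatch_opreation"` on the rewritten `mismatch_alert` and `mismatch_alert_only_operation` lines is misspelled; the fixture only needs a value that differs from the real operation name, so the typo is harmless, but `"mismatch_operation"` reads as intended and avoids a reviewer double-take. Since these lines are already being rewritten for `:=`, this is the cheap moment to fix it.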
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_6_2/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_6_2/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import data.compliance.policy.azure.virtual_machine.network_rules as audit
 import future.keywords.if
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_vm
diff --git a/security-policies/bundle/compliance/cis_azure/test_data.rego b/security-policies/bundle/compliance/cis_azure/test_data.rego
index b9061a3fd3..a5d2322954 100644
--- a/security-policies/bundle/compliance/cis_azure/test_data.rego
+++ b/security-policies/bundle/compliance/cis_azure/test_data.rego
@@ -1,21 +1,21 @@
 package cis_azure.test_data
-not_eval_resource = {
+not_eval_resource := {
 "type": "azure-resource-type",
 "subType": "azure-resource-subtype",
 "resource": {},
 }
-generate_disk_encryption_settings(type) = {"encryption": {
+generate_disk_encryption_settings(type) := {"encryption": {
 "diskEncryptionSetId": "/subscriptions/dead-beef/resourceGroups/RESOURCEGROUP/providers/Microsoft.Compute/diskEncryptionSets/double-disk-encryption-set",
 "type": type,
 }}
-generate_attached_disk_with_encryption(settings) = generate_disk_with_encryption("Attached", settings)
+generate_attached_disk_with_encryption(settings) := generate_disk_with_encryption("Attached", settings)
-generate_unattached_disk_with_encryption(settings) = generate_disk_with_encryption("Unattached", settings)
+generate_unattached_disk_with_encryption(settings) := generate_disk_with_encryption("Unattached", settings)
-generate_disk_with_encryption(state, settings) = {
+generate_disk_with_encryption(state, settings) := {
 "subType": "azure-disk",
 "resource": {
 "id": "/subscriptions/dead-beef/resourceGroups/resourceGroup/providers/Microsoft.Compute/disks/unattached-disk",
@@ -45,32 +45,32 @@ generate_disk_with_encryption(state, settings) = {
 },
 }
-generate_storage_account_with_property(key, value) = {
+generate_storage_account_with_property(key, value) := {
 "subType": "azure-storage-account",
 "resource": {"properties": {key: value}},
 }
-generate_storage_account_with_extensions(properties, extension) = {
+generate_storage_account_with_extensions(properties, extension) := {
 "subType": "azure-storage-account",
 "resource": {"properties": properties, "extension": extension},
 }
-generate_azure_asset(type, properties) = {
+generate_azure_asset(type, properties) := {
 "subType": type,
 "resource": {"properties": properties},
 }
-generate_azure_asset_with_ext(type, properties, ext) = {
+generate_azure_asset_with_ext(type, properties, ext) := {
 "subType": type,
 "resource": {"properties": properties, "extension": ext},
 }
-generate_azure_asset_resource(type, properties) = {
+generate_azure_asset_resource(type, properties) := {
 "subType": type,
 "resource": properties,
 }
-generate_azure_sku_asset_with_properties(type, properties) = {
+generate_azure_sku_asset_with_properties(type, properties) := {
 "subType": type,
 "resource": {
 "sku": properties,
@@ -78,62 +78,62 @@ generate_azure_sku_asset_with_properties(type, properties) = {
 },
 }
-generate_azure_non_sku_asset(type) = {
+generate_azure_non_sku_asset(type) := {
 "subType": type,
 "resource": {"properties": {}},
 }
-not_eval_storage_account_empty = {
+not_eval_storage_account_empty := {
 "subType": "azure-storage-account",
 "resource": {"properties": {}},
 }
-not_eval_non_exist_type = {
+not_eval_non_exist_type := {
 "subType": "azure-non-exist",
 "resource": {"properties": {}},
 }
-generate_postgresql_server_with_ssl_enforcement(enabled) = {
+generate_postgresql_server_with_ssl_enforcement(enabled) := {
 "subType": "azure-postgresql-server-db",
 "resource": {"properties": {"sslEnforcement": enabled}},
 }
-generate_postgresql_server_with_extension(ext) = {
+generate_postgresql_server_with_extension(ext) := {
 "subType": "azure-postgresql-server-db",
 "resource": {"extension": ext},
 }
-generate_postgresql_server_with_infrastructure_encryption(enabled) = {
+generate_postgresql_server_with_infrastructure_encryption(enabled) := {
 "subType": "azure-postgresql-server-db",
 "resource": {"properties": {"infrastructureEncryption": enabled}},
 }
-generate_flexible_postgresql_server_with_extension(ext) = {
+generate_flexible_postgresql_server_with_extension(ext) := {
 "subType": "azure-flexible-postgresql-server-db",
 "resource": {"extension": ext},
 }
-generate_mysql_server_with_ssl_enforcement(enabled) = {
+generate_mysql_server_with_ssl_enforcement(enabled) := {
 "subType": "azure-mysql-server-db",
 "resource": {"properties": {"sslEnforcement": enabled}},
 }
-generate_flexible_mysql_server_with_extension(extension) = {
+generate_flexible_mysql_server_with_extension(extension) := {
 "subType": "azure-flexible-mysql-server-db",
 "resource": {"extension": extension},
 }
-generate_activity_log_alerts_no_alerts = {
+generate_activity_log_alerts_no_alerts := {
 "subType": "azure-activity-log-alert",
 "resource": [],
 }
-generate_activity_log_alerts(rules) = {
+generate_activity_log_alerts(rules) := {
 "subType": "azure-activity-log-alert",
 "resource": rules,
 }
-generate_activity_log_alert(operation_name, category) = {
+generate_activity_log_alert(operation_name, category) := {
 "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/activityLogAlerts/providers/microsoft.insights/activityLogAlerts/activityLogAlert",
 "subType": "microsoft.insights/activitylogalerts",
 "kind": "activityLogAlert",
@@ -160,18 +160,18 @@ generate_activity_log_alert(operation_name, category) = {
 },
 }
-valid_managed_disk = {
+valid_managed_disk := {
 "id": "/subscriptions/sub-id/resourceGroups/cloudbeat-resource-group-1695893762/providers/Microsoft.Compute/disks/cloudbeatVM_OsDisk_1_e736df07f12142a9a2784ea8de9084ce",
 "resourceGroup": "cloudbeat-resource-group-1695893762",
 "storageAccountType": "Standard_LRS",
 }
-generate_vm(managed_disk) = generate_vm_full(managed_disk, {})
+generate_vm(managed_disk) := generate_vm_full(managed_disk, {})
-generate_vm_with_extension(extension) = generate_vm_full({}, extension)
+generate_vm_with_extension(extension) := generate_vm_full({}, extension)
 # regal ignore:rule-length
-generate_vm_full(managed_disk, extension) = {
+generate_vm_full(managed_disk, extension) := {
 "subType": "azure-vm",
 "resource": {
 "extendedLocation": null,
@@ -254,17 +254,17 @@ generate_vm_full(managed_disk, extension) = {
 },
 }
-generate_insights_components_empty = {
+generate_insights_components_empty := {
 "subType": "azure-insights-component",
 "resource": [],
 }
-generate_insights_components(rules) = {
+generate_insights_components(rules) := {
 "subType": "azure-insights-component",
 "resource": rules,
 }
-generate_insights_component(resource_group, name) = {
+generate_insights_component(resource_group, name) := {
 "id": sprintf("/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/%s/providers/microsoft.insights/components/%s", [resource_group, name]),
 "name": name,
 "type": "microsoft.insights/components",
@@ -294,17 +294,17 @@ generate_insights_component(resource_group, name) = {
 },
 }
-generate_diagnostic_settings_empty = {
+generate_diagnostic_settings_empty := {
 "subType": "azure-diagnostic-settings",
 "resource": [],
 }
-generate_diagnostic_settings(rules) = {
+generate_diagnostic_settings(rules) := {
 "subType": "azure-diagnostic-settings",
 "resource": rules,
 }
-generate_diagnostic_setting_element(sub_id, resource_group, name, logs) = {
+generate_diagnostic_setting_element(sub_id, resource_group, name, logs) := {
 "id": sprintf("/subscriptions/%s/providers/microsoft.insights/diagnosticSettings/%s", [sub_id, name]),
 "name": name,
 "properties": {
@@ -315,7 +315,7 @@ generate_diagnostic_setting_element(sub_id, resource_group, name, logs) = {
 },
 }
-generate_diagnostic_setting_element_logs(flags) = [
+generate_diagnostic_setting_element_logs(flags) := [
 generate_diagnostic_setting_element_log("Administrative", flags.Administrative),
 generate_diagnostic_setting_element_log("Security", flags.Security),
 generate_diagnostic_setting_element_log("Policy", flags.Policy),
@@ -326,7 +326,7 @@ generate_diagnostic_setting_element_logs(flags) = [
 generate_diagnostic_setting_element_log("ResourceHealth", false),
 ]
-generate_diagnostic_setting_element_log(category, enabled) = {
+generate_diagnostic_setting_element_log(category, enabled) := {
 "category": category,
 "categoryGroup": null,
 "enabled": enabled,
@@ -336,9 +336,9 @@ generate_diagnostic_setting_element_log(category, enabled) = {
 },
 }
-generate_key_vault_extension_key(attributes) = {"properties": {"attributes": attributes}}
+generate_key_vault_extension_key(attributes) := {"properties": {"attributes": attributes}}
-generate_key_vault_rbac(extension) = {
+generate_key_vault_rbac(extension) := {
 "subType": "azure-vault",
 "resource": {
 "properties": {"enableRbacAuthorization": true},
@@ -346,7 +346,7 @@ generate_key_vault_rbac(extension) = {
 },
 }
-generate_key_vault(properties, extension) = {
+generate_key_vault(properties, extension) := {
 "subType": "azure-vault",
 "resource": {
 "properties": properties,
@@ -354,17 +354,17 @@ generate_key_vault(properties, extension) = {
 },
 }
-generate_security_contacts(resources) = {
+generate_security_contacts(resources) := {
 "subType": "azure-security-contacts",
 "resource": resources,
 }
-generate_single_security_contact(name, properties) = {
+generate_single_security_contact(name, properties) := {
 "name": name,
 "properties": properties,
 }
-generate_security_auto_provisioning_settings(resources) = {
+generate_security_auto_provisioning_settings(resources) := {
 "subType": "azure-security-auto-provisioning-settings",
 "resource": resources,
 }
diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_3/rule.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_3/rule.rego
index c433dbd0a1..a10bc76bb0 100644
--- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_3/rule.rego
+++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_3/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_eks.rules.cis_3_1_3
 import data.compliance.policy.file.ensure_permissions as audit
 import future.keywords.if
-finding = result if {
+finding := result if {
 audit.filename_filter("kubelet-config.json")
 result := audit.finding(audit.file_permission_match(6, 4, 4))
 }
diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_11/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_11/test.rego
index a7a604c7ad..ed1d6a6967 100644
--- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_11/test.rego
+++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_11/test.rego
@@ -27,13 +27,13 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
-rule_input(argument) = test_data.process_input("kubelet", [argument])
+rule_input(argument) := test_data.process_input("kubelet", [argument])
-rule_input_with_external(argument, external_data) = test_data.process_input_with_external_data("kubelet", [argument], external_data)
+rule_input_with_external(argument, external_data) := test_data.process_input_with_external_data("kubelet", [argument], external_data)
-create_process_config(rotateCertificates) = {"config": {"featureGates": {"RotateKubeletServerCertificate": rotateCertificates}}}
+create_process_config(rotateCertificates) := {"config": {"featureGates": {"RotateKubeletServerCertificate": rotateCertificates}}}
-create_process_config_without_proprerty = {"config": {"featureGates": {}}}
+create_process_config_without_proprerty := {"config": {"featureGates": {}}}
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_5/rule.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_5/rule.rego
index df1f595fa2..12232de113 100644
--- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_5/rule.rego
+++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_5/rule.rego
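Review bot: The identifier `create_process_config_without_proprerty` on the rewritten rule line carries a typo (`proprerty`); since the line is being touched for `:=` anyway, `create_process_config_without_property` would keep the fixture names consistent with `create_process_config` on the line above. Its callers in the test rules are outside this hunk and would need the same rename.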
@@ -4,23 +4,23 @@ import data.compliance.policy.process.ensure_arguments_and_config as audit
 import future.keywords.if
 # Ensure that the --streaming-connection-idle-timeout argument is not set to 0
-default rule_evaluation = true
+default rule_evaluation := true
-rule_evaluation = false if {
+rule_evaluation := false if {
 audit.process_contains_key_with_value("--streaming-connection-idle-timeout", "0")
 }
-rule_evaluation = false if {
+rule_evaluation := false if {
 audit.process_contains_key_with_value("--streaming-connection-idle-timeout", "0s")
 }
 # In case both flags and configuration file are specified, the executable argument takes precedence.
-rule_evaluation = false if {
+rule_evaluation := false if {
 audit.not_process_arg_comparison("--streaming-connection-idle-timeout", ["streamingConnectionIdleTimeout"], "0")
 }
-rule_evaluation = false if {
+rule_evaluation := false if {
 audit.not_process_arg_comparison("--streaming-connection-idle-timeout", ["streamingConnectionIdleTimeout"], "0s")
 }
-finding = audit.finding(rule_evaluation)
+finding := audit.finding(rule_evaluation)
diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_8/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_8/test.rego
index 4dc6a796fa..2b478e7313 100644
--- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_8/test.rego
+++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_8/test.rego
@@ -18,9 +18,9 @@ test_not_evaluated if { not_eval with input as test_data.process_input("some_process", []) } -rule_input(argument) = test_data.process_input_with_external_data("kubelet", [argument], {}) +rule_input(argument) := test_data.process_input_with_external_data("kubelet", [argument], {}) -rule_input_with_external(argument, external_data) = test_data.process_input_with_external_data("kubelet", [argument], external_data) +rule_input_with_external(argument, external_data) := test_data.process_input_with_external_data("kubelet", [argument], external_data) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_9/rule.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_9/rule.rego index cbbe53a752..c01386fb24 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_9/rule.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_9/rule.rego @@ -5,7 +5,7 @@ import future.keywords.if # Ensure that the --event-qps argument is set to 0 or a level which # ensures appropriate event capture -default rule_evaluation = false +default rule_evaluation := false rule_evaluation if { audit.process_contains_key_with_value("--event-qps", "0") @@ -15,4 +15,4 @@ rule_evaluation if { audit.not_process_key_comparison("--event-qps", ["eventRecordQPS"], 0) } -finding = audit.finding(rule_evaluation) +finding := audit.finding(rule_evaluation) diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_6/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_6/test.rego index 9db7836fe4..36c7376ba9 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_6/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_6/test.rego 
@@ -19,9 +19,9 @@ test_not_evaluated if { not finding with input as {"type": "no-kube-api"} } -rule_input(resource) = test_data.kube_api_input(resource) +rule_input(resource) := test_data.kube_api_input(resource) -violating_psp = { +violating_psp := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"runAsUser": { @@ -33,13 +33,13 @@ violating_psp = { }}, } -violating_psp2 = { +violating_psp2 := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"containers": [{"name": "container_1", "securityContext": {"runAsUser": 0}}]}, } -violating_psp3 = { +violating_psp3 := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": { @@ -54,7 +54,7 @@ violating_psp3 = { }, } -non_violating_psp = { +non_violating_psp := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"runAsUser": { @@ -66,7 +66,7 @@ non_violating_psp = { }}, } -non_violating_psp2 = { +non_violating_psp2 := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"runAsUser": {"rule": "MustRunAsNonRoot"}}, diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_8/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_8/test.rego index 6284f0973f..b471c856b9 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_8/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_8/test.rego 
@@ -17,21 +17,21 @@ test_not_evaluated if { not finding with input as {"type": "no-kube-api"} } -rule_input(resource) = test_data.kube_api_input(resource) +rule_input(resource) := test_data.kube_api_input(resource) -violating_psp = { +violating_psp := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"allowedCapabilities": ["ALL"]}, } -non_violating_psp = { +non_violating_psp := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {}, } -non_violating_psp2 = { +non_violating_psp2 := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"allowedCapabilities": []}, diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_1/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_1/test.rego index d86961ab12..a93a18676a 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_1/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_1/test.rego 
@@ -19,12 +19,12 @@ test_not_evaluated if { not finding with input as test_data.not_evaluated_input } -violating_input_private_access_disabled = test_data.generate_eks_input_with_vpc_config(false, true, ["132.1.50.0/0"]) +violating_input_private_access_disabled := test_data.generate_eks_input_with_vpc_config(false, true, ["132.1.50.0/0"]) -violating_input_public_invalid_filter = test_data.generate_eks_input_with_vpc_config(true, true, ["0.0.0.0/0"]) +violating_input_public_invalid_filter := test_data.generate_eks_input_with_vpc_config(true, true, ["0.0.0.0/0"]) -violating_input_private_access_disabled_and_public_access_enabled_valid_filter = test_data.generate_eks_input_with_vpc_config(false, true, ["132.1.50.0/0"]) +violating_input_private_access_disabled_and_public_access_enabled_valid_filter := test_data.generate_eks_input_with_vpc_config(false, true, ["132.1.50.0/0"]) -valid_input_public_access_disabled_and_private_endpoint_endabled = test_data.generate_eks_input_with_vpc_config(true, false, ["0.0.0.0/0"]) +valid_input_public_access_disabled_and_private_endpoint_endabled := test_data.generate_eks_input_with_vpc_config(true, false, ["0.0.0.0/0"]) -non_violating_input = test_data.generate_eks_input_with_vpc_config(true, true, ["203.0.113.5/32"]) +non_violating_input := test_data.generate_eks_input_with_vpc_config(true, true, ["203.0.113.5/32"]) diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_2/rule.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_2/rule.rego index 4ae9c20672..e1a816d018 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_2/rule.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_2/rule.rego @@ -2,4 +2,4 @@ package compliance.cis_eks.rules.cis_5_4_2 import data.compliance.policy.aws_eks.ensure_private_access as audit -finding = audit.finding(false) +finding := audit.finding(false) 
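Review bot: In the cis_5_4_1 test hunk the fixture `violating_input_private_access_disabled_and_public_access_enabled_valid_filter` is built with `["132.1.50.0/0"]`, and a `/0` prefix length matches every address regardless of the network part, so the name's "valid_filter" does not describe the value; `non_violating_input` uses `["203.0.113.5/32"]`, which is what a restrictive filter looks like. How the rule treats the CIDR list is outside this hunk, so either the fixture value or its name should be aligned once that is checked, e.g. `violating_input_private_access_disabled_and_public_access_enabled_valid_filter := test_data.generate_eks_input_with_vpc_config(false, true, ["203.0.113.5/32"])` if the intent is that the violation comes only from private access being disabled. Separately, `valid_input_public_access_disabled_and_private_endpoint_endabled` carries a typo (`endabled`) that will spread to every caller if left.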
diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_17/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_17/rule.rego index 46cb75225a..39c7ca057f 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_17/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_17/rule.rego @@ -4,9 +4,9 @@ import data.compliance.lib.common import data.compliance.policy.gcp.data_adapter import future.keywords.if -default has_cusomter_encrypted_key = false +default has_cusomter_encrypted_key := false -finding = result if { +finding := result if { data_adapter.is_dataproc_cluster result := common.generate_result_without_expected( diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_8/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_8/rule.rego index fa637bb1b7..c10850da74 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_8/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_8/rule.rego @@ -19,7 +19,7 @@ members_with_both_roles contains m if { m in user.members } -finding = result if { +finding := result if { data_adapter.is_cloud_resource_manager_project data_adapter.has_policy diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_9/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_9/test.rego index 866b937248..ca5d858f4d 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_9/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_9/test.rego 
@@ -22,7 +22,7 @@ test_not_evaluated if { not_eval with input as test_data.not_eval_resource } -rule_input(members, nextRotationTime, rotationPeriod, primary) = test_data.generate_kms_resource(members, nextRotationTime, rotationPeriod, primary) +rule_input(members, nextRotationTime, rotationPeriod, primary) := test_data.generate_kms_resource(members, nextRotationTime, rotationPeriod, primary) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_11/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_11/rule.rego index 900bdedb7e..248953f752 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_11/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_11/rule.rego @@ -4,4 +4,4 @@ import data.compliance.policy.gcp.monitoring.ensure_log_metric_and_alarm_exists pattern := `protoPayload.methodName="cloudsql.instances.update"` -finding = audit.finding(pattern) +finding := audit.finding(pattern) diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_13/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_13/rule.rego index 111d7edab6..579a8391b2 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_13/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_13/rule.rego @@ -6,7 +6,7 @@ import future.keywords.if import future.keywords.in # Ensure Cloud Asset Inventory Is Enabled -finding = result if { +finding := result if { data_adapter.is_services_usage result := common.generate_result_without_expected( @@ -19,4 +19,4 @@ is_asset_inventory_enabled if { some service in input.resource.services service.resource.data.name == "cloudasset.googleapis.com" service.resource.data.state == "ENABLED" -} else = false +} else := false 
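Review bot: The argument order in the cis_1_9 test's `rule_input` does not match the helper it calls: the test passes `(members, nextRotationTime, rotationPeriod, primary)` to `test_data.generate_kms_resource`, while the helper's signature in the cis_gcp/test_data.rego hunk further down is `generate_kms_resource(members, rotationPeriod, nextRotationTime, primary)`, so `nextRotationTime` and `rotationPeriod` are swapped on the way in. If the test's parameter names reflect what its callers intend, the call should read `rule_input(members, nextRotationTime, rotationPeriod, primary) := test_data.generate_kms_resource(members, rotationPeriod, nextRotationTime, primary)`; otherwise the helper's parameter order is the one to change. The callers of `rule_input` are outside this hunk, so which side is wrong cannot be confirmed from here, but the mismatch means the rotation checks may be exercised with the two values transposed.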
diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_4/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_4/rule.rego index bd3db1be63..8d376eb393 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_4/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_4/rule.rego @@ -9,4 +9,4 @@ AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD" AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")` -finding = audit.finding(pattern) +finding := audit.finding(pattern) diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_1/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_1/rule.rego index 35667c6dcb..9672c99ba7 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_1/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_1/rule.rego @@ -5,7 +5,7 @@ import data.compliance.policy.gcp.data_adapter import future.keywords.if # Ensure That the Default Network Does Not Exist in a Project. -finding = result if { +finding := result if { # filter data_adapter.is_compute_network @@ -18,4 +18,4 @@ finding = result if { is_not_default_network if { not data_adapter.resource.data.name == "default" -} else = false +} else := false diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_5_2/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_5_2/test.rego index 0bba8ff30c..deae4d7c37 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_5_2/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_5_2/test.rego 
@@ -18,7 +18,7 @@ test_not_evaluated if { not_eval with input as test_data.not_eval_resource } -rule_input(isBucketLevelAccessEnabled) = test_data.generate_gcs_resource([], isBucketLevelAccessEnabled) +rule_input(isBucketLevelAccessEnabled) := test_data.generate_gcs_resource([], isBucketLevelAccessEnabled) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_7/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_7/rule.rego index 5d390077ba..40636b3070 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_7/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_7/rule.rego @@ -5,10 +5,10 @@ import data.compliance.policy.gcp.data_adapter import data.compliance.policy.gcp.sql.ensure_db_flag as audit import future.keywords.if -default is_flag_as_expected = false +default is_flag_as_expected := false # Ensure That the ‘Log_min_duration_statement’ Database Flag for Cloud SQL PostgreSQL Instance Is Set to ‘-1′. -finding = result if { +finding := result if { # filter data_adapter.is_cloud_sql data_adapter.is_postgres_sql diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_7/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_7/rule.rego index 8ea02eb303..2fe26321f4 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_7/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_7/rule.rego @@ -4,7 +4,7 @@ import data.compliance.lib.common import data.compliance.policy.gcp.data_adapter import future.keywords.if -finding = result if { +finding := result if { data_adapter.is_sql_instance result := common.generate_result_without_expected( @@ -15,4 +15,4 @@ finding = result if { backup_enabled if { data_adapter.resource.data.settings.backupConfiguration.enabled == true -} else = false +} else := false 
diff --git a/security-policies/bundle/compliance/cis_gcp/test_data.rego b/security-policies/bundle/compliance/cis_gcp/test_data.rego index ae81561850..b99a790fff 100644 --- a/security-policies/bundle/compliance/cis_gcp/test_data.rego +++ b/security-policies/bundle/compliance/cis_gcp/test_data.rego @@ -1,6 +1,6 @@ package cis_gcp.test_data -generate_gcp_asset(type, subtype, resource, iam_policy) = { +generate_gcp_asset(type, subtype, resource, iam_policy) := { "resource": { "resource": resource, "iam_policy": iam_policy, @@ -9,14 +9,14 @@ generate_gcp_asset(type, subtype, resource, iam_policy) = { "subType": subtype, } -generate_iam_policy(members, role) = generate_gcp_asset( +generate_iam_policy(members, role) := generate_gcp_asset( "key-management", "gcp-iam-service-account", {}, {"bindings": [{"role": role, "members": members}]}, ) -generate_monitoring_asset(log_metrics, alerts) = { +generate_monitoring_asset(log_metrics, alerts) := { "resource": { "log_metrics": log_metrics, "alerts": alerts, 
@@ -25,60 +25,60 @@ generate_monitoring_asset(log_metrics, alerts) = { "subType": "gcp-monitoring", } -generate_policies_asset(policies) = { +generate_policies_asset(policies) := { "resource": policies, "type": "project-managment", "subType": "gcp-policies", } -generate_serviceusage_asset(services) = { +generate_serviceusage_asset(services) := { "resource": {"services": services}, "type": "monitoring", "subType": "gcp-service-usage", } -generate_logging_asset(sinks) = { +generate_logging_asset(sinks) := { "resource": {"log_sinks": sinks}, "type": "logging", "subType": "gcp-logging", } -generate_kms_resource(members, rotationPeriod, nextRotationTime, primary) = generate_gcp_asset( +generate_kms_resource(members, rotationPeriod, nextRotationTime, primary) := generate_gcp_asset( "key-management", "gcp-cloudkms-crypto-key", {"data": {"nextRotationTime": nextRotationTime, "rotationPeriod": rotationPeriod, "primary": primary}}, {"bindings": [{"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter", "members": members}]}, ) -generate_gcs_resource(members, isBucketLevelAccessEnabled) = generate_gcp_asset( +generate_gcs_resource(members, isBucketLevelAccessEnabled) := generate_gcp_asset( "cloud-storage", "gcp-storage-bucket", {"data": {"iamConfiguration": {"uniformBucketLevelAccess": {"enabled": isBucketLevelAccessEnabled}}}}, {"bindings": [{"role": "roles/storage.objectViewer", "members": members}]}, ) -generate_bq_resource(config, subType, members) = generate_gcp_asset( +generate_bq_resource(config, subType, members) := generate_gcp_asset( "cloud-storage", subType, {"data": {"defaultEncryptionConfiguration": config}}, {"bindings": [{"role": "roles/bigquery.dataViewer", "members": members}]}, ) -generate_compute_resource(subType, info) = generate_gcp_asset( +generate_compute_resource(subType, info) := generate_gcp_asset( "cloud-compute", subType, {"data": info}, {}, ) -not_eval_resource = generate_gcp_asset( +not_eval_resource := generate_gcp_asset( "key-management", 
"non-existing-subtype", {}, {}, ) -no_policy_resource = generate_gcp_asset( +no_policy_resource := generate_gcp_asset( "key-management", "gcp-iam", {}, diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_1/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_1/rule.rego index caeb349bcd..92753dbc0b 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_1/rule.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_1/rule.rego @@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_1_1 import data.compliance.policy.file.ensure_permissions as audit import future.keywords.if -finding = result if { +finding := result if { audit.filename_filter("kube-apiserver.yaml") result := audit.finding(audit.file_permission_match(6, 4, 4)) } diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_14/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_14/rule.rego index 5453875b4b..862d6f4af6 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_14/rule.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_14/rule.rego @@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_1_14 import data.compliance.policy.file.ensure_ownership as audit import future.keywords.if -finding = result if { +finding := result if { audit.filename_filter("admin.conf") result := audit.finding("root", "root") } diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_14/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_14/test.rego index b8e9117576..83c5a722f3 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_14/test.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_14/test.rego 
@@ -18,7 +18,7 @@ test_not_evaluated if { not finding with input as rule_input("file.txt", "root", "root") } -rule_input(filename, user, group) = filesystem_input if { +rule_input(filename, user, group) := filesystem_input if { filemode := "644" filesystem_input = test_data.filesystem_input(filename, filemode, user, group) } diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_15/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_15/rule.rego index 05f1ec72a3..802f39cf52 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_15/rule.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_15/rule.rego @@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_1_15 import data.compliance.policy.file.ensure_permissions as audit import future.keywords.if -finding = result if { +finding := result if { audit.filename_filter("scheduler.conf") result := audit.finding(audit.file_permission_match(6, 4, 4)) } diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_17/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_17/test.rego index c2cf164f5a..59232c6143 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_17/test.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_17/test.rego @@ -16,7 +16,7 @@ test_not_evaluated if { not finding with input as rule_input("file.txt", "644") } -rule_input(filename, filemode) = filesystem_input if { +rule_input(filename, filemode) := filesystem_input if { user := "root" group := "root" filesystem_input = test_data.filesystem_input(filename, filemode, user, group) diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_18/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_18/rule.rego index d8e07be1aa..ef593381eb 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_18/rule.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_18/rule.rego 
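Review bot: The migrated rule head `rule_input(filename, user, group) := filesystem_input if {` in the cis_1_1_14 test hunk still pairs with a body that binds its result through unification, `filesystem_input = test_data.filesystem_input(filename, filemode, user, group)`, while the sibling local two lines up already uses `filemode := "644"`. Unification in a rule body still compiles, but since this commit's purpose is moving to explicit `:=`, the body line should follow, `filesystem_input := test_data.filesystem_input(filename, filemode, user, group)`. The same head/body mix appears in the cis_1_1_17, cis_1_1_2, cis_1_1_8, cis_4_1_1, cis_4_1_2 and cis_4_1_5 test hunks below.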
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_1_18 import data.compliance.policy.file.ensure_ownership as audit import future.keywords.if -finding = result if { +finding := result if { audit.filename_filter("controller-manager.conf") result := audit.finding("root", "root") } diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_2/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_2/test.rego index ad790c9d6a..9aa5a7b0cf 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_2/test.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_2/test.rego @@ -18,7 +18,7 @@ test_not_evaluated if { not finding with input as rule_input("file.txt", "root", "root") } -rule_input(filename, user, group) = filesystem_input if { +rule_input(filename, user, group) := filesystem_input if { filemode := "644" filesystem_input = test_data.filesystem_input(filename, filemode, user, group) } diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_4/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_4/rule.rego index e495d5f8eb..11d1a70f13 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_4/rule.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_4/rule.rego @@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_1_4 import data.compliance.policy.file.ensure_ownership as audit import future.keywords.if -finding = result if { +finding := result if { audit.filename_filter("kube-controller-manager.yaml") result := audit.finding("root", "root") } diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_8/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_8/test.rego index 880996287a..3f564d4748 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_8/test.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_8/test.rego 
@@ -18,7 +18,7 @@ test_not_evaluated if { not finding with input as rule_input("file.txt", "root", "root") } -rule_input(filename, user, group) = filesystem_input if { +rule_input(filename, user, group) := filesystem_input if { filemode := "644" filesystem_input = test_data.filesystem_input(filename, filemode, user, group) } diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_12/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_12/test.rego index 42d49559e0..8b3fc7cfe5 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_12/test.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_12/test.rego @@ -20,7 +20,7 @@ test_not_evaluated if { not_eval with input as test_data.process_input("some_process", []) } -rule_input(argument) = test_data.process_input("kube-apiserver", [argument]) +rule_input(argument) := test_data.process_input("kube-apiserver", [argument]) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_14/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_14/test.rego index ff05a464cc..94652597c3 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_14/test.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_14/test.rego @@ -20,7 +20,7 @@ test_not_evaluated if { not_eval with input as test_data.process_input("some_process", []) } -rule_input(argument) = test_data.process_input("kube-apiserver", [argument]) +rule_input(argument) := test_data.process_input("kube-apiserver", [argument]) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_2/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_2/rule.rego index 1bb2784224..04ccf9b756 100644 
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_2/rule.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_2/rule.rego @@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_2_2 import data.compliance.policy.process.ensure_arguments_contain_key as audit import future.keywords.if -finding = result if { +finding := result if { audit.apiserver_filter result := audit.finding(audit.not_contains("--token-auth-file")) } diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_2/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_2/test.rego index 05e1ecf8a2..798a4ab5bb 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_2/test.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_2/test.rego @@ -17,7 +17,7 @@ test_not_evaluated if { not_eval with input as test_data.process_input("some_process", []) } -rule_input(argument) = test_data.process_input("kube-apiserver", [argument]) +rule_input(argument) := test_data.process_input("kube-apiserver", [argument]) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_22/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_22/rule.rego index 204dbe3b4f..0b4ead81ee 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_22/rule.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_22/rule.rego @@ -2,4 +2,4 @@ package compliance.cis_k8s.rules.cis_1_2_22 import data.compliance.policy.process.ensure_arguments_goe as audit -finding = audit.finding("--audit-log-maxsize", 100) +finding := audit.finding("--audit-log-maxsize", 100) diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_22/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_22/test.rego index 62b28c725a..f0550fa8c3 100644 
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_22/test.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_22/test.rego @@ -19,7 +19,7 @@ test_not_evaluated if { not_eval with input as test_data.process_input("some_process", []) } -rule_input(argument) = test_data.process_input("kube-apiserver", [argument]) +rule_input(argument) := test_data.process_input("kube-apiserver", [argument]) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_32/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_32/rule.rego index 4ba313fd1f..33fa52c0bf 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_32/rule.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_32/rule.rego @@ -4,17 +4,17 @@ import data.compliance.policy.process.ensure_ciphers as audit import future.keywords.if # Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual) -default rule_evaluation = true +default rule_evaluation := true -rule_evaluation = false if { +rule_evaluation := false if { not audit.process_args["--tls-cipher-suites"] } -rule_evaluation = false if { +rule_evaluation := false if { audit.is_process_args_includes_non_supported_cipher(supported_ciphers) } -supported_ciphers = [ +supported_ciphers := [ "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", @@ -38,7 +38,7 @@ supported_ciphers = [ "TLS_RSA_WITH_AES_256_GCM_SHA384", ] -finding = result if { +finding := result if { audit.apiserver_filter result := audit.finding(rule_evaluation) } diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_32/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_32/test.rego index df09230753..d96c09a98b 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_32/test.rego 
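Review bot: The `supported_ciphers := [` allowlist in the cis_1_2_32 rule hunk has no comment stating which benchmark revision it mirrors, and the visible tail of the list includes `"TLS_RSA_WITH_AES_256_GCM_SHA384"`, an RSA key-exchange suite without forward secrecy, so a reader cannot tell whether that entry is deliberate or stale. A one-line provenance comment above the list would make later pruning traceable, e.g. `# Allowlist taken verbatim from the CIS benchmark recommendation for this control; review when the benchmark revision is bumped` (fill in the revision from the benchmark document, not from memory). The middle of the list is not visible between the two hunks, and `default rule_evaluation := true` at the top of the hunk means a process is only flagged when `--tls-cipher-suites` is absent or contains a suite outside this list, which makes the list's accuracy the whole check.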
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_32/test.rego @@ -21,7 +21,7 @@ test_not_evaluated if { not_eval with input as test_data.process_input("some_process", []) } -rule_input(argument) = test_data.process_input("kube-apiserver", [argument]) +rule_input(argument) := test_data.process_input("kube-apiserver", [argument]) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_8/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_8/test.rego index 979304c13a..d272835d57 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_8/test.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_8/test.rego @@ -19,7 +19,7 @@ test_not_evaluated if { not_eval with input as test_data.process_input("some_process", []) } -rule_input(argument) = test_data.process_input("kube-apiserver", [argument]) +rule_input(argument) := test_data.process_input("kube-apiserver", [argument]) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_4_1/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_4_1/test.rego index f214912cfd..7e9ad87d85 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_4_1/test.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_4_1/test.rego @@ -18,7 +18,7 @@ test_not_evaluated if { not_eval with input as test_data.process_input("some_process", []) } -rule_input(argument) = test_data.process_input("kube-scheduler", [argument]) +rule_input(argument) := test_data.process_input("kube-scheduler", [argument]) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter 
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_1/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_1/rule.rego index 95dd2c02dc..511f77c1a5 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_1/rule.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_1/rule.rego @@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_2_1 import data.compliance.policy.process.ensure_appropriate_arguments as audit import future.keywords.if -finding = result if { +finding := result if { audit.etcd_filter result := audit.finding([ "--cert-file", diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_5/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_5/test.rego index 18d6fd0f87..bb8d3a89f8 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_5/test.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_5/test.rego @@ -18,7 +18,7 @@ test_not_evaluated if { not_eval with input as test_data.process_input("some_process", []) } -rule_input(argument) = test_data.process_input("etcd", [argument]) +rule_input(argument) := test_data.process_input("etcd", [argument]) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_1/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_1/test.rego index 732ca43931..7186b5c604 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_1/test.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_1/test.rego @@ -16,7 +16,7 @@ test_not_evaluated if { not finding with input as rule_input("file.txt", "644") } -rule_input(filename, filemode) = filesystem_input if { +rule_input(filename, filemode) := filesystem_input if { user := "root" group := "root" filesystem_input = test_data.filesystem_input(filename, filemode, user, group) 
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_10/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_10/rule.rego index 490cda3e93..fe1920ceb4 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_10/rule.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_10/rule.rego @@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_4_1_10 import data.compliance.policy.file.ensure_ownership as audit import future.keywords.if -finding = result if { +finding := result if { audit.filename_filter("kubelet.conf") result := audit.finding("root", "root") } diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_2/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_2/test.rego index 212dd421f6..d425bbd452 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_2/test.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_2/test.rego @@ -18,7 +18,7 @@ test_not_evaluated if { not finding with input as rule_input("file.txt", "root", "root") } -rule_input(filename, user, group) = filesystem_input if { +rule_input(filename, user, group) := filesystem_input if { filemode := "644" filesystem_input = test_data.filesystem_input(filename, filemode, user, group) } diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_5/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_5/test.rego index ab534742e5..3d1a42d76d 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_5/test.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_5/test.rego @@ -16,7 +16,7 @@ test_not_evaluated if { not finding with input as rule_input("file.txt", "644") } -rule_input(filename, filemode) = filesystem_input if { +rule_input(filename, filemode) := filesystem_input if { user := "root" group := "root" filesystem_input = test_data.filesystem_input(filename, filemode, user, group) 
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_1/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_1/test.rego index b1b8be93f1..b6361bd92b 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_1/test.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_1/test.rego @@ -24,11 +24,11 @@ test_not_evaluated if { not_eval with input as test_data.process_input("some_process", []) } -rule_input(argument) = test_data.process_input_with_external_data("kubelet", [argument], {}) +rule_input(argument) := test_data.process_input_with_external_data("kubelet", [argument], {}) -rule_input_with_external(argument, external_data) = test_data.process_input_with_external_data("kubelet", [argument], external_data) +rule_input_with_external(argument, external_data) := test_data.process_input_with_external_data("kubelet", [argument], external_data) -create_process_config(anonymous_enabled) = {"config": {"authentication": { +create_process_config(anonymous_enabled) := {"config": {"authentication": { "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"}, "anonymous": {"enabled": anonymous_enabled}, "webhook": { diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_10/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_10/rule.rego index 2628abe6f1..0d5cee7502 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_10/rule.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_10/rule.rego @@ -4,7 +4,7 @@ import data.compliance.policy.process.ensure_arguments_and_config as audit import future.keywords.if # Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate -default rule_evaluation = false +default rule_evaluation := false rule_evaluation if { audit.process_arg_multi("--tls-cert-file", "--tls-private-key-file") 
@@ -14,4 +14,4 @@ rule_evaluation if {
 audit.process_variable_multi(["tlsCertFile"], ["tlsPrivateKeyFile"])
 }
 
-finding = audit.finding(rule_evaluation)
+finding := audit.finding(rule_evaluation)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_11/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_11/rule.rego
index ad906a0c45..52f482dc2f 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_11/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_11/rule.rego
@@ -4,15 +4,15 @@ import data.compliance.policy.process.ensure_arguments_and_config as audit
 import future.keywords.if
 
 # Verify that the --rotate-certificates argument is not present, or is set to true.
-default rule_evaluation = true
+default rule_evaluation := true
 
-rule_evaluation = false if {
+rule_evaluation := false if {
 audit.process_contains_key_with_value("--rotate-certificates", "false")
 }
 
 # In case both flags and configuration file are specified, the executable argument takes precedence.
-rule_evaluation = false if {
+rule_evaluation := false if {
 audit.not_process_arg_comparison("--rotate-certificates", ["rotateCertificates"], false)
 }
 
-finding = audit.finding(rule_evaluation)
+finding := audit.finding(rule_evaluation)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_12/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_12/rule.rego
index 57a761165f..b7c2d20ec4 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_12/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_12/rule.rego
@@ -4,7 +4,7 @@ import data.compliance.policy.process.ensure_arguments_and_config as audit
 import future.keywords.if
 
 # Verify that the RotateKubeletServerCertificate argument is set to true
-default rule_evaluation = false
+default rule_evaluation := false
 
 rule_evaluation if {
 audit.not_process_contains_key_with_value("--feature-gates", "RotateKubeletServerCertificate=false")
@@ -27,4 +27,4 @@ rule_evaluation if {
 audit.get_from_config(["serverTLSBootstrap"])
 }
 
-finding = audit.finding(rule_evaluation)
+finding := audit.finding(rule_evaluation)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_2/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_2/rule.rego
index 1622019bd6..e6ab47d432 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_2/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_2/rule.rego
@@ -5,7 +5,7 @@ import future.keywords.if
 
 # Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
 # If the --authorization-mode argument is present check that it is not set to AlwaysAllow.
-default rule_evaluation = false
+default rule_evaluation := false
 
 rule_evaluation if {
 is_authorization_allow_all
@@ -22,4 +22,4 @@ rule_evaluation if {
 audit.process_filter_variable_multi_comparison(["authorization", "mode"], ["authorization", "mode"], "AlwaysAllow")
 }
 
-finding = audit.finding(rule_evaluation)
+finding := audit.finding(rule_evaluation)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_3/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_3/rule.rego
index b2fada442b..7ae3525f0b 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_3/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_3/rule.rego
@@ -4,7 +4,7 @@ import data.compliance.policy.process.ensure_arguments_and_config as audit
 import future.keywords.if
 
 # Ensure that the --client-ca-file argument is set as appropriate (Automated)
-default rule_evaluation = false
+default rule_evaluation := false
 
 rule_evaluation if {
 audit.process_contains_key("--client-ca-file")
@@ -16,4 +16,4 @@ rule_evaluation if {
 audit.get_from_config(["authentication", "x509", "clientCAFile"])
 }
 
-finding = audit.finding(rule_evaluation)
+finding := audit.finding(rule_evaluation)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_3/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_3/test.rego
index a184b9e5e0..06d9fd72d8 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_3/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_3/test.rego
@@ -19,11 +19,11 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("kubelet", [argument])
+rule_input(argument) := test_data.process_input("kubelet", [argument])
 
-rule_input_with_external(argument, external_data) = test_data.process_input_with_external_data("kubelet", [argument], external_data)
+rule_input_with_external(argument, external_data) := test_data.process_input_with_external_data("kubelet", [argument], external_data)
 
-create_process_config(client_CA_path) = {"config": {"authentication": {
+create_process_config(client_CA_path) := {"config": {"authentication": {
 "x509": {"clientCAFile": client_CA_path},
 "anonymous": {"enabled": false},
 "webhook": {
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_7/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_7/rule.rego
index 039a9af4a2..a56c585b1c 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_7/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_7/rule.rego
@@ -4,16 +4,16 @@ import data.compliance.policy.process.ensure_arguments_and_config as audit
 import future.keywords.if
 
 # Ensure that the --make-iptables-util-chains argument is set to true (Automated)
-default rule_evaluation = true
+default rule_evaluation := true
 
-rule_evaluation = false if {
+rule_evaluation := false if {
 audit.process_contains_key_with_value("--make-iptables-util-chains", "false")
 }
 
 # In case both flags and configuration file are specified, the executable argument takes precedence.
 # Checks that the entry for makeIPTablesUtilChains is set to true.
-rule_evaluation = false if {
+rule_evaluation := false if {
 audit.not_process_arg_comparison("--make-iptables-util-chains", ["makeIPTablesUtilChains"], false)
 }
 
-finding = audit.finding(rule_evaluation)
+finding := audit.finding(rule_evaluation)
diff --git a/security-policies/bundle/compliance/lib/assert.rego b/security-policies/bundle/compliance/lib/assert.rego
index 89c8bde486..c26eb4946a 100644
--- a/security-policies/bundle/compliance/lib/assert.rego
+++ b/security-policies/bundle/compliance/lib/assert.rego
@@ -11,7 +11,7 @@ is_true(value) if {
 # regal ignore:equals-pattern-matching
 is_false(value) if {
 value == false
-} else = false
+} else := false
 
 all_true(values) if {
 not some_false(values)
@@ -33,4 +33,4 @@ some_true(values) if {
 
 array_is_empty(array) if {
 count(array) == 0
-} else = false
+} else := false
diff --git a/security-policies/bundle/compliance/policy/aws_ec2/ensure_security_group_public_ingress_ipv4.rego b/security-policies/bundle/compliance/policy/aws_ec2/ensure_security_group_public_ingress_ipv4.rego
index fb72ab39fd..36bc5ec1f6 100644
--- a/security-policies/bundle/compliance/policy/aws_ec2/ensure_security_group_public_ingress_ipv4.rego
+++ b/security-policies/bundle/compliance/policy/aws_ec2/ensure_security_group_public_ingress_ipv4.rego
@@ -6,9 +6,9 @@ import data.compliance.policy.aws_ec2.ports
 import future.keywords.every
 import future.keywords.if
 
-default rule_evaluation = false
+default rule_evaluation := false
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_security_group_policy
 
diff --git a/security-policies/bundle/compliance/policy/aws_ecr/data_adapter.rego b/security-policies/bundle/compliance/policy/aws_ecr/data_adapter.rego
index 8c328bca5f..187e0cf212 100644
--- a/security-policies/bundle/compliance/policy/aws_ecr/data_adapter.rego
+++ b/security-policies/bundle/compliance/policy/aws_ecr/data_adapter.rego
@@ -6,8 +6,8 @@ is_aws_ecr if {
 input.subType == "aws-ecr"
 }
 
-cluster = input.resource.Cluster
+cluster := input.resource.Cluster
 
-image_scan_config = input.resource.ImageScanningConfiguration
+image_scan_config := input.resource.ImageScanningConfiguration
 
-repository_name = input.resource.RepositoryName
+repository_name := input.resource.RepositoryName
diff --git a/security-policies/bundle/compliance/policy/aws_iam/ensure_hardware_mfa.rego b/security-policies/bundle/compliance/policy/aws_iam/ensure_hardware_mfa.rego
index 0f43cc88d9..16f94dad60 100644
--- a/security-policies/bundle/compliance/policy/aws_iam/ensure_hardware_mfa.rego
+++ b/security-policies/bundle/compliance/policy/aws_iam/ensure_hardware_mfa.rego
@@ -3,7 +3,7 @@ package compliance.policy.aws_iam.ensure_hardware_mfa
 import data.compliance.policy.aws_iam.data_adapter
 import future.keywords.if
 
-default ensure_hardware_mfa_device = false
+default ensure_hardware_mfa_device := false
 
 # Only one MFA device can be received as input,
 # even if a user has multiple MFA devices linked to their account.
diff --git a/security-policies/bundle/compliance/policy/azure/activity_log_alert/activity_log_alert_operation_enabled.rego b/security-policies/bundle/compliance/policy/azure/activity_log_alert/activity_log_alert_operation_enabled.rego
index dd1d4648c1..6b9be57869 100644
--- a/security-policies/bundle/compliance/policy/azure/activity_log_alert/activity_log_alert_operation_enabled.rego
+++ b/security-policies/bundle/compliance/policy/azure/activity_log_alert/activity_log_alert_operation_enabled.rego
@@ -30,4 +30,4 @@ activity_log_alert_operation_enabled(operation_names, categories) if {
 
 # Ensure there is an action group assigned (Notification to the appropriate personnel)
 activity_log_alert.properties.actions != null
-} else = false
+} else := false
diff --git a/security-policies/bundle/compliance/policy/azure/disk/ensure_encryption.rego b/security-policies/bundle/compliance/policy/azure/disk/ensure_encryption.rego
index 3db503ee8a..95b130e759 100644
--- a/security-policies/bundle/compliance/policy/azure/disk/ensure_encryption.rego
+++ b/security-policies/bundle/compliance/policy/azure/disk/ensure_encryption.rego
@@ -3,9 +3,9 @@ package compliance.policy.azure.disk.ensure_encryption
 import data.compliance.policy.azure.data_adapter
 import future.keywords.if
 
-encryption_type = data_adapter.properties.encryption.type
+encryption_type := data_adapter.properties.encryption.type
 
-default is_encryption_enabled = false
+default is_encryption_enabled := false
 
 is_encryption_enabled if {
 encryption_type == "EncryptionAtRestWithCustomerKey"
diff --git a/security-policies/bundle/compliance/policy/azure/storage_account/ensure_secure_transfer.rego b/security-policies/bundle/compliance/policy/azure/storage_account/ensure_secure_transfer.rego
index 95320edc6b..9ab5af81b7 100644
--- a/security-policies/bundle/compliance/policy/azure/storage_account/ensure_secure_transfer.rego
+++ b/security-policies/bundle/compliance/policy/azure/storage_account/ensure_secure_transfer.rego
@@ -5,4 +5,4 @@ import future.keywords.if
 
 is_secure_transfer_enabled if {
 data_adapter.properties.supportsHttpsTrafficOnly
-} else = false
+} else := false
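Review bot: In activity_log_alert_operation_enabled.rego the condition meant to verify that an action group is assigned is `activity_log_alert.properties.actions != null`, which is also satisfied by an actions object that contains no groups, so an alert that notifies nobody would still evaluate as compliant. If the resource follows the Azure ActivityLogAlert shape, where the groups are listed under `properties.actions.actionGroups`, the check should look at that array instead, e.g. `count(activity_log_alert.properties.actions.actionGroups) > 0`; please confirm the field name against what the data adapter delivers. The enclosing rule begins outside the hunk.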
diff --git a/security-policies/bundle/compliance/policy/azure/storage_account/ensure_service.rego b/security-policies/bundle/compliance/policy/azure/storage_account/ensure_service.rego
index 0e3ee871f7..3300650772 100644
--- a/security-policies/bundle/compliance/policy/azure/storage_account/ensure_service.rego
+++ b/security-policies/bundle/compliance/policy/azure/storage_account/ensure_service.rego
@@ -7,9 +7,9 @@ import future.keywords.in
 is_service_included(service) if {
 data_adapter.network_acls.defaultAction == "Deny"
 data_adapter.network_acls.bypass == service
-} else = false
+} else := false
 
-evaluate_service(service) = r if {
+evaluate_service(service) := r if {
 data_adapter.network_acls
 r = is_service_included(service)
 }
diff --git a/security-policies/bundle/compliance/policy/gcp/common.rego b/security-policies/bundle/compliance/policy/gcp/common.rego
index 05f4a6bcc6..8671cc81a9 100644
--- a/security-policies/bundle/compliance/policy/gcp/common.rego
+++ b/security-policies/bundle/compliance/policy/gcp/common.rego
@@ -3,7 +3,7 @@ package compliance.policy.gcp.common
 import future.keywords.if
 
 # parse the machine's family type from a machine type URL (e.g. https://www.googleapis.com/compute/v1/projects//zones//machineTypes/)
-get_machine_type_family(type_url) = family if {
+get_machine_type_family(type_url) := family if {
 parts := split(type_url, "/")
 family := parts[count(parts) - 1]
 }
diff --git a/security-policies/bundle/compliance/policy/gcp/compute/ensure_no_use_of_default_sa.rego b/security-policies/bundle/compliance/policy/gcp/compute/ensure_no_use_of_default_sa.rego
index d5d3db1e10..817d96998f 100644
--- a/security-policies/bundle/compliance/policy/gcp/compute/ensure_no_use_of_default_sa.rego
+++ b/security-policies/bundle/compliance/policy/gcp/compute/ensure_no_use_of_default_sa.rego
@@ -18,10 +18,10 @@ sa_is_default if {
 not data_adapter.is_gke_instance(data_adapter.resource.data)
 some sa in data_adapter.resource.data.serviceAccounts
 is_default_sa(sa)
-} else = false
+} else := false
 
 sa_is_default_with_full_access if {
 not data_adapter.is_gke_instance(data_adapter.resource.data)
 some sa in data_adapter.resource.data.serviceAccounts
 is_default_sa_with_access(sa)
-} else = false
+} else := false
diff --git a/security-policies/bundle/compliance/policy/gcp/iam/ensure_role_not_service_account_user.rego b/security-policies/bundle/compliance/policy/gcp/iam/ensure_role_not_service_account_user.rego
index 2a5fc5f5e1..74428d58bc 100644
--- a/security-policies/bundle/compliance/policy/gcp/iam/ensure_role_not_service_account_user.rego
+++ b/security-policies/bundle/compliance/policy/gcp/iam/ensure_role_not_service_account_user.rego
@@ -3,7 +3,7 @@ package compliance.policy.gcp.iam.ensure_role_not_service_account_user
 import data.compliance.policy.gcp.data_adapter
 import future.keywords.if
 
-default is_role_not_service_account_user = false
+default is_role_not_service_account_user := false
 
 is_role_not_service_account_user if {
 role := data_adapter.iam_policy.bindings[i].role
diff --git a/security-policies/bundle/compliance/policy/gcp/sql/ensure_db_flag_is_as_expected.rego b/security-policies/bundle/compliance/policy/gcp/sql/ensure_db_flag_is_as_expected.rego
index 9e2599b51c..0c463a5cc0 100644
--- a/security-policies/bundle/compliance/policy/gcp/sql/ensure_db_flag_is_as_expected.rego
+++ b/security-policies/bundle/compliance/policy/gcp/sql/ensure_db_flag_is_as_expected.rego
@@ -12,15 +12,15 @@ is_flag_configured_as_expected(flag_name, expected_vals) if {
 # not all expected values needs to be present, one is sufficient
 some expected_val in expected_vals
 db_flag.value == expected_val
-} else = false
+} else := false
 
 is_flag_exists(flag_name) if {
 some db_flag in data_adapter.resource.data.settings.databaseFlags
 db_flag.name == flag_name
-} else = false
+} else := false
 
 is_flag_limited(flag_name) if {
 some db_flag in data_adapter.resource.data.settings.databaseFlags
 db_flag.name == flag_name
 db_flag.value != 0
-} else = false
+} else := false
diff --git a/security-policies/bundle/compliance/policy/kube_api/ensure_service_accounts.rego b/security-policies/bundle/compliance/policy/kube_api/ensure_service_accounts.rego
index 80ede4fcd4..da9842c172 100644
--- a/security-policies/bundle/compliance/policy/kube_api/ensure_service_accounts.rego
+++ b/security-policies/bundle/compliance/policy/kube_api/ensure_service_accounts.rego
@@ -21,7 +21,7 @@ finding(rule_violation) := result if {
 )
 }
 
-default service_account_automount = false
+default service_account_automount := false
 
 # Review pod and service account objects in the cluster and ensure that automountServiceAccountToken is
 # set to false
@@ -35,7 +35,7 @@ service_account_automount if {
 service_account.automountServiceAccountToken == true
 }
 
-default service_account_default = false
+default service_account_default := false
 
 # no roles or cluster roles bound to default service account apart from the defaults.
 service_account_default if {
diff --git a/security-policies/bundle/compliance/policy/process/ensure_arguments_goe.rego b/security-policies/bundle/compliance/policy/process/ensure_arguments_goe.rego
index c5ec21c1bb..ac8b74ffdc 100644
--- a/security-policies/bundle/compliance/policy/process/ensure_arguments_goe.rego
+++ b/security-policies/bundle/compliance/policy/process/ensure_arguments_goe.rego
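Review bot: `is_flag_limited` in ensure_db_flag_is_as_expected.rego treats a flag as limited whenever `db_flag.value != 0`, a comparison against a number, while Cloud SQL reports `databaseFlags[].value` as a string; if the adapter passes that value through unchanged, a flag explicitly set to `"0"` compares unequal and the rule would never evaluate to false for a present flag, leaving the `else := false` branch reachable only when the flag is absent. Either normalise before comparing, e.g. `to_number(db_flag.value) != 0`, or also reject the string form with `db_flag.value != "0"`, depending on which type the input actually carries; please confirm against the adapter and its tests. The hunk starts inside the body of `is_flag_configured_as_expected`, whose head lies outside it.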
@@ -7,7 +7,7 @@ import future.keywords.if
 
 process_args := benchmark_data_adapter.process_args
 
-finding(entity, value) = result if {
+finding(entity, value) := result if {
 data_adapter.is_kube_apiserver
 
 # set result
@@ -20,4 +20,4 @@ finding(entity, value) = result if {
 rule_evaluation(entity, value) if {
 e := process_args[entity]
 lib_common.greater_or_equal(e, value)
-} else = false
+} else := false