diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_10/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_10/rule.rego
index 89bbe9e8eb..d38d03902f 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_10/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_10/rule.rego
@@ -6,7 +6,7 @@ import data.compliance.policy.aws_iam.ensure_enabled_mfa as audit
 import future.keywords.if
 # Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password.
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_iam_user
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_10/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_10/test.rego
index b5efde0e48..9e3a200381 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_10/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_10/test.rego
@@ -19,7 +19,7 @@ test_not_evaluated if {
 not_eval with input as test_data.not_evaluated_iam_user
 }
-rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) = test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
+rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) := test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_11/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_11/rule.rego
index fa88db2ace..e4eda87922 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_11/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_11/rule.rego
@@ -6,7 +6,7 @@ import data.compliance.policy.aws_iam.ensure_access_keys_use as audit
 import future.keywords.if
 # Do not setup access keys during initial user setup for all IAM users that have a console password.
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_iam_user
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_11/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_11/test.rego
index e616479a02..71c2b5a8cf 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_11/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_11/test.rego
@@ -22,7 +22,7 @@ test_not_evaluated if {
 not_eval with input as test_data.not_evaluated_iam_user
 }
-rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) = test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
+rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) := test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_12/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_12/rule.rego
index 1654e7b4fd..d002cdcd4d 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_12/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_12/rule.rego
@@ -6,7 +6,7 @@ import data.compliance.policy.aws_iam.validate_credentials as audit
 import future.keywords.if
 # Ensure credentials unused for 45 days or greater are disabled
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_iam_user
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_12/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_12/test.rego
index 483ef72d34..ca8977ce6e 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_12/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_12/test.rego
@@ -29,7 +29,7 @@ test_not_evaluated if {
 not_eval with input as test_data.not_evaluated_iam_user
 }
-rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) = test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
+rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) := test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_13/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_13/rule.rego
index 2a0b9041c3..71b079cc8b 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_13/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_13/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.aws_iam.data_adapter
 import future.keywords.if
 # Ensure that there is only a single active access key per user.
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_iam_user
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_13/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_13/test.rego
index 8a06f8f8e7..f61f900496 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_13/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_13/test.rego
@@ -20,7 +20,7 @@ test_not_evaluated if {
 not_eval with input as test_data.not_evaluated_iam_user
 }
-rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) = test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
+rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) := test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_14/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_14/rule.rego
index 9869619e1f..2868b90cd7 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_14/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_14/rule.rego
@@ -6,7 +6,7 @@ import data.compliance.policy.aws_iam.verify_keys_rotation as audit
 import future.keywords.if
 # Ensure access keys are rotated every 90 days or less
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_iam_user
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_14/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_14/test.rego
index da192c230f..fb8a8fc5b9 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_14/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_14/test.rego
@@ -21,7 +21,7 @@ test_not_evaluated if {
 not_eval with input as test_data.not_evaluated_iam_user
 }
-rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) = test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
+rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) := test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_15/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_15/rule.rego
index 121cc10856..72f2b29321 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_15/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_15/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.aws_iam.data_adapter
 import future.keywords.if
 # Ensure IAM Users Receive Permissions Only Through Groups
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_iam_user
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_15/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_15/test.rego
index 869badf607..539c8f7746 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_15/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_15/test.rego
@@ -19,7 +19,7 @@ test_not_evaluated if {
 not_eval with input as test_data.not_evaluated_iam_user
 }
-rule_input(inline_policies, attached_policies) = test_data.generate_iam_user_with_policies(inline_policies, attached_policies)
+rule_input(inline_policies, attached_policies) := test_data.generate_iam_user_with_policies(inline_policies, attached_policies)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_16/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_16/rule.rego
index 97e76984b1..a2e122f592 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_16/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_16/rule.rego
@@ -22,4 +22,4 @@ policy_is_permissive if {
 statement.Effect == "Allow"
 "*" in common.ensure_array(statement.Action)
 "*" in common.ensure_array(statement.Resource)
-} else = false
+} else := false
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_16/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_16/test.rego
index 3b83ef8a01..ae1714438e 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_16/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_16/test.rego
@@ -4,7 +4,7 @@ import data.compliance.cis_aws.data_adapter
 import data.lib.test
 import future.keywords.if
-generate_input(statements) = {
+generate_input(statements) := {
 "subType": "aws-policy",
 "resource": {"document": {"Statement": statements}},
 }
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_17/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_17/rule.rego
index 38fa4f70dc..ddaa290c6f 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_17/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_17/rule.rego
@@ -6,7 +6,7 @@ import future.keywords.if
 import future.keywords.in
 # Ensure a support role has been created to manage incidents with AWS Support
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_aws_support_access
@@ -22,4 +22,4 @@ aws_support_has_attached_roles if {
 # a sanity test.
 some role in data_adapter.roles
 role.RoleId != ""
-} else = false
+} else := false
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_17/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_17/test.rego
index 7233bc7739..3c0e502477 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_17/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_17/test.rego
@@ -4,7 +4,7 @@ import data.compliance.cis_aws.data_adapter
 import data.lib.test
 import future.keywords.if
-generate_input(roles) = {
+generate_input(roles) := {
 "subType": "aws-policy",
 "resource": {
 "Arn": "arn:aws:iam::aws:policy/AWSSupportAccess",
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_19/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_19/rule.rego
index a244e17894..c2757222d0 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_19/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_19/rule.rego
@@ -5,9 +5,9 @@ import data.compliance.policy.aws_iam.data_adapter
 import future.keywords.every
 import future.keywords.if
-default rule_evaluation = false
+default rule_evaluation := false
-finding = result if {
+finding := result if {
 data_adapter.is_server_certificate
 result := common.generate_result_without_expected(
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_19/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_19/test.rego
index 56fe04eaa1..b017c9f2be 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_19/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_19/test.rego
@@ -5,16 +5,16 @@ import data.compliance.lib.common
 import data.lib.test
 import future.keywords.if
-generate_certificate_resource(certificates) = {
+generate_certificate_resource(certificates) := {
 "subType": "aws-iam-server-certificate",
 "resource": {"certificates": certificates},
 }
-generate_expiration(expiration) = {"Expiration": expiration}
+generate_expiration(expiration) := {"Expiration": expiration}
-last_year = common.create_date_from_ns(time.add_date(time.now_ns(), -1, 0, 0))
+last_year := common.create_date_from_ns(time.add_date(time.now_ns(), -1, 0, 0))
-next_year = common.create_date_from_ns(time.add_date(time.now_ns(), 1, 0, 0))
+next_year := common.create_date_from_ns(time.add_date(time.now_ns(), 1, 0, 0))
 test_violation if {
 # fails when an expired certificate exists
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_20/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_20/rule.rego
index 2c071b43f3..a9900e451c 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_20/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_20/rule.rego
@@ -7,7 +7,7 @@ import future.keywords.if
 import future.keywords.in
 # Ensure that IAM Access analyzer is enabled for all regions
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_access_analyzers
@@ -24,4 +24,4 @@ analyzer_exists if {
 analyzer.Region == region
 analyzer.Status == "ACTIVE"
 }
-} else = false
+} else := false
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_20/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_20/test.rego
index f53b16df0a..2650c9a39e 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_20/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_20/test.rego
@@ -4,7 +4,7 @@ import data.compliance.cis_aws.data_adapter
 import data.lib.test
 import future.keywords.if
-generate_input(analyzers, regions) = {
+generate_input(analyzers, regions) := {
 "type": "identity-management",
 "subType": "aws-access-analyzers",
 "resource": {
@@ -13,7 +13,7 @@ generate_input(analyzers, regions) = {
 },
 }
-analyzer(arn, status, region) = {
+analyzer(arn, status, region) := {
 "Arn": arn,
 "CreatedAt": "2023-01-09T15:06:39Z",
 "Name": "Analyzer",
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_4/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_4/rule.rego
index a77c7b6860..ce24d50e91 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_4/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_4/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.aws_iam.data_adapter
 import future.keywords.if
 # Ensure no 'root' user account access key exists.
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_root_user
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_4/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_4/test.rego
index 037efaebb3..1e8bd6d910 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_4/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_4/test.rego
@@ -20,7 +20,7 @@ test_not_evaluated if {
 not_eval with input as test_data.not_evaluated_iam_user
 }
-rule_input(access_keys, mfa_active, last_access, mfa_devices) = test_data.generate_root_user(access_keys, mfa_active, last_access, mfa_devices)
+rule_input(access_keys, mfa_active, last_access, mfa_devices) := test_data.generate_root_user(access_keys, mfa_active, last_access, mfa_devices)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_5/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_5/rule.rego
index ce30b9f08e..c46d784fa9 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_5/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_5/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.aws_iam.data_adapter
 import future.keywords.if
 # Ensure MFA is enabled for the 'root' user account.
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_root_user
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_5/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_5/test.rego
index 203faa0de2..cf9f039335 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_5/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_5/test.rego
@@ -17,7 +17,7 @@ test_not_evaluated if {
 not_eval with input as test_data.not_evaluated_iam_user
 }
-rule_input(access_keys, mfa_active, last_access, mfa_devices) = test_data.generate_root_user(access_keys, mfa_active, last_access, mfa_devices)
+rule_input(access_keys, mfa_active, last_access, mfa_devices) := test_data.generate_root_user(access_keys, mfa_active, last_access, mfa_devices)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_6/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_6/rule.rego
index 74591a865d..5394b6d30b 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_6/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_6/rule.rego
@@ -6,7 +6,7 @@ import data.compliance.policy.aws_iam.ensure_hardware_mfa as audit
 import future.keywords.if
 # Ensure hardware MFA is enabled for the 'root' user account.
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_root_user
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_6/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_6/test.rego
index 922a323837..802e52c76b 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_6/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_6/test.rego
@@ -19,7 +19,7 @@ test_not_evaluated if {
 not_eval with input as test_data.not_evaluated_iam_user
 }
-rule_input(access_keys, mfa_active, last_access, mfa_devices) = test_data.generate_root_user(access_keys, mfa_active, last_access, mfa_devices)
+rule_input(access_keys, mfa_active, last_access, mfa_devices) := test_data.generate_root_user(access_keys, mfa_active, last_access, mfa_devices)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_7/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_7/rule.rego
index 38151509c6..6cf2e74294 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_7/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_7/rule.rego
@@ -7,7 +7,7 @@ import future.keywords.if
 # Eliminate use of the 'root' user for administrative and daily tasks
 # daily interpret as a day (24h)
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_root_user
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_7/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_7/test.rego
index 59dcaba930..1a903eeca1 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_7/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_7/test.rego
@@ -23,7 +23,7 @@ test_not_evaluated if {
 not_eval with input as test_data.not_evaluated_iam_user
 }
-rule_input(access_keys, mfa_active, last_access, mfa_devices) = test_data.generate_root_user(access_keys, mfa_active, last_access, mfa_devices)
+rule_input(access_keys, mfa_active, last_access, mfa_devices) := test_data.generate_root_user(access_keys, mfa_active, last_access, mfa_devices)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_8/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_8/rule.rego
index 4dec8789db..a4be3e1383 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_8/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_8/rule.rego
@@ -4,9 +4,9 @@ import data.compliance.lib.common
 import data.compliance.policy.aws_iam.data_adapter
 import future.keywords.if
-default rule_evaluation = false
+default rule_evaluation := false
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_pwd_policy
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_8/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_8/test.rego
index 962141ecac..f9990c44ae 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_8/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_8/test.rego
@@ -19,7 +19,7 @@ test_not_evaluated if {
 not_eval with input as test_data.not_evaluated_pwd_policy
 }
-rule_input(pwd_len, reuse_count) = test_data.generate_password_policy(pwd_len, reuse_count)
+rule_input(pwd_len, reuse_count) := test_data.generate_password_policy(pwd_len, reuse_count)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_9/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_9/rule.rego
index 5ad476fb21..35c428734a 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_9/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_9/rule.rego
@@ -4,10 +4,10 @@ import data.compliance.lib.common
 import data.compliance.policy.aws_iam.data_adapter
 import future.keywords.if
-default rule_evaluation = false
+default rule_evaluation := false
 # Ensure that the number of previous passwords that IAM users are prevented from reusing is 24.
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_pwd_policy
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_9/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_9/test.rego
index 02ee9f88d1..a517805653 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_1_9/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_1_9/test.rego
@@ -18,7 +18,7 @@ test_not_evaluated if {
 not_eval with input as test_data.not_evaluated_pwd_policy
 }
-rule_input(pwd_len, reuse_count) = test_data.generate_password_policy(pwd_len, reuse_count)
+rule_input(pwd_len, reuse_count) := test_data.generate_password_policy(pwd_len, reuse_count)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_1/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_1/rule.rego
index 7e753e6e53..f9591c4586 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_1/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_1/rule.rego
@@ -2,4 +2,4 @@ package compliance.cis_aws.rules.cis_2_1_1
 import data.compliance.policy.aws_s3.ensure_encryption_at_rest as audit
-finding = audit.finding
+finding := audit.finding
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_1/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_1/test.rego
index 287098a5b3..b99122c509 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_1/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_1/test.rego
@@ -21,7 +21,7 @@ test_not_evaluated if {
 not_eval with input as rule_input("my bucket", null)
 }
-rule_input(name, sse_algorithm) = test_data.generate_s3_bucket(name, sse_algorithm, null, null, null, null)
+rule_input(name, sse_algorithm) := test_data.generate_s3_bucket(name, sse_algorithm, null, null, null, null)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_2/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_2/rule.rego
index 5a987ea8d9..a898e8bcc8 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_2/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_2/rule.rego
@@ -2,4 +2,4 @@ package compliance.cis_aws.rules.cis_2_1_2
 import data.compliance.policy.aws_s3.ensure_bucket_policy_deny_http as audit
-finding = audit.finding
+finding := audit.finding
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_2/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_2/test.rego
index 30cbea25fa..a941772a80 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_2/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_2/test.rego
@@ -36,7 +36,7 @@ test_not_evaluated if {
 not_eval with input as test_data.s3_bucket_without_policy
 }
-rule_input(effect, principal, action, is_secure_transport) = test_data.generate_s3_bucket("Bucket", "", [test_data.generate_s3_bucket_policy_statement(effect, principal, action, is_secure_transport)], null, null, null)
+rule_input(effect, principal, action, is_secure_transport) := test_data.generate_s3_bucket("Bucket", "", [test_data.generate_s3_bucket_policy_statement(effect, principal, action, is_secure_transport)], null, null, null)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_3/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_3/rule.rego
index 03898c3fb5..375c4e0da4 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_3/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_3/rule.rego
@@ -2,4 +2,4 @@ package compliance.cis_aws.rules.cis_2_1_3
 import data.compliance.policy.aws_s3.ensure_mfa_delete_enabled as audit
-finding = audit.finding
+finding := audit.finding
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_3/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_3/test.rego
index 72e8374d72..bdb1651e40 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_3/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_3/test.rego
@@ -20,7 +20,7 @@ test_not_evaluated if {
 not_eval with input as test_data.generate_s3_bucket("Bucket", "", null, null, null, null)
 }
-rule_input(enabled, mfa_delete) = test_data.generate_s3_bucket("Bucket", "", null, test_data.generate_s3_bucket_versioning(enabled, mfa_delete), null, null)
+rule_input(enabled, mfa_delete) := test_data.generate_s3_bucket("Bucket", "", null, test_data.generate_s3_bucket_versioning(enabled, mfa_delete), null, null)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_5/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_5/rule.rego
index a471a0c603..847665ed3d 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_5/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_5/rule.rego
@@ -2,4 +2,4 @@ package compliance.cis_aws.rules.cis_2_1_5
 import data.compliance.policy.aws_s3.ensure_block_public_access as audit
-finding = audit.finding
+finding := audit.finding
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_5/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_5/test.rego
index d1b7d93d9a..d05e736832 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_5/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_2_1_5/test.rego
@@ -41,7 +41,7 @@ test_not_evaluated if {
 not_eval with input as test_data.not_evaluated_s3_bucket
 }
-rule_input(block_public_acls, block_public_policy, ignore_public_acls, restrict_public_buckets, account_block_public_acls, account_block_public_policy, account_ignore_public_acls, account_restrict_public_buckets) = test_data.generate_s3_bucket("Bucket", "", null, null, test_data.generate_s3_public_access_block_configuration(block_public_acls, block_public_policy, ignore_public_acls, restrict_public_buckets), test_data.generate_s3_public_access_block_configuration(account_block_public_acls, account_block_public_policy, account_ignore_public_acls, account_restrict_public_buckets))
+rule_input(block_public_acls, block_public_policy, ignore_public_acls, restrict_public_buckets, account_block_public_acls, account_block_public_policy, account_ignore_public_acls, account_restrict_public_buckets) := test_data.generate_s3_bucket("Bucket", "", null, null, test_data.generate_s3_public_access_block_configuration(block_public_acls, block_public_policy, ignore_public_acls, restrict_public_buckets), test_data.generate_s3_public_access_block_configuration(account_block_public_acls, account_block_public_policy, account_ignore_public_acls, account_restrict_public_buckets))
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_2_2_1/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_2_2_1/rule.rego
index e1aa7fa419..a38a683991 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_2_2_1/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_2_2_1/rule.rego
@@ -4,10 +4,10 @@ import data.compliance.lib.common
 import data.compliance.policy.aws_ec2.data_adapter
 import future.keywords.if
-default rule_evaluation = false
+default rule_evaluation := false
 # Ensure EBS Volume Encryption is Enabled in all Regions
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_ebs_policy
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_2_2_1/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_2_2_1/test.rego
index 422d25ff3a..8d8114e5fb 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_2_2_1/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_2_2_1/test.rego
@@ -18,7 +18,7 @@ test_not_evaluated if {
 not_eval with input as test_data.not_evaluated_trail
 }
-rule_input(encryption_enabled) = test_data.generate_ebs_encryption_resource(encryption_enabled)
+rule_input(encryption_enabled) := test_data.generate_ebs_encryption_resource(encryption_enabled)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_1/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_1/rule.rego
index c73115ab90..f6a4204435 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_1/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_1/rule.rego
@@ -4,7 +4,7 @@ import data.compliance.lib.common as lib_common
 import data.compliance.policy.aws_rds.data_adapter
 import future.keywords.if
-finding = result if {
+finding := result if {
 data_adapter.is_rds
 result := lib_common.generate_result_without_expected(
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_1/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_1/test.rego
index c86a779f15..bc42b26c74 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_1/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_1/test.rego
@@ -17,7 +17,7 @@ test_not_evaluated if {
 not_eval with input as test_data.not_evaluated_rds_db_instance
 }
-rule_input(encryption_enabled) = test_data.generate_rds_db_instance(encryption_enabled, true, false, [])
+rule_input(encryption_enabled) := test_data.generate_rds_db_instance(encryption_enabled, true, false, [])
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_2/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_2/rule.rego
index 7e2e7d5f8e..ad1e567f1c 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_2/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_2/rule.rego
@@ -4,7 +4,7 @@ import data.compliance.lib.common as lib_common
 import data.compliance.policy.aws_rds.data_adapter
 import future.keywords.if
-finding = result if {
+finding := result if {
 data_adapter.is_rds
 result := lib_common.generate_result_without_expected(
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_2/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_2/test.rego
index a13e12c514..9d58eef07e 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_2/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_2/test.rego
@@ -17,7 +17,7 @@ test_not_evaluated if {
 not_eval with input as test_data.not_evaluated_rds_db_instance
 }
-rule_input(auto_minor_version_upgrade_enabled) = test_data.generate_rds_db_instance(true, auto_minor_version_upgrade_enabled, false, [])
+rule_input(auto_minor_version_upgrade_enabled) := test_data.generate_rds_db_instance(true, auto_minor_version_upgrade_enabled, false, [])
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_3/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_3/rule.rego
index 99c033d6a8..7413a22bf2 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_3/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_3/rule.rego
@@ -2,4 +2,4 @@ package compliance.cis_aws.rules.cis_2_3_3
 import data.compliance.policy.aws_rds.ensure_no_public_access as audit
-finding = audit.finding
+finding := audit.finding
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_3/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_3/test.rego
index c889dc5afe..76ee103095 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_3/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_2_3_3/test.rego
@@ -37,7 +37,7 @@ test_not_evaluated if {
 not_eval with input as rule_input(true, [test_data.generate_rds_db_instance_subnet_with_route("0.0.0.0/0", "igw-12345678"), {"ID": "subnet-abcdef12", "RouteTable": null}])
 }
-rule_input(publicly_accessible, subnets) = test_data.generate_rds_db_instance(true, true, publicly_accessible, subnets)
+rule_input(publicly_accessible, subnets) := test_data.generate_rds_db_instance(true, true, publicly_accessible, subnets)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_3_1/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_3_1/rule.rego
index c17be9f1e7..b51a88c8c9 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_3_1/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_3_1/rule.rego
@@ -5,9 +5,9 @@ import data.compliance.policy.aws_cloudtrail.data_adapter
 import data.compliance.policy.aws_cloudtrail.trail
 import future.keywords.if
-default rule_evaluation = false
+default rule_evaluation := false
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_multi_trails_type
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_3_1/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_3_1/test.rego
index 358d4511c7..c7ada03895 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_3_1/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_3_1/test.rego
@@ -59,7 +59,7 @@ test_pass if {
 ])
 }
-rule_input(entry) = test_data.generate_monitoring_resources(entry)
+rule_input(entry) := test_data.generate_monitoring_resources(entry)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_3_10/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_3_10/rule.rego
index 59107bdfef..ac086cfe32 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_3_10/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_3_10/rule.rego
@@ -6,7 +6,7 @@ import data.compliance.policy.aws_cloudtrail.verify_s3_object_logging as audit
 import future.keywords.if
 # Ensure that Object-level logging for write events is enabled for S3 bucket.
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_single_trail
@@ -17,4 +17,4 @@ finding = result if {
 )
 }
-rule_evaluation = audit.ensure_s3_object_logging(["All", "WriteOnly"])
+rule_evaluation := audit.ensure_s3_object_logging(["All", "WriteOnly"])
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_3_10/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_3_10/test.rego
index 50cb0c4476..b76d47b15a 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_3_10/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_3_10/test.rego
@@ -5,9 +5,9 @@ import data.compliance.cis_aws.data_adapter
 import data.lib.test
 import future.keywords.if
-s3_object_type = "AWS::S3::Object"
+s3_object_type := "AWS::S3::Object"
-not_s3_object_type = "AWS::S3ObjectLambda::AccessPoint"
+not_s3_object_type := "AWS::S3ObjectLambda::AccessPoint"
 test_violation if {
 eval_fail with input as rule_input(null, true)
@@ -30,7 +30,7 @@ test_not_evaluated if {
 not_eval with input as test_data.not_evaluated_trail
 }
-rule_input(entries, is_multi_region) = test_data.generate_event_selectors(entries, is_multi_region)
+rule_input(entries, is_multi_region) := test_data.generate_event_selectors(entries, is_multi_region)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_3_11/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_3_11/rule.rego
index 7ef6129417..e627be090b 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_3_11/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_3_11/rule.rego
@@ -6,7 +6,7 @@ import data.compliance.policy.aws_cloudtrail.verify_s3_object_logging as audit
 import future.keywords.if
 # Ensure that Object-level logging for read events is enabled for S3 bucket.
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_single_trail
@@ -17,4 +17,4 @@ finding = result if {
 )
 }
-rule_eveluation = audit.ensure_s3_object_logging(["All", "ReadOnly"])
+rule_eveluation := audit.ensure_s3_object_logging(["All", "ReadOnly"])
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_3_11/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_3_11/test.rego
index b2cdac4651..dc5f3bb3d3 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_3_11/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_3_11/test.rego
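Review bot: The rule name `rule_eveluation` in the second hunk of cis_3_11/rule.rego is misspelled, and the commit carries the typo over into the `:=` form; the parallel write-event rule in cis_3_10/rule.rego defines `rule_evaluation`. The `finding` body that consumes it lies outside the hunk, so I cannot see which spelling it references: if it uses `rule_evaluation`, that name is undefined in this package and the read-event check would never contribute to the finding, and if it uses the misspelled name the rule works but diverges from every sibling. Since this commit already touches the line, renaming it to `rule_evaluation := audit.ensure_s3_object_logging(["All", "ReadOnly"])` (and any reference in the `finding` body) would be the natural moment to align it.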
@@ -5,9 +5,9 @@ import data.compliance.cis_aws.data_adapter
 import data.lib.test
 import future.keywords.if
-s3_object_type = "AWS::S3::Object"
+s3_object_type := "AWS::S3::Object"
-not_s3_object_type = "AWS::S3ObjectLambda::AccessPoint"
+not_s3_object_type := "AWS::S3ObjectLambda::AccessPoint"
 test_violation if {
 eval_fail with input as rule_input(null, true)
@@ -30,7 +30,7 @@ test_not_evaluated if {
 not_eval with input as test_data.not_evaluated_trail
 }
-rule_input(entries, is_multi_region) = test_data.generate_event_selectors(entries, is_multi_region)
+rule_input(entries, is_multi_region) := test_data.generate_event_selectors(entries, is_multi_region)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_3_2/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_3_2/rule.rego
index a4a74dcfab..f35e53ee97 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_3_2/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_3_2/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.aws_cloudtrail.data_adapter
 import future.keywords.if
 # Ensure CloudTrail log file validation is enabled.
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_single_trail
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_3_2/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_3_2/test.rego
index ea15622f71..4b7a2d73b7 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_3_2/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_3_2/test.rego
@@ -17,7 +17,7 @@ test_not_evaluated if {
 not_eval with input as test_data.not_evaluated_trail
 }
-rule_input(is_log_validation_enabled, cloudwatch_log_group_arn, log_delivery_time, is_bucket_logging_enabled, kms_key_id) = test_data.generate_enriched_trail(is_log_validation_enabled, cloudwatch_log_group_arn, log_delivery_time, is_bucket_logging_enabled, kms_key_id)
+rule_input(is_log_validation_enabled, cloudwatch_log_group_arn, log_delivery_time, is_bucket_logging_enabled, kms_key_id) := test_data.generate_enriched_trail(is_log_validation_enabled, cloudwatch_log_group_arn, log_delivery_time, is_bucket_logging_enabled, kms_key_id)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_3_3/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_3_3/rule.rego
index 5e1b9c8362..5a38e9757c 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_3_3/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_3_3/rule.rego
@@ -6,7 +6,7 @@ import data.compliance.policy.aws_cloudtrail.no_public_bucket_access as audit
 import future.keywords.if
 # Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible.
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_single_trail
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_3_3/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_3_3/test.rego
index 176436dabc..2a902d76d7 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_3_3/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_3_3/test.rego
@@ -5,9 +5,9 @@ import data.compliance.cis_aws.data_adapter
 import data.lib.test
 import future.keywords.if
-forbidden_principal1 = "http://acs.amazonaws.com/groups/global/AllUsers"
+forbidden_principal1 := "http://acs.amazonaws.com/groups/global/AllUsers"
-forbidden_principal2 = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
+forbidden_principal2 := "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
 test_violation if {
 # Fail with forbidden principal
@@ -40,7 +40,7 @@ test_not_evaluated if {
 not_eval with input as test_data.not_evaluated_trail
 }
-rule_input(principal_uri, policy_statement) = test_data.generate_trail_bucket_info(principal_uri, policy_statement)
+rule_input(principal_uri, policy_statement) := test_data.generate_trail_bucket_info(principal_uri, policy_statement)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_3_4/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_3_4/rule.rego
index 8fcef08f8c..69ec52106c 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_3_4/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_3_4/rule.rego
@@ -6,7 +6,7 @@ import data.compliance.policy.aws_cloudtrail.ensure_cloudwatch as audit
 import future.keywords.if
 # Ensure CloudTrail trails are integrated with CloudWatch Logs.
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_single_trail
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_3_4/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_3_4/test.rego
index ede8188400..84631b5ead 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_3_4/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_3_4/test.rego
@@ -22,7 +22,7 @@ test_not_evaluated if {
 not_eval with input as test_data.not_evaluated_trail
 }
-rule_input(is_log_validation_enabled, cloudwatch_log_group_arn, log_delivery_time, is_bucket_logging_enabled, kms_key_id) = test_data.generate_enriched_trail(is_log_validation_enabled, cloudwatch_log_group_arn, log_delivery_time, is_bucket_logging_enabled, kms_key_id)
+rule_input(is_log_validation_enabled, cloudwatch_log_group_arn, log_delivery_time, is_bucket_logging_enabled, kms_key_id) := test_data.generate_enriched_trail(is_log_validation_enabled, cloudwatch_log_group_arn, log_delivery_time, is_bucket_logging_enabled, kms_key_id)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_3_5/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_3_5/rule.rego
index e6ecbfd525..40ed2464f4 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_3_5/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_3_5/rule.rego
@@ -2,4 +2,4 @@ package compliance.cis_aws.rules.cis_3_5
 import data.compliance.policy.aws_config.ensure_config_enabled as audit
-finding = audit.finding
+finding := audit.finding
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_3_5/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_3_5/test.rego
index 228e0a5c74..60d759139f 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_3_5/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_3_5/test.rego
@@ -6,7 +6,7 @@ import data.compliance.policy.aws_config.ensure_config_enabled as audit
 import data.lib.test
 import future.keywords.if
-finding = audit.finding
+finding := audit.finding
 test_violation if {
 # single region, single recorder config
@@ -29,7 +29,7 @@ test_not_evaluated if {
 not_eval with input as test_data.not_evaluated_trail
 }
-rule_input(all_supported_enabled, include_global_resource_types_enabled) = test_data.generate_aws_configservice_with_resource([{"recorders": [test_data.generate_aws_configservice_recorder(all_supported_enabled, include_global_resource_types_enabled)]}])
+rule_input(all_supported_enabled, include_global_resource_types_enabled) := test_data.generate_aws_configservice_with_resource([{"recorders": [test_data.generate_aws_configservice_recorder(all_supported_enabled, include_global_resource_types_enabled)]}])
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_3_6/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_3_6/rule.rego
index 372a595f05..b6ff7e3a69 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_3_6/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_3_6/rule.rego
@@ -4,14 +4,14 @@ import data.compliance.lib.common
 import data.compliance.policy.aws_cloudtrail.data_adapter
 import future.keywords.if
-default rule_evaluation = false
+default rule_evaluation := false
 rule_evaluation if {
 data_adapter.trail_bucket_info.logging.Enabled == true
 }
 # Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_single_trail
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_3_6/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_3_6/test.rego
index b734cce7b9..78ae6e241b 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_3_6/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_3_6/test.rego
@@ -19,7 +19,7 @@ test_not_evaluated if {
 not_eval with input as test_data.not_evaluated_trail
 }
-rule_input(is_log_validation_enabled, cloudwatch_log_group_arn, log_delivery_time, is_bucket_logging_enabled, kms_key_id) = test_data.generate_enriched_trail(is_log_validation_enabled, cloudwatch_log_group_arn, log_delivery_time, is_bucket_logging_enabled, kms_key_id)
+rule_input(is_log_validation_enabled, cloudwatch_log_group_arn, log_delivery_time, is_bucket_logging_enabled, kms_key_id) := test_data.generate_enriched_trail(is_log_validation_enabled, cloudwatch_log_group_arn, log_delivery_time, is_bucket_logging_enabled, kms_key_id)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_3_7/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_3_7/rule.rego
index d8174e5ca0..8aa8f71907 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_3_7/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_3_7/rule.rego
@@ -4,10 +4,10 @@ import data.compliance.lib.common
 import data.compliance.policy.aws_cloudtrail.data_adapter
 import future.keywords.if
-default rule_evaluation = false
+default rule_evaluation := false
 # Ensure CloudTrail logs are encrypted at rest using KMS CMKs.
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_single_trail
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_3_7/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_3_7/test.rego
index 29eb343e20..f19a57c9f5 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_3_7/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_3_7/test.rego
@@ -18,7 +18,7 @@ test_not_evaluated if {
 not_eval with input as test_data.not_evaluated_trail
 }
-rule_input(is_log_validation_enabled, cloudwatch_log_group_arn, log_delivery_time, is_bucket_logging_enabled, kms_key_id) = test_data.generate_enriched_trail(is_log_validation_enabled, cloudwatch_log_group_arn, log_delivery_time, is_bucket_logging_enabled, kms_key_id)
+rule_input(is_log_validation_enabled, cloudwatch_log_group_arn, log_delivery_time, is_bucket_logging_enabled, kms_key_id) := test_data.generate_enriched_trail(is_log_validation_enabled, cloudwatch_log_group_arn, log_delivery_time, is_bucket_logging_enabled, kms_key_id)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_3_8/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_3_8/rule.rego
index ae4a5b367c..a33644d23d 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_3_8/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_3_8/rule.rego
@@ -2,4 +2,4 @@ package compliance.cis_aws.rules.cis_3_8
 import data.compliance.policy.aws_kms.ensure_symmetric_key_rotation_enabled as audit
-finding = audit.finding
+finding := audit.finding
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_3_8/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_3_8/test.rego
index 70d83199c1..36265d5764 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_3_8/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_3_8/test.rego
@@ -6,7 +6,7 @@ import data.compliance.policy.aws_kms.ensure_symmetric_key_rotation_enabled as a
 import data.lib.test
 import future.keywords.if
-finding = audit.finding
+finding := audit.finding
 test_violation if {
 eval_fail with input as rule_input(false)
@@ -20,7 +20,7 @@ test_not_evaluated if {
 not_eval with input as test_data.not_evaluated_trail
 }
-rule_input(symmetric_default_enabled) = test_data.generate_kms_resource(symmetric_default_enabled)
+rule_input(symmetric_default_enabled) := test_data.generate_kms_resource(symmetric_default_enabled)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_3_9/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_3_9/rule.rego
index 3a0b25d49a..5577083213 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_3_9/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_3_9/rule.rego
@@ -4,10 +4,10 @@ import data.compliance.lib.common
 import data.compliance.policy.aws_ec2.data_adapter
 import future.keywords.if
-default rule_evaluation = false
+default rule_evaluation := false
 # Ensure VPC flow logging is enabled in all VPCs.
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_vpc_policy
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_3_9/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_3_9/test.rego
index d3ad676fc3..cf8b038c69 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_3_9/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_3_9/test.rego
@@ -18,7 +18,7 @@ test_not_evaluated if {
 not_eval with input as test_data.not_evaluated_trail
 }
-rule_input(flow_logs) = test_data.generate_vpc_resource(flow_logs)
+rule_input(flow_logs) := test_data.generate_vpc_resource(flow_logs)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_1/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_1/rule.rego
index 5a587c2126..fe92fc94eb 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_1/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_1/rule.rego
@@ -6,9 +6,9 @@ import data.compliance.policy.aws_cloudtrail.pattern
 import data.compliance.policy.aws_cloudtrail.trail
 import future.keywords.if
-default rule_evaluation = false
+default rule_evaluation := false
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_multi_trails_type
@@ -20,11 +20,11 @@ finding = result if {
 }
 # { ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") || ($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") || ($.eventName!=\"HeadBucket\") }
-required_pattern = pattern.complex_expression("||", [
+required_pattern := pattern.complex_expression("||", [
 pattern.simple_expression("$.errorCode", "=", "\"*UnauthorizedOperation\""),
 pattern.simple_expression("$.errorCode", "=", "\"AccessDenied*\""),
 pattern.simple_expression("$.sourceIPAddress", "!=", "\"delivery.logs.amazonaws.com\""),
 pattern.simple_expression("$.eventName", "!=", "\"HeadBucket\""),
 ])
-rule_evaluation = trail.at_least_one_trail_satisfied([required_pattern])
+rule_evaluation := trail.at_least_one_trail_satisfied([required_pattern])
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_1/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_1/test.rego
index 8486da3507..e5426ac7a5 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_1/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_1/test.rego
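Review bot: The second hunk of cis_4_1/rule.rego keeps the singular `required_pattern` and wraps it at the call site, `trail.at_least_one_trail_satisfied([required_pattern])`, whereas every other metric-filter rule in this commit (cis_4_10 through cis_4_15) defines `required_patterns` as a list and passes it straight through. This is a style point only, since the two forms are equivalent, but the asymmetry makes the family of rules harder to scan and diff against each other. Changing the two lines to `required_patterns := [pattern.complex_expression("||", [` and `rule_evaluation := trail.at_least_one_trail_satisfied(required_patterns)` (with the matching `])]` close) would align the file with its siblings.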
@@ -6,21 +6,21 @@ import data.compliance.policy.aws_cloudtrail.pattern
 import data.lib.test
 import future.keywords.if
-equal_pattern = pattern.complex_expression("||", [
+equal_pattern := pattern.complex_expression("||", [
 pattern.simple_expression("$.errorCode", "=", "\"*UnauthorizedOperation\""),
 pattern.simple_expression("$.errorCode", "=", "\"AccessDenied*\""),
 pattern.simple_expression("$.sourceIPAddress", "!=", "\"delivery.logs.amazonaws.com\""),
 pattern.simple_expression("$.eventName", "!=", "\"HeadBucket\""),
 ])
-valid_different_order_pattern = pattern.complex_expression("||", [
+valid_different_order_pattern := pattern.complex_expression("||", [
 pattern.simple_expression("$.eventName", "!=", "\"HeadBucket\""),
 pattern.simple_expression("$.errorCode", "=", "\"AccessDenied*\""),
 pattern.simple_expression("\"delivery.logs.amazonaws.com\"", "!=", "$.sourceIPAddress"),
 pattern.simple_expression("$.errorCode", "=", "\"*UnauthorizedOperation\""),
 ])
-missing_wildcard_pattern = pattern.complex_expression("||", [
+missing_wildcard_pattern := pattern.complex_expression("||", [
 pattern.simple_expression("$.errorCode", "=", "\"UnauthorizedOperation\""),
 pattern.simple_expression("$.errorCode", "=", "\"AccessDenied*\""),
 pattern.simple_expression("$.sourceIPAddress", "!=", "\"delivery.logs.amazonaws.com\""),
@@ -189,7 +189,7 @@ test_pass if {
 ])
 }
-rule_input(entry) = test_data.generate_monitoring_resources(entry)
+rule_input(entry) := test_data.generate_monitoring_resources(entry)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_10/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_10/rule.rego
index 1bc26ebafa..1d914c888b 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_10/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_10/rule.rego
@@ -6,9 +6,9 @@ import data.compliance.policy.aws_cloudtrail.pattern
 import data.compliance.policy.aws_cloudtrail.trail
 import future.keywords.if
-default rule_evaluation = false
+default rule_evaluation := false
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_multi_trails_type
@@ -20,7 +20,7 @@ finding = result if {
 }
 # { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }
-required_patterns = [pattern.complex_expression("||", [
+required_patterns := [pattern.complex_expression("||", [
 pattern.simple_expression("$.eventName", "=", "AuthorizeSecurityGroupIngress"),
 pattern.simple_expression("$.eventName", "=", "AuthorizeSecurityGroupEgress"),
 pattern.simple_expression("$.eventName", "=", "RevokeSecurityGroupIngress"),
@@ -29,4 +29,4 @@ required_patterns = [pattern.complex_expression("||", [
 pattern.simple_expression("$.eventName", "=", "DeleteSecurityGroup"),
 ])]
-rule_evaluation = trail.at_least_one_trail_satisfied(required_patterns)
+rule_evaluation := trail.at_least_one_trail_satisfied(required_patterns)
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_10/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_10/test.rego
index 03129b1685..2934c74dad 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_10/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_10/test.rego
@@ -29,7 +29,7 @@ test_pass if {
 }])
 }
-rule_input(entry) = test_data.generate_monitoring_resources(entry)
+rule_input(entry) := test_data.generate_monitoring_resources(entry)
 eval_pass if {
 test.assert_pass(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_11/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_11/rule.rego
index 32c95a3ade..2afafc8d36 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_11/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_11/rule.rego
@@ -6,9 +6,9 @@ import data.compliance.policy.aws_cloudtrail.pattern
 import data.compliance.policy.aws_cloudtrail.trail
 import future.keywords.if
-default rule_evaluation = false
+default rule_evaluation := false
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_multi_trails_type
@@ -20,7 +20,7 @@ finding = result if {
 }
 # { ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }
-required_patterns = [pattern.complex_expression("||", [
+required_patterns := [pattern.complex_expression("||", [
 pattern.simple_expression("$.eventName", "=", "CreateNetworkAcl"),
 pattern.simple_expression("$.eventName", "=", "CreateNetworkAclEntry"),
 pattern.simple_expression("$.eventName", "=", "DeleteNetworkAcl"),
@@ -29,4 +29,4 @@ required_patterns = [pattern.complex_expression("||", [
 pattern.simple_expression("$.eventName", "=", "ReplaceNetworkAclAssociation"),
 ])]
-rule_evaluation = trail.at_least_one_trail_satisfied(required_patterns)
+rule_evaluation := trail.at_least_one_trail_satisfied(required_patterns)
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_11/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_11/test.rego
index 86e334ca44..6717ed2be5 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_11/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_11/test.rego
@@ -30,7 +30,7 @@ test_pass if {
 }])
 }
-rule_input(entry) = test_data.generate_monitoring_resources(entry)
+rule_input(entry) := test_data.generate_monitoring_resources(entry)
 eval_pass if {
 test.assert_pass(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_12/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_12/rule.rego
index 59ac174e48..1326d448c3 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_12/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_12/rule.rego
@@ -6,9 +6,9 @@ import data.compliance.policy.aws_cloudtrail.pattern
 import data.compliance.policy.aws_cloudtrail.trail
 import future.keywords.if
-default rule_evaluation = false
+default rule_evaluation := false
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_multi_trails_type
@@ -20,7 +20,7 @@ finding = result if {
 }
 # { ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }
-required_patterns = [pattern.complex_expression("||", [
+required_patterns := [pattern.complex_expression("||", [
 pattern.simple_expression("$.eventName", "=", "CreateCustomerGateway"),
 pattern.simple_expression("$.eventName", "=", "DeleteCustomerGateway"),
 pattern.simple_expression("$.eventName", "=", "AttachInternetGateway"),
@@ -29,4 +29,4 @@ required_patterns = [pattern.complex_expression("||", [
 pattern.simple_expression("$.eventName", "=", "DetachInternetGateway"),
 ])]
-rule_evaluation = trail.at_least_one_trail_satisfied(required_patterns)
+rule_evaluation := trail.at_least_one_trail_satisfied(required_patterns)
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_12/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_12/test.rego
index ce29dc700e..a1b617c57a 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_12/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_12/test.rego
@@ -29,7 +29,7 @@ test_pass if {
 }])
 }
-rule_input(entry) = test_data.generate_monitoring_resources(entry)
+rule_input(entry) := test_data.generate_monitoring_resources(entry)
 eval_pass if {
 test.assert_pass(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_13/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_13/rule.rego
index 608479b6c8..1d458927b5 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_13/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_13/rule.rego
@@ -6,9 +6,9 @@ import data.compliance.policy.aws_cloudtrail.pattern
 import data.compliance.policy.aws_cloudtrail.trail
 import future.keywords.if
-default rule_evaluation = false
+default rule_evaluation := false
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_multi_trails_type
@@ -20,7 +20,7 @@ finding = result if {
 }
 # { ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }
-required_patterns = [pattern.complex_expression("||", [
+required_patterns := [pattern.complex_expression("||", [
 pattern.simple_expression("$.eventName", "=", "CreateRoute"),
 pattern.simple_expression("$.eventName", "=", "CreateRouteTable"),
 pattern.simple_expression("$.eventName", "=", "ReplaceRoute"),
@@ -30,4 +30,4 @@ required_patterns = [pattern.complex_expression("||", [
 pattern.simple_expression("$.eventName", "=", "DisassociateRouteTable"),
 ])]
-rule_evaluation = trail.at_least_one_trail_satisfied(required_patterns)
+rule_evaluation := trail.at_least_one_trail_satisfied(required_patterns)
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_13/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_13/test.rego
index caac3c635f..442e558bab 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_13/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_13/test.rego
@@ -30,7 +30,7 @@ test_pass if {
 }])
 }
-rule_input(entry) = test_data.generate_monitoring_resources(entry)
+rule_input(entry) := test_data.generate_monitoring_resources(entry)
 eval_pass if {
 test.assert_pass(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_14/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_14/rule.rego
index aadc10a73b..fb24494f1c 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_14/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_14/rule.rego
@@ -6,9 +6,9 @@ import data.compliance.policy.aws_cloudtrail.pattern
 import data.compliance.policy.aws_cloudtrail.trail
 import future.keywords.if
-default rule_evaluation = false
+default rule_evaluation := false
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_multi_trails_type
@@ -20,7 +20,7 @@ finding = result if {
 }
 # { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }
-required_patterns = [pattern.complex_expression("||", [
+required_patterns := [pattern.complex_expression("||", [
 pattern.simple_expression("$.eventName", "=", "CreateVpc"),
 pattern.simple_expression("$.eventName", "=", "DeleteVpc"),
 pattern.simple_expression("$.eventName", "=", "ModifyVpcAttribute"),
@@ -34,4 +34,4 @@ required_patterns = [pattern.complex_expression("||", [
 pattern.simple_expression("$.eventName", "=", "EnableVpcClassicLink"),
 ])]
-rule_evaluation = trail.at_least_one_trail_satisfied(required_patterns)
+rule_evaluation := trail.at_least_one_trail_satisfied(required_patterns)
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_14/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_14/test.rego
index 28851ab86c..fd1ce9de38 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_14/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_14/test.rego
@@ -34,7 +34,7 @@ test_pass if {
 }])
 }
-rule_input(entry) = test_data.generate_monitoring_resources(entry)
+rule_input(entry) := test_data.generate_monitoring_resources(entry)
 eval_pass if {
 test.assert_pass(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_15/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_15/rule.rego
index 5ae76935b4..e6bbd006c7 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_15/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_15/rule.rego
@@ -6,9 +6,9 @@ import data.compliance.policy.aws_cloudtrail.pattern
 import data.compliance.policy.aws_cloudtrail.trail
 import future.keywords.if
-default rule_evaluation = false
+default rule_evaluation := false
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_multi_trails_type
@@ -20,7 +20,7 @@ finding = result if {
 }
 # { ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName = \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName = \"UpdateOrganizationalUnit\")) }
-required_patterns = [pattern.complex_expression("&&", [
+required_patterns := [pattern.complex_expression("&&", [
 pattern.simple_expression("$.eventSource", "=", "organizations.amazonaws.com"),
 pattern.complex_expression("||", [
 pattern.simple_expression("$.eventName", "=", "\"AcceptHandshake\""),
@@ -44,4 +44,4 @@ required_patterns = [pattern.complex_expression("&&", [
 ]),
 ])]
-rule_evaluation = trail.at_least_one_trail_satisfied(required_patterns)
+rule_evaluation := trail.at_least_one_trail_satisfied(required_patterns)
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_15/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_15/test.rego
index 331e9832d4..571aa0935f 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_15/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_15/test.rego
@@ -44,7 +44,7 @@ test_pass if {
 }])
 }
-rule_input(entry) = test_data.generate_monitoring_resources(entry)
+rule_input(entry) := test_data.generate_monitoring_resources(entry)
 eval_pass if {
 test.assert_pass(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_16/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_16/rule.rego
index 2bf06c9fec..4dd4be25ca 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_16/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_16/rule.rego
@@ -4,9 +4,9 @@ import data.compliance.lib.common
 import data.compliance.policy.aws_securityhub.data_adapter
 import future.keywords.if
-default rule_evaluation = false
+default rule_evaluation := false
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_securityhub_subType
@@ -17,4 +17,4 @@ finding = result if {
 )
 }
-rule_evaluation = data_adapter.securityhub_resource.Enabled
+rule_evaluation := data_adapter.securityhub_resource.Enabled
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_16/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_16/test.rego
index 3430179082..91c738de21 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_16/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_16/test.rego
@@ -15,7 +15,7 @@ test_pass if {
 eval_pass with input as rule_input({"Enabled": true})
 }
-rule_input(entry) = test_data.generate_securityhub(entry)
+rule_input(entry) := test_data.generate_securityhub(entry)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_2/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_2/rule.rego
index fa459dd650..0de4026c8e 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_2/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_2/rule.rego
@@ -6,9 +6,9 @@ import data.compliance.policy.aws_cloudtrail.pattern
 import data.compliance.policy.aws_cloudtrail.trail
 import future.keywords.if
-default rule_evaluation = false
+default rule_evaluation := false
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_multi_trails_type
@@ -19,7 +19,7 @@ finding = result if {
 )
 }
-required_patterns = [
+required_patterns := [
 # { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }
 pattern.complex_expression("&&", [
 pattern.simple_expression("$.eventName", "=", "\"ConsoleLogin\""),
@@ -34,4 +34,4 @@ required_patterns = [
 ]),
 ]
-rule_evaluation = trail.at_least_one_trail_satisfied(required_patterns)
+rule_evaluation := trail.at_least_one_trail_satisfied(required_patterns)
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_2/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_2/test.rego
index ab6bb3d121..7b6961d1ff 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_2/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_2/test.rego
@@ -44,7 +44,7 @@ test_pass if {
 }])
 }
-rule_input(entry) = test_data.generate_monitoring_resources(entry)
+rule_input(entry) := test_data.generate_monitoring_resources(entry)
 eval_pass if {
 test.assert_pass(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_3/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_3/rule.rego
index 5d3568d42e..af293fc1c8 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_3/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_3/rule.rego
@@ -6,9 +6,9 @@ import data.compliance.policy.aws_cloudtrail.pattern
 import data.compliance.policy.aws_cloudtrail.trail
 import future.keywords.if
-default rule_evaluation = false
+default rule_evaluation := false
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_multi_trails_type
@@ -20,10 +20,10 @@ finding = result if {
 }
 # { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }
-required_patterns = [pattern.complex_expression("&&", [
+required_patterns := [pattern.complex_expression("&&", [
 pattern.simple_expression("$.userIdentity.type", "=", "\"Root\""),
 pattern.simple_expression("$.userIdentity.invokedBy", "NOT EXISTS", ""),
 pattern.simple_expression("$.eventType", "!=", "\"AwsServiceEvent\""),
 ])]
-rule_evaluation = trail.at_least_one_trail_satisfied(required_patterns)
+rule_evaluation := trail.at_least_one_trail_satisfied(required_patterns)
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_3/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_3/test.rego
index b155ddeab0..eac23b4470 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_3/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_3/test.rego
@@ -91,7 +91,7 @@ test_fail if {
 ])
 }
-rule_input(entry) = test_data.generate_monitoring_resources(entry)
+rule_input(entry) := test_data.generate_monitoring_resources(entry)
 eval_pass if {
 test.assert_pass(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_4/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_4/rule.rego
index 65fbb59e58..2760518886 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_4/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_4/rule.rego
@@ -6,9 +6,9 @@ import data.compliance.policy.aws_cloudtrail.pattern
 import data.compliance.policy.aws_cloudtrail.trail
 import future.keywords.if
-default rule_evaluation = false
+default rule_evaluation := false
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_multi_trails_type
@@ -20,7 +20,7 @@ finding = result if {
 }
 # {($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}
-required_patterns = [pattern.complex_expression("||", [
+required_patterns := [pattern.complex_expression("||", [
 pattern.simple_expression("$.eventName", "=", "DeleteGroupPolicy"),
 pattern.simple_expression("$.eventName", "=", "DeleteRolePolicy"),
 pattern.simple_expression("$.eventName", "=", "DeleteUserPolicy"),
@@ -39,4 +39,4 @@ required_patterns = [pattern.complex_expression("||", [
 pattern.simple_expression("$.eventName", "=", "DetachGroupPolicy"),
 ])]
-rule_evaluation = trail.at_least_one_trail_satisfied(required_patterns)
+rule_evaluation := trail.at_least_one_trail_satisfied(required_patterns)
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_4/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_4/test.rego
index 542c6b68f5..3b22719241 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_4/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_4/test.rego
@@ -74,7 +74,7 @@ test_pass if {
 }])
 }
-rule_input(entry) = test_data.generate_monitoring_resources(entry)
+rule_input(entry) := test_data.generate_monitoring_resources(entry)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_5/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_5/rule.rego
index e81c86e11e..2dfce6bb5e 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_5/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_5/rule.rego
@@ -6,9 +6,9 @@ import data.compliance.policy.aws_cloudtrail.pattern
 import data.compliance.policy.aws_cloudtrail.trail
 import future.keywords.if
-default rule_evaluation = false
+default rule_evaluation := false
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_multi_trails_type
@@ -20,7 +20,7 @@ finding = result if {
 }
 # { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }
-required_patterns = [pattern.complex_expression("||", [
+required_patterns := [pattern.complex_expression("||", [
 pattern.simple_expression("$.eventName", "=", "CreateTrail"),
 pattern.simple_expression("$.eventName", "=", "UpdateTrail"),
 pattern.simple_expression("$.eventName", "=", "DeleteTrail"),
@@ -28,4 +28,4 @@ required_patterns = [pattern.complex_expression("||", [
 pattern.simple_expression("$.eventName", "=", "StopLogging"),
 ])]
-rule_evaluation = trail.at_least_one_trail_satisfied(required_patterns)
+rule_evaluation := trail.at_least_one_trail_satisfied(required_patterns)
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_5/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_5/test.rego
index efbafc6cd9..392b31f158 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_5/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_5/test.rego
@@ -28,7 +28,7 @@ test_pass if {
 }])
 }
-rule_input(entry) = test_data.generate_monitoring_resources(entry)
+rule_input(entry) := test_data.generate_monitoring_resources(entry)
 eval_pass if {
 test.assert_pass(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_6/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_6/rule.rego
index e1a90819f3..3ff73bb570 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_6/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_6/rule.rego
@@ -6,9 +6,9 @@ import data.compliance.policy.aws_cloudtrail.pattern
 import data.compliance.policy.aws_cloudtrail.trail
 import future.keywords.if
-default rule_evaluation = false
+default rule_evaluation := false
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_multi_trails_type
@@ -20,9 +20,9 @@ finding = result if {
 }
 # { ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }
-required_patterns = [pattern.complex_expression("&&", [
+required_patterns := [pattern.complex_expression("&&", [
 pattern.simple_expression("$.eventName", "=", "ConsoleLogin"),
 pattern.simple_expression("$.errorMessage", "=", "\"Failed authentication\""),
 ])]
-rule_evaluation = trail.at_least_one_trail_satisfied(required_patterns)
+rule_evaluation := trail.at_least_one_trail_satisfied(required_patterns)
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_6/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_6/test.rego
index 6c43fbe66b..55393c78f8 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_6/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_6/test.rego
@@ -25,7 +25,7 @@ test_pass if {
 }])
 }
-rule_input(entry) = test_data.generate_monitoring_resources(entry)
+rule_input(entry) := test_data.generate_monitoring_resources(entry)
 eval_pass if {
 test.assert_pass(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_7/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_7/rule.rego
index 555afd8565..3fa7a1471b 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_7/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_7/rule.rego
@@ -6,9 +6,9 @@ import data.compliance.policy.aws_cloudtrail.pattern
 import data.compliance.policy.aws_cloudtrail.trail
 import future.keywords.if
-default rule_evaluation = false
+default rule_evaluation := false
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_multi_trails_type
@@ -20,7 +20,7 @@ finding = result if {
 }
 # {($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }
-required_patterns = [pattern.complex_expression("&&", [
+required_patterns := [pattern.complex_expression("&&", [
 pattern.simple_expression("$.eventSource", "=", "kms.amazonaws.com"),
 pattern.complex_expression("||", [
 pattern.simple_expression("$.eventName", "=", "DisableKey"),
@@ -28,4 +28,4 @@ required_patterns = [pattern.complex_expression("&&", [
 ]),
 ])]
-rule_evaluation = trail.at_least_one_trail_satisfied(required_patterns)
+rule_evaluation := trail.at_least_one_trail_satisfied(required_patterns)
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_7/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_7/test.rego
index d294d58fa6..28227fdc5e 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_7/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_7/test.rego
@@ -28,7 +28,7 @@ test_pass if {
 }])
 }
-rule_input(entry) = test_data.generate_monitoring_resources(entry)
+rule_input(entry) := test_data.generate_monitoring_resources(entry)
 eval_pass if {
 test.assert_pass(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_8/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_8/rule.rego
index 3c6a6e9a11..da2a6dc41e 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_8/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_8/rule.rego
@@ -6,9 +6,9 @@ import data.compliance.policy.aws_cloudtrail.pattern
 import data.compliance.policy.aws_cloudtrail.trail
 import future.keywords.if
-default rule_evaluation = false
+default rule_evaluation := false
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_multi_trails_type
@@ -20,7 +20,7 @@ finding = result if {
 }
 # { ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }
-required_patterns = [pattern.complex_expression("&&", [
+required_patterns := [pattern.complex_expression("&&", [
 pattern.simple_expression("$.eventSource", "=", "s3.amazonaws.com"),
 pattern.complex_expression("||", [
 pattern.simple_expression("$.eventName", "=", "PutBucketAcl"),
@@ -35,4 +35,4 @@ required_patterns = [pattern.complex_expression("&&", [
 ]),
 ])]
-rule_evaluation = trail.at_least_one_trail_satisfied(required_patterns)
+rule_evaluation := trail.at_least_one_trail_satisfied(required_patterns)
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_8/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_8/test.rego
index 41738b6d99..b690731a49 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_8/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_8/test.rego
@@ -35,7 +35,7 @@ test_pass if {
 }])
 }
-rule_input(entry) = test_data.generate_monitoring_resources(entry)
+rule_input(entry) := test_data.generate_monitoring_resources(entry)
 eval_pass if {
 test.assert_pass(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_9/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_9/rule.rego
index 9d928bdf08..69ec8702aa 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_9/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_9/rule.rego
@@ -6,9 +6,9 @@ import data.compliance.policy.aws_cloudtrail.pattern
 import data.compliance.policy.aws_cloudtrail.trail
 import future.keywords.if
-default rule_evaluation = false
+default rule_evaluation := false
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_multi_trails_type
@@ -20,7 +20,7 @@ finding = result if {
 }
 # { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)($.eventName=DeleteDeliveryChannel) ||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }
-required_patterns = [pattern.complex_expression("&&", [
+required_patterns := [pattern.complex_expression("&&", [
 pattern.simple_expression("$.eventSource", "=", "config.amazonaws.com"),
 pattern.complex_expression("||", [
 pattern.simple_expression("$.eventName", "=", "StopConfigurationRecorder"),
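Review bot: The metric-filter comment above `required_patterns` in cis_4_9/rule.rego is missing the `||` between its first two terms (`($.eventName=StopConfigurationRecorder)($.eventName=DeleteDeliveryChannel)`), so it no longer describes the `pattern.complex_expression("||", [...])` the code builds directly beneath it, and anyone auditing the rule against the CIS filter text will see a mismatch that is only in the documentation. The commit touches this hunk for the `:=` change and is a cheap place to correct it: `# { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }`. The remainder of the `required_patterns` list continues past this hunk.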
@@ -30,4 +30,4 @@ required_patterns = [pattern.complex_expression("&&", [
 ]),
 ])]
-rule_evaluation = trail.at_least_one_trail_satisfied(required_patterns)
+rule_evaluation := trail.at_least_one_trail_satisfied(required_patterns)
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_4_9/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_4_9/test.rego
index 01e4f3fa81..c387b01850 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_4_9/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_4_9/test.rego
@@ -30,7 +30,7 @@ test_pass if {
 }])
 }
-rule_input(entry) = test_data.generate_monitoring_resources(entry)
+rule_input(entry) := test_data.generate_monitoring_resources(entry)
 eval_pass if {
 test.assert_pass(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_5_1/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_5_1/rule.rego
index fab8d001ad..ca3ddbbfc0 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_5_1/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_5_1/rule.rego
@@ -3,4 +3,4 @@ package compliance.cis_aws.rules.cis_5_1
 import data.compliance.policy.aws_ec2.ensure_public_ingress as audit
 # Validate that no network acl allow any traffic to remote server admin ports
-finding = audit.finding
+finding := audit.finding
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_5_1/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_5_1/test.rego
index dd35ebd68f..581c48b475 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_5_1/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_5_1/test.rego
@@ -86,7 +86,7 @@ test_pass if {
 })
 }
-rule_input(entry) = test_data.generate_nacl(entry)
+rule_input(entry) := test_data.generate_nacl(entry)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_5_2/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_5_2/rule.rego
index 7cce320c7a..19ab49276a 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_5_2/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_5_2/rule.rego
@@ -2,4 +2,4 @@ package compliance.cis_aws.rules.cis_5_2
 import data.compliance.policy.aws_ec2.ensure_security_group_public_ingress_ipv4 as audit
-finding = audit.finding
+finding := audit.finding
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_5_2/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_5_2/test.rego
index 720a43184d..394875838c 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_5_2/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_5_2/test.rego
@@ -50,7 +50,7 @@ test_pass if {
 }]})
 }
-rule_input(entry) = test_data.generate_security_group(entry)
+rule_input(entry) := test_data.generate_security_group(entry)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_5_3/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_5_3/rule.rego
index c662a9b320..2391cfec4f 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_5_3/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_5_3/rule.rego
@@ -2,4 +2,4 @@ package compliance.cis_aws.rules.cis_5_3
 import data.compliance.policy.aws_ec2.ensure_security_group_public_ingress_ipv6 as audit
-finding = audit.finding
+finding := audit.finding
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_5_3/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_5_3/test.rego
index a7233fb2a2..ac68f26c3d 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_5_3/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_5_3/test.rego
@@ -51,7 +51,7 @@ test_pass if {
 }]})
 }
-rule_input(entry) = test_data.generate_security_group(entry)
+rule_input(entry) := test_data.generate_security_group(entry)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_5_4/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_5_4/rule.rego
index e05016f14c..6d9542530d 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_5_4/rule.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_5_4/rule.rego
@@ -2,4 +2,4 @@ package compliance.cis_aws.rules.cis_5_4
 import data.compliance.policy.aws_ec2.ensure_default_security_group_restricted as audit
-finding = audit.finding
+finding := audit.finding
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_5_4/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_5_4/test.rego
index fc40bf23a9..7fcba3f9ee 100644
--- a/security-policies/bundle/compliance/cis_aws/rules/cis_5_4/test.rego
+++ b/security-policies/bundle/compliance/cis_aws/rules/cis_5_4/test.rego
@@ -24,7 +24,7 @@ test_not_evaluated if {
 not_eval with input as rule_input({"GroupName": "custom", "IpPermissionsEgress": [{}]})
 }
-rule_input(entry) = test_data.generate_security_group(entry)
+rule_input(entry) := test_data.generate_security_group(entry)
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_aws/test_data.rego b/security-policies/bundle/compliance/cis_aws/test_data.rego
index 6da79059ef..bac2aae13b 100644
--- a/security-policies/bundle/compliance/cis_aws/test_data.rego
+++ b/security-policies/bundle/compliance/cis_aws/test_data.rego
@@ -1,6 +1,6 @@
 package cis_aws.test_data
-generate_password_policy(pwd_len, reuse_count) = {
+generate_password_policy(pwd_len, reuse_count) := {
 "resource": {
 "max_age_days": 90,
 "minimum_length": pwd_len,
@@ -14,7 +14,7 @@ generate_password_policy(pwd_len, reuse_count) = {
 "subType": "aws-password-policy",
 }
-not_evaluated_pwd_policy = {
+not_evaluated_pwd_policy := {
 "type": "some type",
 "subType": "some sub type",
 "resource": {
@@ -28,7 +28,7 @@ not_evaluated_pwd_policy = {
 },
 }
-not_evaluated_iam_user = {
+not_evaluated_iam_user := {
 "type": "identity-management",
 "subType": "gcp-iam-user",
 "resource": {
@@ -41,7 +41,7 @@ not_evaluated_iam_user = {
 },
 }
-generate_iam_user(access_keys, mfa_active, has_logged_in, last_access, password_last_changed) = {
+generate_iam_user(access_keys, mfa_active, has_logged_in, last_access, password_last_changed) := {
 "type": "identity-management",
 "subType": "aws-iam-user",
 "resource": {
@@ -55,7 +55,7 @@ generate_iam_user(access_keys, mfa_active, has_logged_in, last_access, password_
 },
 }
-generate_iam_user_with_policies(inline_policies, attached_policies) = {
+generate_iam_user_with_policies(inline_policies, attached_policies) := {
 "type": "identity-management",
 "subType": "aws-iam-user",
 "resource": {
@@ -65,7 +65,7 @@ generate_iam_user_with_policies(inline_policies, attached_policies) = {
 },
 }
-generate_root_user(access_keys, mfa_active, last_access, mfa_devices) = {
+generate_root_user(access_keys, mfa_active, last_access, mfa_devices) := {
 "type": "identity-management",
 "subType": "aws-iam-user",
 "resource": {
@@ -80,7 +80,7 @@ generate_root_user(access_keys, mfa_active, last_access, mfa_devices) = {
 },
 }
-generate_nacl(entry) = {
+generate_nacl(entry) := {
 "resource": {
 "Associations": [],
 "Entries": [entry],
@@ -91,7 +91,7 @@ generate_nacl(entry) = {
 "subType": "aws-nacl",
 }
-not_evaluated_s3_bucket = {
+not_evaluated_s3_bucket := {
 "resource": {
 "name": "my-bucket",
 "sse_algorithm": "AES256",
@@ -107,7 +107,7 @@ not_evaluated_s3_bucket = {
 "subType": "wrong sub type",
 }
-generate_s3_bucket(name, sse_algorithm, bucket_policy_statement, bucket_versioning, public_access_block_configuration, account_public_access_block_configuration) = {
+generate_s3_bucket(name, sse_algorithm, bucket_policy_statement, bucket_versioning, public_access_block_configuration, account_public_access_block_configuration) := {
 "resource": {
 "name": name,
 "sse_algorithm": sse_algorithm,
@@ -123,7 +123,7 @@ generate_s3_bucket(name, sse_algorithm, bucket_policy_statement, bucket_versioni
 "subType": "aws-s3",
 }
-generate_s3_bucket_policy_statement(effect, principal, action, is_secure_transport) = {
+generate_s3_bucket_policy_statement(effect, principal, action, is_secure_transport) := {
 "Sid": "Statement1",
 "Effect": effect,
 "Principal": principal,
@@ -132,12 +132,12 @@ generate_s3_bucket_policy_statement(effect, principal, action, is_secure_transpo
 "Condition": {"Bool": {"aws:SecureTransport": is_secure_transport}},
 }
-generate_s3_bucket_versioning(enabled, mfa_delete) = {
+generate_s3_bucket_versioning(enabled, mfa_delete) := {
 "Enabled": enabled,
 "MfaDelete": mfa_delete,
 }
-s3_bucket_without_policy = {
+s3_bucket_without_policy := {
 "resource": {
 "name": "my-bucket",
 "sse_algorithm": "AES256",
@@ -147,25 +147,25 @@ s3_bucket_without_policy = {
 "subType": "aws-s3",
 }
-generate_security_group(entry) = {
+generate_security_group(entry) := {
 "resource": entry,
 "type": "ec2",
 "subType": "aws-security-group",
 }
-generate_monitoring_resources(items) = {
+generate_monitoring_resources(items) := {
 "resource": {"Items": items},
 "type": "monitoring",
 "subType": "aws-multi-trails",
 }
-generate_securityhub(sb) = {
+generate_securityhub(sb) := {
 "resource": sb,
 "type": "monitoring",
 "subType": "aws-securityhub",
 }
-generate_enriched_trail(is_log_validation_enabled, cloudwatch_log_group_arn, log_delivery_time, is_bucket_logging_enabled, kms_key_id) = {
+generate_enriched_trail(is_log_validation_enabled, cloudwatch_log_group_arn, log_delivery_time, is_bucket_logging_enabled, kms_key_id) := {
 "type": "cloud-audit",
 "subType": "aws-trail",
 "resource": {
@@ -179,7 +179,7 @@ generate_enriched_trail(is_log_validation_enabled, cloudwatch_log_group_arn, log
 },
 }
-create_bucket_acl(principal_uri) = {
+create_bucket_acl(principal_uri) := {
 "Owner": {
 "ID": "f5c5b99a8f5c5b99a8f5c5b99a8f5c5b99a8f5c5b99a8f5c5b99a8",
 "DisplayName": "exampleuser",
@@ -205,37 +205,37 @@ create_bucket_acl(principal_uri) = {
 ],
 }
-generate_trail_bucket_info(principal_uri, policy_statements) = {
+generate_trail_bucket_info(principal_uri, policy_statements) := {
 "type": "cloud-audit",
 "subType": "aws-trail",
 "resource": {"bucket_info": {"acl": create_bucket_acl(principal_uri), "policy": {"Version": "2012-10-17", "Statement": policy_statements}}},
 }
-generate_event_selectors(entries, is_multi_region) = {
+generate_event_selectors(entries, is_multi_region) := {
 "type": "cloud-audit",
 "subType": "aws-trail",
 "resource": {"Trail": {"IsMultiRegionTrail": is_multi_region}, "EventSelectors": entries},
 }
-generate_vpc_resource(flow_logs) = {
+generate_vpc_resource(flow_logs) := {
 "resource": {"flow_logs": flow_logs},
 "type": "ec2",
 "subType": "aws-vpc",
 }
-generate_ebs_encryption_resource(encryption_enabled) = {
+generate_ebs_encryption_resource(encryption_enabled) := {
 "resource": {"enabled": encryption_enabled},
 "type": "cloud-compute",
 "subType": "aws-ebs",
 }
-not_evaluated_trail = {
+not_evaluated_trail := {
 "type": "cloud-audit",
 "subType": "not-an-aws-trail",
 "resource": {"log_file_validation_enabled": false},
 }
-not_evaluated_rds_db_instance = {
+not_evaluated_rds_db_instance := {
 "resource": {
 "identifier": "test-db",
 "arn": "arn:aws:rds:eu-west-1:704479110758:db:devops-postgres-rds",
@@ -248,7 +248,7 @@ not_evaluated_rds_db_instance = {
 "subType": "wrong sub type",
 }
-generate_rds_db_instance(encryption_enabled, auto_minor_version_upgrade_enabled, publicly_accessible, subnets) = {
+generate_rds_db_instance(encryption_enabled, auto_minor_version_upgrade_enabled, publicly_accessible, subnets) := {
 "resource": {
 "identifier": "test-db",
 "arn": "arn:aws:rds:eu-west-1:704479110758:db:devops-postgres-rds",
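Review bot: Both `not_evaluated_rds_db_instance` and `generate_rds_db_instance` in test_data.rego hard-code `arn:aws:rds:eu-west-1:704479110758:db:devops-postgres-rds`, whose 12-digit account segment looks like it could be a real account id rather than an obviously synthetic one; fixtures in a published policy bundle should not carry identifiers that could be mistaken for, or actually be, a live account. Since the commit already rewrites both rule heads, it is a cheap place to swap in the AWS documentation placeholder in both fixtures: `"arn": "arn:aws:rds:eu-west-1:123456789012:db:devops-postgres-rds",`. The remainder of `generate_rds_db_instance` lies outside this hunk, so any other occurrence there would need the same treatment.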
@@ -261,7 +261,7 @@ generate_rds_db_instance(encryption_enabled, auto_minor_version_upgrade_enabled,
 "subType": "aws-rds",
 }
 
-generate_rds_db_instance_subnet_with_route(destination_cidr_block, gateway_id) = {
+generate_rds_db_instance_subnet_with_route(destination_cidr_block, gateway_id) := {
 "ID": "subnet-12345678",
 "RouteTable": {
 "ID": "rtb-12345678",
@@ -272,14 +272,14 @@ generate_rds_db_instance_subnet_with_route(destination_cidr_block, gateway_id) =
 },
 }
 
-generate_s3_public_access_block_configuration(block_public_acls, block_public_policy, ignore_public_acls, restrict_public_buckets) = {
+generate_s3_public_access_block_configuration(block_public_acls, block_public_policy, ignore_public_acls, restrict_public_buckets) := {
 "BlockPublicAcls": block_public_acls,
 "BlockPublicPolicy": block_public_policy,
 "IgnorePublicAcls": ignore_public_acls,
 "RestrictPublicBuckets": restrict_public_buckets,
 }
 
-generate_kms_resource(symmetric_default_enabled) = {
+generate_kms_resource(symmetric_default_enabled) := {
 "resource": {
 "key_metadata": {
 # Only relevent keys are included
@@ -292,18 +292,18 @@ generate_kms_resource(symmetric_default_enabled) = {
 "subType": "aws-kms",
 }
 
-generate_aws_configservice_with_resource(resource) = {
+generate_aws_configservice_with_resource(resource) := {
 "resource": resource,
 "type": "cloud-config",
 "subType": "aws-config",
 }
 
-generate_aws_configservice_recorder(all_supported_enabled, include_global_resource_types_enabled) = {"ConfigurationRecorder": {"RecordingGroup": {
+generate_aws_configservice_recorder(all_supported_enabled, include_global_resource_types_enabled) := {"ConfigurationRecorder": {"RecordingGroup": {
 "AllSupported": all_supported_enabled,
 "IncludeGlobalResourceTypes": include_global_resource_types_enabled,
 }}}
 
-aws_configservice_disabled_region_recorder = generate_aws_configservice_with_resource([
+aws_configservice_disabled_region_recorder := generate_aws_configservice_with_resource([
 {"recorders": [
 generate_aws_configservice_recorder(true, true),
 generate_aws_configservice_recorder(false, false),
@@ -314,4 +314,4 @@ aws_configservice_disabled_region_recorder = generate_aws_configservice_with_res
 ]},
 ])
 
-aws_configservice_empty_recorders = generate_aws_configservice_with_resource([{"recorders": []}])
+aws_configservice_empty_recorders := generate_aws_configservice_with_resource([{"recorders": []}])
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_1_23/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_1_23/rule.rego
index 75a10f7d33..b394aee42f 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_1_23/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_1_23/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import future.keywords.if
 import future.keywords.in
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_custom_role_definition
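Review bot: Switching rule heads from `=` to `:=` (`finding := result if {` in this hunk and in every rule.rego hunk that follows, plus the `default x := false` and `} else := false` forms) is not purely cosmetic: as far as I recall, the OPA compiler rejects a package that defines a `:=` rule more than once ("rule named X redeclared"), whereas `=` heads tolerate multiple definitions of the same name. That is harmless for the single-definition rules visible here, and the `default`/rule and `if`/`else` pairings remain allowed, but any rule elsewhere in an affected package that is intentionally defined twice would now fail at compile time rather than evaluate, so this is worth confirming against the OPA version the bundle is built with. Presumably this is a formatter- or linter-driven change; a one-line mention of that in the commit description, together with a note that the rego test suite was run, would let reviewers skip re-checking each of the roughly sixty identical hunks.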
@@ -34,4 +34,4 @@ has_administrator_subscription_scope if {
 evaluation_results if {
 not has_administrator_subscription_scope
-} else = false
+} else := false
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_15/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_15/rule.rego
index 9ebb6a8b8e..f0a72f38c0 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_15/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_15/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import future.keywords.if
 import future.keywords.in
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_security_auto_provisioning_settings
@@ -16,7 +16,7 @@ finding = result if {
 )
 }
 
-default auto_provisioning_on = false
+default auto_provisioning_on := false
 
 auto_provisioning_on if {
 # Ensure at least one Auto Provisioning Settings exists and autoProvision is set to on.
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_18/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_18/rule.rego
index c3d0eed158..644d434bd4 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_18/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_18/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import future.keywords.if
 import future.keywords.in
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_security_contacts
@@ -16,7 +16,7 @@ finding = result if {
 )
 }
 
-default owner_enabled = false
+default owner_enabled := false
 
 owner_enabled if {
 # Ensure at least one Security Contact Settings exists and owner is selected.
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_18/test.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_18/test.rego
index d26ee773e3..2c020e515d 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_18/test.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_18/test.rego
@@ -104,4 +104,4 @@ not_eval if {
 not finding with data.benchmark_data_adapter as data_adapter
 }
 
-prop_notification_by_role(notificationsByRole) = {"notificationsByRole": notificationsByRole}
+prop_notification_by_role(notificationsByRole) := {"notificationsByRole": notificationsByRole}
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_19/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_19/rule.rego
index 0155607405..c12053188a 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_19/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_19/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import future.keywords.if
 import future.keywords.in
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_security_contacts
@@ -16,7 +16,7 @@ finding = result if {
 )
 }
 
-default owner_enabled = false
+default owner_enabled := false
 
 owner_enabled if {
 # Ensure at least one Security Contact Settings exists and owner is selected.
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_19/test.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_19/test.rego
index 094127891d..85a3bb6bd7 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_19/test.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_19/test.rego
@@ -77,4 +77,4 @@ not_eval if {
 not finding with data.benchmark_data_adapter as data_adapter
 }
 
-prop_notification_by_role(notificationsByRole) = {"notificationsByRole": notificationsByRole}
+prop_notification_by_role(notificationsByRole) := {"notificationsByRole": notificationsByRole}
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_20/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_20/rule.rego
index 4cf8c76089..8f2d2f4955 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_20/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_20/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import future.keywords.if
 import future.keywords.in
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_security_contacts
@@ -16,7 +16,7 @@ finding = result if {
 )
 }
 
-default notification_alert_high = false
+default notification_alert_high := false
 
 notification_alert_high if {
 # Ensure at least one Security Contact Settings exists and alertNotifications severity is set to high, low, or medium.
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_20/test.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_20/test.rego
index 0c7a2a2e08..32edd90d51 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_20/test.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_2_1_20/test.rego
@@ -96,4 +96,4 @@ not_eval if {
 not finding with data.benchmark_data_adapter as data_adapter
 }
 
-prop_notification_sources(notificationsSource) = {"notificationsSources": notificationsSource}
+prop_notification_sources(notificationsSource) := {"notificationsSources": notificationsSource}
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_3_1/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_3_1/rule.rego
index 99ceaebd86..68d7b48887 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_3_1/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_3_1/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import data.compliance.policy.azure.storage_account.ensure_secure_transfer as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_storage_account
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_3_10/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_3_10/rule.rego
index 1e85fcb049..1df5a219e7 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_3_10/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_3_10/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import data.compliance.policy.azure.storage_account.ensure_connection as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_storage_account
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_3_11/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_3_11/rule.rego
index 662692646d..583125dd70 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_3_11/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_3_11/rule.rego
@@ -4,7 +4,7 @@ import data.compliance.lib.common
 import data.compliance.policy.azure.data_adapter
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_storage_account
 _ = data_adapter.resource.extension.blobService
@@ -16,7 +16,7 @@ finding = result if {
 )
 }
 
-default soft_delete_is_enabled = false
+default soft_delete_is_enabled := false
 
 soft_delete_is_enabled if {
 is_policy_valid(data_adapter.resource.extension.blobService.properties.deleteRetentionPolicy)
@@ -26,4 +26,4 @@ soft_delete_is_enabled if {
 is_policy_valid(policy) if {
 policy.enabled == true
 policy.days > 0
-} else = false
+} else := false
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_3_11/test.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_3_11/test.rego
index e90d3fe28f..2d6033a89d 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_3_11/test.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_3_11/test.rego
@@ -130,17 +130,17 @@ not_eval if {
 not finding with data.benchmark_data_adapter as data_adapter
 }
 
-generate_blob_service(delete_retention_policy, container_delete_retention_policy) = {"blobService": {"properties": {
+generate_blob_service(delete_retention_policy, container_delete_retention_policy) := {"blobService": {"properties": {
 "deleteRetentionPolicy": delete_retention_policy,
 "containerDeleteRetentionPolicy": container_delete_retention_policy,
 }}}
 
-generate_delete_retention_policy(enabled, days) = {
+generate_delete_retention_policy(enabled, days) := {
 "enabled": enabled,
 "days": days,
 }
 
-generate_container_delete_retention_policy(enabled, days) = {
+generate_container_delete_retention_policy(enabled, days) := {
 "enabled": enabled,
 "days": days,
 }
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_3_13/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_3_13/rule.rego
index 6cf136d612..b2ec3f2480 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_3_13/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_3_13/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import data.compliance.policy.azure.storage_account.ensure_service_log as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_storage_account
@@ -16,7 +16,7 @@ finding = result if {
 )
 }
 
-default logs_are_enabled = false
+default logs_are_enabled := false
 
 logs_are_enabled if {
 audit.service_diagnostic_settings_log_rwd_enabled(data_adapter.resource.extension.blobDiagnosticSettings)
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_3_14/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_3_14/rule.rego
index 729b6c6de2..65886fca97 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_3_14/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_3_14/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import data.compliance.policy.azure.storage_account.ensure_service_log as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_storage_account
@@ -16,7 +16,7 @@ finding = result if {
 )
 }
 
-default logs_are_enabled = false
+default logs_are_enabled := false
 
 logs_are_enabled if {
 audit.service_diagnostic_settings_log_rwd_enabled(data_adapter.resource.extension.tableDiagnosticSettings)
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_3_15/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_3_15/rule.rego
index d4bdb24c5e..e9e1272085 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_3_15/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_3_15/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import data.compliance.policy.azure.storage_account.ensure_tls_version as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_storage_account
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_3_2/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_3_2/rule.rego
index 1c7b5f0866..1745cdcbbf 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_3_2/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_3_2/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import data.compliance.policy.azure.storage_account.ensure_encryption as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_storage_account
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_3_5/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_3_5/rule.rego
index 80bae67ee3..383b295ef6 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_3_5/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_3_5/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import data.compliance.policy.azure.storage_account.ensure_service_log as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_storage_account
@@ -16,7 +16,7 @@ finding = result if {
 )
 }
 
-default logs_are_enabled = false
+default logs_are_enabled := false
 
 logs_are_enabled if {
 audit.service_diagnostic_settings_log_rwd_enabled(data_adapter.resource.extension.queueDiagnosticSettings)
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_3_7/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_3_7/rule.rego
index bd86db5c96..4db9b868cf 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_3_7/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_3_7/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import data.compliance.policy.azure.storage_account.ensure_public_access as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_storage_account
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_3_8/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_3_8/rule.rego
index 724c52a377..b5386bd34d 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_3_8/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_3_8/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import data.compliance.policy.azure.storage_account.ensure_default_network_access as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_storage_account
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_3_9/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_3_9/rule.rego
index 145beb3ae4..e59a616f45 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_3_9/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_3_9/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import data.compliance.policy.azure.storage_account.ensure_service as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_storage_account
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_4_1_1/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_4_1_1/rule.rego
index b58da0dbc6..1d0c329503 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_4_1_1/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_4_1_1/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import future.keywords.every
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_sql_server
@@ -16,7 +16,7 @@ finding = result if {
 )
 }
 
-default is_audit_enabled = false
+default is_audit_enabled := false
 
 is_audit_enabled if {
 data_adapter.resource.extension.sqlBlobAuditPolicy.properties.state == "Enabled"
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_4_1_2/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_4_1_2/rule.rego
index 02f5d68d52..39f2ed1c4d 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_4_1_2/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_4_1_2/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import future.keywords.every
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_sql_server
@@ -16,7 +16,7 @@ finding = result if {
 )
 }
 
-default sql_access_config_is_permissive = false
+default sql_access_config_is_permissive := false
 
 sql_access_config_is_permissive if {
 lower(data_adapter.properties.publicNetworkAccess) == "enabled"
@@ -27,7 +27,7 @@ sql_access_config_is_permissive if {
 data_adapter.resource.extension.sqlFirewallRules[i].properties.startIpAddress == "0.0.0.0"
 }
 
-default is_public_access_disabled = false
+default is_public_access_disabled := false
 
 is_public_access_disabled if {
 not sql_access_config_is_permissive
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_4_1_3/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_4_1_3/rule.rego
index ed6f74ca48..e537ea9ebd 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_4_1_3/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_4_1_3/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import future.keywords.every
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_sql_server
@@ -16,7 +16,7 @@ finding = result if {
 )
 }
 
-default is_encryption_protector_key_vault = false
+default is_encryption_protector_key_vault := false
 
 is_encryption_protector_key_vault if {
 count(data_adapter.resource.extension.sqlEncryptionProtectors) > 0
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_4_1_4/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_4_1_4/rule.rego
index 383d5f3ea9..683c91eb94 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_4_1_4/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_4_1_4/rule.rego
@@ -4,7 +4,7 @@ import data.compliance.lib.common
 import data.compliance.policy.azure.data_adapter
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_sql_server
@@ -17,4 +17,4 @@ finding = result if {
 is_administrator_configured if {
 data_adapter.properties.administrators.administratorType == "ActiveDirectory"
-} else = false
+} else := false
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_4_1_5/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_4_1_5/rule.rego
index 4d23d19ea9..23779a8720 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_4_1_5/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_4_1_5/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import future.keywords.every
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_sql_server
@@ -16,7 +16,7 @@ finding = result if {
 )
 }
 
-default is_transaparent_data_encryption_enabled_for_all_dbs = false
+default is_transaparent_data_encryption_enabled_for_all_dbs := false
 
 is_transaparent_data_encryption_enabled_for_all_dbs if {
 count(data_adapter.resource.extension.sqlTransparentDataEncryptions) > 0
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_4_1_6/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_4_1_6/rule.rego
index d1fd3190ca..7e7baf3976 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_4_1_6/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_4_1_6/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import future.keywords.every
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_sql_server
@@ -16,7 +16,7 @@ finding = result if {
 )
 }
 
-default is_retention_long_enough = false
+default is_retention_long_enough := false
 
 is_retention_long_enough if {
 data_adapter.resource.extension.sqlBlobAuditPolicy.properties.retentionDays > 90
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_4_2_1/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_4_2_1/rule.rego
index 8d3503a55c..318fdd30a4 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_4_2_1/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_4_2_1/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import future.keywords.every
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_sql_server
@@ -16,7 +16,7 @@ finding = result if {
 )
 }
 
-default is_defender_on = false
+default is_defender_on := false
 
 is_defender_on if {
 count(data_adapter.resource.extension.sqlAdvancedThreatProtectionSettings) > 0
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_1/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_1/rule.rego
index a611795182..8177bb9a6f 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_1/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_1/rule.rego
@@ -4,7 +4,7 @@ import data.compliance.lib.common
 import data.compliance.policy.azure.data_adapter
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_postgresql_single_server_db
@@ -17,4 +17,4 @@ finding = result if {
 ssl_enforcement_enabled if {
 lower(data_adapter.properties.sslEnforcement) == "enabled"
-} else = false
+} else := false
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_2/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_2/rule.rego
index 3cca5e8e4c..c33de1c1c3 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_2/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_2/rule.rego
@@ -4,7 +4,7 @@ import data.compliance.lib.common
 import data.compliance.policy.azure.data_adapter
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_postgresql_server_db
@@ -15,7 +15,7 @@ finding = result if {
 )
 }
 
-default config_enabled = false
+default config_enabled := false
 
 config_enabled if {
 some i
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_3/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_3/rule.rego
index c7a25f658a..2749fa1a9c 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_3/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_3/rule.rego
@@ -4,7 +4,7 @@ import data.compliance.lib.common
 import data.compliance.policy.azure.data_adapter
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_postgresql_server_db
@@ -15,7 +15,7 @@ finding = result if {
 )
 }
 
-default config_enabled = false
+default config_enabled := false
 
 config_enabled if {
 some i
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_4/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_4/rule.rego
index 897df564c0..cb5b4035ce 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_4/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_4/rule.rego
@@ -4,7 +4,7 @@ import data.compliance.lib.common
 import data.compliance.policy.azure.data_adapter
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_postgresql_server_db
@@ -15,7 +15,7 @@ finding = result if {
 )
 }
 
-default config_enabled = false
+default config_enabled := false
 
 config_enabled if {
 some i
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_5/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_5/rule.rego
index e3f43b6973..3cdc7d4631 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_5/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_5/rule.rego
@@ -4,7 +4,7 @@ import data.compliance.lib.common
 import data.compliance.policy.azure.data_adapter
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_postgresql_server_db
@@ -15,7 +15,7 @@ finding = result if {
 )
 }
 
-default config_enabled = false
+default config_enabled := false
 
 config_enabled if {
 data_adapter.is_postgresql_single_server_db
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_6/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_6/rule.rego
index 3c7defd63b..3762408a3e 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_6/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_6/rule.rego
@@ -4,7 +4,7 @@ import data.compliance.lib.common
 import data.compliance.policy.azure.data_adapter
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_postgresql_single_server_db
@@ -15,7 +15,7 @@ finding = result if {
 )
 }
 
-default log_retention_long_enough = false
+default log_retention_long_enough := false
 
 log_retention_long_enough if {
 some i
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_7/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_7/rule.rego
index 562f4e07d6..0e5c9af2e7 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_7/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_7/rule.rego
@@ -4,7 +4,7 @@ import data.compliance.lib.common
 import data.compliance.policy.azure.data_adapter
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_postgresql_server_db
@@ -15,7 +15,7 @@ finding = result if {
 )
 }
 
-default firewall_rules_properly_configured = false
+default firewall_rules_properly_configured := false
 
 firewall_rules_properly_configured if {
 not has_allow_all_firewall_rule
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_8/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_8/rule.rego
index 0bd1bd77f2..a3f939ff06 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_8/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_4_3_8/rule.rego
@@ -4,7 +4,7 @@ import data.compliance.lib.common
 import data.compliance.policy.azure.data_adapter
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_postgresql_single_server_db
@@ -15,7 +15,7 @@ finding = result if {
 )
 }
 
-default infrastructure_encryption_enabled = false
+default infrastructure_encryption_enabled := false
 
 infrastructure_encryption_enabled if {
 lower(data_adapter.properties.infrastructureEncryption) == "enabled"
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_4_4_1/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_4_4_1/rule.rego
index 35f6d47ffa..19d2c623c7 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_4_4_1/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_4_4_1/rule.rego
@@ -4,7 +4,7 @@ import data.compliance.lib.common
 import data.compliance.policy.azure.data_adapter
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_mysql_server_db
@@ -17,4 +17,4 @@ finding = result if {
 ssl_enforcement_enabled if {
 data_adapter.properties.sslEnforcement == "Enabled"
-} else = false
+} else := false
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_4_4_2/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_4_4_2/rule.rego
index 4e5985209c..d7caaacf24 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_4_4_2/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_4_4_2/rule.rego
@@ -4,7 +4,7 @@ import data.compliance.lib.common
 import data.compliance.policy.azure.data_adapter
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_flexible_mysql_server_db
@@ -15,7 +15,7 @@ finding = result if {
 )
 }
 
-default contains_tls_version_higher_than_1_2 = false
+default contains_tls_version_higher_than_1_2 := false
 
 contains_tls_version_higher_than_1_2 if {
 some i
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_4_5_1/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_4_5_1/rule.rego
index f7dd8ad6ae..84211daa45 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_4_5_1/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_4_5_1/rule.rego
@@ -4,7 +4,7 @@ import data.compliance.lib.common
 import data.compliance.policy.azure.data_adapter
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_document_db_database_account
@@ -17,4 +17,4 @@ finding = result if {
 is_virtual_network_filter_enabled if {
 data_adapter.properties.isVirtualNetworkFilterEnabled
-} else = false
+} else := false
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_2/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_2/rule.rego
index 6127a58c12..662c2e70e6 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_2/rule.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_2/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter
 import future.keywords.if
 import future.keywords.in
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_diagnostic_settings
@@ -16,7 +16,7 @@ finding = result if {
 )
 }
 
-default required_categories_enabled = false
+default required_categories_enabled := false
 
 required_categories_enabled if {
 diagnostic_settings_category_enabled("Administrative") == true
@@ -36,4 +36,4 @@ diagnostic_settings_category_enabled(category) if {
 log.enabled == true
 ]
 count(category_is_enabled) >= 1
-} else = false
+} else := false
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_2/test.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_2/test.rego
index e94eba80a6..276a817a80 100644
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_2/test.rego
+++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_2/test.rego
@@ -39,35 +39,35 @@ not_eval if { not finding with data.benchmark_data_adapter as data_adapter } -component1 = test_data.generate_diagnostic_setting_element( +component1 := test_data.generate_diagnostic_setting_element( "sub1", "rcg1", "name1", test_data.generate_diagnostic_setting_element_logs({"Administrative": false, "Alert": false, "Policy": false, "Security": false}), ) -component2 = test_data.generate_diagnostic_setting_element( +component2 := test_data.generate_diagnostic_setting_element( "sub1", "rcg1", "name2", test_data.generate_diagnostic_setting_element_logs({"Administrative": true, "Alert": false, "Policy": false, "Security": false}), ) -component3 = test_data.generate_diagnostic_setting_element( +component3 := test_data.generate_diagnostic_setting_element( "sub1", "rcg1", "name3", test_data.generate_diagnostic_setting_element_logs({"Administrative": true, "Alert": true, "Policy": true, "Security": true}), ) -component4 = test_data.generate_diagnostic_setting_element( +component4 := test_data.generate_diagnostic_setting_element( "sub1", "rcg1", "name3", test_data.generate_diagnostic_setting_element_logs({"Administrative": true, "Alert": true, "Policy": false, "Security": false}), ) -component5 = test_data.generate_diagnostic_setting_element( +component5 := test_data.generate_diagnostic_setting_element( "sub1", "rcg1", "name3", diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_3/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_3/rule.rego index fc026241ee..d14da613ca 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_3/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_3/rule.rego @@ -4,7 +4,7 @@ import data.compliance.lib.common import data.compliance.policy.azure.data_adapter import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_storage_account data_adapter.resource.extension.usedForActivityLogs == true 
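Review bot: component3, component4 and component5 all pass the same diagnostic-setting name `"name3"` to `generate_diagnostic_setting_element`, while component1 and component2 get distinct names; this looks like a copy-paste leftover rather than intent. If the rule or the generator ever keys settings by name, these three fixtures would collide and the partial-category cases (component4/5) could be masked by the fully-enabled component3. Giving them `"name4"` and `"name5"` keeps each fixture distinguishable at no cost.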
@@ -16,7 +16,7 @@ finding = result if { ) } -default is_blob_access_private = false +default is_blob_access_private := false is_blob_access_private if { data_adapter.resource.properties.allowBlobPublicAccess == false diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_4/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_4/rule.rego index 598955d686..99222aa475 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_4/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_4/rule.rego @@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter import future.keywords.if # Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key -finding = result if { +finding := result if { # filter data_adapter.is_storage_account @@ -19,9 +19,9 @@ finding = result if { is_customer_managed_key_encrypted if { data_adapter.resource.extension.storageAccount.properties.encryption.keySource == "Microsoft.Keyvault" data_adapter.resource.extension.storageAccount.properties.encryption.keyvaultproperties != null -} else = false +} else := false -evidence = { +evidence := { "storageAccountId": data_adapter.resource.extension.storageAccount.id, "SubscriptionId": data_adapter.resource.extension.storageAccount.subscription_id, "Encryption": { diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_5/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_5/rule.rego index b2f98e4be1..9d3933309f 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_5/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_1_5/rule.rego @@ -4,7 +4,7 @@ import data.compliance.lib.common import data.compliance.policy.azure.data_adapter import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_vault 
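Review bot: `evidence` is a complete rule with no default, so every path it dereferences (`storageAccount.id`, `.subscription_id`, and whatever the `"Encryption"` object reads below the hunk) must exist or the whole rule is undefined. If `finding` (defined above this hunk) includes `evidence` in its result, a storage account whose extension is missing one of those fields would then yield no finding at all instead of a failed one, which is exactly the misconfigured case this CMK check should surface. Consider tolerating absent fields, e.g. `"SubscriptionId": object.get(data_adapter.resource.extension.storageAccount, "subscription_id", null),`, so the fail verdict from `is_customer_managed_key_encrypted` is never dropped by the evidence rule. The `evidence` object continues past the end of the hunk.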
@@ -28,4 +28,4 @@ is_vault_logging_enabled if { logs := entry.logs[i] logs.enabled == true is_audit_category(logs) -} else = false +} else := false diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_1/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_1/rule.rego index a61ac31dde..90573dccaa 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_1/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_1/rule.rego @@ -5,7 +5,7 @@ import data.compliance.policy.azure.activity_log_alert.activity_log_alert_operat import data.compliance.policy.azure.data_adapter import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_activity_log_alerts diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_1/test.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_1/test.rego index 232d897fe1..bc2389009c 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_1/test.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_1/test.rego 
@@ -49,13 +49,13 @@ not_eval if { # test data # alert rule that does not match the rule by operation and category -mismatch_alert = test_data.generate_activity_log_alert("mismatch_opreation", "mismatch_category") +mismatch_alert := test_data.generate_activity_log_alert("mismatch_opreation", "mismatch_category") # alert rule that does not match the rule by operation -mismatch_alert_only_operation = test_data.generate_activity_log_alert("mismatch_opreation", "Administrative") +mismatch_alert_only_operation := test_data.generate_activity_log_alert("mismatch_opreation", "Administrative") # alert rule that does not match the rule by category -mismatch_alert_only_category = test_data.generate_activity_log_alert("Microsoft.Authorization/policyAssignments/write", "mismatch_category") +mismatch_alert_only_category := test_data.generate_activity_log_alert("Microsoft.Authorization/policyAssignments/write", "mismatch_category") # alert rule that matches the rule -matching_alert = test_data.generate_activity_log_alert("Microsoft.Authorization/policyAssignments/write", "Administrative") +matching_alert := test_data.generate_activity_log_alert("Microsoft.Authorization/policyAssignments/write", "Administrative") diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_10/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_10/rule.rego index 3ed50b95a3..1ddee0945e 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_10/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_10/rule.rego @@ -5,7 +5,7 @@ import data.compliance.policy.azure.activity_log_alert.activity_log_alert_operat import data.compliance.policy.azure.data_adapter import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_activity_log_alerts 
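Review bot: The fixture operation name `"mismatch_opreation"` is misspelled (also in the sibling cis_5_2_* test files); it is only a sentinel that must not match a real operation, so it is harmless functionally, but it reads as a typo every time someone greps for it. Since this commit is already touching each of these lines, renaming to `"mismatch_operation"` would be a free cleanup, e.g. `mismatch_alert := test_data.generate_activity_log_alert("mismatch_operation", "mismatch_category")`.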
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_10/test.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_10/test.rego index c720945e69..21577ea01f 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_10/test.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_10/test.rego @@ -49,13 +49,13 @@ not_eval if { # test data # alert rule that does not match the rule by operation and category -mismatch_alert = test_data.generate_activity_log_alert("mismatch_opreation", "mismatch_category") +mismatch_alert := test_data.generate_activity_log_alert("mismatch_opreation", "mismatch_category") # alert rule that does not match the rule by operation -mismatch_alert_only_operation = test_data.generate_activity_log_alert("mismatch_opreation", "Administrative") +mismatch_alert_only_operation := test_data.generate_activity_log_alert("mismatch_opreation", "Administrative") # alert rule that does not match the rule by category -mismatch_alert_only_category = test_data.generate_activity_log_alert("Microsoft.Network/publicIPAddresses/delete", "mismatch_category") +mismatch_alert_only_category := test_data.generate_activity_log_alert("Microsoft.Network/publicIPAddresses/delete", "mismatch_category") # alert rule that matches the rule -matching_alert = test_data.generate_activity_log_alert("Microsoft.Network/publicIPAddresses/delete", "Administrative") +matching_alert := test_data.generate_activity_log_alert("Microsoft.Network/publicIPAddresses/delete", "Administrative") diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_2/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_2/rule.rego index 900827a867..336d091d2a 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_2/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_2/rule.rego 
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.activity_log_alert.activity_log_alert_operat import data.compliance.policy.azure.data_adapter import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_activity_log_alerts diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_2/test.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_2/test.rego index 0fb63aedfe..4fc6d207c5 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_2/test.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_2/test.rego @@ -49,13 +49,13 @@ not_eval if { # test data # alert rule that does not match the rule by operation and category -mismatch_alert = test_data.generate_activity_log_alert("mismatch_opreation", "mismatch_category") +mismatch_alert := test_data.generate_activity_log_alert("mismatch_opreation", "mismatch_category") # alert rule that does not match the rule by operation -mismatch_alert_only_operation = test_data.generate_activity_log_alert("mismatch_opreation", "Administrative") +mismatch_alert_only_operation := test_data.generate_activity_log_alert("mismatch_opreation", "Administrative") # alert rule that does not match the rule by category -mismatch_alert_only_category = test_data.generate_activity_log_alert("Microsoft.Authorization/policyAssignments/delete", "mismatch_category") +mismatch_alert_only_category := test_data.generate_activity_log_alert("Microsoft.Authorization/policyAssignments/delete", "mismatch_category") # alert rule that matches the rule -matching_alert = test_data.generate_activity_log_alert("Microsoft.Authorization/policyAssignments/delete", "Administrative") +matching_alert := test_data.generate_activity_log_alert("Microsoft.Authorization/policyAssignments/delete", "Administrative") 
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_3/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_3/rule.rego index a8dea2a919..e72081cb01 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_3/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_3/rule.rego @@ -5,7 +5,7 @@ import data.compliance.policy.azure.activity_log_alert.activity_log_alert_operat import data.compliance.policy.azure.data_adapter import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_activity_log_alerts diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_3/test.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_3/test.rego index 5e27138fd0..ae976bd4b9 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_3/test.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_3/test.rego 
@@ -49,13 +49,13 @@ not_eval if { # test data # alert rule that does not match the rule by operation and category -mismatch_alert = test_data.generate_activity_log_alert("mismatch_opreation", "mismatch_category") +mismatch_alert := test_data.generate_activity_log_alert("mismatch_opreation", "mismatch_category") # alert rule that does not match the rule by operation -mismatch_alert_only_operation = test_data.generate_activity_log_alert("mismatch_opreation", "Administrative") +mismatch_alert_only_operation := test_data.generate_activity_log_alert("mismatch_opreation", "Administrative") # alert rule that does not match the rule by category -mismatch_alert_only_category = test_data.generate_activity_log_alert("Microsoft.Network/networkSecurityGroups/write", "mismatch_category") +mismatch_alert_only_category := test_data.generate_activity_log_alert("Microsoft.Network/networkSecurityGroups/write", "mismatch_category") # alert rule that matches the rule -matching_alert = test_data.generate_activity_log_alert("Microsoft.Network/networkSecurityGroups/write", "Administrative") +matching_alert := test_data.generate_activity_log_alert("Microsoft.Network/networkSecurityGroups/write", "Administrative") diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_4/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_4/rule.rego index 4bce7fbde9..3f03f7393c 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_4/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_4/rule.rego @@ -5,7 +5,7 @@ import data.compliance.policy.azure.activity_log_alert.activity_log_alert_operat import data.compliance.policy.azure.data_adapter import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_activity_log_alerts 
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_4/test.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_4/test.rego index f4845878aa..daee2648eb 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_4/test.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_4/test.rego @@ -49,13 +49,13 @@ not_eval if { # test data # alert rule that does not match the rule by operation and category -mismatch_alert = test_data.generate_activity_log_alert("mismatch_opreation", "mismatch_category") +mismatch_alert := test_data.generate_activity_log_alert("mismatch_opreation", "mismatch_category") # alert rule that does not match the rule by operation -mismatch_alert_only_operation = test_data.generate_activity_log_alert("mismatch_opreation", "Administrative") +mismatch_alert_only_operation := test_data.generate_activity_log_alert("mismatch_opreation", "Administrative") # alert rule that does not match the rule by category -mismatch_alert_only_category = test_data.generate_activity_log_alert("Microsoft.Network/networkSecurityGroups/delete", "mismatch_category") +mismatch_alert_only_category := test_data.generate_activity_log_alert("Microsoft.Network/networkSecurityGroups/delete", "mismatch_category") # alert rule that matches the rule -matching_alert = test_data.generate_activity_log_alert("Microsoft.Network/networkSecurityGroups/delete", "Administrative") +matching_alert := test_data.generate_activity_log_alert("Microsoft.Network/networkSecurityGroups/delete", "Administrative") diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_5/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_5/rule.rego index 354b02f5cf..7ab005ccaf 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_5/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_5/rule.rego 
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.activity_log_alert.activity_log_alert_operat import data.compliance.policy.azure.data_adapter import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_activity_log_alerts diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_5/test.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_5/test.rego index e43eb21d0f..9fef9c5ef5 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_5/test.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_5/test.rego @@ -49,13 +49,13 @@ not_eval if { # test data # alert rule that does not match the rule by operation and category -mismatch_alert = test_data.generate_activity_log_alert("mismatch_opreation", "mismatch_category") +mismatch_alert := test_data.generate_activity_log_alert("mismatch_opreation", "mismatch_category") # alert rule that does not match the rule by operation -mismatch_alert_only_operation = test_data.generate_activity_log_alert("mismatch_opreation", "Security") +mismatch_alert_only_operation := test_data.generate_activity_log_alert("mismatch_opreation", "Security") # alert rule that does not match the rule by category -mismatch_alert_only_category = test_data.generate_activity_log_alert("Microsoft.Security/securitySolutions/write", "mismatch_category") +mismatch_alert_only_category := test_data.generate_activity_log_alert("Microsoft.Security/securitySolutions/write", "mismatch_category") # alert rule that matches the rule -matching_alert = test_data.generate_activity_log_alert("Microsoft.Security/securitySolutions/write", "Security") +matching_alert := test_data.generate_activity_log_alert("Microsoft.Security/securitySolutions/write", "Security") diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_6/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_6/rule.rego index a1119e5a1a..f73981920a 100644 
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_6/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_6/rule.rego @@ -5,7 +5,7 @@ import data.compliance.policy.azure.activity_log_alert.activity_log_alert_operat import data.compliance.policy.azure.data_adapter import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_activity_log_alerts diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_6/test.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_6/test.rego index 93b196e65f..ad878061a8 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_6/test.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_6/test.rego @@ -49,13 +49,13 @@ not_eval if { # test data # alert rule that does not match the rule by operation and category -mismatch_alert = test_data.generate_activity_log_alert("mismatch_opreation", "mismatch_category") +mismatch_alert := test_data.generate_activity_log_alert("mismatch_opreation", "mismatch_category") # alert rule that does not match the rule by operation -mismatch_alert_only_operation = test_data.generate_activity_log_alert("mismatch_opreation", "Security") +mismatch_alert_only_operation := test_data.generate_activity_log_alert("mismatch_opreation", "Security") # alert rule that does not match the rule by category -mismatch_alert_only_category = test_data.generate_activity_log_alert("Microsoft.Security/securitySolutions/delete", "mismatch_category") +mismatch_alert_only_category := test_data.generate_activity_log_alert("Microsoft.Security/securitySolutions/delete", "mismatch_category") # alert rule that matches the rule -matching_alert = test_data.generate_activity_log_alert("Microsoft.Security/securitySolutions/delete", "Security") +matching_alert := test_data.generate_activity_log_alert("Microsoft.Security/securitySolutions/delete", "Security") 
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_7/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_7/rule.rego index 236245e0ff..7cd34f7263 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_7/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_7/rule.rego @@ -5,7 +5,7 @@ import data.compliance.policy.azure.activity_log_alert.activity_log_alert_operat import data.compliance.policy.azure.data_adapter import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_activity_log_alerts diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_7/test.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_7/test.rego index 4ded479566..da76ee2299 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_7/test.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_7/test.rego 
@@ -44,13 +44,13 @@ not_eval if { # test data # alert rule that does not match the rule by operation and category -mismatch_alert = test_data.generate_activity_log_alert("mismatch_opreation", "mismatch_category") +mismatch_alert := test_data.generate_activity_log_alert("mismatch_opreation", "mismatch_category") # alert rule that does not match the rule by operation -mismatch_alert_only_operation = test_data.generate_activity_log_alert("mismatch_opreation", "Administrative") +mismatch_alert_only_operation := test_data.generate_activity_log_alert("mismatch_opreation", "Administrative") # alert rule that does not match the rule by category -mismatch_alert_only_category = test_data.generate_activity_log_alert("Microsoft.Sql/servers/firewallRules/write", "mismatch_category") +mismatch_alert_only_category := test_data.generate_activity_log_alert("Microsoft.Sql/servers/firewallRules/write", "mismatch_category") # alert rule that matches the rule -matching_alert = test_data.generate_activity_log_alert("Microsoft.Sql/servers/firewallRules/write", "Administrative") +matching_alert := test_data.generate_activity_log_alert("Microsoft.Sql/servers/firewallRules/write", "Administrative") diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_8/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_8/rule.rego index fac7e6db15..296f3e972b 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_8/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_8/rule.rego @@ -5,7 +5,7 @@ import data.compliance.policy.azure.activity_log_alert.activity_log_alert_operat import data.compliance.policy.azure.data_adapter import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_activity_log_alerts 
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_8/test.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_8/test.rego index d58d7045c0..bc0eed95ef 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_8/test.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_8/test.rego @@ -49,13 +49,13 @@ not_eval if { # test data # alert rule that does not match the rule by operation and category -mismatch_alert = test_data.generate_activity_log_alert("mismatch_opreation", "mismatch_category") +mismatch_alert := test_data.generate_activity_log_alert("mismatch_opreation", "mismatch_category") # alert rule that does not match the rule by operation -mismatch_alert_only_operation = test_data.generate_activity_log_alert("mismatch_opreation", "Administrative") +mismatch_alert_only_operation := test_data.generate_activity_log_alert("mismatch_opreation", "Administrative") # alert rule that does not match the rule by category -mismatch_alert_only_category = test_data.generate_activity_log_alert("Microsoft.Sql/servers/firewallRules/delete", "mismatch_category") +mismatch_alert_only_category := test_data.generate_activity_log_alert("Microsoft.Sql/servers/firewallRules/delete", "mismatch_category") # alert rule that matches the rule -matching_alert = test_data.generate_activity_log_alert("Microsoft.Sql/servers/firewallRules/delete", "Administrative") +matching_alert := test_data.generate_activity_log_alert("Microsoft.Sql/servers/firewallRules/delete", "Administrative") diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_9/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_9/rule.rego index b4be9fbd21..87610c3cdb 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_9/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_9/rule.rego 
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.activity_log_alert.activity_log_alert_operat import data.compliance.policy.azure.data_adapter import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_activity_log_alerts diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_9/test.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_9/test.rego index f0045c9bbc..5d17bbd86f 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_9/test.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_2_9/test.rego @@ -49,13 +49,13 @@ not_eval if { # test data # alert rule that does not match the rule by operation and category -mismatch_alert = test_data.generate_activity_log_alert("mismatch_opreation", "mismatch_category") +mismatch_alert := test_data.generate_activity_log_alert("mismatch_opreation", "mismatch_category") # alert rule that does not match the rule by operation -mismatch_alert_only_operation = test_data.generate_activity_log_alert("mismatch_opreation", "Administrative") +mismatch_alert_only_operation := test_data.generate_activity_log_alert("mismatch_opreation", "Administrative") # alert rule that does not match the rule by category -mismatch_alert_only_category = test_data.generate_activity_log_alert("Microsoft.Network/publicIPAddresses/write", "mismatch_category") +mismatch_alert_only_category := test_data.generate_activity_log_alert("Microsoft.Network/publicIPAddresses/write", "mismatch_category") # alert rule that matches the rule -matching_alert = test_data.generate_activity_log_alert("Microsoft.Network/publicIPAddresses/write", "Administrative") +matching_alert := test_data.generate_activity_log_alert("Microsoft.Network/publicIPAddresses/write", "Administrative") 
diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_3_1/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_3_1/rule.rego index afd495be86..ceac064a2b 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_3_1/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_3_1/rule.rego @@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter import future.keywords.if import future.keywords.in -finding = result if { +finding := result if { # filter data_adapter.is_insights_component @@ -19,4 +19,4 @@ finding = result if { component_exists if { some insights_component in data_adapter.insights_components insights_component.properties.provisioningState == "Succeeded" -} else = false +} else := false diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_3_1/test.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_3_1/test.rego index 61b812b485..26d8c4188e 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_3_1/test.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_3_1/test.rego @@ -35,6 +35,6 @@ not_eval if { not finding with data.benchmark_data_adapter as data_adapter } -component1 = test_data.generate_insights_component("rcg1", "cmp1") +component1 := test_data.generate_insights_component("rcg1", "cmp1") -component2 = test_data.generate_insights_component("rcg2", "cmp2") +component2 := test_data.generate_insights_component("rcg2", "cmp2") diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_5_5/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_5_5/rule.rego index 375b839c46..5f13f02488 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_5_5/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_5_5/rule.rego 
@@ -12,9 +12,9 @@ finding := common.generate_result_without_expected( ensure_sku_tier if { data_adapter.resource.sku.tier != "Basic" -} else = false +} else := false -ensure_sku_valid = r if { +ensure_sku_valid := r if { data_adapter.resource.sku != null r = ensure_sku_tier } diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_6_1/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_6_1/rule.rego index 58262b593d..9e156c2169 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_6_1/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_6_1/rule.rego @@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter import data.compliance.policy.azure.virtual_machine.network_rules as audit import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_vm diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_6_2/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_6_2/rule.rego index e60e310b04..faa2e68649 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_6_2/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_6_2/rule.rego @@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter import data.compliance.policy.azure.virtual_machine.network_rules as audit import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_vm diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_6_3/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_6_3/rule.rego index 971684627c..20565e6720 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_6_3/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_6_3/rule.rego 
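Review bot: `ensure_sku_valid` has no `default`, so when `data_adapter.resource.sku` is null the rule is undefined rather than false; `finding` (starting above the hunk) passes it to `common.generate_result_without_expected`, which presumably makes the whole finding undefined and the resource silently drops out of evaluation instead of being reported. If a missing SKU should count as not-Basic, that is worth a comment; otherwise add `default ensure_sku_valid := false` next to the rule so an unexpected shape produces a failed check rather than no check.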
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter import data.compliance.policy.azure.virtual_machine.network_rules as audit import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_vm @@ -16,7 +16,7 @@ finding = result if { ) } -default udp_ports_closed = false +default udp_ports_closed := false udp_ports_closed if { audit.vm_has_closed_port(data_adapter, "53", "UDP") diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_6_4/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_6_4/rule.rego index a07c3caa63..a544ba9cd0 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_6_4/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_6_4/rule.rego @@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter import data.compliance.policy.azure.virtual_machine.network_rules as audit import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_vm diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_6_5/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_6_5/rule.rego index 1cb4b47380..f1521165e8 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_6_5/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_6_5/rule.rego @@ -4,7 +4,7 @@ import data.compliance.lib.common import data.compliance.policy.azure.data_adapter import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_network_watchers_flow_log @@ -18,4 +18,4 @@ finding = result if { ensure_retention_days if { data_adapter.properties.retentionPolicy.enabled data_adapter.properties.retentionPolicy.days >= 90 -} else = false +} else := false diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_6_6/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_6_6/rule.rego index 352b27e8dc..f5ecadda61 100644 
--- a/security-policies/bundle/compliance/cis_azure/rules/cis_6_6/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_6_6/rule.rego @@ -4,7 +4,7 @@ import data.compliance.lib.common import data.compliance.policy.azure.data_adapter import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_network_watcher @@ -20,4 +20,4 @@ ensure_enabled if { some i data_adapter.resource.networkWatchers[i].properties.provisioningState == "Succeeded" -} else = false +} else := false diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_7_1/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_7_1/rule.rego index 443dc193a4..38040490d3 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_7_1/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_7_1/rule.rego @@ -4,7 +4,7 @@ import data.compliance.lib.common import data.compliance.policy.azure.data_adapter import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_bastion @@ -18,4 +18,4 @@ finding = result if { at_least_one_bastion if { some i data_adapter.bastions[i].id != "" -} else = false +} else := false diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_7_1/test.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_7_1/test.rego index 3baa14c88b..2c6bd7ba8d 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_7_1/test.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_7_1/test.rego @@ -4,7 +4,7 @@ import data.compliance.policy.azure.data_adapter import data.lib.test import future.keywords.if -valid_bastion = { +valid_bastion := { "extendedLocation": null, "id": "/subscriptions/sub-id/resourceGroups/cloudbeat/providers/Microsoft.Network/bastionHosts/cloudbeat", "identity": null, 
@@ -51,7 +51,7 @@ valid_bastion = { "zones": null, } -generate_bastions(assets) = { +generate_bastions(assets) := { "subType": "azure-bastion", "resource": assets, } diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_7_2/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_7_2/rule.rego index bb6042bb63..49229806a1 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_7_2/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_7_2/rule.rego @@ -4,7 +4,7 @@ import data.compliance.lib.common import data.compliance.policy.azure.data_adapter import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_vm @@ -17,4 +17,4 @@ finding = result if { has_managed_disk if { data_adapter.properties.storageProfile.osDisk.managedDisk.id != "" -} else = false +} else := false diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_7_3/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_7_3/rule.rego index 6b76a11e74..2d4995c793 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_7_3/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_7_3/rule.rego @@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter import data.compliance.policy.azure.disk.ensure_encryption as audit import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_attached_disk diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_7_4/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_7_4/rule.rego index 6f3297be35..0468952777 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_7_4/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_7_4/rule.rego 
@@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter import data.compliance.policy.azure.disk.ensure_encryption as audit import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_unattached_disk diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_8_1/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_8_1/rule.rego index 5342586d9e..b161e5d81b 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_8_1/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_8_1/rule.rego @@ -6,7 +6,7 @@ import data.compliance.policy.azure.disk.ensure_expiration as audit import future.keywords.every import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_vault data_adapter.properties.enableRbacAuthorization diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_8_2/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_8_2/rule.rego index 821e1093cb..509241d23e 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_8_2/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_8_2/rule.rego @@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter import data.compliance.policy.azure.disk.ensure_expiration as audit import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_vault not data_adapter.properties.enableRbacAuthorization diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_8_3/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_8_3/rule.rego index 0c44bdc681..1962ec388a 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_8_3/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_8_3/rule.rego 
@@ -6,7 +6,7 @@ import data.compliance.policy.azure.disk.ensure_expiration as audit import future.keywords.every import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_vault data_adapter.properties.enableRbacAuthorization diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_8_4/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_8_4/rule.rego index d34fc1935e..83437efcbf 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_8_4/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_8_4/rule.rego @@ -5,7 +5,7 @@ import data.compliance.policy.azure.data_adapter import data.compliance.policy.azure.disk.ensure_expiration as audit import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_vault not data_adapter.properties.enableRbacAuthorization diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_8_5/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_8_5/rule.rego index 16f930e0f0..8933dd3c6c 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_8_5/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_8_5/rule.rego @@ -4,7 +4,7 @@ import data.compliance.lib.common import data.compliance.policy.azure.data_adapter import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_vault @@ -18,4 +18,4 @@ finding = result if { is_vault_recoverable if { data_adapter.properties.enableSoftDelete data_adapter.properties.enablePurgeProtection -} else = false +} else := false diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_9_1/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_9_1/rule.rego index 20fcad1d12..56358e5ef7 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_9_1/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_9_1/rule.rego 
@@ -4,7 +4,7 @@ import data.compliance.lib.common import data.compliance.policy.azure.data_adapter import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_website_asset diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_9_10/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_9_10/rule.rego index 75ca0f039a..4f9962f6df 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_9_10/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_9_10/rule.rego @@ -4,7 +4,7 @@ import data.compliance.lib.common import data.compliance.policy.azure.data_adapter import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_website_asset diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_9_2/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_9_2/rule.rego index 1e224898a2..dcf9abd93a 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_9_2/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_9_2/rule.rego @@ -4,7 +4,7 @@ import data.compliance.lib.common import data.compliance.policy.azure.data_adapter import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_website_asset @@ -17,4 +17,4 @@ finding = result if { is_https_only if { data_adapter.properties.httpsOnly == true -} else = false +} else := false diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_9_3/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_9_3/rule.rego index dbb7fd2555..c484d42057 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_9_3/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_9_3/rule.rego 
@@ -4,7 +4,7 @@ import data.compliance.lib.common import data.compliance.policy.azure.data_adapter import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_website_asset diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_9_4/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_9_4/rule.rego index 26c3c45d45..6fba5e546d 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_9_4/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_9_4/rule.rego @@ -4,7 +4,7 @@ import data.compliance.lib.common import data.compliance.policy.azure.data_adapter import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_website_asset @@ -21,4 +21,4 @@ is_client_cert_enabled if { # See: https://github.com/elastic/cloudbeat/issues/1828 data_adapter.properties.clientCertEnabled == true data_adapter.properties.clientCertMode == "Required" -} else = false +} else := false diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_9_5/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_9_5/rule.rego index 8a777eda87..d564a37a2f 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_9_5/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_9_5/rule.rego @@ -4,9 +4,9 @@ import data.compliance.lib.common import data.compliance.policy.azure.data_adapter import future.keywords.if -default rule_evaluation = false +default rule_evaluation := false -finding = result if { +finding := result if { # filter data_adapter.is_website_asset diff --git a/security-policies/bundle/compliance/cis_azure/rules/cis_9_9/rule.rego b/security-policies/bundle/compliance/cis_azure/rules/cis_9_9/rule.rego index d1c2935ab7..e617788338 100644 --- a/security-policies/bundle/compliance/cis_azure/rules/cis_9_9/rule.rego +++ b/security-policies/bundle/compliance/cis_azure/rules/cis_9_9/rule.rego 
@@ -4,7 +4,7 @@ import data.compliance.lib.common import data.compliance.policy.azure.data_adapter import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_website_asset @@ -17,4 +17,4 @@ finding = result if { is_latest_http if { data_adapter.site_config.http20Enabled == true -} else = false +} else := false diff --git a/security-policies/bundle/compliance/cis_azure/test_data.rego b/security-policies/bundle/compliance/cis_azure/test_data.rego index b9061a3fd3..a5d2322954 100644 --- a/security-policies/bundle/compliance/cis_azure/test_data.rego +++ b/security-policies/bundle/compliance/cis_azure/test_data.rego @@ -1,21 +1,21 @@ package cis_azure.test_data -not_eval_resource = { +not_eval_resource := { "type": "azure-resource-type", "subType": "azure-resource-subtype", "resource": {}, } -generate_disk_encryption_settings(type) = {"encryption": { +generate_disk_encryption_settings(type) := {"encryption": { "diskEncryptionSetId": "/subscriptions/dead-beef/resourceGroups/RESOURCEGROUP/providers/Microsoft.Compute/diskEncryptionSets/double-disk-encryption-set", "type": type, }} -generate_attached_disk_with_encryption(settings) = generate_disk_with_encryption("Attached", settings) +generate_attached_disk_with_encryption(settings) := generate_disk_with_encryption("Attached", settings) -generate_unattached_disk_with_encryption(settings) = generate_disk_with_encryption("Unattached", settings) +generate_unattached_disk_with_encryption(settings) := generate_disk_with_encryption("Unattached", settings) -generate_disk_with_encryption(state, settings) = { +generate_disk_with_encryption(state, settings) := { "subType": "azure-disk", "resource": { "id": "/subscriptions/dead-beef/resourceGroups/resourceGroup/providers/Microsoft.Compute/disks/unattached-disk", 
@@ -45,32 +45,32 @@ generate_disk_with_encryption(state, settings) = { }, } -generate_storage_account_with_property(key, value) = { +generate_storage_account_with_property(key, value) := { "subType": "azure-storage-account", "resource": {"properties": {key: value}}, } -generate_storage_account_with_extensions(properties, extension) = { +generate_storage_account_with_extensions(properties, extension) := { "subType": "azure-storage-account", "resource": {"properties": properties, "extension": extension}, } -generate_azure_asset(type, properties) = { +generate_azure_asset(type, properties) := { "subType": type, "resource": {"properties": properties}, } -generate_azure_asset_with_ext(type, properties, ext) = { +generate_azure_asset_with_ext(type, properties, ext) := { "subType": type, "resource": {"properties": properties, "extension": ext}, } -generate_azure_asset_resource(type, properties) = { +generate_azure_asset_resource(type, properties) := { "subType": type, "resource": properties, } -generate_azure_sku_asset_with_properties(type, properties) = { +generate_azure_sku_asset_with_properties(type, properties) := { "subType": type, "resource": { "sku": properties, 
@@ -78,62 +78,62 @@ generate_azure_sku_asset_with_properties(type, properties) = { }, } -generate_azure_non_sku_asset(type) = { +generate_azure_non_sku_asset(type) := { "subType": type, "resource": {"properties": {}}, } -not_eval_storage_account_empty = { +not_eval_storage_account_empty := { "subType": "azure-storage-account", "resource": {"properties": {}}, } -not_eval_non_exist_type = { +not_eval_non_exist_type := { "subType": "azure-non-exist", "resource": {"properties": {}}, } -generate_postgresql_server_with_ssl_enforcement(enabled) = { +generate_postgresql_server_with_ssl_enforcement(enabled) := { "subType": "azure-postgresql-server-db", "resource": {"properties": {"sslEnforcement": enabled}}, } -generate_postgresql_server_with_extension(ext) = { +generate_postgresql_server_with_extension(ext) := { "subType": "azure-postgresql-server-db", "resource": {"extension": ext}, } -generate_postgresql_server_with_infrastructure_encryption(enabled) = { +generate_postgresql_server_with_infrastructure_encryption(enabled) := { "subType": "azure-postgresql-server-db", "resource": {"properties": {"infrastructureEncryption": enabled}}, } -generate_flexible_postgresql_server_with_extension(ext) = { +generate_flexible_postgresql_server_with_extension(ext) := { "subType": "azure-flexible-postgresql-server-db", "resource": {"extension": ext}, } -generate_mysql_server_with_ssl_enforcement(enabled) = { +generate_mysql_server_with_ssl_enforcement(enabled) := { "subType": "azure-mysql-server-db", "resource": {"properties": {"sslEnforcement": enabled}}, } -generate_flexible_mysql_server_with_extension(extension) = { +generate_flexible_mysql_server_with_extension(extension) := { "subType": "azure-flexible-mysql-server-db", "resource": {"extension": extension}, } -generate_activity_log_alerts_no_alerts = { +generate_activity_log_alerts_no_alerts := { "subType": "azure-activity-log-alert", "resource": [], } -generate_activity_log_alerts(rules) = { +generate_activity_log_alerts(rules) := 
{ "subType": "azure-activity-log-alert", "resource": rules, } -generate_activity_log_alert(operation_name, category) = { +generate_activity_log_alert(operation_name, category) := { "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/activityLogAlerts/providers/microsoft.insights/activityLogAlerts/activityLogAlert", "subType": "microsoft.insights/activitylogalerts", "kind": "activityLogAlert", @@ -160,18 +160,18 @@ generate_activity_log_alert(operation_name, category) = { }, } -valid_managed_disk = { +valid_managed_disk := { "id": "/subscriptions/sub-id/resourceGroups/cloudbeat-resource-group-1695893762/providers/Microsoft.Compute/disks/cloudbeatVM_OsDisk_1_e736df07f12142a9a2784ea8de9084ce", "resourceGroup": "cloudbeat-resource-group-1695893762", "storageAccountType": "Standard_LRS", } -generate_vm(managed_disk) = generate_vm_full(managed_disk, {}) +generate_vm(managed_disk) := generate_vm_full(managed_disk, {}) -generate_vm_with_extension(extension) = generate_vm_full({}, extension) +generate_vm_with_extension(extension) := generate_vm_full({}, extension) # regal ignore:rule-length -generate_vm_full(managed_disk, extension) = { +generate_vm_full(managed_disk, extension) := { "subType": "azure-vm", "resource": { "extendedLocation": null, @@ -254,17 +254,17 @@ generate_vm_full(managed_disk, extension) = { }, } -generate_insights_components_empty = { +generate_insights_components_empty := { "subType": "azure-insights-component", "resource": [], } -generate_insights_components(rules) = { +generate_insights_components(rules) := { "subType": "azure-insights-component", "resource": rules, } -generate_insights_component(resource_group, name) = { +generate_insights_component(resource_group, name) := { "id": sprintf("/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/%s/providers/microsoft.insights/components/%s", [resource_group, name]), "name": name, "type": "microsoft.insights/components", 
@@ -294,17 +294,17 @@ generate_insights_component(resource_group, name) = { }, } -generate_diagnostic_settings_empty = { +generate_diagnostic_settings_empty := { "subType": "azure-diagnostic-settings", "resource": [], } -generate_diagnostic_settings(rules) = { +generate_diagnostic_settings(rules) := { "subType": "azure-diagnostic-settings", "resource": rules, } -generate_diagnostic_setting_element(sub_id, resource_group, name, logs) = { +generate_diagnostic_setting_element(sub_id, resource_group, name, logs) := { "id": sprintf("/subscriptions/%s/providers/microsoft.insights/diagnosticSettings/%s", [sub_id, name]), "name": name, "properties": { @@ -315,7 +315,7 @@ generate_diagnostic_setting_element(sub_id, resource_group, name, logs) = { }, } -generate_diagnostic_setting_element_logs(flags) = [ +generate_diagnostic_setting_element_logs(flags) := [ generate_diagnostic_setting_element_log("Administrative", flags.Administrative), generate_diagnostic_setting_element_log("Security", flags.Security), generate_diagnostic_setting_element_log("Policy", flags.Policy), @@ -326,7 +326,7 @@ generate_diagnostic_setting_element_logs(flags) = [ generate_diagnostic_setting_element_log("ResourceHealth", false), ] -generate_diagnostic_setting_element_log(category, enabled) = { +generate_diagnostic_setting_element_log(category, enabled) := { "category": category, "categoryGroup": null, "enabled": enabled, @@ -336,9 +336,9 @@ generate_diagnostic_setting_element_log(category, enabled) = { }, } -generate_key_vault_extension_key(attributes) = {"properties": {"attributes": attributes}} +generate_key_vault_extension_key(attributes) := {"properties": {"attributes": attributes}} -generate_key_vault_rbac(extension) = { +generate_key_vault_rbac(extension) := { "subType": "azure-vault", "resource": { "properties": {"enableRbacAuthorization": true}, 
@@ -346,7 +346,7 @@ generate_key_vault_rbac(extension) = { }, } -generate_key_vault(properties, extension) = { +generate_key_vault(properties, extension) := { "subType": "azure-vault", "resource": { "properties": properties, @@ -354,17 +354,17 @@ generate_key_vault(properties, extension) = { }, } -generate_security_contacts(resources) = { +generate_security_contacts(resources) := { "subType": "azure-security-contacts", "resource": resources, } -generate_single_security_contact(name, properties) = { +generate_single_security_contact(name, properties) := { "name": name, "properties": properties, } -generate_security_auto_provisioning_settings(resources) = { +generate_security_auto_provisioning_settings(resources) := { "subType": "azure-security-auto-provisioning-settings", "resource": resources, } diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_2_1_1/rule.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_2_1_1/rule.rego index 51db2c215f..5158a6307f 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_2_1_1/rule.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_2_1_1/rule.rego @@ -2,4 +2,4 @@ package compliance.cis_eks.rules.cis_2_1_1 import data.compliance.policy.aws_eks.ensure_logs_enabled as audit -finding = audit.finding +finding := audit.finding diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_2_1_1/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_2_1_1/test.rego index 924a1db550..d91b6a8744 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_2_1_1/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_2_1_1/test.rego @@ -17,7 +17,7 @@ test_not_evaluated if { not finding with input as test_data.not_evaluated_input } -violating_input_all_logs_disabled = result if { +violating_input_all_logs_disabled := result if { logging = {"ClusterLogging": [{ "Enabled": false, "Types": [ 
@@ -32,7 +32,7 @@ violating_input_all_logs_disabled = result if { result = generate_eks_input_with_log(logging) } -violating_input_some_disabled = result if { +violating_input_some_disabled := result if { logging = {"ClusterLogging": [ { "Enabled": false, @@ -54,7 +54,7 @@ violating_input_some_disabled = result if { result = generate_eks_input_with_log(logging) } -non_violating_input = result if { +non_violating_input := result if { logging = {"ClusterLogging": [{ "Enabled": true, "Types": [ @@ -69,7 +69,7 @@ non_violating_input = result if { result = generate_eks_input_with_log(logging) } -generate_eks_input_with_log(logging) = result if { +generate_eks_input_with_log(logging) := result if { encryption_config = {"EncryptionConfig : null"} result = test_data.generate_eks_input(logging, encryption_config, true, true, []) } diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_1/rule.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_1/rule.rego index c4424449e5..6bc03c2cd4 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_1/rule.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_1/rule.rego @@ -3,7 +3,7 @@ package compliance.cis_eks.rules.cis_3_1_1 import data.compliance.policy.file.ensure_permissions as audit import future.keywords.if -finding = result if { +finding := result if { audit.filename_filter("kubeconfig") result := audit.finding(audit.file_permission_match(6, 4, 4)) } diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_1/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_1/test.rego index bbba4f936d..167022d6f6 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_1/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_1/test.rego 
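Review bot: The `:=` conversion stops at the rule heads in cis_2_1_1/test.rego; the bodies still bind locals by unification, e.g. `logging = {...}` and `result = generate_eks_input_with_log(logging)` in the three `*_input` rules and `encryption_config = {...}` in `generate_eks_input_with_log`, while the rule files in the same commit already write `result := audit.finding(...)` inside bodies (cis_3_1_1 and cis_3_1_2 just below). The same mix appears in the cis_3_1_1–cis_3_1_4 test.rego hunks, where `user := "root"` sits next to `filesystem_input = test_data.filesystem_input(...)`; writing those body lines with `:=` makes the assignment intent explicit and lets the compiler reject an accidental re-binding of the same local. Separately, `encryption_config = {"EncryptionConfig : null"}` is a one-element set holding the string `"EncryptionConfig : null"`, which looks like a misplaced quote for the object `{"EncryptionConfig": null}`; whether the rule under test notices depends on how test_data.generate_eks_input consumes that argument, which is outside this hunk. The first hunk here starts inside `violating_input_all_logs_disabled`, whose head is in the preceding hunk.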
@@ -16,7 +16,7 @@ test_not_evaluated if { not finding with input as rule_input("file.txt", "644") } -rule_input(filename, filemode) = filesystem_input if { +rule_input(filename, filemode) := filesystem_input if { user := "root" group := "root" filesystem_input = test_data.filesystem_input(filename, filemode, user, group) diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_2/rule.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_2/rule.rego index 09a9aa6ad6..72f9f8eae5 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_2/rule.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_2/rule.rego @@ -3,7 +3,7 @@ package compliance.cis_eks.rules.cis_3_1_2 import data.compliance.policy.file.ensure_ownership as audit import future.keywords.if -finding = result if { +finding := result if { audit.filename_filter("kubeconfig") result := audit.finding("root", "root") } diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_2/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_2/test.rego index c7a5d92d96..30119f4777 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_2/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_2/test.rego @@ -18,7 +18,7 @@ test_not_evaluated if { not finding with input as rule_input("file.txt", "root", "root") } -rule_input(filename, user, group) = filesystem_input if { +rule_input(filename, user, group) := filesystem_input if { filemode := "644" filesystem_input = test_data.filesystem_input(filename, filemode, user, group) } diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_3/rule.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_3/rule.rego index c433dbd0a1..a10bc76bb0 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_3/rule.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_3/rule.rego 
@@ -3,7 +3,7 @@ package compliance.cis_eks.rules.cis_3_1_3 import data.compliance.policy.file.ensure_permissions as audit import future.keywords.if -finding = result if { +finding := result if { audit.filename_filter("kubelet-config.json") result := audit.finding(audit.file_permission_match(6, 4, 4)) } diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_3/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_3/test.rego index b8a0331caf..fee5214e79 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_3/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_3/test.rego @@ -16,7 +16,7 @@ test_not_evaluated if { not finding with input as rule_input("file.txt", "644") } -rule_input(filename, filemode) = filesystem_input if { +rule_input(filename, filemode) := filesystem_input if { user := "root" group := "root" filesystem_input = test_data.filesystem_input(filename, filemode, user, group) diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_4/rule.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_4/rule.rego index da546d9fcc..f96ab1f7da 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_4/rule.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_4/rule.rego @@ -3,7 +3,7 @@ package compliance.cis_eks.rules.cis_3_1_4 import data.compliance.policy.file.ensure_ownership as audit import future.keywords.if -finding = result if { +finding := result if { audit.filename_filter("kubelet-config.json") result := audit.finding("root", "root") } diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_4/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_4/test.rego index 714d8dcbab..abcc8597f8 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_4/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_1_4/test.rego 
@@ -18,7 +18,7 @@ test_not_evaluated if { not finding with input as rule_input("file.txt", "root", "root") } -rule_input(filename, user, group) = filesystem_input if { +rule_input(filename, user, group) := filesystem_input if { filemode := "644" filesystem_input = test_data.filesystem_input(filename, filemode, user, group) } diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_1/rule.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_1/rule.rego index 5997ac08d4..ac2d42909a 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_1/rule.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_1/rule.rego @@ -4,7 +4,7 @@ import data.compliance.policy.process.ensure_arguments_and_config as audit import future.keywords.if # Ensure that the --anonymous-auth argument is set to false (Automated) -default rule_evaluation = false +default rule_evaluation := false rule_evaluation if { audit.process_contains_key_with_value("--anonymous-auth", "false") @@ -16,4 +16,4 @@ rule_evaluation if { audit.not_process_arg_comparison("--anonymous-auth", ["authentication", "anonymous", "enabled"], false) } -finding = audit.finding(rule_evaluation) +finding := audit.finding(rule_evaluation) diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_1/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_1/test.rego index cef1e078b4..4c9f54b61d 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_1/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_1/test.rego 
@@ -24,11 +24,11 @@ test_not_evaluated if { not_eval with input as test_data.process_input("some_process", []) } -rule_input(argument) = test_data.process_input_with_external_data("kubelet", [argument], {}) +rule_input(argument) := test_data.process_input_with_external_data("kubelet", [argument], {}) -rule_input_with_external(argument, external_data) = test_data.process_input_with_external_data("kubelet", [argument], external_data) +rule_input_with_external(argument, external_data) := test_data.process_input_with_external_data("kubelet", [argument], external_data) -create_process_config(anonymous_enabled) = {"config": {"authentication": { +create_process_config(anonymous_enabled) := {"config": {"authentication": { "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"}, "anonymous": {"enabled": anonymous_enabled}, "webhook": { diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_10/rule.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_10/rule.rego index 3e8a06433f..d206e94833 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_10/rule.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_10/rule.rego @@ -4,15 +4,15 @@ import data.compliance.policy.process.ensure_arguments_and_config as audit import future.keywords.if # Verify that the --rotate-certificates argument is not present, or is set to true. -default rule_evaluation = true +default rule_evaluation := true -rule_evaluation = false if { +rule_evaluation := false if { audit.process_contains_key_with_value("--rotate-certificates", "false") } # In case both flags and configuration file are specified, the executable argument takes precedence. -rule_evaluation = false if { +rule_evaluation := false if { audit.not_process_arg_comparison("--rotate-certificates", ["rotateCertificates"], false) } -finding = audit.finding(rule_evaluation) +finding := audit.finding(rule_evaluation) 
diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_10/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_10/test.rego index 49b35a7042..d0c9543c57 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_10/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_10/test.rego @@ -23,11 +23,11 @@ test_not_evaluated if { not_eval with input as test_data.process_input("some_process", []) } -rule_input(argument) = test_data.process_input("kubelet", [argument]) +rule_input(argument) := test_data.process_input("kubelet", [argument]) -rule_input_with_external(argument, external_data) = test_data.process_input_with_external_data("kubelet", [argument], external_data) +rule_input_with_external(argument, external_data) := test_data.process_input_with_external_data("kubelet", [argument], external_data) -create_process_config(rotateCertificates) = {"config": {"rotateCertificates": rotateCertificates}} +create_process_config(rotateCertificates) := {"config": {"rotateCertificates": rotateCertificates}} eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_11/rule.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_11/rule.rego index 159e2e33b3..5ef35258c0 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_11/rule.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_11/rule.rego @@ -4,7 +4,7 @@ import data.compliance.policy.process.ensure_arguments_and_config as audit import future.keywords.if # Verify that the RotateKubeletServerCertificate argument is set to true -default rule_evaluation = false +default rule_evaluation := false rule_evaluation if { audit.process_contains_key_with_value("--feature-gates", "RotateKubeletServerCertificate=true") 
@@ -19,4 +19,4 @@ rule_evaluation if { audit.not_process_contains_variable("--feature-gates", "RotateKubeletServerCertificate", ["featureGates", "RotateKubeletServerCertificate"]) } -finding = audit.finding(rule_evaluation) +finding := audit.finding(rule_evaluation) diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_11/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_11/test.rego index a7a604c7ad..ed1d6a6967 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_11/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_11/test.rego @@ -27,13 +27,13 @@ test_not_evaluated if { not_eval with input as test_data.process_input("some_process", []) } -rule_input(argument) = test_data.process_input("kubelet", [argument]) +rule_input(argument) := test_data.process_input("kubelet", [argument]) -rule_input_with_external(argument, external_data) = test_data.process_input_with_external_data("kubelet", [argument], external_data) +rule_input_with_external(argument, external_data) := test_data.process_input_with_external_data("kubelet", [argument], external_data) -create_process_config(rotateCertificates) = {"config": {"featureGates": {"RotateKubeletServerCertificate": rotateCertificates}}} +create_process_config(rotateCertificates) := {"config": {"featureGates": {"RotateKubeletServerCertificate": rotateCertificates}}} -create_process_config_without_proprerty = {"config": {"featureGates": {}}} +create_process_config_without_proprerty := {"config": {"featureGates": {}}} eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_2/rule.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_2/rule.rego index f5adaccfdf..9a14330f31 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_2/rule.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_2/rule.rego 
@@ -5,7 +5,7 @@ import future.keywords.if # Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated) # If the --authorization-mode argument is present check that it is not set to AlwaysAllow. -default rule_evaluation = false +default rule_evaluation := false is_authorization_allow_all if { audit.process_arg_not_key_value("--authorization-mode", "--authorization-mode", "AlwaysAllow") @@ -22,4 +22,4 @@ rule_evaluation if { audit.process_filter_variable_multi_comparison(["authorization", "mode"], ["authorization", "mode"], "AlwaysAllow") } -finding = audit.finding(rule_evaluation) +finding := audit.finding(rule_evaluation) diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_2/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_2/test.rego index fc5e93232b..3a1755f4fb 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_2/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_2/test.rego @@ -22,11 +22,11 @@ test_not_evaluated if { not_eval with input as test_data.process_input("some_process", []) } -rule_input(argument) = test_data.process_input("kubelet", [argument]) +rule_input(argument) := test_data.process_input("kubelet", [argument]) -rule_input_with_external(argument, external_data) = test_data.process_input_with_external_data("kubelet", [argument], external_data) +rule_input_with_external(argument, external_data) := test_data.process_input_with_external_data("kubelet", [argument], external_data) -create_process_config(authz_mode) = {"config": {"authorization": { +create_process_config(authz_mode) := {"config": {"authorization": { "mode": authz_mode, "webhook": { "cacheAuthorizedTTL": "0s", diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_3/rule.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_3/rule.rego index e8988a828c..b685c470a1 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_3/rule.rego 
+++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_3/rule.rego @@ -3,7 +3,7 @@ package compliance.cis_eks.rules.cis_3_2_3 import data.compliance.policy.process.ensure_arguments_and_config as audit import future.keywords.if -default rule_evaluation = false +default rule_evaluation := false rule_evaluation if { audit.process_contains_key("--client-ca-file") @@ -16,4 +16,4 @@ rule_evaluation if { } # Ensure that the --client-ca-file argument is set as appropriate (Automated) -finding = audit.finding(rule_evaluation) +finding := audit.finding(rule_evaluation) diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_3/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_3/test.rego index 66020b3efa..4bda8e593f 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_3/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_3/test.rego @@ -20,11 +20,11 @@ test_not_evaluated if { not_eval with input as test_data.process_input("some_process", []) } -rule_input(argument) = test_data.process_input("kubelet", [argument]) +rule_input(argument) := test_data.process_input("kubelet", [argument]) -rule_input_with_external(argument, external_data) = test_data.process_input_with_external_data("kubelet", [argument], external_data) +rule_input_with_external(argument, external_data) := test_data.process_input_with_external_data("kubelet", [argument], external_data) -create_process_config(client_CA_path) = {"config": {"authentication": { +create_process_config(client_CA_path) := {"config": {"authentication": { "x509": {"clientCAFile": client_CA_path}, "anonymous": {"enabled": false}, "webhook": { @@ -33,7 +33,7 @@ create_process_config(client_CA_path) = {"config": {"authentication": { }, }}} -create_process_config_empty = {"config": {"authentication": { +create_process_config_empty := {"config": {"authentication": { "x509": {}, "anonymous": {"enabled": false}, "webhook": { 
diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_4/rule.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_4/rule.rego index 501267d0fd..ee1286e9d2 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_4/rule.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_4/rule.rego @@ -4,7 +4,7 @@ import data.compliance.policy.process.ensure_arguments_and_config as audit import future.keywords.if # Verify that the --read-only-port argument is set to 0 -default rule_evaluation = false +default rule_evaluation := false rule_evaluation if { audit.process_contains_key_with_value("--read-only-port", "0") @@ -15,4 +15,4 @@ rule_evaluation if { audit.not_process_arg_comparison("--read-only-port", ["readOnlyPort"], 0) } -finding = audit.finding(rule_evaluation) +finding := audit.finding(rule_evaluation) diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_4/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_4/test.rego index 51e793099f..86a1e4912b 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_4/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_4/test.rego 
@@ -25,11 +25,11 @@ test_not_evaluated if { not_eval with input as test_data.process_input("some_process", []) } -rule_input(argument) = test_data.process_input_with_external_data("kubelet", [argument], {}) +rule_input(argument) := test_data.process_input_with_external_data("kubelet", [argument], {}) -rule_input_with_external(argument, external_data) = test_data.process_input_with_external_data("kubelet", [argument], external_data) +rule_input_with_external(argument, external_data) := test_data.process_input_with_external_data("kubelet", [argument], external_data) -create_process_config(port) = {"config": {"readOnlyPort": port}} +create_process_config(port) := {"config": {"readOnlyPort": port}} eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_5/rule.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_5/rule.rego index df1f595fa2..12232de113 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_5/rule.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_5/rule.rego 
@@ -4,23 +4,23 @@ import data.compliance.policy.process.ensure_arguments_and_config as audit import future.keywords.if # Ensure that the --streaming-connection-idle-timeout argument is not set to 0 -default rule_evaluation = true +default rule_evaluation := true -rule_evaluation = false if { +rule_evaluation := false if { audit.process_contains_key_with_value("--streaming-connection-idle-timeout", "0") } -rule_evaluation = false if { +rule_evaluation := false if { audit.process_contains_key_with_value("--streaming-connection-idle-timeout", "0s") } # In case both flags and configuration file are specified, the executable argument takes precedence. -rule_evaluation = false if { +rule_evaluation := false if { audit.not_process_arg_comparison("--streaming-connection-idle-timeout", ["streamingConnectionIdleTimeout"], "0") } -rule_evaluation = false if { +rule_evaluation := false if { audit.not_process_arg_comparison("--streaming-connection-idle-timeout", ["streamingConnectionIdleTimeout"], "0s") } -finding = audit.finding(rule_evaluation) +finding := audit.finding(rule_evaluation) diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_5/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_5/test.rego index 69a1e7329a..abdf79b69e 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_5/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_5/test.rego 
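Review bot: The four `rule_evaluation := false if` bodies only recognise the literal spellings `"0"` and `"0s"` for `--streaming-connection-idle-timeout` (flag branch and `streamingConnectionIdleTimeout` config branch alike), so a zero duration written another way, such as `"0m"` or `"0h"`, would not be flagged and the rule would report a pass. Whether the kubelet accepts those spellings is not visible here, and neither are the helpers behind `audit.process_contains_key_with_value` and `audit.not_process_arg_comparison`, so this is inferred from the literals alone. If the literal match is intentional, a comment above the first body would make the coverage explicit: `# Only the literal values "0" and "0s" are treated as "disabled"; other zero-duration spellings are not detected.` Otherwise a comparison that normalises the value before the zero test would close the gap.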
@@ -28,11 +28,11 @@ test_not_evaluated if { not_eval with input as test_data.process_input("some_process", []) } -rule_input(argument) = test_data.process_input_with_external_data("kubelet", [argument], {}) +rule_input(argument) := test_data.process_input_with_external_data("kubelet", [argument], {}) -rule_input_with_external(argument, external_data) = test_data.process_input_with_external_data("kubelet", [argument], external_data) +rule_input_with_external(argument, external_data) := test_data.process_input_with_external_data("kubelet", [argument], external_data) -create_process_config(connection_timeout) = {"config": {"streamingConnectionIdleTimeout": connection_timeout}} +create_process_config(connection_timeout) := {"config": {"streamingConnectionIdleTimeout": connection_timeout}} eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_6/rule.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_6/rule.rego index 97f72fdaed..7bc335a3ac 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_6/rule.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_6/rule.rego @@ -3,7 +3,7 @@ package compliance.cis_eks.rules.cis_3_2_6 import data.compliance.policy.process.ensure_arguments_and_config as audit import future.keywords.if -default rule_evaluation = false +default rule_evaluation := false # Ensure that the --protect-kernel-defaults argument is set to true rule_evaluation if { @@ -16,4 +16,4 @@ rule_evaluation if { audit.not_process_arg_variable("--protect-kernel-defaults", ["protectKernelDefaults"]) } -finding = audit.finding(rule_evaluation) +finding := audit.finding(rule_evaluation) diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_6/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_6/test.rego index 09624f7fd2..4e130bdff0 100644 
--- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_6/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_6/test.rego @@ -22,11 +22,11 @@ test_not_evaluated if { not_eval with input as test_data.process_input("some_process", []) } -rule_input(argument) = test_data.process_input("kubelet", [argument]) +rule_input(argument) := test_data.process_input("kubelet", [argument]) -rule_input_with_external(argument, external_data) = test_data.process_input_with_external_data("kubelet", [argument], external_data) +rule_input_with_external(argument, external_data) := test_data.process_input_with_external_data("kubelet", [argument], external_data) -create_process_config(kernel_protection_enabled) = {"config": {"protectKernelDefaults": kernel_protection_enabled}} +create_process_config(kernel_protection_enabled) := {"config": {"protectKernelDefaults": kernel_protection_enabled}} eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_7/rule.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_7/rule.rego index 86a175f716..1bb6af59ea 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_7/rule.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_7/rule.rego 
@@ -3,17 +3,17 @@ package compliance.cis_eks.rules.cis_3_2_7 import data.compliance.policy.process.ensure_arguments_and_config as audit import future.keywords.if -default rule_evaluation = true +default rule_evaluation := true # Ensure that the --make-iptables-util-chains argument is set to true (Automated) -rule_evaluation = false if { +rule_evaluation := false if { audit.process_contains_key_with_value("--make-iptables-util-chains", "false") } # In case both flags and configuration file are specified, the executable argument takes precedence. # Checks that the entry for makeIPTablesUtilChains is set to true. -rule_evaluation = false if { +rule_evaluation := false if { audit.not_process_arg_comparison("--make-iptables-util-chains", ["makeIPTablesUtilChains"], false) } -finding = audit.finding(rule_evaluation) +finding := audit.finding(rule_evaluation) diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_7/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_7/test.rego index eebcffce0a..bc3f0acb28 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_7/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_7/test.rego 
@@ -25,11 +25,11 @@ test_not_evaluated if { not_eval with input as test_data.process_input("some_process", []) } -rule_input(argument) = test_data.process_input("kubelet", [argument]) +rule_input(argument) := test_data.process_input("kubelet", [argument]) -rule_input_with_external(argument, external_data) = test_data.process_input_with_external_data("kubelet", [argument], external_data) +rule_input_with_external(argument, external_data) := test_data.process_input_with_external_data("kubelet", [argument], external_data) -create_process_config(makeIPTablesUtilChains) = {"config": {"makeIPTablesUtilChains": makeIPTablesUtilChains}} +create_process_config(makeIPTablesUtilChains) := {"config": {"makeIPTablesUtilChains": makeIPTablesUtilChains}} eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_8/rule.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_8/rule.rego index e2a71aecee..2f511d8049 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_8/rule.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_8/rule.rego @@ -4,11 +4,11 @@ import data.compliance.policy.process.ensure_arguments_and_config as audit import future.keywords.if # Ensure that the --hostname-override argument is not set. -default rule_evaluation = true +default rule_evaluation := true # Note This setting is not configurable via the Kubelet config file. -rule_evaluation = false if { +rule_evaluation := false if { audit.process_contains_key("--hostname-override") } -finding = audit.finding(rule_evaluation) +finding := audit.finding(rule_evaluation) diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_8/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_8/test.rego index 4dc6a796fa..2b478e7313 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_8/test.rego 
+++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_8/test.rego @@ -18,9 +18,9 @@ test_not_evaluated if { not_eval with input as test_data.process_input("some_process", []) } -rule_input(argument) = test_data.process_input_with_external_data("kubelet", [argument], {}) +rule_input(argument) := test_data.process_input_with_external_data("kubelet", [argument], {}) -rule_input_with_external(argument, external_data) = test_data.process_input_with_external_data("kubelet", [argument], external_data) +rule_input_with_external(argument, external_data) := test_data.process_input_with_external_data("kubelet", [argument], external_data) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_9/rule.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_9/rule.rego index cbbe53a752..c01386fb24 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_9/rule.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_9/rule.rego @@ -5,7 +5,7 @@ import future.keywords.if # Ensure that the --event-qps argument is set to 0 or a level which # ensures appropriate event capture -default rule_evaluation = false +default rule_evaluation := false rule_evaluation if { audit.process_contains_key_with_value("--event-qps", "0") @@ -15,4 +15,4 @@ rule_evaluation if { audit.not_process_key_comparison("--event-qps", ["eventRecordQPS"], 0) } -finding = audit.finding(rule_evaluation) +finding := audit.finding(rule_evaluation) diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_9/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_9/test.rego index 4ede53ce46..cd076a1fc0 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_9/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_3_2_9/test.rego 
@@ -24,11 +24,11 @@ test_not_evaluated if { not_eval with input as test_data.process_input("some_process", []) } -rule_input(argument) = test_data.process_input_with_external_data("kubelet", [argument], {}) +rule_input(argument) := test_data.process_input_with_external_data("kubelet", [argument], {}) -rule_input_with_external(argument, external_data) = test_data.process_input_with_external_data("kubelet", [argument], external_data) +rule_input_with_external(argument, external_data) := test_data.process_input_with_external_data("kubelet", [argument], external_data) -create_process_config(eventRecordQPS) = {"config": {"eventRecordQPS": eventRecordQPS}} +create_process_config(eventRecordQPS) := {"config": {"eventRecordQPS": eventRecordQPS}} eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_1/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_1/test.rego index b4d6d8dd2d..1b04cf5edf 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_1/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_1/test.rego @@ -20,15 +20,15 @@ test_not_evaluated if { not finding with input as {"type": "no-kube-api"} } -rule_input(resource) = test_data.kube_api_input(resource) +rule_input(resource) := test_data.kube_api_input(resource) -violating_psp = { +violating_psp := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"containers": [{"name": "container_1", "securityContext": {"privileged": true}}]}, } -violating_psp2 = { +violating_psp2 := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"containers": [ @@ -37,7 +37,7 @@ violating_psp2 = { ]}, } -violating_psp3 = { +violating_psp3 := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"containers": [ 
@@ -46,7 +46,7 @@ violating_psp3 = { ]}, } -violating_psp4 = { +violating_psp4 := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"containers": [ @@ -56,13 +56,13 @@ violating_psp4 = { ]}, } -non_violating_psp = { +non_violating_psp := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"containers": [{"name": "container_1", "securityContext": {"privileged": false}}]}, } -non_violating_psp2 = { +non_violating_psp2 := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"containers": [{"name": "container_1", "securityContext": {}}]}, diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_2/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_2/test.rego index 6e8364a846..a05e466b63 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_2/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_2/test.rego @@ -17,21 +17,21 @@ test_not_evaluated if { not finding with input as {"type": "no-kube-api"} } -rule_input(resource) = test_data.kube_api_input(resource) +rule_input(resource) := test_data.kube_api_input(resource) -violating_psp = { +violating_psp := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"hostPID": true}, } -non_violating_psp = { +non_violating_psp := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {}, } -non_violating_psp2 = { +non_violating_psp2 := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"hostPID": false}, diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_3/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_3/test.rego index e6818f2626..b160c1c584 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_3/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_3/test.rego 
@@ -17,21 +17,21 @@ test_not_evaluated if { not finding with input as {"type": "no-kube-api"} } -rule_input(resource) = test_data.kube_api_input(resource) +rule_input(resource) := test_data.kube_api_input(resource) -violating_psp = { +violating_psp := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"hostIPC": true}, } -non_violating_psp = { +non_violating_psp := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {}, } -non_violating_psp2 = { +non_violating_psp2 := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"hostIPC": false}, diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_4/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_4/test.rego index 48b8d6dab5..22c0d3b433 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_4/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_4/test.rego @@ -17,21 +17,21 @@ test_not_evaluated if { not finding with input as {"type": "no-kube-api"} } -rule_input(resource) = test_data.kube_api_input(resource) +rule_input(resource) := test_data.kube_api_input(resource) -violating_psp = { +violating_psp := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"hostNetwork": true}, } -non_violating_psp = { +non_violating_psp := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {}, } -non_violating_psp2 = { +non_violating_psp2 := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"hostNetwork": false}, diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_5/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_5/test.rego index e8fc8313b8..bfd7b2acd3 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_5/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_5/test.rego 
@@ -20,15 +20,15 @@ test_not_evaluated if { not finding with input as {"type": "no-kube-api"} } -rule_input(resource) = test_data.kube_api_input(resource) +rule_input(resource) := test_data.kube_api_input(resource) -violating_psp = { +violating_psp := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"containers": [{"name": "container_1", "securityContext": {"allowPrivilegeEscalation": true}}]}, } -violating_psp2 = { +violating_psp2 := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"containers": [ @@ -37,7 +37,7 @@ violating_psp2 = { ]}, } -violating_psp3 = { +violating_psp3 := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"containers": [ @@ -46,7 +46,7 @@ violating_psp3 = { ]}, } -violating_psp4 = { +violating_psp4 := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"containers": [ @@ -56,13 +56,13 @@ violating_psp4 = { ]}, } -non_violating_psp = { +non_violating_psp := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"containers": [{"name": "container_1", "securityContext": {"allowPrivilegeEscalation": false}}]}, } -non_violating_psp2 = { +non_violating_psp2 := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"containers": [{"name": "container_1", "securityContext": {}}]}, diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_6/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_6/test.rego index 9db7836fe4..36c7376ba9 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_6/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_6/test.rego 
@@ -19,9 +19,9 @@ test_not_evaluated if { not finding with input as {"type": "no-kube-api"} } -rule_input(resource) = test_data.kube_api_input(resource) +rule_input(resource) := test_data.kube_api_input(resource) -violating_psp = { +violating_psp := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"runAsUser": { @@ -33,13 +33,13 @@ violating_psp = { }}, } -violating_psp2 = { +violating_psp2 := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"containers": [{"name": "container_1", "securityContext": {"runAsUser": 0}}]}, } -violating_psp3 = { +violating_psp3 := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": { @@ -54,7 +54,7 @@ violating_psp3 = { }, } -non_violating_psp = { +non_violating_psp := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"runAsUser": { @@ -66,7 +66,7 @@ non_violating_psp = { }}, } -non_violating_psp2 = { +non_violating_psp2 := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"runAsUser": {"rule": "MustRunAsNonRoot"}}, diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_7/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_7/test.rego index d7b8777a6c..07d7440a69 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_7/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_7/test.rego @@ -22,4 +22,4 @@ test_not_evaluated if { not finding with input as {"type": "k8s_object", "resource": {"kind": "Node"}} } -rule_input(resource) = test_data.kube_api_input(resource) +rule_input(resource) := test_data.kube_api_input(resource) diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_8/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_8/test.rego index 6284f0973f..b471c856b9 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_8/test.rego 
+++ b/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_8/test.rego @@ -17,21 +17,21 @@ test_not_evaluated if { not finding with input as {"type": "no-kube-api"} } -rule_input(resource) = test_data.kube_api_input(resource) +rule_input(resource) := test_data.kube_api_input(resource) -violating_psp = { +violating_psp := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"allowedCapabilities": ["ALL"]}, } -non_violating_psp = { +non_violating_psp := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {}, } -non_violating_psp2 = { +non_violating_psp2 := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"allowedCapabilities": []}, diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_9/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_9/test.rego index a92d59538a..0153e0441a 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_9/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_4_2_9/test.rego 
@@ -19,27 +19,27 @@ test_not_evaluated if { not finding with input as test_data.not_evaluated_kube_api_input } -rule_input(resource) = test_data.kube_api_input(resource) +rule_input(resource) := test_data.kube_api_input(resource) -violating_psp = { +violating_psp := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"containers": [{"securityContext": {"capabilities": {"add": ["NET_RAW"]}}}]}, } -non_violating_psp = { +non_violating_psp := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"containers": [{"securityContext": {}}]}, } -non_violating_psp2 = { +non_violating_psp2 := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"containers": [{"securityContext": {"capabilities": {}}}]}, } -non_violating_psp3 = { +non_violating_psp3 := { "kind": "Pod", "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"}, "spec": {"containers": [{"securityContext": {"capabilities": {"drop": ["ALL"]}}}]}, diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_5_1_1/rule.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_5_1_1/rule.rego index efb44d73ff..c1b60bc9d2 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_5_1_1/rule.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_5_1_1/rule.rego @@ -3,4 +3,4 @@ package compliance.cis_eks.rules.cis_5_1_1 import data.compliance.policy.aws_ecr.ensure_image_scan as audit # Check if image ScanOnPush is enabled -finding = audit.finding +finding := audit.finding diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_5_1_1/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_5_1_1/test.rego index de5a272951..610111136f 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_5_1_1/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_5_1_1/test.rego 
@@ -16,6 +16,6 @@ test_not_evaluated if { not finding with input as test_data.not_evaluated_input } -violating_input_scan_on_push_disabled = test_data.generate_ecr_input_with_one_repo(false) +violating_input_scan_on_push_disabled := test_data.generate_ecr_input_with_one_repo(false) -valid_input = test_data.generate_ecr_input_with_one_repo(true) +valid_input := test_data.generate_ecr_input_with_one_repo(true) diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_5_3_1/rule.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_5_3_1/rule.rego index 42f9278a9a..4fc54ec8e3 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_5_3_1/rule.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_5_3_1/rule.rego @@ -2,4 +2,4 @@ package compliance.cis_eks.rules.cis_5_3_1 import data.compliance.policy.aws_eks.ensure_encryption as audit -finding = audit.finding +finding := audit.finding diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_5_3_1/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_5_3_1/test.rego index b4dc188333..9f5f4f91cc 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_5_3_1/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_5_3_1/test.rego @@ -18,7 +18,7 @@ test_not_evaluated if { not finding with input as test_data.not_evaluated_input } -violating_input_no_encryption_configuration = { +violating_input_no_encryption_configuration := { "type": "caas", "subType": "aws-eks", "resource": {"Cluster": { 
@@ -42,16 +42,16 @@ violating_input_no_encryption_configuration = { }}, } -violating_input_empty_encryption_array = generate_eks_input_with_encryption_config([]) +violating_input_empty_encryption_array := generate_eks_input_with_encryption_config([]) -violating_input_null_encryption_array = generate_eks_input_with_encryption_config(null) +violating_input_null_encryption_array := generate_eks_input_with_encryption_config(null) -non_violating_input = generate_eks_input_with_encryption_config([{ +non_violating_input := generate_eks_input_with_encryption_config([{ "Provider": {}, "Resources": [], }]) -generate_eks_input_with_encryption_config(encryption_config) = result if { +generate_eks_input_with_encryption_config(encryption_config) := result if { logging = {"ClusterLogging": [ { "Enabled": false, diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_1/rule.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_1/rule.rego index 127a7ac197..c17030e32d 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_1/rule.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_1/rule.rego @@ -2,4 +2,4 @@ package compliance.cis_eks.rules.cis_5_4_1 import data.compliance.policy.aws_eks.ensure_private_access as audit -finding = audit.finding(true) +finding := audit.finding(true) diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_1/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_1/test.rego index d86961ab12..a93a18676a 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_1/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_1/test.rego 
@@ -19,12 +19,12 @@ test_not_evaluated if { not finding with input as test_data.not_evaluated_input } -violating_input_private_access_disabled = test_data.generate_eks_input_with_vpc_config(false, true, ["132.1.50.0/0"]) +violating_input_private_access_disabled := test_data.generate_eks_input_with_vpc_config(false, true, ["132.1.50.0/0"]) -violating_input_public_invalid_filter = test_data.generate_eks_input_with_vpc_config(true, true, ["0.0.0.0/0"]) +violating_input_public_invalid_filter := test_data.generate_eks_input_with_vpc_config(true, true, ["0.0.0.0/0"]) -violating_input_private_access_disabled_and_public_access_enabled_valid_filter = test_data.generate_eks_input_with_vpc_config(false, true, ["132.1.50.0/0"]) +violating_input_private_access_disabled_and_public_access_enabled_valid_filter := test_data.generate_eks_input_with_vpc_config(false, true, ["132.1.50.0/0"]) -valid_input_public_access_disabled_and_private_endpoint_endabled = test_data.generate_eks_input_with_vpc_config(true, false, ["0.0.0.0/0"]) +valid_input_public_access_disabled_and_private_endpoint_endabled := test_data.generate_eks_input_with_vpc_config(true, false, ["0.0.0.0/0"]) -non_violating_input = test_data.generate_eks_input_with_vpc_config(true, true, ["203.0.113.5/32"]) +non_violating_input := test_data.generate_eks_input_with_vpc_config(true, true, ["203.0.113.5/32"]) diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_2/rule.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_2/rule.rego index 4ae9c20672..e1a816d018 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_2/rule.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_2/rule.rego @@ -2,4 +2,4 @@ package compliance.cis_eks.rules.cis_5_4_2 import data.compliance.policy.aws_eks.ensure_private_access as audit -finding = audit.finding(false) +finding := audit.finding(false) 
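Review bot: The fixture `violating_input_private_access_disabled_and_public_access_enabled_valid_filter` uses `["132.1.50.0/0"]`, but a zero-length prefix matches every address, so it is equivalent to `0.0.0.0/0` rather than the restrictive "valid filter" its name claims; it is also byte-identical to `violating_input_private_access_disabled`, so the two cases cannot exercise different paths. Changing the CIDR to a narrow prefix such as `["203.0.113.5/32"]` (as `non_violating_input` already does) would make the fixture match its name. The name `valid_input_public_access_disabled_and_private_endpoint_endabled` also misspells "enabled".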
diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_2/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_2/test.rego
index b52e9ffbb2..2a04a17659 100644
--- a/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_2/test.rego
+++ b/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_2/test.rego
@@ -20,14 +20,14 @@ test_not_evaluated if { not finding with input as test_data.not_evaluated_input } -violating_input_private_access_disabled = test_data.generate_eks_input_with_vpc_config(false, true, ["132.1.50.0/0"]) +violating_input_private_access_disabled := test_data.generate_eks_input_with_vpc_config(false, true, ["132.1.50.0/0"]) -violating_input_public_access_enabled = test_data.generate_eks_input_with_vpc_config(false, true, ["0.0.0.0/0"]) +violating_input_public_access_enabled := test_data.generate_eks_input_with_vpc_config(false, true, ["0.0.0.0/0"]) -violating_input_private_access_enabled_but_public_access_enabled_and_invalid_filter = test_data.generate_eks_input_with_vpc_config(true, true, ["0.0.0.0/0"]) +violating_input_private_access_enabled_but_public_access_enabled_and_invalid_filter := test_data.generate_eks_input_with_vpc_config(true, true, ["0.0.0.0/0"]) -violating_input_private_access_enabled_but_public_access_enabled_with_valid_filter = test_data.generate_eks_input_with_vpc_config(true, true, ["203.0.113.5/32"]) +violating_input_private_access_enabled_but_public_access_enabled_with_valid_filter := test_data.generate_eks_input_with_vpc_config(true, true, ["203.0.113.5/32"]) -non_violating_input = test_data.generate_eks_input_with_vpc_config(true, false, ["0.0.0.0/0"]) +non_violating_input := test_data.generate_eks_input_with_vpc_config(true, false, ["0.0.0.0/0"]) -non_violating_input_public_disabled_and_invalid_filter = test_data.generate_eks_input_with_vpc_config(true, false, ["203.0.113.5/32"]) +non_violating_input_public_disabled_and_invalid_filter := test_data.generate_eks_input_with_vpc_config(true, false, ["203.0.113.5/32"]) diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_3/rule.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_3/rule.rego index 3914fd90ad..a20488f703 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_3/rule.rego 
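Review bot: The last two fixtures appear to have their names swapped: `non_violating_input` is built with `["0.0.0.0/0"]` while `non_violating_input_public_disabled_and_invalid_filter` is built with `["203.0.113.5/32"]`, the restrictive filter the neighbouring fixtures treat as valid. Both pass only because public access is disabled, so the CIDR is irrelevant to the outcome, but the labels mislead anyone reading the test; swap the CIDR lists or rename the second fixture to `..._valid_filter`. `violating_input_private_access_disabled` likewise uses `132.1.50.0/0`, a /0 mask that admits everything and was probably meant to be a /24 or /32.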
+++ b/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_3/rule.rego @@ -4,12 +4,12 @@ import data.compliance.policy.kube_api.ensure_external_ip as audit import future.keywords.if # Ensure there cluster node don't have a public IP -default rule_evaluation = true +default rule_evaluation := true # Verify that the node doesn't have an external IP -rule_evaluation = false if { +rule_evaluation := false if { audit.verify_external_ip } # Ensure there cluster node don't have a public IP -finding = audit.finding(rule_evaluation) +finding := audit.finding(rule_evaluation) diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_3/test.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_3/test.rego index c7bd7b1c43..24c1436f09 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_3/test.rego +++ b/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_3/test.rego @@ -18,9 +18,9 @@ test_not_evaluated if { not finding with input as eks_test_data.not_evaluated_input } -rule_input(resource) = test_data.kube_api_input(resource) +rule_input(resource) := test_data.kube_api_input(resource) -violating_input_public_ip_and_public_address = { +violating_input_public_ip_and_public_address := { "kind": "Node", "status": {"addresses": [ { @@ -46,7 +46,7 @@ violating_input_public_ip_and_public_address = { ]}, } -valid_input_no_external_IP = { +valid_input_no_external_IP := { "kind": "Node", "status": {"addresses": [ { @@ -68,7 +68,7 @@ valid_input_no_external_IP = { ]}, } -valid_input_external_IP_set_to_local_host = { +valid_input_external_IP_set_to_local_host := { "kind": "Node", "status": {"addresses": [ { diff --git a/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_5/rule.rego b/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_5/rule.rego index bb623fbcfb..5092bbba28 100644 --- a/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_5/rule.rego 
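Review bot: `default rule_evaluation := true` makes this rule fail-open: a node is reported compliant whenever `audit.verify_external_ip` is undefined, not only when it is false, so a node object with no `status.addresses` or an unexpected shape would pass the check. Whether `verify_external_ip` guards that case is not visible here; if it does not, consider surfacing an unevaluated result rather than a pass for inputs it cannot inspect. Separately, the header comment `# Ensure there cluster node don't have a public IP` appears twice and is ungrammatical — a single `# Ensure cluster nodes do not have a public IP` above `finding` would do.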
+++ b/security-policies/bundle/compliance/cis_eks/rules/cis_5_4_5/rule.rego @@ -3,4 +3,4 @@ package compliance.cis_eks.rules.cis_5_4_5 import data.compliance.policy.aws_elb.ensure_certificates as audit # Ensure there Kuberenetes endpoint private access is enabled -finding = audit.finding +finding := audit.finding diff --git a/security-policies/bundle/compliance/cis_eks/test_data.rego b/security-policies/bundle/compliance/cis_eks/test_data.rego index 02e2753948..a61e765da2 100644 --- a/security-policies/bundle/compliance/cis_eks/test_data.rego +++ b/security-policies/bundle/compliance/cis_eks/test_data.rego @@ -2,7 +2,7 @@ package cis_eks.test_data import future.keywords.if -generate_eks_input(logging, encryption_config, endpoint_private_access, endpoint_public_access, public_access_cidrs) = { +generate_eks_input(logging, encryption_config, endpoint_private_access, endpoint_public_access, public_access_cidrs) := { "type": "caas", "subType": "aws-eks", "resource": {"Cluster": { @@ -32,7 +32,7 @@ generate_eks_input(logging, encryption_config, endpoint_private_access, endpoint }}, } -generate_eks_input_with_vpc_config(endpoint_private_access, endpoint_public_access, public_access_cidrs) = result if { +generate_eks_input_with_vpc_config(endpoint_private_access, endpoint_public_access, public_access_cidrs) := result if { logging = {"ClusterLogging": [ { "Enabled": false, @@ -55,7 +55,7 @@ generate_eks_input_with_vpc_config(endpoint_private_access, endpoint_public_acce result = generate_eks_input(logging, encryption_config, endpoint_private_access, endpoint_public_access, public_access_cidrs) } -generate_ecr_input_with_one_repo(image_scan_on_push) = { +generate_ecr_input_with_one_repo(image_scan_on_push) := { "resource": { "CreatedAt": "2022-03-31T11:56:19Z", "ImageScanningConfiguration": {"ScanOnPush": image_scan_on_push}, 
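Review bot: The comment `# Ensure there Kuberenetes endpoint private access is enabled` does not describe this rule — the file imports `aws_elb.ensure_certificates`, and CIS EKS 5.4.5 concerns TLS on load balancers, so the line looks copy-pasted from the 5.4.1/5.4.2 rules. Replace it with something like `# Ensure load balancer listeners are configured with TLS certificates (delegates to aws_elb.ensure_certificates)`; the exact wording should follow the imported policy's own description, which is outside this diff.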
@@ -70,7 +70,7 @@ generate_ecr_input_with_one_repo(image_scan_on_push) = { } # regal ignore:rule-length -generate_elb_input_with_two_load_balancers(first_protocol, first_ssl_cert, sec_protocol, sec_ssl_cert) = { +generate_elb_input_with_two_load_balancers(first_protocol, first_ssl_cert, sec_protocol, sec_ssl_cert) := { "resource": { "AvailabilityZones": [ "us-east-2b", @@ -136,7 +136,7 @@ generate_elb_input_with_two_load_balancers(first_protocol, first_ssl_cert, sec_p "subType": "aws-elb", } -not_evaluated_input = { +not_evaluated_input := { "type": "some type", "subType": "some sub type", "resource": {"Cluster": { diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_10/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_10/rule.rego index d0aceae531..2386a9892d 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_10/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_10/rule.rego @@ -2,4 +2,4 @@ package compliance.cis_gcp.rules.cis_1_10 import data.compliance.policy.gcp.kms.ensure_key_rotation as audit -finding = audit.finding +finding := audit.finding diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_10/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_10/test.rego index b8c2fc3d59..2fac86427e 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_10/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_10/test.rego 
@@ -27,7 +27,7 @@ test_not_evaluated if { not_eval with input as rule_input(["test.user@google.com"], "", "", {"state": "DISABLED"}) } -rule_input(members, rotationPeriod, nextRotationTime, primary) = test_data.generate_kms_resource(members, rotationPeriod, nextRotationTime, primary) +rule_input(members, rotationPeriod, nextRotationTime, primary) := test_data.generate_kms_resource(members, rotationPeriod, nextRotationTime, primary) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_11/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_11/rule.rego index eeacf386ef..40e06a5c47 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_11/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_11/rule.rego @@ -5,9 +5,9 @@ import data.compliance.policy.gcp.data_adapter import data.compliance.policy.gcp.iam.ensure_admin_without_multiple_roles as audit import future.keywords.if -default admin_has_other_role = false +default admin_has_other_role := false -finding = result if { +finding := result if { data_adapter.is_cloud_resource_manager_project data_adapter.has_policy diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_12/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_12/rule.rego index 399a583d57..5be9bd66f2 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_12/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_12/rule.rego @@ -4,7 +4,7 @@ import data.compliance.lib.common import data.compliance.policy.gcp.data_adapter import future.keywords.if -finding = result if { +finding := result if { data_adapter.is_api_key is_project_apikey := startswith(data_adapter.resource.data.name, "projects/") 
diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_14/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_14/rule.rego index 4cc17f2540..f16e7e3971 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_14/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_14/rule.rego @@ -5,9 +5,9 @@ import data.compliance.policy.gcp.data_adapter import future.keywords.if import future.keywords.in -default has_valid_apikey_restrictions = false +default has_valid_apikey_restrictions := false -finding = result if { +finding := result if { data_adapter.is_api_key result := common.generate_result_without_expected( diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_15/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_15/rule.rego index 759a0d47e8..a477d72fae 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_15/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_15/rule.rego @@ -5,9 +5,9 @@ import data.compliance.policy.gcp.data_adapter import future.keywords.contains import future.keywords.if -duration = sprintf("%dh", [90 * 24]) # 90 days converted to hours +duration := sprintf("%dh", [90 * 24]) # 90 days converted to hours -finding = result if { +finding := result if { data_adapter.is_api_key result := common.generate_result_without_expected( @@ -19,4 +19,4 @@ finding = result if { key_created_within_last_90_days if { date := time.parse_rfc3339_ns(data_adapter.resource.data.createTime) common.date_within_duration(date, duration) -} else = false +} else := false diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_17/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_17/rule.rego index 46cb75225a..39c7ca057f 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_17/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_17/rule.rego 
@@ -4,9 +4,9 @@ import data.compliance.lib.common import data.compliance.policy.gcp.data_adapter import future.keywords.if -default has_cusomter_encrypted_key = false +default has_cusomter_encrypted_key := false -finding = result if { +finding := result if { data_adapter.is_dataproc_cluster result := common.generate_result_without_expected( diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_4/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_4/rule.rego index bd740a9664..765fd85112 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_4/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_4/rule.rego @@ -5,7 +5,7 @@ import data.compliance.policy.gcp.data_adapter import data.compliance.policy.gcp.iam.ensure_policy_not_managed_by_user as audit import future.keywords.if -finding = result if { +finding := result if { data_adapter.is_iam_service_account data_adapter.has_policy diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_5/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_5/rule.rego index a9f7a9f920..a8d5d9ab5d 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_5/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_5/rule.rego @@ -21,7 +21,7 @@ service_accounts := [{"members": filtered_members, "role": v.role} | count(filtered_members) > 0 ] -finding = result if { +finding := result if { data_adapter.is_cloud_resource_manager_project data_adapter.has_policy count(service_accounts) > 0 @@ -34,7 +34,7 @@ finding = result if { # maps the service accounts array to an object with keys as roles and values as members # this makes it easier to see which service accounts has which role -evidence = admin_roles if { +evidence := admin_roles if { admin_roles := {role: members | entry := service_accounts[_] role := entry.role 
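Review bot: `default has_cusomter_encrypted_key := false` carries a misspelled identifier (`cusomter`); since this commit already touches the line for the operator change, it is a cheap moment to rename it to `has_customer_encrypted_key`. The rule body that references it is outside the hunk and would need the same rename.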
@@ -42,7 +42,7 @@ evidence = admin_roles if { regex.match(`(.*Admin|.*admin|roles/(editor|owner))`, role) } count(admin_roles) > 0 -} else = {role: members | +} else := {role: members | entry := service_accounts[_] role := entry.role members := entry.members diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_6/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_6/rule.rego index 97eb28f9da..7e28a50418 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_6/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_6/rule.rego @@ -5,7 +5,7 @@ import data.compliance.policy.gcp.data_adapter import data.compliance.policy.gcp.iam.ensure_role_not_service_account_user as audit import future.keywords.if -finding = result if { +finding := result if { data_adapter.is_cloud_resource_manager_project data_adapter.has_policy diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_7/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_7/rule.rego index 6ac5cd21b2..0cfad0e562 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_7/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_7/rule.rego @@ -4,9 +4,9 @@ import data.compliance.lib.common import data.compliance.policy.gcp.data_adapter import future.keywords.if -duration = sprintf("%dh", [90 * 24]) # 90 days converted to hours +duration := sprintf("%dh", [90 * 24]) # 90 days converted to hours -finding = result if { +finding := result if { data_adapter.is_iam_service_account_key result := common.generate_result_without_expected( @@ -18,4 +18,4 @@ finding = result if { key_created_within_last_90_days if { date := time.parse_rfc3339_ns(data_adapter.resource.data.validAfterTime) common.date_within_duration(date, duration) -} else = false +} else := false 
diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_8/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_8/rule.rego index fa637bb1b7..c10850da74 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_8/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_8/rule.rego @@ -19,7 +19,7 @@ members_with_both_roles contains m if { m in user.members } -finding = result if { +finding := result if { data_adapter.is_cloud_resource_manager_project data_adapter.has_policy diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_9/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_9/rule.rego index a520b521da..a1d0ec9a47 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_9/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_9/rule.rego @@ -7,7 +7,7 @@ import data.compliance.policy.gcp.iam.ensure_no_public_access as audit import future.keywords.if # Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible. -finding = result if { +finding := result if { # filter data_adapter.is_cloudkms_crypto_key diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_9/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_9/test.rego index 866b937248..ca5d858f4d 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_1_9/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_1_9/test.rego @@ -22,7 +22,7 @@ test_not_evaluated if { not_eval with input as test_data.not_eval_resource } -rule_input(members, nextRotationTime, rotationPeriod, primary) = test_data.generate_kms_resource(members, nextRotationTime, rotationPeriod, primary) +rule_input(members, nextRotationTime, rotationPeriod, primary) := test_data.generate_kms_resource(members, nextRotationTime, rotationPeriod, primary) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter 
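Review bot: `rule_input(members, nextRotationTime, rotationPeriod, primary)` forwards its arguments positionally to `test_data.generate_kms_resource`, but the cis_1_10 test in this same diff declares the wrapper as `rule_input(members, rotationPeriod, nextRotationTime, primary)`, so one of the two mislabels the rotation parameters. Behaviour is unaffected (both pass through in declaration order), but call sites such as `rule_input([...], "", "", {...})` cannot be read reliably until the names match `generate_kms_resource`'s signature, which is outside this diff. Align the parameter names with the helper's definition in both tests.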
diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_1/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_1/rule.rego index 4c04693c46..cbe9b7beb4 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_1/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_1/rule.rego @@ -5,7 +5,7 @@ import data.compliance.policy.gcp.data_adapter import future.keywords.if import future.keywords.in -finding = result if { +finding := result if { data_adapter.is_policies_resource result := common.generate_result_without_expected( @@ -18,7 +18,7 @@ cloud_logging_is_configured if { policy := input.resource[_].iam_policy has_read_write_logs(policy) not has_exempted_members(policy) -} else = false +} else := false has_read_write_logs(policy) if { log_types := {t | t = policy.audit_configs[i].audit_log_configs[j].log_type} @@ -26,9 +26,9 @@ has_read_write_logs(policy) if { 2 in log_types # "DATA_WRITE" 3 in log_types # "DATA_READ" policy.audit_configs[_].service == "allServices" -} else = false +} else := false has_exempted_members(policy) if { configs := policy.audit_configs[_].audit_log_configs[_] count(configs.exempted_members) > 0 -} else = false +} else := false diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_10/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_10/rule.rego index da5e0fb68a..e830dac023 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_10/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_10/rule.rego @@ -5,4 +5,4 @@ import data.compliance.policy.gcp.monitoring.ensure_log_metric_and_alarm_exists pattern := `resource.type="gcs_bucket" AND protoPayload.methodName="storage.setIamPermissions"` -finding = audit.finding(pattern) +finding := audit.finding(pattern) 
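Review bot: `has_read_write_logs` builds `log_types` across every `audit_configs` entry and then checks `policy.audit_configs[_].service == "allServices"` as a separate, independent condition, so the rule passes when one service-specific config logs DATA_WRITE, another logs DATA_READ, and the `allServices` entry logs neither — the log-type requirement is never tied to the `allServices` config that CIS 2.1 actually asks about. Iterating the matching config and building the set from it alone closes the gap; `future.keywords.in` is already imported. The function body spans both hunks here with one line between them not shown, so anything on that line needs carrying over into the rewrite.
```rego
has_read_write_logs(policy) if {
	some cfg in policy.audit_configs
	cfg.service == "allServices"
	log_types := {t | t := cfg.audit_log_configs[_].log_type}
	2 in log_types # "DATA_WRITE"
	3 in log_types # "DATA_READ"
} else := false
```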
diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_10/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_10/test.rego index b0505bcfec..672fded186 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_10/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_10/test.rego @@ -27,7 +27,7 @@ test_not_evaluated if { not_eval with input as test_data.not_eval_resource } -rule_input(log_metrics, alerts) = test_data.generate_monitoring_asset(log_metrics, alerts) +rule_input(log_metrics, alerts) := test_data.generate_monitoring_asset(log_metrics, alerts) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_11/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_11/rule.rego index 900bdedb7e..248953f752 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_11/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_11/rule.rego @@ -4,4 +4,4 @@ import data.compliance.policy.gcp.monitoring.ensure_log_metric_and_alarm_exists pattern := `protoPayload.methodName="cloudsql.instances.update"` -finding = audit.finding(pattern) +finding := audit.finding(pattern) diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_11/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_11/test.rego index e68aae788d..6389a5c96e 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_11/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_11/test.rego @@ -24,7 +24,7 @@ test_not_evaluated if { not_eval with input as test_data.not_eval_resource } -rule_input(log_metrics, alerts) = test_data.generate_monitoring_asset(log_metrics, alerts) +rule_input(log_metrics, alerts) := test_data.generate_monitoring_asset(log_metrics, alerts) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter 
diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_12/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_12/rule.rego index 490a02b1cf..917c9b959e 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_12/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_12/rule.rego @@ -5,7 +5,7 @@ import data.compliance.policy.gcp.data_adapter import future.keywords.if # Ensure That Cloud DNS Logging Is Enabled for All VPC Networks. -finding = result if { +finding := result if { data_adapter.is_compute_network result := common.generate_result_without_expected( @@ -16,4 +16,4 @@ finding = result if { is_dns_logging_enabled if { data_adapter.resource.data.enabledDnsLogging == true -} else = false +} else := false diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_12/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_12/test.rego index 88db46eff6..8ddf6bc52a 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_12/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_12/test.rego @@ -5,9 +5,9 @@ import data.compliance.policy.gcp.data_adapter import data.lib.test import future.keywords.if -type = "cloud-compute" +type := "cloud-compute" -subtype = "gcp-compute-network" +subtype := "gcp-compute-network" test_violation if { eval_fail with input as test_data.generate_gcp_asset(type, subtype, {"data": {}}, null) diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_13/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_13/rule.rego index 111d7edab6..579a8391b2 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_13/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_13/rule.rego 
@@ -6,7 +6,7 @@ import future.keywords.if import future.keywords.in # Ensure Cloud Asset Inventory Is Enabled -finding = result if { +finding := result if { data_adapter.is_services_usage result := common.generate_result_without_expected( @@ -19,4 +19,4 @@ is_asset_inventory_enabled if { some service in input.resource.services service.resource.data.name == "cloudasset.googleapis.com" service.resource.data.state == "ENABLED" -} else = false +} else := false diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_16/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_16/rule.rego index 192a152494..85dc3a2646 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_16/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_16/rule.rego @@ -4,7 +4,7 @@ import data.compliance.lib.common import data.compliance.policy.gcp.data_adapter import future.keywords.if -finding = result if { +finding := result if { data_adapter.is_backend_service data_adapter.is_https_lb @@ -16,4 +16,4 @@ finding = result if { is_logging_enabled if { data_adapter.resource.data.logConfig.enable -} else = false +} else := false diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_16/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_16/test.rego index c66e2bd1cc..8fa584c4dd 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_16/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_16/test.rego @@ -5,9 +5,9 @@ import data.compliance.policy.gcp.data_adapter import data.lib.test import future.keywords.if -type = "cloud-compute" +type := "cloud-compute" -subtype = "gcp-compute-region-backend-service" +subtype := "gcp-compute-region-backend-service" test_violation if { eval_fail with input as test_data.generate_gcp_asset(type, subtype, {"data": {"protocol": "HTTPS"}}, null) 
diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_2/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_2/rule.rego index 531fe577cf..4849f541db 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_2/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_2/rule.rego @@ -6,7 +6,7 @@ import future.keywords.if import future.keywords.in # Ensure That Sinks Are Configured for All Log Entries. -finding = result if { +finding := result if { data_adapter.is_logging_asset result := common.generate_result_without_expected( @@ -20,4 +20,4 @@ finding = result if { is_sink_without_filter if { some sink in input.resource.log_sinks not sink.resource.data.filter -} else = false +} else := false diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_3/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_3/rule.rego index f2b8c7229b..a8e9774558 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_3/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_3/rule.rego @@ -4,10 +4,10 @@ import data.compliance.lib.common import data.compliance.policy.gcp.data_adapter import future.keywords.if -default is_retention_policy_valid = false +default is_retention_policy_valid := false # Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock. -finding = result if { +finding := result if { data_adapter.is_log_bucket result := common.generate_result_without_expected( diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_4/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_4/rule.rego index bd3db1be63..8d376eb393 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_4/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_4/rule.rego 
@@ -9,4 +9,4 @@ AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD" AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")` -finding = audit.finding(pattern) +finding := audit.finding(pattern) diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_4/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_4/test.rego index f305bd6f90..2277b2cd6a 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_4/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_4/test.rego @@ -24,7 +24,7 @@ test_not_evaluated if { not_eval with input as test_data.not_eval_resource } -rule_input(log_metrics, alerts) = test_data.generate_monitoring_asset(log_metrics, alerts) +rule_input(log_metrics, alerts) := test_data.generate_monitoring_asset(log_metrics, alerts) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_5/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_5/rule.rego index 3b3f62edc8..ccc2b7e365 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_5/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_5/rule.rego @@ -4,4 +4,4 @@ import data.compliance.policy.gcp.monitoring.ensure_log_metric_and_alarm_exists pattern := `protoPayload.methodName="SetIamPolicy" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*` -finding = audit.finding(pattern) +finding := audit.finding(pattern) diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_5/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_5/test.rego index d76421fd23..17b1d26157 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_5/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_5/test.rego 
@@ -24,7 +24,7 @@ test_not_evaluated if { not_eval with input as test_data.not_eval_resource } -rule_input(log_metrics, alerts) = test_data.generate_monitoring_asset(log_metrics, alerts) +rule_input(log_metrics, alerts) := test_data.generate_monitoring_asset(log_metrics, alerts) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_6/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_6/rule.rego index 9a6310efd7..9af7c50124 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_6/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_6/rule.rego @@ -7,4 +7,4 @@ pattern := `resource.type="iam_role" protoPayload.methodName="google.iam.admin.v1.DeleteRole" OR protoPayload.methodName="google.iam.admin.v1.UpdateRole")` -finding = audit.finding(pattern) +finding := audit.finding(pattern) diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_6/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_6/test.rego index 9531175267..ab1ae4ac58 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_6/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_6/test.rego @@ -24,7 +24,7 @@ test_not_evaluated if { not_eval with input as test_data.not_eval_resource } -rule_input(log_metrics, alerts) = test_data.generate_monitoring_asset(log_metrics, alerts) +rule_input(log_metrics, alerts) := test_data.generate_monitoring_asset(log_metrics, alerts) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_7/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_7/rule.rego index 1076be05d1..673e1dde0d 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_7/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_7/rule.rego 
@@ -7,4 +7,4 @@ pattern := `resource.type="gce_firewall_rule" OR protoPayload.methodName:"compute.firewalls.insert" OR protoPayload.methodName:"compute.firewalls.delete")` -finding = audit.finding(pattern) +finding := audit.finding(pattern) diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_7/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_7/test.rego index c83b511709..ece7e55adc 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_7/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_7/test.rego @@ -24,7 +24,7 @@ test_not_evaluated if { not_eval with input as test_data.not_eval_resource } -rule_input(log_metrics, alerts) = test_data.generate_monitoring_asset(log_metrics, alerts) +rule_input(log_metrics, alerts) := test_data.generate_monitoring_asset(log_metrics, alerts) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_8/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_8/rule.rego index 71720a993e..7b6d0680f7 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_8/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_8/rule.rego @@ -6,4 +6,4 @@ pattern := `resource.type="gce_route" AND (protoPayload.methodName:"compute.routes.delete" OR protoPayload.methodName:"compute.routes.insert")` -finding = audit.finding(pattern) +finding := audit.finding(pattern) diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_8/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_8/test.rego index eecb3ba980..2034af0440 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_8/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_8/test.rego 
@@ -24,7 +24,7 @@ test_not_evaluated if { not_eval with input as test_data.not_eval_resource } -rule_input(log_metrics, alerts) = test_data.generate_monitoring_asset(log_metrics, alerts) +rule_input(log_metrics, alerts) := test_data.generate_monitoring_asset(log_metrics, alerts) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_9/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_9/rule.rego index 74e531a870..42f8cd302b 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_9/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_9/rule.rego @@ -9,4 +9,4 @@ pattern := `resource.type="gce_network" OR protoPayload.methodName:"compute.networks.removePeering" OR protoPayload.methodName:"compute.networks.addPeering")` -finding = audit.finding(pattern) +finding := audit.finding(pattern) diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_9/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_9/test.rego index 8276a0390b..0c9cf1ac88 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_2_9/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_2_9/test.rego @@ -24,7 +24,7 @@ test_not_evaluated if { not_eval with input as test_data.not_eval_resource } -rule_input(log_metrics, alerts) = test_data.generate_monitoring_asset(log_metrics, alerts) +rule_input(log_metrics, alerts) := test_data.generate_monitoring_asset(log_metrics, alerts) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_1/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_1/rule.rego index 35667c6dcb..9672c99ba7 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_1/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_1/rule.rego 
@@ -5,7 +5,7 @@ import data.compliance.policy.gcp.data_adapter import future.keywords.if # Ensure That the Default Network Does Not Exist in a Project. -finding = result if { +finding := result if { # filter data_adapter.is_compute_network @@ -18,4 +18,4 @@ finding = result if { is_not_default_network if { not data_adapter.resource.data.name == "default" -} else = false +} else := false diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_1/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_1/test.rego index 9515072ccf..952bb9946a 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_1/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_1/test.rego @@ -5,9 +5,9 @@ import data.compliance.policy.gcp.data_adapter import data.lib.test import future.keywords.if -type = "cloud-compute" +type := "cloud-compute" -subtype = "gcp-compute-network" +subtype := "gcp-compute-network" test_violation if { eval_fail with input as test_data.generate_gcp_asset(type, subtype, {"data": {"name": "default"}}, null) diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_2/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_2/rule.rego index d17aab6f01..d03ba5ec40 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_2/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_2/rule.rego @@ -6,7 +6,7 @@ import future.keywords.if import future.keywords.in # Ensure Legacy Networks Do Not Exist for Older Projects -finding = result if { +finding := result if { data_adapter.is_compute_network result := common.generate_result_without_expected( @@ -18,4 +18,4 @@ finding = result if { is_not_legacy_network if { # When autoCreateSubnetworks is set to false a legacy network is being created (https://cloud.google.com/compute/docs/reference/rest/v1/networks). data_adapter.resource.data.autoCreateSubnetworks -} else = false +} else := false 
diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_2/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_2/test.rego index 26ef6dcbda..ce3a4fa7cc 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_2/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_2/test.rego @@ -5,9 +5,9 @@ import data.compliance.policy.gcp.data_adapter import data.lib.test import future.keywords.if -type = "cloud-compute" +type := "cloud-compute" -subtype = "gcp-compute-network" +subtype := "gcp-compute-network" test_violation if { eval_fail with input as test_data.generate_gcp_asset(type, subtype, {"data": {}}, null) diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_3/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_3/rule.rego index 9b913a5b4d..ae132290a6 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_3/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_3/rule.rego @@ -4,10 +4,10 @@ import data.compliance.lib.common import data.compliance.policy.gcp.data_adapter import future.keywords.if -default is_dnssec_enabled = false +default is_dnssec_enabled := false # Ensure That DNSSEC Is Enabled for Cloud DNS. -finding = result if { +finding := result if { # filter data_adapter.is_dns_managed_zone diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_3/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_3/test.rego index 7c4344b42a..b1a392f3d6 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_3/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_3/test.rego 
@@ -5,9 +5,9 @@ import data.compliance.policy.gcp.data_adapter import data.lib.test import future.keywords.if -type = "cloud-dns" +type := "cloud-dns" -subtype = "gcp-dns-managed-zone" +subtype := "gcp-dns-managed-zone" test_violation if { eval_fail with input as test_data.generate_gcp_asset(type, subtype, {"data": {"visibility": "PUBLIC"}}, null) diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_4/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_4/rule.rego index 1cbf18eb3d..0da720d2a3 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_4/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_4/rule.rego @@ -3,4 +3,4 @@ package compliance.cis_gcp.rules.cis_3_4 import data.compliance.policy.gcp.dns.ensure_no_sha1 as audit # Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC. -finding = audit.finding("KEY_SIGNING") +finding := audit.finding("KEY_SIGNING") diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_4/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_4/test.rego index 5f4862752a..88c436da3e 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_4/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_4/test.rego @@ -5,9 +5,9 @@ import data.compliance.policy.gcp.data_adapter import data.lib.test import future.keywords.if -type = "cloud-dns" +type := "cloud-dns" -subtype = "gcp-dns-managed-zone" +subtype := "gcp-dns-managed-zone" test_violation if { eval_fail with input as test_data.generate_gcp_asset(type, subtype, {"data": {"dnssecConfig": {"defaultKeySpecs": [{"algorithm": "RSASHA256", "keyType": "ZONE_SIGNING"}, {"algorithm": "RSASHA1", "keyType": "KEY_SIGNING"}]}, "visibility": "PUBLIC"}}, null) diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_5/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_5/rule.rego index 5f56a07dff..b4f89ae060 100644 
--- a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_5/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_5/rule.rego @@ -3,4 +3,4 @@ package compliance.cis_gcp.rules.cis_3_5 import data.compliance.policy.gcp.dns.ensure_no_sha1 as audit # Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC. -finding = audit.finding("ZONE_SIGNING") +finding := audit.finding("ZONE_SIGNING") diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_5/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_5/test.rego index beb013367d..720b077ee9 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_5/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_5/test.rego @@ -5,9 +5,9 @@ import data.compliance.policy.gcp.data_adapter import data.lib.test import future.keywords.if -type = "cloud-dns" +type := "cloud-dns" -subtype = "gcp-dns-managed-zone" +subtype := "gcp-dns-managed-zone" test_violation if { eval_fail with input as test_data.generate_gcp_asset(type, subtype, {"data": {"dnssecConfig": {"defaultKeySpecs": [{"algorithm": "RSASHA1", "keyType": "ZONE_SIGNING"}, {"algorithm": "RSASHA256", "keyType": "KEY_SIGNING"}]}, "visibility": "PUBLIC"}}, null) diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_6/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_6/rule.rego index 34974f9a09..9103893284 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_6/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_6/rule.rego @@ -5,7 +5,7 @@ import data.compliance.policy.gcp.compute.ensure_fw_rule as audit import data.compliance.policy.gcp.data_adapter import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_firewall_rule 
diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_6/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_6/test.rego index 3278ee68b0..cb93ea19d7 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_6/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_6/test.rego @@ -5,9 +5,9 @@ import data.compliance.policy.gcp.data_adapter import data.lib.test import future.keywords.if -type = "cloud-compute" +type := "cloud-compute" -subtype = "gcp-compute-firewall" +subtype := "gcp-compute-firewall" test_violation if { # specific port diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_7/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_7/rule.rego index bf7605d582..184c6d0b23 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_7/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_7/rule.rego @@ -5,7 +5,7 @@ import data.compliance.policy.gcp.compute.ensure_fw_rule as audit import data.compliance.policy.gcp.data_adapter import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_firewall_rule diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_7/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_7/test.rego index 16dc010aaa..7b302b7e63 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_7/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_7/test.rego @@ -5,9 +5,9 @@ import data.compliance.policy.gcp.data_adapter import data.lib.test import future.keywords.if -type = "cloud-compute" +type := "cloud-compute" -subtype = "gcp-compute-firewall" +subtype := "gcp-compute-firewall" test_violation if { # specific port diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_8/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_8/rule.rego index 9c81b42a72..b0b9c03810 100644 
--- a/security-policies/bundle/compliance/cis_gcp/rules/cis_3_8/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_3_8/rule.rego @@ -4,7 +4,7 @@ import data.compliance.lib.common import data.compliance.policy.gcp.data_adapter import future.keywords.if -finding = result if { +finding := result if { data_adapter.is_subnetwork not_internal_https_load_balancer @@ -20,7 +20,7 @@ is_flow_log_configured if { data_adapter.resource.data.logConfig.aggregationInterval == "INTERVAL_5_SEC" data_adapter.resource.data.logConfig.flowSampling == 1 data_adapter.resource.data.logConfig.enable == true -} else = false +} else := false not_internal_https_load_balancer if { not data_adapter.resource.data.purpose == "INTERNAL_HTTPS_LOAD_BALANCER" diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_1/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_1/rule.rego index 375212e7c0..9e04317030 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_1/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_1/rule.rego @@ -7,7 +7,7 @@ import data.compliance.policy.gcp.data_adapter import future.keywords.if # Ensure That Instances Are Not Configured To Use the Default Service Account. -finding = result if { +finding := result if { # filter data_adapter.is_compute_instance diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_1/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_1/test.rego index ca0d49c239..97dc033053 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_1/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_1/test.rego 
@@ -22,7 +22,7 @@ test_not_evaluated if { not_eval with input as test_data.not_eval_resource } -rule_input(info) = test_data.generate_compute_resource("gcp-compute-instance", info) +rule_input(info) := test_data.generate_compute_resource("gcp-compute-instance", info) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_11/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_11/rule.rego index 4134e00098..dd59ae8829 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_11/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_11/rule.rego @@ -5,10 +5,10 @@ import data.compliance.policy.gcp.common as gcp_common import data.compliance.policy.gcp.data_adapter import future.keywords.if -default is_confidential_computing_enabled = false +default is_confidential_computing_enabled := false # Ensure That Compute Instances Have Confidential Computing Enabled. -finding = result if { +finding := result if { # filter data_adapter.is_compute_instance diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_11/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_11/test.rego index 50566bf0c8..d2c564a2f1 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_11/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_11/test.rego 
@@ -5,9 +5,9 @@ import data.compliance.policy.gcp.data_adapter import data.lib.test import future.keywords.if -eval_machine_type = "https://www.googleapis.com/compute/v1/projects/elastic-security-dev/zones/us-west1-b/machineTypes/n2d-standard-8" +eval_machine_type := "https://www.googleapis.com/compute/v1/projects/elastic-security-dev/zones/us-west1-b/machineTypes/n2d-standard-8" -non_eval_machine_type = "https://www.googleapis.com/compute/v1/projects/elastic-security-dev/zones/us-west1-b/machineTypes/n1d-standard-8" +non_eval_machine_type := "https://www.googleapis.com/compute/v1/projects/elastic-security-dev/zones/us-west1-b/machineTypes/n1d-standard-8" test_violation if { eval_fail with input as rule_input({"machineType": eval_machine_type}) @@ -23,7 +23,7 @@ test_not_evaluated if { not_eval with input as rule_input({"confidentialInstanceConfig": {"enableConfidentialCompute": true}, "machineType": non_eval_machine_type}) } -rule_input(info) = test_data.generate_compute_resource("gcp-compute-instance", info) +rule_input(info) := test_data.generate_compute_resource("gcp-compute-instance", info) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_2/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_2/rule.rego index e7289b3c52..0978bbc421 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_2/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_2/rule.rego @@ -7,7 +7,7 @@ import data.compliance.policy.gcp.data_adapter import future.keywords.if # Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs. -finding = result if { +finding := result if { # filter data_adapter.is_compute_instance 
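Review bot: The `eval_machine_type` and `non_eval_machine_type` fixtures in the cis_4_11 test carry a concrete project name (`elastic-security-dev`) inside the machine-type URL; only the `/machineTypes/n2d-...` and `/machineTypes/n1d-...` suffix appears to matter for the rule. If that is an internal project identifier, consider replacing it with a neutral placeholder such as `projects/example-project` so the test data does not disclose real naming, and add a one-line comment stating that only the machine-type family decides evaluation, e.g. `# n2d supports confidential computing; n1d does not, so it must not be evaluated`. The test bodies these fixtures feed lie outside the hunk.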
diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_2/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_2/test.rego index 57da8a0a03..46fc5adeb2 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_2/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_2/test.rego @@ -23,7 +23,7 @@ test_not_evaluated if { not_eval with input as test_data.not_eval_resource } -rule_input(info) = test_data.generate_compute_resource("gcp-compute-instance", info) +rule_input(info) := test_data.generate_compute_resource("gcp-compute-instance", info) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_3/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_3/rule.rego index 8632149bc5..4f33089b9e 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_3/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_3/rule.rego @@ -6,7 +6,7 @@ import data.compliance.policy.gcp.data_adapter import future.keywords.if # Ensure “Block Project-Wide SSH Keys” Is Enabled for VM Instances -finding = result if { +finding := result if { # filter data_adapter.is_compute_instance diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_3/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_3/test.rego index 12b38bd588..2d21370c0b 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_3/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_3/test.rego @@ -19,7 +19,7 @@ test_not_evaluated if { not_eval with input as test_data.not_eval_resource } -rule_input(info) = test_data.generate_compute_resource("gcp-compute-instance", info) +rule_input(info) := test_data.generate_compute_resource("gcp-compute-instance", info) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter 
diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_4/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_4/rule.rego index 0ac6fdd323..2c10e089f2 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_4/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_4/rule.rego @@ -6,7 +6,7 @@ import data.compliance.policy.gcp.data_adapter import future.keywords.if # Ensure Oslogin Is Enabled for a Project -finding = result if { +finding := result if { # filter data_adapter.is_compute_instance @@ -20,4 +20,4 @@ finding = result if { ) } -is_oslogin_enabled = audit.is_instance_metadata_valid("enable-oslogin", "true") +is_oslogin_enabled := audit.is_instance_metadata_valid("enable-oslogin", "true") diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_4/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_4/test.rego index 60d6dc8b14..2e8bfc85cc 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_4/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_4/test.rego @@ -19,7 +19,7 @@ test_not_evaluated if { not_eval with input as rule_input({"name": "gke-node", "metadata": {"items": [{"key": "enable-oslogin", "value": "false"}]}}) } -rule_input(info) = test_data.generate_compute_resource("gcp-compute-instance", info) +rule_input(info) := test_data.generate_compute_resource("gcp-compute-instance", info) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_5/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_5/rule.rego index 39df1f9f42..7687534fd1 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_5/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_5/rule.rego 
@@ -7,7 +7,7 @@ import data.compliance.policy.gcp.data_adapter import future.keywords.if # Ensure ‘Enable Connecting to Serial Ports’ Is Not Enabled for VM Instance -finding = result if { +finding := result if { # filter data_adapter.is_compute_instance diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_5/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_5/test.rego index ed377965a4..4ad355c933 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_5/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_5/test.rego @@ -20,7 +20,7 @@ test_not_evaluated if { not_eval with input as test_data.not_eval_resource } -rule_input(info) = test_data.generate_compute_resource("gcp-compute-instance", info) +rule_input(info) := test_data.generate_compute_resource("gcp-compute-instance", info) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_6/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_6/rule.rego index aa81248901..52ade7db78 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_6/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_6/rule.rego @@ -5,10 +5,10 @@ import data.compliance.lib.common import data.compliance.policy.gcp.data_adapter import future.keywords.if -default is_ip_forwarding_enabled = false +default is_ip_forwarding_enabled := false # Ensure That IP Forwarding Is Not Enabled on Instances -finding = result if { +finding := result if { # filter data_adapter.is_compute_instance diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_6/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_6/test.rego index b96f44eaef..7777781acd 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_6/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_6/test.rego 
@@ -18,7 +18,7 @@ test_not_evaluated if { not_eval with input as rule_input({"name": "gke-node", "canIpForward": true}) } -rule_input(info) = test_data.generate_compute_resource("gcp-compute-instance", info) +rule_input(info) := test_data.generate_compute_resource("gcp-compute-instance", info) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_7/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_7/rule.rego index da12ab119b..dc7b5636b3 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_7/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_7/rule.rego @@ -5,7 +5,7 @@ import data.compliance.policy.gcp.data_adapter import future.keywords.if # Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK) -finding = result if { +finding := result if { # filter data_adapter.is_compute_disk @@ -18,4 +18,4 @@ finding = result if { is_disk_encrypted_with_csek if { data_adapter.resource.data.diskEncryptionKey.sha256 != "" -} else = false +} else := false diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_8/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_8/rule.rego index 33607ed9cb..c249c6e371 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_8/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_8/rule.rego @@ -5,7 +5,7 @@ import data.compliance.policy.gcp.data_adapter import future.keywords.if # Ensure Compute Instances Are Launched With Shielded VM Enabled. -finding = result if { +finding := result if { # filter data_adapter.is_compute_instance @@ -20,4 +20,4 @@ is_shielded_vm if { cfg := data_adapter.resource.data.shieldedInstanceConfig cfg.enableIntegrityMonitoring cfg.enableVtpm -} else = false +} else := false 
diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_8/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_8/test.rego index 2037a60cc4..c9659dbab6 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_8/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_8/test.rego @@ -19,7 +19,7 @@ test_not_evaluated if { not_eval with input as test_data.not_eval_resource } -rule_input(info) = test_data.generate_compute_resource("gcp-compute-instance", info) +rule_input(info) := test_data.generate_compute_resource("gcp-compute-instance", info) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_9/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_9/rule.rego index 2962c61ed5..79c023d0bc 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_9/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_9/rule.rego @@ -7,7 +7,7 @@ import future.keywords.if import future.keywords.in # Ensure That Compute Instances Do Not Have Public IP Addresses. -finding = result if { +finding := result if { # filter data_adapter.is_compute_instance @@ -21,4 +21,4 @@ finding = result if { is_publicly_exposed if { some networkInterface in data_adapter.resource.data.networkInterfaces networkInterface.accessConfigs -} else = false +} else := false diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_9/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_9/test.rego index c199d9ac4c..2c9c5cbeba 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_4_9/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_4_9/test.rego 
@@ -19,7 +19,7 @@ test_not_evaluated if { not_eval with input as test_data.not_eval_resource } -rule_input(info) = test_data.generate_compute_resource("gcp-compute-instance", info) +rule_input(info) := test_data.generate_compute_resource("gcp-compute-instance", info) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_5_1/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_5_1/rule.rego index 900724086c..640432e83c 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_5_1/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_5_1/rule.rego @@ -7,7 +7,7 @@ import data.compliance.policy.gcp.iam.ensure_no_public_access as audit import future.keywords.if # Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible. -finding = result if { +finding := result if { # filter data_adapter.is_storage_bucket diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_5_1/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_5_1/test.rego index 9817ed383f..c0ee2d9ed9 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_5_1/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_5_1/test.rego @@ -22,7 +22,7 @@ test_not_evaluated if { not_eval with input as test_data.not_eval_resource } -rule_input(members) = test_data.generate_gcs_resource(members, false) +rule_input(members) := test_data.generate_gcs_resource(members, false) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_5_2/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_5_2/rule.rego index dd2307c10e..06a29d0d69 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_5_2/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_5_2/rule.rego 
@@ -4,10 +4,10 @@ import data.compliance.lib.common import data.compliance.policy.gcp.data_adapter import future.keywords.if -default rule_evaluation = false +default rule_evaluation := false # Ensure That Cloud Storage Buckets Have Uniform Bucket- Level Access Enabled. -finding = result if { +finding := result if { # filter data_adapter.is_storage_bucket diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_5_2/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_5_2/test.rego index 0bba8ff30c..deae4d7c37 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_5_2/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_5_2/test.rego @@ -18,7 +18,7 @@ test_not_evaluated if { not_eval with input as test_data.not_eval_resource } -rule_input(isBucketLevelAccessEnabled) = test_data.generate_gcs_resource([], isBucketLevelAccessEnabled) +rule_input(isBucketLevelAccessEnabled) := test_data.generate_gcs_resource([], isBucketLevelAccessEnabled) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_1_2/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_1_2/rule.rego index 75e51b830c..48e349bb3a 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_1_2/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_1_2/rule.rego @@ -4,7 +4,7 @@ import data.compliance.lib.common import data.compliance.policy.gcp.data_adapter import future.keywords.if -finding = result if { +finding := result if { data_adapter.is_cloud_sql data_adapter.is_cloud_my_sql @@ -18,4 +18,4 @@ skip_show_database_enabled if { flags := data_adapter.resource.data.settings.databaseFlags[_] flags.name == "skip_show_database" flags.value == "on" -} else = false +} else := false 
diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_1_3/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_1_3/rule.rego index 736d7bf5e5..12ae76668e 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_1_3/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_1_3/rule.rego @@ -4,7 +4,7 @@ import data.compliance.lib.common import data.compliance.policy.gcp.data_adapter import future.keywords.if -finding = result if { +finding := result if { data_adapter.is_cloud_sql data_adapter.is_cloud_my_sql @@ -18,4 +18,4 @@ is_local_infile_flag_disabled if { flags := data_adapter.resource.data.settings.databaseFlags[_] flags.name == "local_infile" flags.value == "off" -} else = false +} else := false diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_1/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_1/rule.rego index 28fe5ada85..fa35038f7e 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_1/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_1/rule.rego @@ -5,10 +5,10 @@ import data.compliance.policy.gcp.data_adapter import data.compliance.policy.gcp.sql.ensure_db_flag as audit import future.keywords.if -default is_flag_as_expected = false +default is_flag_as_expected := false # Ensure ‘Log_error_verbosity’ Database Flag for Cloud SQL PostgreSQL Instance Is Set to ‘DEFAULT’ or Stricter -finding = result if { +finding := result if { # filter data_adapter.is_cloud_sql data_adapter.is_postgres_sql diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_2/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_2/rule.rego index 8cf012100d..4ba4f171d7 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_2/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_2/rule.rego 
@@ -6,7 +6,7 @@ import data.compliance.policy.gcp.sql.ensure_db_flag as audit import future.keywords.if # Ensure That the ‘Log_connections’ Database Flag for Cloud SQL PostgreSQL Instance Is Set to ‘On’ -finding = result if { +finding := result if { # filter data_adapter.is_cloud_sql data_adapter.is_postgres_sql diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_3/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_3/rule.rego index 6a47822e4b..6bf5a251f6 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_3/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_3/rule.rego @@ -6,7 +6,7 @@ import data.compliance.policy.gcp.sql.ensure_db_flag as audit import future.keywords.if # Ensure That the ‘Log_disconnections’ Database Flag for Cloud SQL PostgreSQL Instance Is Set to ‘On’ -finding = result if { +finding := result if { # filter data_adapter.is_cloud_sql data_adapter.is_postgres_sql diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_4/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_4/rule.rego index a1da0cb249..b7625a0f03 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_4/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_4/rule.rego @@ -6,7 +6,7 @@ import data.compliance.policy.gcp.sql.ensure_db_flag as audit import future.keywords.if # Ensure ‘Log_statement’ Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately. -finding = result if { +finding := result if { # filter data_adapter.is_cloud_sql data_adapter.is_postgres_sql diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_5/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_5/rule.rego index 5348a763de..dac9c7805b 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_5/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_5/rule.rego 
@@ -5,10 +5,10 @@ import data.compliance.policy.gcp.data_adapter import data.compliance.policy.gcp.sql.ensure_db_flag as audit import future.keywords.if -default is_flag_as_expected = false +default is_flag_as_expected := false # Ensure that the ‘Log_min_messages’ Flag for a Cloud SQL PostgreSQL Instance is set at minimum to 'Warning'. -finding = result if { +finding := result if { # filter data_adapter.is_cloud_sql data_adapter.is_postgres_sql diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_6/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_6/rule.rego index 79c99c3509..dc2928d5a6 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_6/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_6/rule.rego @@ -5,10 +5,10 @@ import data.compliance.policy.gcp.data_adapter import data.compliance.policy.gcp.sql.ensure_db_flag as audit import future.keywords.if -default is_flag_as_expected = false +default is_flag_as_expected := false # Ensure ‘Log_min_error_statement’ Database Flag for Cloud SQL PostgreSQL Instance Is Set to ‘Error’ or Stricter. -finding = result if { +finding := result if { # filter data_adapter.is_cloud_sql data_adapter.is_postgres_sql diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_7/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_7/rule.rego index 5d390077ba..40636b3070 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_7/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_7/rule.rego 
@@ -5,10 +5,10 @@ import data.compliance.policy.gcp.data_adapter import data.compliance.policy.gcp.sql.ensure_db_flag as audit import future.keywords.if -default is_flag_as_expected = false +default is_flag_as_expected := false # Ensure That the ‘Log_min_duration_statement’ Database Flag for Cloud SQL PostgreSQL Instance Is Set to ‘-1′. -finding = result if { +finding := result if { # filter data_adapter.is_cloud_sql data_adapter.is_postgres_sql diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_8/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_8/rule.rego index c4d80a77f1..655a79ea40 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_8/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_8/rule.rego @@ -6,7 +6,7 @@ import data.compliance.policy.gcp.sql.ensure_db_flag as audit import future.keywords.if # Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging. -finding = result if { +finding := result if { # filter data_adapter.is_cloud_sql data_adapter.is_postgres_sql diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_9/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_9/rule.rego index ecbed95176..9681109547 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_9/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_2_9/rule.rego @@ -6,7 +6,7 @@ import data.compliance.policy.gcp.sql.ensure_private_ip as audit import future.keywords.if # Ensure Instance IP assignment is set to private. -finding = result if { +finding := result if { # filter data_adapter.is_cloud_sql data_adapter.is_postgres_sql diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_3_1/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_3_1/rule.rego index 8b7121a728..1c36429101 100644 
--- a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_3_1/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_3_1/rule.rego @@ -6,7 +6,7 @@ import data.compliance.policy.gcp.data_adapter import data.compliance.policy.gcp.sql.ensure_db_flag as audit import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_cloud_sql data_adapter.is_sql_server diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_3_2/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_3_2/rule.rego index 4df022630f..d37ac3d178 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_3_2/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_3_2/rule.rego @@ -6,7 +6,7 @@ import data.compliance.policy.gcp.data_adapter import data.compliance.policy.gcp.sql.ensure_db_flag as audit import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_cloud_sql data_adapter.is_sql_server diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_3_3/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_3_3/rule.rego index a31d350f20..44874e26bc 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_3_3/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_3_3/rule.rego @@ -6,7 +6,7 @@ import data.compliance.policy.gcp.data_adapter import data.compliance.policy.gcp.sql.ensure_db_flag as audit import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_cloud_sql data_adapter.is_sql_server @@ -18,4 +18,4 @@ finding = result if { ) } -is_flag_limited = audit.is_flag_limited("user connections") +is_flag_limited := audit.is_flag_limited("user connections") diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_3_4/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_3_4/rule.rego index df580972bf..64a33784f8 100644 
--- a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_3_4/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_3_4/rule.rego @@ -6,7 +6,7 @@ import data.compliance.policy.gcp.data_adapter import data.compliance.policy.gcp.sql.ensure_db_flag as audit import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_cloud_sql data_adapter.is_sql_server @@ -18,4 +18,4 @@ finding = result if { ) } -is_flag_exists = audit.is_flag_exists("user options") +is_flag_exists := audit.is_flag_exists("user options") diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_3_5/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_3_5/rule.rego index 8d2dd60380..7828f11550 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_3_5/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_3_5/rule.rego @@ -6,7 +6,7 @@ import data.compliance.policy.gcp.data_adapter import data.compliance.policy.gcp.sql.ensure_db_flag as audit import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_cloud_sql data_adapter.is_sql_server diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_3_6/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_3_6/rule.rego index d7baf559fe..d319723bb2 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_3_6/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_3_6/rule.rego @@ -5,7 +5,7 @@ import data.compliance.policy.gcp.data_adapter import data.compliance.policy.gcp.sql.ensure_db_flag as audit import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_cloud_sql data_adapter.is_sql_server diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_3_7/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_3_7/rule.rego index 1d48014ec5..8067d95f75 100644 
--- a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_3_7/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_3_7/rule.rego @@ -6,7 +6,7 @@ import data.compliance.policy.gcp.data_adapter import data.compliance.policy.gcp.sql.ensure_db_flag as audit import future.keywords.if -finding = result if { +finding := result if { # filter data_adapter.is_cloud_sql data_adapter.is_sql_server diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_4/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_4/rule.rego index afc8b5fc79..dd369cafa0 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_4/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_4/rule.rego @@ -5,7 +5,7 @@ import data.compliance.policy.gcp.data_adapter import future.keywords.if import future.keywords.in -finding = result if { +finding := result if { data_adapter.is_sql_instance is_relevant_sql_instance @@ -17,7 +17,7 @@ finding = result if { ssl_is_required if { data_adapter.resource.data.settings.ipConfiguration.requireSsl == true -} else = false +} else := false is_relevant_sql_instance if { startswith(data_adapter.resource.data.databaseVersion, "POSTGRES") @@ -25,4 +25,4 @@ is_relevant_sql_instance if { startswith(data_adapter.resource.data.databaseVersion, "MYSQL") } else if { startswith(data_adapter.resource.data.databaseVersion, "SQLSERVER_2017") -} else = false +} else := false diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_5/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_5/rule.rego index 1ee421ac50..af9e4656bb 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_5/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_5/rule.rego 
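Review bot: In cis_6_4/rule.rego, `is_relevant_sql_instance` admits SQL Server instances only through `startswith(data_adapter.resource.data.databaseVersion, "SQLSERVER_2017")`, while the POSTGRES and MYSQL branches match on the engine prefix alone; an instance reporting a later SQL Server version string would fall through to `else := false` and never be evaluated for the require-SSL check. If that restriction is not intentional, `startswith(data_adapter.resource.data.databaseVersion, "SQLSERVER")` would bring the branch in line with the other two; if it is intentional, a short comment on that branch saying why only 2017 is in scope would stop a later reader from widening it by accident. This is pre-existing logic that the commit only retouches, so it may be better handled as a follow-up than folded into this syntax change.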
@@ -6,7 +6,7 @@ import data.compliance.policy.gcp.data_adapter import future.keywords.if import future.keywords.in -finding = result if { +finding := result if { data_adapter.is_sql_instance result := common.generate_result_without_expected( @@ -22,4 +22,4 @@ is_publicly_accessible if { [{"value": ""}], ) networks[i].value == "0.0.0.0/0" -} else = false +} else := false diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_6/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_6/rule.rego index 7f36f74d6e..70126dcae5 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_6/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_6/rule.rego @@ -5,7 +5,7 @@ import data.compliance.policy.gcp.data_adapter import data.compliance.policy.gcp.sql.ensure_private_ip as audit import future.keywords.if -finding = result if { +finding := result if { data_adapter.is_sql_instance is_clous_sql_instance_second_gen diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_7/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_7/rule.rego index 8ea02eb303..2fe26321f4 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_6_7/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_6_7/rule.rego @@ -4,7 +4,7 @@ import data.compliance.lib.common import data.compliance.policy.gcp.data_adapter import future.keywords.if -finding = result if { +finding := result if { data_adapter.is_sql_instance result := common.generate_result_without_expected( @@ -15,4 +15,4 @@ finding = result if { backup_enabled if { data_adapter.resource.data.settings.backupConfiguration.enabled == true -} else = false +} else := false diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_7_1/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_7_1/rule.rego index 0a1833e030..2c961d1344 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_7_1/rule.rego 
+++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_7_1/rule.rego @@ -7,7 +7,7 @@ import data.compliance.policy.gcp.iam.ensure_no_public_access as audit import future.keywords.if # Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible. -finding = result if { +finding := result if { # filter data_adapter.is_bigquery_dataset diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_7_1/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_7_1/test.rego index c26575ad9a..830bb7c7a9 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_7_1/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_7_1/test.rego @@ -22,7 +22,7 @@ test_not_evaluated if { not_eval with input as test_data.not_eval_resource } -rule_input(members) = test_data.generate_bq_resource(null, "gcp-bigquery-dataset", members) +rule_input(members) := test_data.generate_bq_resource(null, "gcp-bigquery-dataset", members) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_7_2/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_7_2/rule.rego index a346b1d1ff..2a02e55e6e 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_7_2/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_7_2/rule.rego @@ -6,7 +6,7 @@ import data.compliance.policy.gcp.data_adapter import future.keywords.if # Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Keys (CMEK). -finding = result if { +finding := result if { # filter data_adapter.is_bigquery_table diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_7_2/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_7_2/test.rego index d64f903763..89b7c163f4 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_7_2/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_7_2/test.rego 
@@ -18,7 +18,7 @@ test_not_evaluated if { not_eval with input as test_data.not_eval_resource } -rule_input(config) = test_data.generate_bq_resource(config, "gcp-bigquery-table", []) +rule_input(config) := test_data.generate_bq_resource(config, "gcp-bigquery-table", []) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_7_3/rule.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_7_3/rule.rego index 183de4b92f..73f56b8c83 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_7_3/rule.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_7_3/rule.rego @@ -6,7 +6,7 @@ import data.compliance.policy.gcp.data_adapter import future.keywords.if # Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets. -finding = result if { +finding := result if { # filter data_adapter.is_bigquery_dataset diff --git a/security-policies/bundle/compliance/cis_gcp/rules/cis_7_3/test.rego b/security-policies/bundle/compliance/cis_gcp/rules/cis_7_3/test.rego index 4b09468dc8..afe8b9bbdd 100644 --- a/security-policies/bundle/compliance/cis_gcp/rules/cis_7_3/test.rego +++ b/security-policies/bundle/compliance/cis_gcp/rules/cis_7_3/test.rego @@ -18,7 +18,7 @@ test_not_evaluated if { not_eval with input as test_data.not_eval_resource } -rule_input(config) = test_data.generate_bq_resource(config, "gcp-bigquery-dataset", []) +rule_input(config) := test_data.generate_bq_resource(config, "gcp-bigquery-dataset", []) eval_fail if { test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter diff --git a/security-policies/bundle/compliance/cis_gcp/test_data.rego b/security-policies/bundle/compliance/cis_gcp/test_data.rego index ae81561850..b99a790fff 100644 --- a/security-policies/bundle/compliance/cis_gcp/test_data.rego +++ b/security-policies/bundle/compliance/cis_gcp/test_data.rego 
@@ -1,6 +1,6 @@ package cis_gcp.test_data -generate_gcp_asset(type, subtype, resource, iam_policy) = { +generate_gcp_asset(type, subtype, resource, iam_policy) := { "resource": { "resource": resource, "iam_policy": iam_policy, @@ -9,14 +9,14 @@ generate_gcp_asset(type, subtype, resource, iam_policy) = { "subType": subtype, } -generate_iam_policy(members, role) = generate_gcp_asset( +generate_iam_policy(members, role) := generate_gcp_asset( "key-management", "gcp-iam-service-account", {}, {"bindings": [{"role": role, "members": members}]}, ) -generate_monitoring_asset(log_metrics, alerts) = { +generate_monitoring_asset(log_metrics, alerts) := { "resource": { "log_metrics": log_metrics, "alerts": alerts, 
@@ -25,60 +25,60 @@ generate_monitoring_asset(log_metrics, alerts) = { "subType": "gcp-monitoring", } -generate_policies_asset(policies) = { +generate_policies_asset(policies) := { "resource": policies, "type": "project-managment", "subType": "gcp-policies", } -generate_serviceusage_asset(services) = { +generate_serviceusage_asset(services) := { "resource": {"services": services}, "type": "monitoring", "subType": "gcp-service-usage", } -generate_logging_asset(sinks) = { +generate_logging_asset(sinks) := { "resource": {"log_sinks": sinks}, "type": "logging", "subType": "gcp-logging", } -generate_kms_resource(members, rotationPeriod, nextRotationTime, primary) = generate_gcp_asset( +generate_kms_resource(members, rotationPeriod, nextRotationTime, primary) := generate_gcp_asset( "key-management", "gcp-cloudkms-crypto-key", {"data": {"nextRotationTime": nextRotationTime, "rotationPeriod": rotationPeriod, "primary": primary}}, {"bindings": [{"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter", "members": members}]}, ) -generate_gcs_resource(members, isBucketLevelAccessEnabled) = generate_gcp_asset( +generate_gcs_resource(members, isBucketLevelAccessEnabled) := generate_gcp_asset( "cloud-storage", "gcp-storage-bucket", {"data": {"iamConfiguration": {"uniformBucketLevelAccess": {"enabled": isBucketLevelAccessEnabled}}}}, {"bindings": [{"role": "roles/storage.objectViewer", "members": members}]}, ) -generate_bq_resource(config, subType, members) = generate_gcp_asset( +generate_bq_resource(config, subType, members) := generate_gcp_asset( "cloud-storage", subType, {"data": {"defaultEncryptionConfiguration": config}}, {"bindings": [{"role": "roles/bigquery.dataViewer", "members": members}]}, ) -generate_compute_resource(subType, info) = generate_gcp_asset( +generate_compute_resource(subType, info) := generate_gcp_asset( "cloud-compute", subType, {"data": info}, {}, ) -not_eval_resource = generate_gcp_asset( +not_eval_resource := generate_gcp_asset( "key-management", 
"non-existing-subtype", {}, {}, ) -no_policy_resource = generate_gcp_asset( +no_policy_resource := generate_gcp_asset( "key-management", "gcp-iam", {}, diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_1/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_1/rule.rego index caeb349bcd..92753dbc0b 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_1/rule.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_1/rule.rego @@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_1_1 import data.compliance.policy.file.ensure_permissions as audit import future.keywords.if -finding = result if { +finding := result if { audit.filename_filter("kube-apiserver.yaml") result := audit.finding(audit.file_permission_match(6, 4, 4)) } diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_1/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_1/test.rego index 172bda30e6..e4f1735ff5 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_1/test.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_1/test.rego @@ -16,7 +16,7 @@ test_not_evaluated if { not finding with input as rule_input("file.txt", "644") } -rule_input(filename, filemode) = filesystem_input if { +rule_input(filename, filemode) := filesystem_input if { user := "root" group := "root" filesystem_input = test_data.filesystem_input(filename, filemode, user, group) diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_11/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_11/rule.rego index 7b48ebd167..1bb55dfa6c 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_11/rule.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_11/rule.rego 
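Review bot: In cis_1_1_1/test.rego the head of `rule_input` now reads `rule_input(filename, filemode) := filesystem_input if {`, but the body still binds its result with the unification operator, `filesystem_input = test_data.filesystem_input(filename, filemode, user, group)`, which is exactly the form this commit is replacing elsewhere; `filesystem_input := test_data.filesystem_input(filename, filemode, user, group)` would make the body consistent with its head. The same unchanged context line appears in the test.rego hunks for cis_1_1_11, cis_1_1_12, cis_1_1_13, cis_1_1_14, cis_1_1_15, cis_1_1_16, cis_1_1_17, cis_1_1_18, cis_1_1_19, cis_1_1_2, cis_1_1_20 and cis_1_1_21 on the following lines. In the variants that declare `user` and `group` first, the closing brace of `rule_input` lies outside the hunk.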
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_1_11 import data.compliance.policy.file.ensure_permissions as audit import future.keywords.if -finding = result if { +finding := result if { audit.path_filter("/var/lib/etcd/") result := audit.finding(audit.file_permission_match(7, 0, 0)) } diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_11/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_11/test.rego index 97856ecdcc..eba29898f4 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_11/test.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_11/test.rego @@ -20,7 +20,7 @@ test_not_evaluated if { not finding with input as rule_input("var/lib/etcdd/some_file.txt", "710") } -rule_input(filename, filemode) = filesystem_input if { +rule_input(filename, filemode) := filesystem_input if { user := "root" group := "root" filesystem_input = test_data.filesystem_input(filename, filemode, user, group) diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_12/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_12/rule.rego index a51040167b..e0187f367c 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_12/rule.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_12/rule.rego @@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_1_12 import data.compliance.policy.file.ensure_ownership as audit import future.keywords.if -finding = result if { +finding := result if { audit.path_filter("/var/lib/etcd/") result := audit.finding("etcd", "etcd") } diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_12/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_12/test.rego index 087af9241d..739014f0fd 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_12/test.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_12/test.rego 
@@ -22,7 +22,7 @@ test_not_evaluated if { not finding with input as rule_input("var/lib/etcdd/some_file.txt", "root", "root") } -rule_input(filename, user, group) = filesystem_input if { +rule_input(filename, user, group) := filesystem_input if { filemode := "644" filesystem_input = test_data.filesystem_input(filename, filemode, user, group) } diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_13/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_13/rule.rego index 58e2895c1d..7ec5e7446d 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_13/rule.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_13/rule.rego @@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_1_13 import data.compliance.policy.file.ensure_permissions as audit import future.keywords.if -finding = result if { +finding := result if { audit.filename_filter("admin.conf") result := audit.finding(audit.file_permission_match(6, 0, 0)) } diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_13/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_13/test.rego index 666418c504..830c10e447 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_13/test.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_13/test.rego @@ -20,7 +20,7 @@ test_not_evaluated if { not finding with input as rule_input("file.txt", "644") } -rule_input(filename, filemode) = filesystem_input if { +rule_input(filename, filemode) := filesystem_input if { user := "root" group := "root" filesystem_input = test_data.filesystem_input(filename, filemode, user, group) diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_14/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_14/rule.rego index 5453875b4b..862d6f4af6 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_14/rule.rego 
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_14/rule.rego @@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_1_14 import data.compliance.policy.file.ensure_ownership as audit import future.keywords.if -finding = result if { +finding := result if { audit.filename_filter("admin.conf") result := audit.finding("root", "root") } diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_14/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_14/test.rego index b8e9117576..83c5a722f3 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_14/test.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_14/test.rego @@ -18,7 +18,7 @@ test_not_evaluated if { not finding with input as rule_input("file.txt", "root", "root") } -rule_input(filename, user, group) = filesystem_input if { +rule_input(filename, user, group) := filesystem_input if { filemode := "644" filesystem_input = test_data.filesystem_input(filename, filemode, user, group) } diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_15/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_15/rule.rego index 05f1ec72a3..802f39cf52 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_15/rule.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_15/rule.rego @@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_1_15 import data.compliance.policy.file.ensure_permissions as audit import future.keywords.if -finding = result if { +finding := result if { audit.filename_filter("scheduler.conf") result := audit.finding(audit.file_permission_match(6, 4, 4)) } diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_15/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_15/test.rego index 9436c810ce..0a9ef65909 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_15/test.rego 
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_15/test.rego @@ -16,7 +16,7 @@ test_not_evaluated if { not finding with input as rule_input("file.txt", "644") } -rule_input(filename, filemode) = filesystem_input if { +rule_input(filename, filemode) := filesystem_input if { user := "root" group := "root" filesystem_input = test_data.filesystem_input(filename, filemode, user, group) diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_16/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_16/rule.rego index 6df664d7a1..d8f139edd0 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_16/rule.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_16/rule.rego @@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_1_16 import data.compliance.policy.file.ensure_ownership as audit import future.keywords.if -finding = result if { +finding := result if { audit.filename_filter("scheduler.conf") result := audit.finding("root", "root") } diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_16/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_16/test.rego index ec127c08cd..b744413386 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_16/test.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_16/test.rego @@ -18,7 +18,7 @@ test_not_evaluated if { not finding with input as rule_input("file.txt", "root", "root") } -rule_input(filename, user, group) = filesystem_input if { +rule_input(filename, user, group) := filesystem_input if { filemode := "644" filesystem_input = test_data.filesystem_input(filename, filemode, user, group) } diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_17/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_17/rule.rego index 5d6ebd2ef7..3eeed94c39 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_17/rule.rego 
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_17/rule.rego @@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_1_17 import data.compliance.policy.file.ensure_permissions as audit import future.keywords.if -finding = result if { +finding := result if { audit.filename_filter("controller-manager.conf") result := audit.finding(audit.file_permission_match(6, 4, 4)) } diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_17/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_17/test.rego index c2cf164f5a..59232c6143 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_17/test.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_17/test.rego @@ -16,7 +16,7 @@ test_not_evaluated if { not finding with input as rule_input("file.txt", "644") } -rule_input(filename, filemode) = filesystem_input if { +rule_input(filename, filemode) := filesystem_input if { user := "root" group := "root" filesystem_input = test_data.filesystem_input(filename, filemode, user, group) diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_18/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_18/rule.rego index d8e07be1aa..ef593381eb 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_18/rule.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_18/rule.rego @@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_1_18 import data.compliance.policy.file.ensure_ownership as audit import future.keywords.if -finding = result if { +finding := result if { audit.filename_filter("controller-manager.conf") result := audit.finding("root", "root") } diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_18/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_18/test.rego index f477ba93ef..581e2f98f7 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_18/test.rego 
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_18/test.rego @@ -18,7 +18,7 @@ test_not_evaluated if { not finding with input as rule_input("file.txt", "root", "root") } -rule_input(filename, user, group) = filesystem_input if { +rule_input(filename, user, group) := filesystem_input if { filemode := "644" filesystem_input = test_data.filesystem_input(filename, filemode, user, group) } diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_19/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_19/rule.rego index f8bb6c7dbf..23eb082915 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_19/rule.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_19/rule.rego @@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_1_19 import data.compliance.policy.file.ensure_ownership as audit import future.keywords.if -finding = result if { +finding := result if { audit.path_filter("/etc/kubernetes/pki/") result := audit.finding("root", "root") } diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_19/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_19/test.rego index 2662062f3e..5b31e994ee 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_19/test.rego +++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_19/test.rego @@ -24,7 +24,7 @@ test_not_evaluated if { not finding with input as rule_input("etc/kubernetes/pkii/file.txt", "root", "root") } -rule_input(filename, user, group) = filesystem_input if { +rule_input(filename, user, group) := filesystem_input if { filemode := "644" filesystem_input = test_data.filesystem_input(filename, filemode, user, group) } diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_2/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_2/rule.rego index 6908d54103..5ee7dd54bf 100644 --- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_2/rule.rego 
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_2/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_1_2
 import data.compliance.policy.file.ensure_ownership as audit
 import future.keywords.if
-finding = result if {
+finding := result if {
 audit.filename_filter("kube-apiserver.yaml")
 result := audit.finding("root", "root")
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_2/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_2/test.rego
index ad790c9d6a..9aa5a7b0cf 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_2/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_2/test.rego
@@ -18,7 +18,7 @@ test_not_evaluated if {
 not finding with input as rule_input("file.txt", "root", "root")
 }
-rule_input(filename, user, group) = filesystem_input if {
+rule_input(filename, user, group) := filesystem_input if {
 filemode := "644"
 filesystem_input = test_data.filesystem_input(filename, filemode, user, group)
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_20/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_20/rule.rego
index c320d30136..5b079d392a 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_20/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_20/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_1_20
 import data.compliance.policy.file.ensure_permissions as audit
 import future.keywords.if
-finding = result if {
+finding := result if {
 audit.path_filter("/etc/kubernetes/pki")
 audit.filename_suffix_filter(".crt")
 result := audit.finding(audit.file_permission_match(6, 4, 4))
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_20/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_20/test.rego
index 744f3c33e8..230596f86b 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_20/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_20/test.rego
@@ -16,7 +16,7 @@ test_not_evaluated if {
 not finding with input as rule_input("/etc/kubernetes/pki/client.key", "644")
 }
-rule_input(filename, filemode) = filesystem_input if {
+rule_input(filename, filemode) := filesystem_input if {
 user := "root"
 group := "root"
 filesystem_input = test_data.filesystem_input(filename, filemode, user, group)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_21/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_21/rule.rego
index c36a67d1d0..0fe05e9452 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_21/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_21/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_1_21
 import data.compliance.policy.file.ensure_permissions as audit
 import future.keywords.if
-finding = result if {
+finding := result if {
 audit.path_filter("/etc/kubernetes/pki")
 audit.filename_suffix_filter(".key")
 result := audit.finding(audit.file_permission_match_exact(6, 0, 0))
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_21/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_21/test.rego
index 4aae3ad5a3..5d95ac4374 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_21/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_21/test.rego
@@ -16,7 +16,7 @@ test_not_evaluated if {
 not finding with input as rule_input("/etc/kubernetes/pki/client.crt", "600")
 }
-rule_input(filename, filemode) = filesystem_input if {
+rule_input(filename, filemode) := filesystem_input if {
 user := "root"
 group := "root"
 filesystem_input = test_data.filesystem_input(filename, filemode, user, group)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_3/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_3/rule.rego
index c667256180..ace40daa8e 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_3/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_3/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_1_3
 import data.compliance.policy.file.ensure_permissions as audit
 import future.keywords.if
-finding = result if {
+finding := result if {
 audit.filename_filter("kube-controller-manager.yaml")
 result := audit.finding(audit.file_permission_match(6, 4, 4))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_3/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_3/test.rego
index 77c9d5be99..cf21b5617a 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_3/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_3/test.rego
@@ -16,7 +16,7 @@ test_not_evaluated if {
 not finding with input as rule_input("file.txt", "644")
 }
-rule_input(filename, filemode) = filesystem_input if {
+rule_input(filename, filemode) := filesystem_input if {
 user := "root"
 group := "root"
 filesystem_input = test_data.filesystem_input(filename, filemode, user, group)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_4/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_4/rule.rego
index e495d5f8eb..11d1a70f13 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_4/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_4/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_1_4
 import data.compliance.policy.file.ensure_ownership as audit
 import future.keywords.if
-finding = result if {
+finding := result if {
 audit.filename_filter("kube-controller-manager.yaml")
 result := audit.finding("root", "root")
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_4/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_4/test.rego
index a9098aabef..108caae8e6 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_4/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_4/test.rego
@@ -18,7 +18,7 @@ test_not_evaluated if {
 not finding with input as rule_input("file.txt", "root", "root")
 }
-rule_input(filename, user, group) = filesystem_input if {
+rule_input(filename, user, group) := filesystem_input if {
 filemode := "644"
 filesystem_input = test_data.filesystem_input(filename, filemode, user, group)
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_5/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_5/rule.rego
index de5df21bf4..ea452845f2 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_5/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_5/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_1_5
 import data.compliance.policy.file.ensure_permissions as audit
 import future.keywords.if
-finding = result if {
+finding := result if {
 audit.filename_filter("kube-scheduler.yaml")
 result := audit.finding(audit.file_permission_match(6, 4, 4))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_5/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_5/test.rego
index debdb3a8c2..ec12c1b90b 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_5/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_5/test.rego
@@ -16,7 +16,7 @@ test_not_evaluated if {
 not finding with input as rule_input("file.txt", "644")
 }
-rule_input(filename, filemode) = filesystem_input if {
+rule_input(filename, filemode) := filesystem_input if {
 user := "root"
 group := "root"
 filesystem_input = test_data.filesystem_input(filename, filemode, user, group)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_6/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_6/rule.rego
index 071ad0df95..e152e63721 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_6/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_6/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_1_6
 import data.compliance.policy.file.ensure_ownership as audit
 import future.keywords.if
-finding = result if {
+finding := result if {
 audit.filename_filter("kube-scheduler.yaml")
 result := audit.finding("root", "root")
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_6/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_6/test.rego
index f9a439ac74..00102d31a1 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_6/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_6/test.rego
@@ -18,7 +18,7 @@ test_not_evaluated if {
 not finding with input as rule_input("file.txt", "root", "root")
 }
-rule_input(filename, user, group) = filesystem_input if {
+rule_input(filename, user, group) := filesystem_input if {
 filemode := "644"
 filesystem_input = test_data.filesystem_input(filename, filemode, user, group)
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_7/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_7/rule.rego
index b72fca3493..5b5d022db0 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_7/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_7/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_1_7
 import data.compliance.policy.file.ensure_permissions as audit
 import future.keywords.if
-finding = result if {
+finding := result if {
 audit.filename_filter("etcd.yaml")
 result := audit.finding(audit.file_permission_match(6, 4, 4))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_7/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_7/test.rego
index 952a663e9b..f07276c139 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_7/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_7/test.rego
@@ -16,7 +16,7 @@ test_not_evaluated if {
 not finding with input as rule_input("file.txt", "644")
 }
-rule_input(filename, filemode) = filesystem_input if {
+rule_input(filename, filemode) := filesystem_input if {
 user := "root"
 group := "root"
 filesystem_input = test_data.filesystem_input(filename, filemode, user, group)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_8/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_8/rule.rego
index a4373a4921..b4327c2ce8 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_8/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_8/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_1_8
 import data.compliance.policy.file.ensure_ownership as audit
 import future.keywords.if
-finding = result if {
+finding := result if {
 audit.filename_filter("etcd.yaml")
 result := audit.finding("root", "root")
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_8/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_8/test.rego
index 880996287a..3f564d4748 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_8/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_1_8/test.rego
@@ -18,7 +18,7 @@ test_not_evaluated if {
 not finding with input as rule_input("file.txt", "root", "root")
 }
-rule_input(filename, user, group) = filesystem_input if {
+rule_input(filename, user, group) := filesystem_input if {
 filemode := "644"
 filesystem_input = test_data.filesystem_input(filename, filemode, user, group)
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_10/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_10/test.rego
index 87d207fade..d79fc921b2 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_10/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_10/test.rego
@@ -20,7 +20,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
-rule_input(argument) = test_data.process_input("kube-apiserver", [argument])
+rule_input(argument) := test_data.process_input("kube-apiserver", [argument])
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_11/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_11/test.rego
index 9b5f7cd33f..6313489751 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_11/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_11/test.rego
@@ -19,7 +19,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
-rule_input(argument) = test_data.process_input("kube-apiserver", [argument])
+rule_input(argument) := test_data.process_input("kube-apiserver", [argument])
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_12/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_12/test.rego
index 42d49559e0..8b3fc7cfe5 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_12/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_12/test.rego
@@ -20,7 +20,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
-rule_input(argument) = test_data.process_input("kube-apiserver", [argument])
+rule_input(argument) := test_data.process_input("kube-apiserver", [argument])
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_13/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_13/test.rego
index 9b9afcb683..f663432d94 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_13/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_13/test.rego
@@ -21,7 +21,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
-rule_input(argument) = test_data.process_input("kube-apiserver", [argument])
+rule_input(argument) := test_data.process_input("kube-apiserver", [argument])
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_14/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_14/test.rego
index ff05a464cc..94652597c3 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_14/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_14/test.rego
@@ -20,7 +20,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
-rule_input(argument) = test_data.process_input("kube-apiserver", [argument])
+rule_input(argument) := test_data.process_input("kube-apiserver", [argument])
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_15/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_15/test.rego
index 0f850973f8..e79517da48 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_15/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_15/test.rego
@@ -20,7 +20,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
-rule_input(argument) = test_data.process_input("kube-apiserver", [argument])
+rule_input(argument) := test_data.process_input("kube-apiserver", [argument])
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_16/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_16/test.rego
index da315333b9..62d206ecfb 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_16/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_16/test.rego
@@ -20,7 +20,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
-rule_input(argument) = test_data.process_input("kube-apiserver", [argument])
+rule_input(argument) := test_data.process_input("kube-apiserver", [argument])
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_17/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_17/rule.rego
index 9f73ec3f8c..83dc93934c 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_17/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_17/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_2_17
 import data.compliance.policy.process.ensure_arguments_contain_key_value as audit
 import future.keywords.if
-finding = result if {
+finding := result if {
 audit.apiserver_filter
 result := audit.finding(audit.arg_not_contains("--secure-port", "0"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_17/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_17/test.rego
index 0f928a92ad..b355017e01 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_17/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_17/test.rego
@@ -19,7 +19,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
-rule_input(argument) = test_data.process_input("kube-apiserver", [argument])
+rule_input(argument) := test_data.process_input("kube-apiserver", [argument])
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_18/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_18/rule.rego
index 70abb142b0..15a6118d55 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_18/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_18/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_2_18
 import data.compliance.policy.process.ensure_arguments_contain_key_value as audit
 import future.keywords.if
-finding = result if {
+finding := result if {
 audit.apiserver_filter
 result := audit.finding(audit.arg_contains("--profiling", "false"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_18/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_18/test.rego
index 482e777391..ae9535d3a7 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_18/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_18/test.rego
@@ -18,7 +18,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
-rule_input(argument) = test_data.process_input("kube-apiserver", [argument])
+rule_input(argument) := test_data.process_input("kube-apiserver", [argument])
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_19/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_19/rule.rego
index fc4313640f..69c5d8357a 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_19/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_19/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_2_19
 import data.compliance.policy.process.ensure_arguments_contain_key as audit
 import future.keywords.if
-finding = result if {
+finding := result if {
 audit.apiserver_filter
 result := audit.finding(audit.arg_contains("--audit-log-path"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_19/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_19/test.rego
index 30694cba7d..b2cbf67fe2 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_19/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_19/test.rego
@@ -17,7 +17,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
-rule_input(argument) = test_data.process_input("kube-apiserver", [argument])
+rule_input(argument) := test_data.process_input("kube-apiserver", [argument])
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_2/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_2/rule.rego
index 975905c706..91a2bba13d 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_2/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_2/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_2_2
 import data.compliance.policy.process.ensure_arguments_contain_key as audit
 import future.keywords.if
-finding = result if {
+finding := result if {
 audit.apiserver_filter
 result := audit.finding(audit.arg_not_contains("--token-auth-file"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_2/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_2/test.rego
index 05e1ecf8a2..798a4ab5bb 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_2/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_2/test.rego
@@ -17,7 +17,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
-rule_input(argument) = test_data.process_input("kube-apiserver", [argument])
+rule_input(argument) := test_data.process_input("kube-apiserver", [argument])
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_20/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_20/rule.rego
index 4d094a3b42..8c644390d6 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_20/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_20/rule.rego
@@ -2,4 +2,4 @@ package compliance.cis_k8s.rules.cis_1_2_20
 import data.compliance.policy.process.ensure_arguments_goe as audit
-finding = audit.finding("--audit-log-maxage", 30)
+finding := audit.finding("--audit-log-maxage", 30)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_20/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_20/test.rego
index 3c3e81af5a..a8bd5f5c65 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_20/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_20/test.rego
@@ -19,7 +19,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
-rule_input(argument) = test_data.process_input("kube-apiserver", [argument])
+rule_input(argument) := test_data.process_input("kube-apiserver", [argument])
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_21/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_21/rule.rego
index 03728cc43c..cb6865a993 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_21/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_21/rule.rego
@@ -2,4 +2,4 @@ package compliance.cis_k8s.rules.cis_1_2_21
 import data.compliance.policy.process.ensure_arguments_goe as audit
-finding = audit.finding("--audit-log-maxbackup", 10)
+finding := audit.finding("--audit-log-maxbackup", 10)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_21/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_21/test.rego
index c33dc16a49..98a3d21683 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_21/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_21/test.rego
@@ -19,7 +19,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
-rule_input(argument) = test_data.process_input("kube-apiserver", [argument])
+rule_input(argument) := test_data.process_input("kube-apiserver", [argument])
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_22/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_22/rule.rego
index 204dbe3b4f..0b4ead81ee 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_22/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_22/rule.rego
@@ -2,4 +2,4 @@ package compliance.cis_k8s.rules.cis_1_2_22
 import data.compliance.policy.process.ensure_arguments_goe as audit
-finding = audit.finding("--audit-log-maxsize", 100)
+finding := audit.finding("--audit-log-maxsize", 100)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_22/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_22/test.rego
index 62b28c725a..f0550fa8c3 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_22/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_22/test.rego
@@ -19,7 +19,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
-rule_input(argument) = test_data.process_input("kube-apiserver", [argument])
+rule_input(argument) := test_data.process_input("kube-apiserver", [argument])
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_23/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_23/rule.rego
index 6d90ccad5e..cb4092d0c1 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_23/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_23/rule.rego
@@ -2,4 +2,4 @@ package compliance.cis_k8s.rules.cis_1_2_23
 import data.compliance.policy.process.ensure_arguments_lte as audit
-finding = audit.finding("--request-timeout", "60s")
+finding := audit.finding("--request-timeout", "60s")
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_23/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_23/test.rego
index ff0b357352..340f9155fb 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_23/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_23/test.rego
@@ -21,7 +21,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
-rule_input(argument) = test_data.process_input("kube-apiserver", [argument])
+rule_input(argument) := test_data.process_input("kube-apiserver", [argument])
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_24/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_24/rule.rego
index edc13d0653..7e2b4219dd 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_24/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_24/rule.rego
@@ -2,4 +2,4 @@ package compliance.cis_k8s.rules.cis_1_2_24
 import data.compliance.policy.process.ensure_arguments_if_contain_equal as audit
-finding = audit.finding
+finding := audit.finding
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_24/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_24/test.rego
index 648d7ccfab..467a857e46 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_24/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_24/test.rego
@@ -18,7 +18,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
-rule_input(argument) = test_data.process_input("kube-apiserver", [argument])
+rule_input(argument) := test_data.process_input("kube-apiserver", [argument])
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_25/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_25/rule.rego
index e34ebd471c..2c4000ddf4 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_25/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_25/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_2_25
 import data.compliance.policy.process.ensure_arguments_contain_key as audit
 import future.keywords.if
-finding = result if {
+finding := result if {
 audit.apiserver_filter
 result := audit.finding(audit.arg_contains("--service-account-key-file"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_25/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_25/test.rego
index 148444b6a9..615aa149e6 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_25/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_25/test.rego
@@ -17,7 +17,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("kube-apiserver", [argument])
+rule_input(argument) := test_data.process_input("kube-apiserver", [argument])
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_26/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_26/rule.rego
index 24644237b2..6dffefa886 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_26/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_26/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_2_26
 import data.compliance.policy.process.ensure_appropriate_arguments as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 audit.apiserver_filter
 result := audit.finding([
 "--etcd-certfile",
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_26/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_26/test.rego
index cadf3dd920..05beba0e26 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_26/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_26/test.rego
@@ -19,7 +19,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [""])
 }
 
-rule_input(argument) = test_data.process_input("kube-apiserver", argument)
+rule_input(argument) := test_data.process_input("kube-apiserver", argument)
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_27/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_27/rule.rego
index 222b52f090..7d2b8174f7 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_27/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_27/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_2_27
 import data.compliance.policy.process.ensure_appropriate_arguments as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 audit.apiserver_filter
 result := audit.finding([
 "--tls-cert-file",
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_27/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_27/test.rego
index ea4326632b..59f36f6144 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_27/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_27/test.rego
@@ -19,7 +19,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [""])
 }
 
-rule_input(argument) = test_data.process_input("kube-apiserver", argument)
+rule_input(argument) := test_data.process_input("kube-apiserver", argument)
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_28/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_28/rule.rego
index 80cdac4cc4..c72933fcd7 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_28/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_28/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_2_28
 import data.compliance.policy.process.ensure_arguments_contain_key as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 audit.apiserver_filter
 result := audit.finding(audit.arg_contains("--client-ca-file"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_28/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_28/test.rego
index 12af60f4e2..c12d6602ec 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_28/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_28/test.rego
@@ -17,7 +17,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("kube-apiserver", [argument])
+rule_input(argument) := test_data.process_input("kube-apiserver", [argument])
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_29/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_29/rule.rego
index c5d8870232..dad6e208a0 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_29/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_29/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_2_29
 import data.compliance.policy.process.ensure_arguments_contain_key as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 audit.apiserver_filter
 result := audit.finding(audit.arg_contains("--etcd-cafile"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_29/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_29/test.rego
index 963d197589..31b926faf1 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_29/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_29/test.rego
@@ -17,7 +17,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("kube-apiserver", [argument])
+rule_input(argument) := test_data.process_input("kube-apiserver", [argument])
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_32/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_32/rule.rego
index 4ba313fd1f..33fa52c0bf 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_32/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_32/rule.rego
@@ -4,17 +4,17 @@ import data.compliance.policy.process.ensure_ciphers as audit
 import future.keywords.if
 
 # Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)
-default rule_evaluation = true
+default rule_evaluation := true
 
-rule_evaluation = false if {
+rule_evaluation := false if {
 not audit.process_args["--tls-cipher-suites"]
 }
 
-rule_evaluation = false if {
+rule_evaluation := false if {
 audit.is_process_args_includes_non_supported_cipher(supported_ciphers)
 }
 
-supported_ciphers = [
+supported_ciphers := [
 "TLS_AES_128_GCM_SHA256",
 "TLS_AES_256_GCM_SHA384",
 "TLS_CHACHA20_POLY1305_SHA256",
@@ -38,7 +38,7 @@ supported_ciphers = [
 "TLS_RSA_WITH_AES_256_GCM_SHA384",
 ]
 
-finding = result if {
+finding := result if {
 audit.apiserver_filter
 result := audit.finding(rule_evaluation)
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_32/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_32/test.rego
index df09230753..d96c09a98b 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_32/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_32/test.rego
@@ -21,7 +21,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("kube-apiserver", [argument])
+rule_input(argument) := test_data.process_input("kube-apiserver", [argument])
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_4/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_4/rule.rego
index 6968dc1d84..2c171b4a9b 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_4/rule.rego
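Review bot: `supported_ciphers` in cis_1_2_32/rule.rego carries no comment explaining its role, although the first hunk shows it is the allow-list that `audit.is_process_args_includes_non_supported_cipher` checks against and that a match against anything outside it forces `rule_evaluation` to false. A header comment above the list would make the evaluation readable without tracing the two rule bodies, e.g. `# Allow-list for --tls-cipher-suites: a configured suite outside this list fails the rule, as does a missing flag.` The list continues past the end of the hunk, so whether the full set matches the benchmark text cannot be checked from here.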
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_4/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_2_4
 import data.compliance.policy.process.ensure_arguments_contain_key_value as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 audit.apiserver_filter
 result := audit.finding(audit.arg_not_contains("--kubelet-https", "false"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_4/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_4/test.rego
index 166c36457d..c932ceb7b8 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_4/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_4/test.rego
@@ -18,7 +18,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("kube-apiserver", [argument])
+rule_input(argument) := test_data.process_input("kube-apiserver", [argument])
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_5/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_5/rule.rego
index e009c13135..e6f7fbd8ed 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_5/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_5/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_2_5
 import data.compliance.policy.process.ensure_appropriate_arguments as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 audit.apiserver_filter
 result := audit.finding([
 "--kubelet-client-certificate",
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_5/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_5/test.rego
index 6d81c9a0b6..86bbfb99ef 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_5/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_5/test.rego
@@ -19,7 +19,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [""])
 }
 
-rule_input(argument) = test_data.process_input("kube-apiserver", argument)
+rule_input(argument) := test_data.process_input("kube-apiserver", argument)
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_6/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_6/rule.rego
index f2fcd446f5..6d1c5bf05d 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_6/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_6/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_2_6
 import data.compliance.policy.process.ensure_arguments_contain_key as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 audit.apiserver_filter
 result := audit.finding(audit.arg_contains("--kubelet-certificate-authority"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_6/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_6/test.rego
index f411a6dcc3..aa0fe39243 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_6/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_6/test.rego
@@ -17,7 +17,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("kube-apiserver", [argument])
+rule_input(argument) := test_data.process_input("kube-apiserver", [argument])
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_7/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_7/test.rego
index 86d32b481c..17a40ec54b 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_7/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_7/test.rego
@@ -19,7 +19,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("kube-apiserver", [argument])
+rule_input(argument) := test_data.process_input("kube-apiserver", [argument])
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_8/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_8/test.rego
index 979304c13a..d272835d57 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_8/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_8/test.rego
@@ -19,7 +19,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("kube-apiserver", [argument])
+rule_input(argument) := test_data.process_input("kube-apiserver", [argument])
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_9/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_9/test.rego
index 2edec7038b..9e9af693bf 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_9/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_2_9/test.rego
@@ -19,7 +19,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("kube-apiserver", [argument])
+rule_input(argument) := test_data.process_input("kube-apiserver", [argument])
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_2/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_2/rule.rego
index 938978598d..35a0a2e766 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_2/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_2/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_3_2
 import data.compliance.policy.process.ensure_arguments_contain_key_value as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 audit.controller_manager_filter
 result := audit.finding(audit.arg_contains("--profiling", "false"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_2/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_2/test.rego
index c0cfe2e349..61e2f39c92 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_2/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_2/test.rego
@@ -18,7 +18,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("kube-controller", [argument])
+rule_input(argument) := test_data.process_input("kube-controller", [argument])
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_3/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_3/rule.rego
index 8306a300ba..9c560cf4d1 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_3/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_3/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_3_3
 import data.compliance.policy.process.ensure_arguments_contain_key_value as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 audit.controller_manager_filter
 result := audit.finding(audit.arg_contains("--use-service-account-credentials", "true"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_3/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_3/test.rego
index c3597841b1..d047a8d01b 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_3/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_3/test.rego
@@ -18,7 +18,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("kube-controller", [argument])
+rule_input(argument) := test_data.process_input("kube-controller", [argument])
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_4/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_4/rule.rego
index 67979fb6f5..fbe4b6e411 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_4/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_4/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_3_4
 import data.compliance.policy.process.ensure_arguments_contain_key as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 audit.controller_manager_filter
 result := audit.finding(audit.arg_contains("--service-account-private-key-file"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_4/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_4/test.rego
index 413e82b3ff..3cebefb2be 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_4/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_4/test.rego
@@ -17,7 +17,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("kube-controller", [argument])
+rule_input(argument) := test_data.process_input("kube-controller", [argument])
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_5/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_5/rule.rego
index 54635794b3..bd8ddd18d4 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_5/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_5/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_3_5
 import data.compliance.policy.process.ensure_arguments_contain_key as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 audit.controller_manager_filter
 result := audit.finding(audit.arg_contains("--root-ca-file"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_5/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_5/test.rego
index b1f88cba8a..05711d5887 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_5/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_5/test.rego
@@ -17,7 +17,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("kube-controller", [argument])
+rule_input(argument) := test_data.process_input("kube-controller", [argument])
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_6/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_6/rule.rego
index 655d851c84..b2921f902e 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_6/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_6/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_3_6
 import data.compliance.policy.process.ensure_arguments_contain_key_value as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 audit.controller_manager_filter
 result := audit.finding(audit.arg_contains("--feature-gates", "RotateKubeletServerCertificate=true"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_6/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_6/test.rego
index 0a30714bee..3c8f0fab8a 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_6/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_6/test.rego
@@ -18,7 +18,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("kube-controller", [argument])
+rule_input(argument) := test_data.process_input("kube-controller", [argument])
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_7/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_7/rule.rego
index 4d71e43f24..781d5503c4 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_7/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_7/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_3_7
 import data.compliance.policy.process.ensure_arguments_contain_key_value as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 audit.controller_manager_filter
 result := audit.finding(audit.arg_contains("--bind-address", "127.0.0.1"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_7/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_7/test.rego
index f393e78e02..0deaf2b9db 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_7/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_3_7/test.rego
@@ -18,7 +18,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("kube-controller", [argument])
+rule_input(argument) := test_data.process_input("kube-controller", [argument])
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_4_1/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_4_1/rule.rego
index 8b4c243311..53327e34bf 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_4_1/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_4_1/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_4_1
 import data.compliance.policy.process.ensure_arguments_contain_key_value as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 audit.scheduler_filter
 result := audit.finding(audit.arg_contains("--profiling", "false"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_4_1/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_4_1/test.rego
index f214912cfd..7e9ad87d85 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_4_1/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_4_1/test.rego
@@ -18,7 +18,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("kube-scheduler", [argument])
+rule_input(argument) := test_data.process_input("kube-scheduler", [argument])
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_4_2/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_4_2/rule.rego
index 61ef43887f..c8501d69ce 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_4_2/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_4_2/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_1_4_2
 import data.compliance.policy.process.ensure_arguments_contain_key_value as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 audit.scheduler_filter
 result := audit.finding(audit.arg_contains("--bind-address", "127.0.0.1"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_4_2/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_4_2/test.rego
index 334610dc7a..c369f8bb22 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_1_4_2/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_1_4_2/test.rego
@@ -18,7 +18,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("kube-scheduler", [argument])
+rule_input(argument) := test_data.process_input("kube-scheduler", [argument])
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_1/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_1/rule.rego
index 95dd2c02dc..511f77c1a5 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_1/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_1/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_2_1
 import data.compliance.policy.process.ensure_appropriate_arguments as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 audit.etcd_filter
 result := audit.finding([
 "--cert-file",
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_1/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_1/test.rego
index cd87c9d1f1..fe07223922 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_1/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_1/test.rego
@@ -19,7 +19,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("etcd", [argument])
+rule_input(argument) := test_data.process_input("etcd", [argument])
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_2/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_2/rule.rego
index c1ef4ab786..55b4a693b8 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_2/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_2/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_2_2
 import data.compliance.policy.process.ensure_arguments_contain_key_value as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 audit.etcd_filter
 result := audit.finding(audit.arg_contains("--client-cert-auth", "true"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_2/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_2/test.rego
index 735c670bdf..104f2da268 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_2/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_2/test.rego
@@ -18,7 +18,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("etcd", [argument])
+rule_input(argument) := test_data.process_input("etcd", [argument])
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_3/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_3/rule.rego
index 5f6bafbe81..530b46cbac 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_3/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_3/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_2_3
 import data.compliance.policy.process.ensure_arguments_contain_key_value as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 audit.etcd_filter
 result := audit.finding(audit.arg_not_contains("--auto-tls", "true"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_3/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_3/test.rego
index 3023819cf6..72c147b9d3 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_3/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_3/test.rego
@@ -18,7 +18,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("etcd", [argument])
+rule_input(argument) := test_data.process_input("etcd", [argument])
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_4/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_4/rule.rego
index 1cab72b4b6..a00e08e35b 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_4/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_4/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_2_4
 import data.compliance.policy.process.ensure_appropriate_arguments as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 audit.etcd_filter
 result := audit.finding([
 "--peer-cert-file",
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_4/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_4/test.rego
index 8c8aede371..01efb58962 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_4/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_4/test.rego
@@ -19,7 +19,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [""])
 }
 
-rule_input(argument) = test_data.process_input("etcd", argument)
+rule_input(argument) := test_data.process_input("etcd", argument)
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_5/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_5/rule.rego
index ab7b7b9a22..8a8e7a43d3 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_5/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_5/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_2_5
 import data.compliance.policy.process.ensure_arguments_contain_key_value as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 audit.etcd_filter
 result := audit.finding(audit.arg_contains("--peer-client-cert-auth", "true"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_5/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_5/test.rego
index 18d6fd0f87..bb8d3a89f8 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_5/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_5/test.rego
@@ -18,7 +18,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("etcd", [argument])
+rule_input(argument) := test_data.process_input("etcd", [argument])
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_6/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_6/rule.rego
index 664d30104c..87efc36dce 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_6/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_6/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_2_6
 import data.compliance.policy.process.ensure_arguments_contain_key_value as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 audit.etcd_filter
 result := audit.finding(audit.arg_not_contains("--peer-auto-tls", "true"))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_6/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_6/test.rego
index 4e15d12c43..9e2925a282 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_2_6/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_2_6/test.rego
@@ -18,7 +18,7 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("etcd", [argument])
+rule_input(argument) := test_data.process_input("etcd", [argument])
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_1/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_1/rule.rego
index d0b2080fe2..bf3289d6c9 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_1/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_1/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_4_1_1
 import data.compliance.policy.file.ensure_permissions as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 	audit.filename_filter("10-kubeadm.conf")
 	result := audit.finding(audit.file_permission_match(6, 4, 4))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_1/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_1/test.rego
index 732ca43931..7186b5c604 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_1/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_1/test.rego
@@ -16,7 +16,7 @@ test_not_evaluated if {
 	not finding with input as rule_input("file.txt", "644")
 }
 
-rule_input(filename, filemode) = filesystem_input if {
+rule_input(filename, filemode) := filesystem_input if {
 	user := "root"
 	group := "root"
 	filesystem_input = test_data.filesystem_input(filename, filemode, user, group)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_10/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_10/rule.rego
index 490cda3e93..fe1920ceb4 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_10/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_10/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_4_1_10
 import data.compliance.policy.file.ensure_ownership as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 	audit.filename_filter("kubelet.conf")
 	result := audit.finding("root", "root")
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_10/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_10/test.rego
index f60754fb3c..1bdf10662a 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_10/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_10/test.rego
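Review bot: In the cis_4_1_1 test.rego hunk the helper's head is migrated to `rule_input(filename, filemode) := filesystem_input if {`, but the body line `filesystem_input = test_data.filesystem_input(filename, filemode, user, group)` still uses the unification operator, so the same rule now mixes `=` and `:=` while its sibling locals (`user := "root"`, `group := "root"`) use assignment. For consistency with the migration, change it to `filesystem_input := test_data.filesystem_input(filename, filemode, user, group)`; since `filesystem_input` is unbound at that point, this looks behavior-preserving, though that is worth confirming in the test run. The same leftover `=` appears in the test.rego hunks for cis_4_1_10, cis_4_1_2, cis_4_1_5, cis_4_1_6 and cis_4_1_9. The enclosing rule body of the cis_4_1_1 helper closes outside this hunk.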
@@ -18,7 +18,7 @@ test_not_evaluated if {
 	not finding with input as rule_input("file.txt", "root", "root")
 }
 
-rule_input(filename, user, group) = filesystem_input if {
+rule_input(filename, user, group) := filesystem_input if {
 	filemode := "644"
 	filesystem_input = test_data.filesystem_input(filename, filemode, user, group)
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_2/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_2/rule.rego
index cc298f198a..4c9c4b5f5c 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_2/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_2/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_4_1_2
 import data.compliance.policy.file.ensure_ownership as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 	audit.filename_filter("10-kubeadm.conf")
 	result := audit.finding("root", "root")
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_2/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_2/test.rego
index 212dd421f6..d425bbd452 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_2/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_2/test.rego
@@ -18,7 +18,7 @@ test_not_evaluated if {
 	not finding with input as rule_input("file.txt", "root", "root")
 }
 
-rule_input(filename, user, group) = filesystem_input if {
+rule_input(filename, user, group) := filesystem_input if {
 	filemode := "644"
 	filesystem_input = test_data.filesystem_input(filename, filemode, user, group)
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_5/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_5/rule.rego
index a7fb6a3eb5..bd0076fe42 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_5/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_5/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_4_1_5
 import data.compliance.policy.file.ensure_permissions as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 	audit.filename_filter("kubelet.conf")
 	result := audit.finding(audit.file_permission_match(6, 4, 4))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_5/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_5/test.rego
index ab534742e5..3d1a42d76d 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_5/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_5/test.rego
@@ -16,7 +16,7 @@ test_not_evaluated if {
 	not finding with input as rule_input("file.txt", "644")
 }
 
-rule_input(filename, filemode) = filesystem_input if {
+rule_input(filename, filemode) := filesystem_input if {
 	user := "root"
 	group := "root"
 	filesystem_input = test_data.filesystem_input(filename, filemode, user, group)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_6/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_6/rule.rego
index e719cf6b27..73ec8038fa 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_6/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_6/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_4_1_6
 import data.compliance.policy.file.ensure_ownership as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 	audit.filename_filter("kubelet.conf")
 	result := audit.finding("root", "root")
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_6/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_6/test.rego
index f40d17353a..7a6a121954 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_6/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_6/test.rego
@@ -18,7 +18,7 @@ test_not_evaluated if {
 	not finding with input as rule_input("file.txt", "root", "root")
 }
 
-rule_input(filename, user, group) = filesystem_input if {
+rule_input(filename, user, group) := filesystem_input if {
 	filemode := "644"
 	filesystem_input = test_data.filesystem_input(filename, filemode, user, group)
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_9/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_9/rule.rego
index de0774365c..6ad347ac9d 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_9/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_9/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_4_1_9
 import data.compliance.policy.file.ensure_permissions as audit
 import future.keywords.if
 
-finding = result if {
+finding := result if {
 	audit.filename_filter("config.yaml")
 	result := audit.finding(audit.file_permission_match(6, 4, 4))
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_9/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_9/test.rego
index d9376ad2fa..91cae1f546 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_9/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_1_9/test.rego
@@ -16,7 +16,7 @@ test_not_evaluated if {
 	not finding with input as rule_input("file.txt", "644")
 }
 
-rule_input(filename, filemode) = filesystem_input if {
+rule_input(filename, filemode) := filesystem_input if {
 	user := "root"
 	group := "root"
 	filesystem_input = test_data.filesystem_input(filename, filemode, user, group)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_1/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_1/rule.rego
index 93630ad883..6d275d2eca 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_1/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_1/rule.rego
@@ -3,7 +3,7 @@ package compliance.cis_k8s.rules.cis_4_2_1
 import data.compliance.policy.process.ensure_arguments_and_config as audit
 import future.keywords.if
 
-default rule_evaluation = false
+default rule_evaluation := false
 
 rule_evaluation if {
 	audit.process_contains_key_with_value("--anonymous-auth", "false")
@@ -15,4 +15,4 @@ rule_evaluation if {
 	audit.not_process_arg_comparison("--anonymous-auth", ["authentication", "anonymous", "enabled"], false)
 }
 
-finding = audit.finding(rule_evaluation)
+finding := audit.finding(rule_evaluation)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_1/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_1/test.rego
index b1b8be93f1..b6361bd92b 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_1/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_1/test.rego
@@ -24,11 +24,11 @@ test_not_evaluated if {
 	not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input_with_external_data("kubelet", [argument], {})
+rule_input(argument) := test_data.process_input_with_external_data("kubelet", [argument], {})
 
-rule_input_with_external(argument, external_data) = test_data.process_input_with_external_data("kubelet", [argument], external_data)
+rule_input_with_external(argument, external_data) := test_data.process_input_with_external_data("kubelet", [argument], external_data)
 
-create_process_config(anonymous_enabled) = {"config": {"authentication": {
+create_process_config(anonymous_enabled) := {"config": {"authentication": {
 	"x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"},
 	"anonymous": {"enabled": anonymous_enabled},
 	"webhook": {
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_10/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_10/rule.rego
index 2628abe6f1..0d5cee7502 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_10/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_10/rule.rego
@@ -4,7 +4,7 @@ import data.compliance.policy.process.ensure_arguments_and_config as audit
 import future.keywords.if
 
 # Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate
-default rule_evaluation = false
+default rule_evaluation := false
 
 rule_evaluation if {
 	audit.process_arg_multi("--tls-cert-file", "--tls-private-key-file")
@@ -14,4 +14,4 @@ rule_evaluation if {
 	audit.process_variable_multi(["tlsCertFile"], ["tlsPrivateKeyFile"])
 }
 
-finding = audit.finding(rule_evaluation)
+finding := audit.finding(rule_evaluation)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_10/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_10/test.rego
index e4abfe6d9e..74d30ecfd5 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_10/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_10/test.rego
@@ -21,11 +21,11 @@ test_not_evaluated if {
 	not_eval with input as test_data.process_input("some_process", [""])
 }
 
-rule_input(argument) = test_data.process_input_with_external_data("kubelet", [argument], {})
+rule_input(argument) := test_data.process_input_with_external_data("kubelet", [argument], {})
 
-rule_input_with_external(argument, external_data) = test_data.process_input_with_external_data("kubelet", [argument], external_data)
+rule_input_with_external(argument, external_data) := test_data.process_input_with_external_data("kubelet", [argument], external_data)
 
-create_process_config(tlsCertFile, tlsPrivateKeyFile) = {"config": {"tlsCertFile": tlsCertFile, "tlsPrivateKeyFile": tlsPrivateKeyFile}}
+create_process_config(tlsCertFile, tlsPrivateKeyFile) := {"config": {"tlsCertFile": tlsCertFile, "tlsPrivateKeyFile": tlsPrivateKeyFile}}
 
 eval_fail if {
 	test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_11/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_11/rule.rego
index ad906a0c45..52f482dc2f 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_11/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_11/rule.rego
@@ -4,15 +4,15 @@ import data.compliance.policy.process.ensure_arguments_and_config as audit
 import future.keywords.if
 
 # Verify that the --rotate-certificates argument is not present, or is set to true.
-default rule_evaluation = true
+default rule_evaluation := true
 
-rule_evaluation = false if {
+rule_evaluation := false if {
 	audit.process_contains_key_with_value("--rotate-certificates", "false")
 }
 
 # In case both flags and configuration file are specified, the executable argument takes precedence.
-rule_evaluation = false if {
+rule_evaluation := false if {
 	audit.not_process_arg_comparison("--rotate-certificates", ["rotateCertificates"], false)
 }
 
-finding = audit.finding(rule_evaluation)
+finding := audit.finding(rule_evaluation)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_11/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_11/test.rego
index 35c5da2901..aa6139d591 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_11/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_11/test.rego
@@ -23,11 +23,11 @@ test_not_evaluated if {
 	not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("kubelet", [argument])
+rule_input(argument) := test_data.process_input("kubelet", [argument])
 
-rule_input_with_external(argument, external_data) = test_data.process_input_with_external_data("kubelet", [argument], external_data)
+rule_input_with_external(argument, external_data) := test_data.process_input_with_external_data("kubelet", [argument], external_data)
 
-create_process_config(rotateCertificates) = {"config": {"rotateCertificates": rotateCertificates}}
+create_process_config(rotateCertificates) := {"config": {"rotateCertificates": rotateCertificates}}
 
 eval_fail if {
 	test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_12/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_12/rule.rego
index 57a761165f..b7c2d20ec4 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_12/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_12/rule.rego
@@ -4,7 +4,7 @@ import data.compliance.policy.process.ensure_arguments_and_config as audit
 import future.keywords.if
 
 # Verify that the RotateKubeletServerCertificate argument is set to true
-default rule_evaluation = false
+default rule_evaluation := false
 
 rule_evaluation if {
 	audit.not_process_contains_key_with_value("--feature-gates", "RotateKubeletServerCertificate=false")
@@ -27,4 +27,4 @@ rule_evaluation if {
 	audit.get_from_config(["serverTLSBootstrap"])
 }
 
-finding = audit.finding(rule_evaluation)
+finding := audit.finding(rule_evaluation)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_12/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_12/test.rego
index dbae519c2d..978b85c993 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_12/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_12/test.rego
@@ -30,11 +30,11 @@ test_not_evaluated if {
 	not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("kubelet", [argument])
+rule_input(argument) := test_data.process_input("kubelet", [argument])
 
-rule_input_with_external(argument, external_data) = test_data.process_input_with_external_data("kubelet", [argument], external_data)
+rule_input_with_external(argument, external_data) := test_data.process_input_with_external_data("kubelet", [argument], external_data)
 
-create_process_config(rotateCertificates, serverTLSBootstrap) = {"config": {"serverTLSBootstrap": serverTLSBootstrap, "featureGates": {"RotateKubeletServerCertificate": rotateCertificates}}}
+create_process_config(rotateCertificates, serverTLSBootstrap) := {"config": {"serverTLSBootstrap": serverTLSBootstrap, "featureGates": {"RotateKubeletServerCertificate": rotateCertificates}}}
 
 eval_fail if {
 	test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_13/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_13/rule.rego
index 56e329f2ce..5e7a7bf099 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_13/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_13/rule.rego
@@ -4,19 +4,19 @@ import data.compliance.policy.process.ensure_ciphers as audit
 import future.keywords.if
 
 # Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
-default rule_evaluation = true
+default rule_evaluation := true
 
 # Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
-rule_evaluation = false if {
+rule_evaluation := false if {
 	audit.is_process_args_includes_non_supported_cipher(supported_ciphers)
 }
 
 # In case both flags and configuration file are specified, the executable argument takes precedence.
-rule_evaluation = false if {
+rule_evaluation := false if {
 	audit.is_process_config_includes_non_supported_cipher(supported_ciphers)
 }
 
-supported_ciphers = [
+supported_ciphers := [
 	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
 	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
@@ -27,7 +27,7 @@ supported_ciphers = [
 	"TLS_RSA_WITH_AES_128_GCM_SHA256",
 ]
 
-finding = result if {
+finding := result if {
 	audit.kubelet_filter
 	result := audit.finding(rule_evaluation)
 }
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_13/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_13/test.rego
index 576df45a9f..7fb8236853 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_13/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_13/test.rego
@@ -25,11 +25,11 @@ test_not_evaluated if {
 	not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("kubelet", [argument])
+rule_input(argument) := test_data.process_input("kubelet", [argument])
 
-rule_input_with_external(argument, external_data) = test_data.process_input_with_external_data("kubelet", [argument], external_data)
+rule_input_with_external(argument, external_data) := test_data.process_input_with_external_data("kubelet", [argument], external_data)
 
-create_process_config(cipherSuites) = {"config": {"TLSCipherSuites": cipherSuites}}
+create_process_config(cipherSuites) := {"config": {"TLSCipherSuites": cipherSuites}}
 
 eval_fail if {
 	test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_2/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_2/rule.rego
index 1622019bd6..e6ab47d432 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_2/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_2/rule.rego
@@ -5,7 +5,7 @@ import future.keywords.if
 
 # Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
 # If the --authorization-mode argument is present check that it is not set to AlwaysAllow.
-default rule_evaluation = false
+default rule_evaluation := false
 
 rule_evaluation if {
 	is_authorization_allow_all
@@ -22,4 +22,4 @@ rule_evaluation if {
 	audit.process_filter_variable_multi_comparison(["authorization", "mode"], ["authorization", "mode"], "AlwaysAllow")
 }
 
-finding = audit.finding(rule_evaluation)
+finding := audit.finding(rule_evaluation)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_2/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_2/test.rego
index 6a52f3e2a9..6573d5ec04 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_2/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_2/test.rego
@@ -22,11 +22,11 @@ test_not_evaluated if {
 	not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("kubelet", [argument])
+rule_input(argument) := test_data.process_input("kubelet", [argument])
 
-rule_input_with_external(argument, external_data) = test_data.process_input_with_external_data("kubelet", [argument], external_data)
+rule_input_with_external(argument, external_data) := test_data.process_input_with_external_data("kubelet", [argument], external_data)
 
-create_process_config(authz_mode) = {"config": {"authorization": {
+create_process_config(authz_mode) := {"config": {"authorization": {
 	"mode": authz_mode,
 	"webhook": {
 		"cacheAuthorizedTTL": "0s",
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_3/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_3/rule.rego
index b2fada442b..7ae3525f0b 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_3/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_3/rule.rego
@@ -4,7 +4,7 @@ import data.compliance.policy.process.ensure_arguments_and_config as audit
 import future.keywords.if
 
 # Ensure that the --client-ca-file argument is set as appropriate (Automated)
-default rule_evaluation = false
+default rule_evaluation := false
 
 rule_evaluation if {
 	audit.process_contains_key("--client-ca-file")
@@ -16,4 +16,4 @@ rule_evaluation if {
 	audit.get_from_config(["authentication", "x509", "clientCAFile"])
 }
 
-finding = audit.finding(rule_evaluation)
+finding := audit.finding(rule_evaluation)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_3/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_3/test.rego
index a184b9e5e0..06d9fd72d8 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_3/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_3/test.rego
@@ -19,11 +19,11 @@ test_not_evaluated if {
 	not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("kubelet", [argument])
+rule_input(argument) := test_data.process_input("kubelet", [argument])
 
-rule_input_with_external(argument, external_data) = test_data.process_input_with_external_data("kubelet", [argument], external_data)
+rule_input_with_external(argument, external_data) := test_data.process_input_with_external_data("kubelet", [argument], external_data)
 
-create_process_config(client_CA_path) = {"config": {"authentication": {
+create_process_config(client_CA_path) := {"config": {"authentication": {
 	"x509": {"clientCAFile": client_CA_path},
 	"anonymous": {"enabled": false},
 	"webhook": {
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_4/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_4/rule.rego
index e02f2540bb..3af55af1f4 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_4/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_4/rule.rego
@@ -4,7 +4,7 @@ import data.compliance.policy.process.ensure_arguments_and_config as audit
 import future.keywords.if
 
 # Verify that the --read-only-port argument is set to 0
-default rule_evaluation = false
+default rule_evaluation := false
 
 rule_evaluation if {
 	audit.process_contains_key_with_value("--read-only-port", "0")
@@ -15,4 +15,4 @@ rule_evaluation if {
 	audit.not_process_arg_comparison("--read-only-port", ["readOnlyPort"], 0)
 }
 
-finding = audit.finding(rule_evaluation)
+finding := audit.finding(rule_evaluation)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_4/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_4/test.rego
index 7766023886..a9284ac7ee 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_4/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_4/test.rego
@@ -23,11 +23,11 @@ test_not_evaluated if {
 	not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input_with_external_data("kubelet", [argument], {})
+rule_input(argument) := test_data.process_input_with_external_data("kubelet", [argument], {})
 
-rule_input_with_external(argument, external_data) = test_data.process_input_with_external_data("kubelet", [argument], external_data)
+rule_input_with_external(argument, external_data) := test_data.process_input_with_external_data("kubelet", [argument], external_data)
 
-create_process_config(port) = {"config": {"readOnlyPort": port}}
+create_process_config(port) := {"config": {"readOnlyPort": port}}
 
 eval_fail if {
 	test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_5/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_5/rule.rego
index f51caefff5..2be7577466 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_5/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_5/rule.rego
@@ -4,15 +4,15 @@ import data.compliance.policy.process.ensure_arguments_and_config as audit
 import future.keywords.if
 
 # Ensure that the --streaming-connection-idle-timeout argument is not set to 0
-default rule_evaluation = true
+default rule_evaluation := true
 
-rule_evaluation = false if {
+rule_evaluation := false if {
 	audit.process_contains_key_with_value("--streaming-connection-idle-timeout", "0")
 }
 
 # In case both flags and configuration file are specified, the executable argument takes precedence.
-rule_evaluation = false if {
+rule_evaluation := false if {
 	audit.not_process_arg_comparison("--streaming-connection-idle-timeout", ["streamingConnectionIdleTimeout"], 0)
 }
 
-finding = audit.finding(rule_evaluation)
+finding := audit.finding(rule_evaluation)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_5/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_5/test.rego
index 61e95a55a4..75466884cb 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_5/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_5/test.rego
@@ -24,11 +24,11 @@ test_not_evaluated if {
 	not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input_with_external_data("kubelet", [argument], {})
+rule_input(argument) := test_data.process_input_with_external_data("kubelet", [argument], {})
 
-rule_input_with_external(argument, external_data) = test_data.process_input_with_external_data("kubelet", [argument], external_data)
+rule_input_with_external(argument, external_data) := test_data.process_input_with_external_data("kubelet", [argument], external_data)
 
-create_process_config(connection_timeout) = {"config": {"streamingConnectionIdleTimeout": connection_timeout}}
+create_process_config(connection_timeout) := {"config": {"streamingConnectionIdleTimeout": connection_timeout}}
 
 eval_fail if {
 	test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_6/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_6/rule.rego
index 9db49378b9..c8b2510125 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_6/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_6/rule.rego
@@ -4,7 +4,7 @@ import data.compliance.policy.process.ensure_arguments_and_config as audit
 import future.keywords.if
 
 # Ensure that the protectKernelDefaults argument is set to true
-default rule_evaluation = false
+default rule_evaluation := false
 
 # Ensure that the --protect-kernel-defaults argument is set to true
 rule_evaluation if {
@@ -16,4 +16,4 @@ rule_evaluation if {
 	audit.not_process_arg_variable("--protect-kernel-defaults", ["protectKernelDefaults"])
 }
 
-finding = audit.finding(rule_evaluation)
+finding := audit.finding(rule_evaluation)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_6/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_6/test.rego
index e1abca5e5e..f7f9f01a9f 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_6/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_6/test.rego
@@ -22,11 +22,11 @@ test_not_evaluated if {
 	not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("kubelet", [argument])
+rule_input(argument) := test_data.process_input("kubelet", [argument])
 
-rule_input_with_external(argument, external_data) = test_data.process_input_with_external_data("kubelet", [argument], external_data)
+rule_input_with_external(argument, external_data) := test_data.process_input_with_external_data("kubelet", [argument], external_data)
 
-create_process_config(kernel_protection_enabled) = {"config": {"protectKernelDefaults": kernel_protection_enabled}}
+create_process_config(kernel_protection_enabled) := {"config": {"protectKernelDefaults": kernel_protection_enabled}}
 
 eval_fail if {
 	test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_7/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_7/rule.rego
index 039a9af4a2..a56c585b1c 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_7/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_7/rule.rego
@@ -4,16 +4,16 @@ import data.compliance.policy.process.ensure_arguments_and_config as audit
 import future.keywords.if
 
 # Ensure that the --make-iptables-util-chains argument is set to true (Automated)
-default rule_evaluation = true
+default rule_evaluation := true
 
-rule_evaluation = false if {
+rule_evaluation := false if {
 	audit.process_contains_key_with_value("--make-iptables-util-chains", "false")
 }
 
 # In case both flags and configuration file are specified, the executable argument takes precedence.
 # Checks that the entry for makeIPTablesUtilChains is set to true.
-rule_evaluation = false if {
+rule_evaluation := false if {
 	audit.not_process_arg_comparison("--make-iptables-util-chains", ["makeIPTablesUtilChains"], false)
 }
 
-finding = audit.finding(rule_evaluation)
+finding := audit.finding(rule_evaluation)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_7/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_7/test.rego
index f4f62bf9f8..0901ec597b 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_7/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_7/test.rego
@@ -23,11 +23,11 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input("kubelet", [argument])
+rule_input(argument) := test_data.process_input("kubelet", [argument])
 
-rule_input_with_external(argument, external_data) = test_data.process_input_with_external_data("kubelet", [argument], external_data)
+rule_input_with_external(argument, external_data) := test_data.process_input_with_external_data("kubelet", [argument], external_data)
 
-create_process_config(makeIPTablesUtilChains) = {"config": {"makeIPTablesUtilChains": makeIPTablesUtilChains}}
+create_process_config(makeIPTablesUtilChains) := {"config": {"makeIPTablesUtilChains": makeIPTablesUtilChains}}
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_8/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_8/rule.rego
index f30cbc6d82..36b1da249a 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_8/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_8/rule.rego
@@ -4,11 +4,11 @@ import data.compliance.policy.process.ensure_arguments_and_config as audit
 import future.keywords.if
 
 # Ensure that the --hostname-override argument is not set.
-default rule_evaluation = true
+default rule_evaluation := true
 
 # Note This setting is not configurable via the Kubelet config file.
-rule_evaluation = false if {
+rule_evaluation := false if {
 audit.process_contains_key("--hostname-override")
 }
 
-finding = audit.finding(rule_evaluation)
+finding := audit.finding(rule_evaluation)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_8/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_8/test.rego
index 29bba7af4a..4ae977cfa4 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_8/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_8/test.rego
@@ -18,9 +18,9 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input_with_external_data("kubelet", [argument], {})
+rule_input(argument) := test_data.process_input_with_external_data("kubelet", [argument], {})
 
-rule_input_with_external(argument, external_data) = test_data.process_input_with_external_data("kubelet", [argument], external_data)
+rule_input_with_external(argument, external_data) := test_data.process_input_with_external_data("kubelet", [argument], external_data)
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_9/rule.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_9/rule.rego
index c5c8596575..9f8bf2801d 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_9/rule.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_9/rule.rego
@@ -4,7 +4,7 @@ import data.compliance.policy.process.ensure_arguments_and_config as audit
 import future.keywords.if
 
 # Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture
-default rule_evaluation = false
+default rule_evaluation := false
 
 rule_evaluation if {
 audit.process_contains_key_with_value("--event-qps", "0")
@@ -14,4 +14,4 @@ rule_evaluation if {
 audit.not_process_key_comparison("--event-qps", ["eventRecordQPS"], 0)
 }
 
-finding = audit.finding(rule_evaluation)
+finding := audit.finding(rule_evaluation)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_9/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_9/test.rego
index 9e8ce55e6a..a5ca6198d3 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_9/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_4_2_9/test.rego
@@ -24,11 +24,11 @@ test_not_evaluated if {
 not_eval with input as test_data.process_input("some_process", [])
 }
 
-rule_input(argument) = test_data.process_input_with_external_data("kubelet", [argument], {})
+rule_input(argument) := test_data.process_input_with_external_data("kubelet", [argument], {})
 
-rule_input_with_external(argument, external_data) = test_data.process_input_with_external_data("kubelet", [argument], external_data)
+rule_input_with_external(argument, external_data) := test_data.process_input_with_external_data("kubelet", [argument], external_data)
 
-create_process_config(eventRecordQPS) = {"config": {"eventRecordQPS": eventRecordQPS}}
+create_process_config(eventRecordQPS) := {"config": {"eventRecordQPS": eventRecordQPS}}
 
 eval_fail if {
 test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_5_1_3/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_5_1_3/test.rego
index 35764f809a..83eb1eb405 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_5_1_3/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_5_1_3/test.rego
@@ -43,6 +43,6 @@ test_not_evaluated if {
 not finding with input as test_data.not_evaluated_kube_api_input
 }
 
-rule_input(kind, rules) = test_data.kube_api_role_input(kind, rules)
+rule_input(kind, rules) := test_data.kube_api_role_input(kind, rules)
 
-rule(api_group, resource, verb) = test_data.kube_api_role_rule(api_group, resource, verb)
+rule(api_group, resource, verb) := test_data.kube_api_role_rule(api_group, resource, verb)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_10/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_10/test.rego
index 9ce1121140..4c6e1f5e27 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_10/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_10/test.rego
@@ -19,27 +19,27 @@ test_not_evaluated if {
 not finding with input as test_data.not_evaluated_kube_api_input
 }
 
-rule_input(resource) = test_data.kube_api_input(resource)
+rule_input(resource) := test_data.kube_api_input(resource)
 
-violating_psp = {
+violating_psp := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {"containers": [{"securityContext": {"capabilities": {"add": ["NET_RAW"]}}}]},
 }
 
-non_violating_psp = {
+non_violating_psp := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {"containers": [{"securityContext": {}}]},
 }
 
-non_violating_psp2 = {
+non_violating_psp2 := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {"containers": [{"securityContext": {"capabilities": {}}}]},
 }
 
-non_violating_psp3 = {
+non_violating_psp3 := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {"containers": [{"securityContext": {"capabilities": {"drop": ["ALL"]}}}]},
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_2/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_2/test.rego
index d96bcd2122..057ecc30a5 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_2/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_2/test.rego
@@ -24,15 +24,15 @@ test_not_evaluated if {
 not finding with input as {"type": "no-kube-api"}
 }
 
-rule_input(resource) = test_data.kube_api_input(resource)
+rule_input(resource) := test_data.kube_api_input(resource)
 
-violating_psp = {
+violating_psp := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {"containers": [{"name": "container_1", "securityContext": {"privileged": true}}]},
 }
 
-violating_psp2 = {
+violating_psp2 := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {"containers": [
@@ -41,7 +41,7 @@ violating_psp2 = {
 ]},
 }
 
-violating_psp3 = {
+violating_psp3 := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {"containers": [
@@ -50,7 +50,7 @@ violating_psp3 = {
 ]},
 }
 
-violating_psp4 = {
+violating_psp4 := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {"containers": [
@@ -60,7 +60,7 @@ violating_psp4 = {
 ]},
 }
 
-violating_psp5 = {
+violating_psp5 := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {
@@ -73,7 +73,7 @@ violating_psp5 = {
 },
 }
 
-violating_psp6 = {
+violating_psp6 := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {
@@ -85,7 +85,7 @@ violating_psp6 = {
 },
 }
 
-violating_psp7 = {
+violating_psp7 := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {
@@ -98,19 +98,19 @@ violating_psp7 = {
 },
 }
 
-non_violating_psp = {
+non_violating_psp := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {"containers": [{"name": "container_1", "securityContext": {"privileged": false}}]},
 }
 
-non_violating_psp2 = {
+non_violating_psp2 := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {"containers": [{"name": "container_1", "securityContext": {}}]},
 }
 
-non_violating_psp3 = {
+non_violating_psp3 := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {
@@ -119,7 +119,7 @@ non_violating_psp3 = {
 },
 }
 
-non_violating_psp4 = {
+non_violating_psp4 := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_3/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_3/test.rego
index fa7bf74ddf..533e23a2dc 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_3/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_3/test.rego
@@ -17,21 +17,21 @@ test_not_evaluated if {
 not finding with input as {"type": "no-kube-api"}
 }
 
-rule_input(resource) = test_data.kube_api_input(resource)
+rule_input(resource) := test_data.kube_api_input(resource)
 
-violating_psp = {
+violating_psp := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {"hostPID": true},
 }
 
-non_violating_psp = {
+non_violating_psp := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {},
 }
 
-non_violating_psp2 = {
+non_violating_psp2 := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {"hostPID": false},
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_4/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_4/test.rego
index 06fba92d01..7ddbe975be 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_4/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_4/test.rego
@@ -17,21 +17,21 @@ test_not_evaluated if {
 not finding with input as {"type": "no-kube-api"}
 }
 
-rule_input(resource) = test_data.kube_api_input(resource)
+rule_input(resource) := test_data.kube_api_input(resource)
 
-violating_psp = {
+violating_psp := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {"hostIPC": true},
 }
 
-non_violating_psp = {
+non_violating_psp := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {},
 }
 
-non_violating_psp2 = {
+non_violating_psp2 := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {"hostIPC": false},
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_5/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_5/test.rego
index cebb5b474e..0e4722ff2c 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_5/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_5/test.rego
@@ -17,21 +17,21 @@ test_not_evaluated if {
 not finding with input as {"type": "no-kube-api"}
 }
 
-rule_input(resource) = test_data.kube_api_input(resource)
+rule_input(resource) := test_data.kube_api_input(resource)
 
-violating_psp = {
+violating_psp := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {"hostNetwork": true},
 }
 
-non_violating_psp = {
+non_violating_psp := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {},
 }
 
-non_violating_psp2 = {
+non_violating_psp2 := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {"hostNetwork": false},
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_6/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_6/test.rego
index ac630bdb57..a743cb417c 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_6/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_6/test.rego
@@ -20,15 +20,15 @@ test_not_evaluated if {
 not finding with input as {"type": "no-kube-api"}
 }
 
-rule_input(resource) = test_data.kube_api_input(resource)
+rule_input(resource) := test_data.kube_api_input(resource)
 
-violating_psp = {
+violating_psp := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {"containers": [{"name": "container_1", "securityContext": {"allowPrivilegeEscalation": true}}]},
 }
 
-violating_psp2 = {
+violating_psp2 := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {"containers": [
@@ -37,7 +37,7 @@ violating_psp2 = {
 ]},
 }
 
-violating_psp3 = {
+violating_psp3 := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {"containers": [
@@ -46,7 +46,7 @@ violating_psp3 = {
 ]},
 }
 
-violating_psp4 = {
+violating_psp4 := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {"containers": [
@@ -56,13 +56,13 @@ violating_psp4 = {
 ]},
 }
 
-non_violating_psp = {
+non_violating_psp := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {"containers": [{"name": "container_1", "securityContext": {"allowPrivilegeEscalation": false}}]},
 }
 
-non_violating_psp2 = {
+non_violating_psp2 := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {"containers": [{"name": "container_1", "securityContext": {}}]},
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_7/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_7/test.rego
index 80a1d6cbee..785cbcb751 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_7/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_7/test.rego
@@ -19,9 +19,9 @@ test_not_evaluated if {
 not finding with input as {"type": "no-kube-api"}
 }
 
-rule_input(resource) = test_data.kube_api_input(resource)
+rule_input(resource) := test_data.kube_api_input(resource)
 
-violating_psp = {
+violating_psp := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {"runAsUser": {
@@ -33,13 +33,13 @@ violating_psp = {
 }},
 }
 
-violating_psp2 = {
+violating_psp2 := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {"containers": [{"name": "container_1", "securityContext": {"runAsUser": 0}}]},
 }
 
-violating_psp3 = {
+violating_psp3 := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {
@@ -54,7 +54,7 @@ violating_psp3 = {
 },
 }
 
-non_violating_psp = {
+non_violating_psp := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {"runAsUser": {
@@ -66,7 +66,7 @@ non_violating_psp = {
 }},
 }
 
-non_violating_psp2 = {
+non_violating_psp2 := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {"runAsUser": {"rule": "MustRunAsNonRoot"}},
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_8/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_8/test.rego
index 1dfe7c074d..4fea95ac17 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_8/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_8/test.rego
@@ -21,4 +21,4 @@ test_not_evaluated if {
 not finding with input as {"type": "k8s_object", "resource": {"kind": "Node"}}
 }
 
-rule_input(resource) = test_data.kube_api_input(resource)
+rule_input(resource) := test_data.kube_api_input(resource)
diff --git a/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_9/test.rego b/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_9/test.rego
index 49da5865dc..5f2c469bcb 100644
--- a/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_9/test.rego
+++ b/security-policies/bundle/compliance/cis_k8s/rules/cis_5_2_9/test.rego
@@ -17,21 +17,21 @@ test_not_evaluated if {
 not finding with input as {"type": "no-kube-api"}
 }
 
-rule_input(resource) = test_data.kube_api_input(resource)
+rule_input(resource) := test_data.kube_api_input(resource)
 
-violating_psp = {
+violating_psp := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {"allowedCapabilities": ["ALL"]},
 }
 
-non_violating_psp = {
+non_violating_psp := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {},
 }
 
-non_violating_psp2 = {
+non_violating_psp2 := {
 "kind": "Pod",
 "metadata": {"uid": "00000aa0-0aa0-00aa-00aa-00aa000a0000"},
 "spec": {"allowedCapabilities": []},
diff --git a/security-policies/bundle/compliance/kubernetes_common/test_data.rego b/security-policies/bundle/compliance/kubernetes_common/test_data.rego
index 3b94c5e56d..0a6027662d 100644
--- a/security-policies/bundle/compliance/kubernetes_common/test_data.rego
+++ b/security-policies/bundle/compliance/kubernetes_common/test_data.rego
@@ -3,19 +3,19 @@ package kubernetes_common.test_data
 # input test data generater
 
 # input data that should not get evaluated
-not_evaluated_input = {
+not_evaluated_input := {
 "type": "input",
 "resource": {"kind": "some_kind"},
 }
 
 # kube-api input data that should not get evaluated
-not_evaluated_kube_api_input = {
+not_evaluated_kube_api_input := {
 "type": "k8s_object",
 "resource": {"kind": "some_kind"},
 }
 
 # genrates `file` type input data
-filesystem_input(filename, mode, user, group) = {
+filesystem_input(filename, mode, user, group) := {
 "type": "file",
 "resource": {
 "path": sprintf("file/path/%s", [filename]),
@@ -27,10 +27,10 @@ filesystem_input(filename, mode, user, group) = {
 }
 
 # genrates `process` type input data
-process_input(process_name, arguments) = process_input_with_external_data(process_name, arguments, {})
+process_input(process_name, arguments) := process_input_with_external_data(process_name, arguments, {})
 
 # genrates `process` type input data
-process_input_with_external_data(process_name, arguments, external_data) = {
+process_input_with_external_data(process_name, arguments, external_data) := {
 "type": "process",
 "resource": {
 "command": concat(" ", array.concat([process_name], arguments)),
@@ -39,18 +39,18 @@ process_input_with_external_data(process_name, arguments, external_data) = {
 },
 }
 
-kube_api_input(resource) = {
+kube_api_input(resource) := {
 "type": "k8s_object",
 "resource": resource,
 }
 
-kube_api_role_rule(api_group, resource, verb) = {
+kube_api_role_rule(api_group, resource, verb) := {
 "apiGroups": api_group,
 "resources": resource,
 "verbs": verb,
 }
 
-kube_api_role_input(kind, rules) = {
+kube_api_role_input(kind, rules) := {
 "type": "k8s_object",
 "resource": {
 "kind": kind,
@@ -59,7 +59,7 @@ kube_api_role_input(kind, rules) = {
 },
 }
 
-kube_api_pod_input(pod_name, service_account, automount_setting) = {
+kube_api_pod_input(pod_name, service_account, automount_setting) := {
 "type": "k8s_object",
 "resource": {
 "kind": "Pod",
@@ -72,7 +72,7 @@ kube_api_pod_input(pod_name, service_account, automount_setting) = {
 },
 }
 
-kube_api_service_account_input(name, automount_setting) = {
+kube_api_service_account_input(name, automount_setting) := {
 "type": "k8s_object",
 "resource": {
 "kind": "ServiceAccount",
@@ -81,7 +81,7 @@ kube_api_service_account_input(name, automount_setting) = {
 },
 }
 
-pod_security_ctx(entry) = {
+pod_security_ctx(entry) := {
 "kind": "Pod",
 "metadata": {"name": "pod-name"},
 "spec": entry,
diff --git a/security-policies/bundle/compliance/lib/assert.rego b/security-policies/bundle/compliance/lib/assert.rego
index 89c8bde486..c26eb4946a 100644
--- a/security-policies/bundle/compliance/lib/assert.rego
+++ b/security-policies/bundle/compliance/lib/assert.rego
@@ -11,7 +11,7 @@ is_true(value) if {
 # regal ignore:equals-pattern-matching
 is_false(value) if {
 value == false
-} else = false
+} else := false
 
 all_true(values) if {
 not some_false(values)
@@ -33,4 +33,4 @@ some_true(values) if {
 
 array_is_empty(array) if {
 count(array) == 0
-} else = false
+} else := false
diff --git a/security-policies/bundle/compliance/lib/common/common.rego b/security-policies/bundle/compliance/lib/common/common.rego
index d93d3afdf0..df0fa4e29d 100644
--- a/security-policies/bundle/compliance/lib/common/common.rego
+++ b/security-policies/bundle/compliance/lib/common/common.rego
@@ -6,33 +6,33 @@ import future.keywords.in
 
 # get OPA version
 opa_version := opa.runtime().version
 
-metadata = {
+metadata := {
 "opa_version": opa_version,
 "policy_version": "1.0.0",
 }
 
 current_date := create_date_from_ns(time.now_ns())
 
-past_date = "2021-12-25T12:43:00+00:00"
+past_date := "2021-12-25T12:43:00+00:00"
 
-create_date_from_ns(x) = time_str if {
+create_date_from_ns(x) := time_str if {
 date := time.date(x)
 t := time.clock(x)
 time_str := sprintf("%d-%02d-%02dT%02d:%02d:%02d+00:00", array.concat(date, t))
 }
 
-ConvertDaysToHours(duration) = result if {
+ConvertDaysToHours(duration) := result if {
 suffix := "d"
 contains(duration, suffix)
 days := trim_suffix(duration, suffix)
 result = sprintf("%dh", [to_number(days) * 24])
-} else = duration
+} else := duration
 
 # set the rule result
-calculate_result(evaluation) = "passed" if {
+calculate_result(evaluation) := "passed" if {
 evaluation
-} else = "failed"
+} else := "failed"
 
 # Safely evaluate evidence. In case a key is undefined, it will be defaulted.
 # keypaths is an object defined as {str: array}
@@ -42,22 +42,22 @@ collect_evidence(resource, key_paths) := {key: evidence |
 }
 
 # If value is not an array, enclose it in one
-ensure_array(value) = [value] if {
+ensure_array(value) := [value] if {
 not is_array(value)
-} else = value
+} else := value
 
 contains_key(object, key) if {
 object[key]
-} else = false
+} else := false
 
 contains_key_with_value(object, key, value) if {
 object[key] = value
-} else = false
+} else := false
 
 # checks if a value is greater or equals to a minimum value
 greater_or_equal(value, minimum) if {
 to_number(value) >= minimum
-} else = false
+} else := false
 
 # checks if duration is less than some maximum value
 # duration: string (https://pkg.go.dev/time#ParseDuration)
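Review bot: The migration stops at the rule heads in common.rego: inside `ConvertDaysToHours` the body still binds its result with unification, `result = sprintf("%dh", [to_number(days) * 24])`, and the `@@ -97,7` hunk of the same file keeps `now = time.now_ns()` in `date_within_duration`. Both bind a fresh local, so `result := sprintf("%dh", [to_number(days) * 24])` and `now := time.now_ns()` would make the bodies consistent with the heads this commit rewrites. `object[key] = value` in `contains_key_with_value` reads as deliberate unification against an already-bound argument, so it should stay `=` (or become `==`), not `:=`. The `collect_evidence` comprehension between the two hunks is not visible here.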
@@ -65,7 +65,7 @@ duration_lt(duration, max_duration) if {
 duration_ns := time.parse_duration_ns(duration)
 max_duration_ns := time.parse_duration_ns(max_duration)
 duration_ns < max_duration_ns
-} else = false
+} else := false
 
 # checks if duration is less than some maximum value
 # duration: string (https://pkg.go.dev/time#ParseDuration)
@@ -73,7 +73,7 @@ duration_lte(duration, max_duration) if {
 duration_ns := time.parse_duration_ns(duration)
 max_duration_ns := time.parse_duration_ns(max_duration)
 duration_ns <= max_duration_ns
-} else = false
+} else := false
 
 # checks if duration is greater than some minimum value
 # duration: string (https://pkg.go.dev/time#ParseDuration)
@@ -81,7 +81,7 @@ duration_gt(duration, min_duration) if {
 duration_ns := time.parse_duration_ns(duration)
 min_duration_ns := time.parse_duration_ns(min_duration)
 duration_ns > min_duration_ns
-} else = false
+} else := false
 
 # checks if duration is greater or equal to some minimum value
 # duration: string (https://pkg.go.dev/time#ParseDuration)
@@ -89,7 +89,7 @@ duration_gte(duration, min_duration) if {
 duration_ns := time.parse_duration_ns(duration)
 min_duration_ns := time.parse_duration_ns(min_duration)
 duration_ns >= min_duration_ns
-} else = false
+} else := false
 
 # The function determines whether the given date occurs within the provided time period.
 # date: time in nanoseconds
@@ -97,7 +97,7 @@ date_within_duration(date, duration) if {
 now = time.now_ns()
 duration_ns := time.parse_duration_ns(duration)
 date > now - duration_ns
-} else = false
+} else := false
 
 ranges_smaller_than(ranges, value) if {
 range := ranges[_]
diff --git a/security-policies/bundle/compliance/lib/output_validations/output_validations.rego b/security-policies/bundle/compliance/lib/output_validations/output_validations.rego
index e62eeba7e8..68a03aa524 100644
--- a/security-policies/bundle/compliance/lib/output_validations/output_validations.rego
+++ b/security-policies/bundle/compliance/lib/output_validations/output_validations.rego
@@ -28,7 +28,7 @@ validate_common_provider_metadata(metadata) if {
 
 validate_metadata(metadata) if {
 validate_common_provider_metadata(metadata)
-} else = false
+} else := false
 
 # validate every rule metadata
 test_validate_rule_metadata if {
diff --git a/security-policies/bundle/compliance/main.rego b/security-policies/bundle/compliance/main.rego
index 529fdbfafb..2b1e64fd28 100644
--- a/security-policies/bundle/compliance/main.rego
+++ b/security-policies/bundle/compliance/main.rego
@@ -6,11 +6,11 @@ import future.keywords.if
 
 # input contains the resource and the configuration
 # output is findings
-resource = input.resource
+resource := input.resource
 
 # METADATA
 # entrypoint: true
-findings = f if {
+findings := f if {
 # iterate over activated benchmark rules
 benchmark := input.benchmark
@@ -24,7 +24,7 @@ findings = f if {
 }
 }
 
-findings = f if {
+findings := f if {
 not input.benchmark
 
 # aggregate findings from all benchmarks
@@ -37,4 +37,4 @@ findings = f if {
 }
 }
 
-metadata = common.metadata
+metadata := common.metadata
diff --git a/security-policies/bundle/compliance/policy/aws_cloudtrail/data_adapter.rego b/security-policies/bundle/compliance/policy/aws_cloudtrail/data_adapter.rego
index 614e9f2767..088073de17 100644
--- a/security-policies/bundle/compliance/policy/aws_cloudtrail/data_adapter.rego
+++ b/security-policies/bundle/compliance/policy/aws_cloudtrail/data_adapter.rego
@@ -10,12 +10,12 @@ is_single_trail if {
 input.subType == "aws-trail"
 }
 
-trail = input.resource.Trail
+trail := input.resource.Trail
 
-trail_status = input.resource.Status
+trail_status := input.resource.Status
 
-trail_bucket_info = input.resource.bucket_info
+trail_bucket_info := input.resource.bucket_info
 
-event_selectors = input.resource.EventSelectors
+event_selectors := input.resource.EventSelectors
 
-trail_items = input.resource.Items
+trail_items := input.resource.Items
diff --git a/security-policies/bundle/compliance/policy/aws_cloudtrail/ensure_cloudwatch_integration.rego b/security-policies/bundle/compliance/policy/aws_cloudtrail/ensure_cloudwatch_integration.rego
index efa0a892fd..9a70f5d3fe 100644
--- a/security-policies/bundle/compliance/policy/aws_cloudtrail/ensure_cloudwatch_integration.rego
+++ b/security-policies/bundle/compliance/policy/aws_cloudtrail/ensure_cloudwatch_integration.rego
@@ -4,7 +4,7 @@ import data.compliance.lib.common
 import data.compliance.policy.aws_cloudtrail.data_adapter
 import future.keywords.if
 
-default ensure_cloudwatch_logs_enabled = false
+default ensure_cloudwatch_logs_enabled := false
 
 ensure_cloudwatch_logs_enabled if {
 data_adapter.trail.CloudWatchLogsLogGroupArn != ""
diff --git a/security-policies/bundle/compliance/policy/aws_cloudtrail/esure_no_public_accessibility.rego b/security-policies/bundle/compliance/policy/aws_cloudtrail/esure_no_public_accessibility.rego
index 7bc641089e..e2bc47dd2d 100644
--- a/security-policies/bundle/compliance/policy/aws_cloudtrail/esure_no_public_accessibility.rego
+++ b/security-policies/bundle/compliance/policy/aws_cloudtrail/esure_no_public_accessibility.rego
@@ -4,7 +4,7 @@ import data.compliance.policy.aws_cloudtrail.data_adapter
 import future.keywords.if
 import future.keywords.in
 
-default bucket_is_public = false
+default bucket_is_public := false
 
 # Bucket is public if any ACL grant grantee is `AllUsers`
 bucket_is_public if {
diff --git a/security-policies/bundle/compliance/policy/aws_cloudtrail/pattern.rego b/security-policies/bundle/compliance/policy/aws_cloudtrail/pattern.rego
index a820c9a752..629398f443 100644
--- a/security-policies/bundle/compliance/policy/aws_cloudtrail/pattern.rego
+++ b/security-policies/bundle/compliance/policy/aws_cloudtrail/pattern.rego
@@ -5,15 +5,15 @@ import future.keywords.if
 import future.keywords.in
 
 # get a filter from a trail has at least one metric filter pattern that matches at least one pattern
-get_filter_matched_to_pattern(trail, patterns) = name if {
+get_filter_matched_to_pattern(trail, patterns) := name if {
 some i, j
 filter := trail.MetricFilters[i]
 pattern := patterns[j]
 expressions_equivalent(filter.ParsedFilterPattern, pattern)
 name := filter.FilterName
-} else = ""
+} else := ""
 
-complex_expression(op, expressions) = {
+complex_expression(op, expressions) := {
 "ComparisonOperator": "",
 "Complex": true,
 "Expressions": expressions,
@@ -23,7 +23,7 @@ complex_expression(op, expressions) = {
 "Simple": false,
 }
 
-simple_expression(left, op, right) = {
+simple_expression(left, op, right) := {
 "ComparisonOperator": op,
 "Complex": false,
 "Expressions": null,
@@ -35,7 +35,7 @@ simple_expression(left, op, right) = {
 
 # Known limitations on checking expressions equivalence:
 # - It supports only two levels deep expressions (2 levels are as deep as our uses cases go)
-default expressions_equivalent(_, _) = false
+default expressions_equivalent(_, _) := false
 
 expressions_equivalent(exp1, exp2) if {
 compare_simple_expressions(exp1, exp2)
diff --git a/security-policies/bundle/compliance/policy/aws_cloudtrail/pattern_test.rego b/security-policies/bundle/compliance/policy/aws_cloudtrail/pattern_test.rego
index 796ba640dc..556f7b8e24 100644
--- a/security-policies/bundle/compliance/policy/aws_cloudtrail/pattern_test.rego
+++ b/security-policies/bundle/compliance/policy/aws_cloudtrail/pattern_test.rego
@@ -2,15 +2,15 @@ package compliance.policy.aws_cloudtrail.pattern import future.keywords.if -filter_1 = {"FilterPattern": "a=b", "FilterName": "filter_1"} +filter_1 := {"FilterPattern": "a=b", "FilterName": "filter_1"} -filter_2 = {"FilterPattern": "b=c", "FilterName": "filter_2"} +filter_2 := {"FilterPattern": "b=c", "FilterName": "filter_2"} -pattern_1 = "a=b" +pattern_1 := "a=b" -pattern_2 = "b=c" +pattern_2 := "b=c" -pattern_never_match = "not_match" +pattern_never_match := "not_match" test_pass if { get_filter_matched_to_pattern({"MetricFilters": [filter_1]}, [pattern_1]) diff --git a/security-policies/bundle/compliance/policy/aws_cloudtrail/verify_s3_object_logging.rego b/security-policies/bundle/compliance/policy/aws_cloudtrail/verify_s3_object_logging.rego index 7356acb6fd..6dc48be74e 100644 --- a/security-policies/bundle/compliance/policy/aws_cloudtrail/verify_s3_object_logging.rego +++ b/security-policies/bundle/compliance/policy/aws_cloudtrail/verify_s3_object_logging.rego @@ -21,4 +21,4 @@ ensure_s3_object_logging(allowed_types) if { partialARN := dataResource.Values[k] startswith(partialARN, "arn:aws:s3") -} else = false +} else := false diff --git a/security-policies/bundle/compliance/policy/aws_config/ensure_config_enabled.rego b/security-policies/bundle/compliance/policy/aws_config/ensure_config_enabled.rego index fdbd2f836f..6cdbf88645 100644 --- a/security-policies/bundle/compliance/policy/aws_config/ensure_config_enabled.rego +++ b/security-policies/bundle/compliance/policy/aws_config/ensure_config_enabled.rego @@ -5,7 +5,7 @@ import data.compliance.policy.aws_config.data_adapter import future.keywords.every import future.keywords.if -default rule_evaluation = false +default rule_evaluation := false rule_evaluation if { # every config needs to have at least 1 enabled recorder @@ -16,7 +16,7 @@ rule_evaluation if { } } -finding = result if { +finding := result if { data_adapter.is_configservice result := common.generate_result_without_expected( 
diff --git a/security-policies/bundle/compliance/policy/aws_ec2/data_adapter.rego b/security-policies/bundle/compliance/policy/aws_ec2/data_adapter.rego index 77d10acd82..8229528eb3 100644 --- a/security-policies/bundle/compliance/policy/aws_ec2/data_adapter.rego +++ b/security-policies/bundle/compliance/policy/aws_ec2/data_adapter.rego @@ -43,6 +43,6 @@ public_ipv4 := [entry | entry := security_groups_ip_permissions[_]; entry.IpRang # all the IpRangesv6 from security groups that has an open inbound for all ipv6 cidr notions public_ipv6 := [entry | entry := security_groups_ip_permissions[_]; entry.Ipv6Ranges[_].CidrIpv6 == "::/0"] -security_group_inbound_rules = input.resource.IpPermissions +security_group_inbound_rules := input.resource.IpPermissions -security_group_outbound_rules = input.resource.IpPermissionsEgress +security_group_outbound_rules := input.resource.IpPermissionsEgress diff --git a/security-policies/bundle/compliance/policy/aws_ec2/ensure_default_security_group_restricted.rego b/security-policies/bundle/compliance/policy/aws_ec2/ensure_default_security_group_restricted.rego index 29e6b20d25..75fbe60b62 100644 --- a/security-policies/bundle/compliance/policy/aws_ec2/ensure_default_security_group_restricted.rego +++ b/security-policies/bundle/compliance/policy/aws_ec2/ensure_default_security_group_restricted.rego @@ -5,9 +5,9 @@ import data.compliance.lib.common import data.compliance.policy.aws_ec2.data_adapter import future.keywords.if -default rule_evaluation = false +default rule_evaluation := false -finding = result if { +finding := result if { # filter data_adapter.is_security_group_policy data_adapter.is_default_security_group diff --git a/security-policies/bundle/compliance/policy/aws_ec2/ensure_public_ingress.rego b/security-policies/bundle/compliance/policy/aws_ec2/ensure_public_ingress.rego index 05fe587809..6d04f3fe3a 100644 --- a/security-policies/bundle/compliance/policy/aws_ec2/ensure_public_ingress.rego 
+++ b/security-policies/bundle/compliance/policy/aws_ec2/ensure_public_ingress.rego @@ -6,9 +6,9 @@ import data.compliance.policy.aws_ec2.ports import future.keywords.every import future.keywords.if -default rule_evaluation = false +default rule_evaluation := false -finding = result if { +finding := result if { # filter data_adapter.is_nacl_policy diff --git a/security-policies/bundle/compliance/policy/aws_ec2/ensure_security_group_public_ingress_ipv4.rego b/security-policies/bundle/compliance/policy/aws_ec2/ensure_security_group_public_ingress_ipv4.rego index fb72ab39fd..36bc5ec1f6 100644 --- a/security-policies/bundle/compliance/policy/aws_ec2/ensure_security_group_public_ingress_ipv4.rego +++ b/security-policies/bundle/compliance/policy/aws_ec2/ensure_security_group_public_ingress_ipv4.rego @@ -6,9 +6,9 @@ import data.compliance.policy.aws_ec2.ports import future.keywords.every import future.keywords.if -default rule_evaluation = false +default rule_evaluation := false -finding = result if { +finding := result if { # filter data_adapter.is_security_group_policy diff --git a/security-policies/bundle/compliance/policy/aws_ec2/ensure_security_group_public_ingress_ipv6.rego b/security-policies/bundle/compliance/policy/aws_ec2/ensure_security_group_public_ingress_ipv6.rego index 935bf7ccc5..f74c64c09a 100644 --- a/security-policies/bundle/compliance/policy/aws_ec2/ensure_security_group_public_ingress_ipv6.rego +++ b/security-policies/bundle/compliance/policy/aws_ec2/ensure_security_group_public_ingress_ipv6.rego @@ -6,9 +6,9 @@ import data.compliance.policy.aws_ec2.ports import future.keywords.every import future.keywords.if -default rule_evaluation = false +default rule_evaluation := false -finding = result if { +finding := result if { # filter data_adapter.is_security_group_policy diff --git a/security-policies/bundle/compliance/policy/aws_ec2/ports.rego b/security-policies/bundle/compliance/policy/aws_ec2/ports.rego index 403d8c737e..a60ba682fa 100644 
--- a/security-policies/bundle/compliance/policy/aws_ec2/ports.rego +++ b/security-policies/bundle/compliance/policy/aws_ec2/ports.rego @@ -4,10 +4,10 @@ import future.keywords.if # Admin ports are network ports that are reserved for use by system administrators to manage servers and other network devices. # These ports are typically used for remote management, monitoring, and control of devices over a network -admin_ports = {22, 23, 25, 53, 80, 110, 143, 389, 443, 465, 587, 636, 993, 995, 3389} +admin_ports := {22, 23, 25, 53, 80, 110, 143, 389, 443, 465, 587, 636, 993, 995, 3389} # check whether a given value (candidate) is within a range of values specified by from and to in_range(from, to, candidate) if { candidate >= from candidate <= to -} else = false +} else := false diff --git a/security-policies/bundle/compliance/policy/aws_ecr/data_adapter.rego b/security-policies/bundle/compliance/policy/aws_ecr/data_adapter.rego index 8c328bca5f..187e0cf212 100644 --- a/security-policies/bundle/compliance/policy/aws_ecr/data_adapter.rego +++ b/security-policies/bundle/compliance/policy/aws_ecr/data_adapter.rego @@ -6,8 +6,8 @@ is_aws_ecr if { input.subType == "aws-ecr" } -cluster = input.resource.Cluster +cluster := input.resource.Cluster -image_scan_config = input.resource.ImageScanningConfiguration +image_scan_config := input.resource.ImageScanningConfiguration -repository_name = input.resource.RepositoryName +repository_name := input.resource.RepositoryName diff --git a/security-policies/bundle/compliance/policy/aws_ecr/ensure_image_scan.rego b/security-policies/bundle/compliance/policy/aws_ecr/ensure_image_scan.rego index e613365091..46bf387ecc 100644 --- a/security-policies/bundle/compliance/policy/aws_ecr/ensure_image_scan.rego +++ b/security-policies/bundle/compliance/policy/aws_ecr/ensure_image_scan.rego 
@@ -4,7 +4,7 @@ import data.compliance.lib.common as lib_common import data.compliance.policy.aws_ecr.data_adapter import future.keywords.if -finding = result if { +finding := result if { data_adapter.is_aws_ecr rule_evaluation := data_adapter.image_scan_config.ScanOnPush diff --git a/security-policies/bundle/compliance/policy/aws_eks/data_adapter.rego b/security-policies/bundle/compliance/policy/aws_eks/data_adapter.rego index 5b8d68bf78..ab85c0bc7e 100644 --- a/security-policies/bundle/compliance/policy/aws_eks/data_adapter.rego +++ b/security-policies/bundle/compliance/policy/aws_eks/data_adapter.rego @@ -6,4 +6,4 @@ is_aws_eks if { input.subType == "aws-eks" } -cluster = input.resource.Cluster +cluster := input.resource.Cluster diff --git a/security-policies/bundle/compliance/policy/aws_eks/ensure_encryption.rego b/security-policies/bundle/compliance/policy/aws_eks/ensure_encryption.rego index 1ff5699026..a890307b01 100644 --- a/security-policies/bundle/compliance/policy/aws_eks/ensure_encryption.rego +++ b/security-policies/bundle/compliance/policy/aws_eks/ensure_encryption.rego @@ -8,10 +8,10 @@ import future.keywords.if is_encrypted(cluster) if { cluster.EncryptionConfig count(cluster.EncryptionConfig) > 0 -} else = false +} else := false # Ensure there Kuberenetes secrets are encrypted -finding = result if { +finding := result if { # filter data_adapter.is_aws_eks diff --git a/security-policies/bundle/compliance/policy/aws_eks/ensure_logs_enabled.rego b/security-policies/bundle/compliance/policy/aws_eks/ensure_logs_enabled.rego index 3edff91de3..1c6fa774c8 100644 --- a/security-policies/bundle/compliance/policy/aws_eks/ensure_logs_enabled.rego +++ b/security-policies/bundle/compliance/policy/aws_eks/ensure_logs_enabled.rego @@ -6,7 +6,7 @@ import data.compliance.policy.aws_eks.data_adapter import future.keywords.if # Ensure that all audit logs are enabled -finding = result if { +finding := result if { # filter data_adapter.is_aws_eks 
diff --git a/security-policies/bundle/compliance/policy/aws_eks/ensure_private_access.rego b/security-policies/bundle/compliance/policy/aws_eks/ensure_private_access.rego index f30a19dd40..1f72423186 100644 --- a/security-policies/bundle/compliance/policy/aws_eks/ensure_private_access.rego +++ b/security-policies/bundle/compliance/policy/aws_eks/ensure_private_access.rego @@ -8,7 +8,7 @@ import future.keywords.if is_only_private(cluster, cidr_allowed) if { cluster.ResourcesVpcConfig.EndpointPrivateAccess public_access_is_restricted(cluster, cidr_allowed) -} else = false +} else := false public_access_is_restricted(cluster, _) if { not cluster.ResourcesVpcConfig.EndpointPublicAccess @@ -27,7 +27,7 @@ public_access_is_restricted(cluster, cidr_allowed) if { } # Ensure there Kuberenetes endpoint private access is enabled -finding(cidr_allowed) = result if { +finding(cidr_allowed) := result if { # filter data_adapter.is_aws_eks @@ -47,7 +47,7 @@ finding(cidr_allowed) = result if { ) } -cidr_evidence(config, cidr_allowed) = result if { +cidr_evidence(config, cidr_allowed) := result if { cidr_allowed result := {"public_access_cidrs": config.PublicAccessCidrs} -} else = {} +} else := {} diff --git a/security-policies/bundle/compliance/policy/aws_elb/data_adapter.rego b/security-policies/bundle/compliance/policy/aws_elb/data_adapter.rego index fdd37ad708..e1f507e65d 100644 --- a/security-policies/bundle/compliance/policy/aws_elb/data_adapter.rego +++ b/security-policies/bundle/compliance/policy/aws_elb/data_adapter.rego @@ -6,8 +6,8 @@ is_aws_elb if { input.subType == "aws-elb" } -cluster = input.resource.Cluster +cluster := input.resource.Cluster -listener_descriptions = input.resource.ListenerDescriptions +listener_descriptions := input.resource.ListenerDescriptions -load_balancer_name = input.resource.LoadBalancerName +load_balancer_name := input.resource.LoadBalancerName 
diff --git a/security-policies/bundle/compliance/policy/aws_iam/common.rego b/security-policies/bundle/compliance/policy/aws_iam/common.rego index cb905cf440..12f9b1c476 100644 --- a/security-policies/bundle/compliance/policy/aws_iam/common.rego +++ b/security-policies/bundle/compliance/policy/aws_iam/common.rego @@ -8,4 +8,4 @@ are_credentials_within_duration(keys, field, duration) if { every key in keys { common.date_within_duration(time.parse_rfc3339_ns(key[field]), duration) } -} else = false +} else := false diff --git a/security-policies/bundle/compliance/policy/aws_iam/data_adapter.rego b/security-policies/bundle/compliance/policy/aws_iam/data_adapter.rego index f3b80f1eeb..51ae1ea432 100644 --- a/security-policies/bundle/compliance/policy/aws_iam/data_adapter.rego +++ b/security-policies/bundle/compliance/policy/aws_iam/data_adapter.rego @@ -34,22 +34,22 @@ is_access_analyzers if { input.subType == "aws-access-analyzers" } -pwd_policy = policy if { +pwd_policy := policy if { is_pwd_policy policy := input.resource } -iam_user = input.resource +iam_user := input.resource -policy_document = input.resource.document +policy_document := input.resource.document -roles = input.resource.roles +roles := input.resource.roles -server_certificates = input.resource.certificates +server_certificates := input.resource.certificates -analyzers = input.resource.Analyzers +analyzers := input.resource.Analyzers -analyzer_regions = input.resource.Regions +analyzer_regions := input.resource.Regions used_active_access_keys contains access_key if { access_key := iam_user.access_keys[_] diff --git a/security-policies/bundle/compliance/policy/aws_iam/ensure_access_keys_use.rego b/security-policies/bundle/compliance/policy/aws_iam/ensure_access_keys_use.rego index 3b8ff01a1d..2db01fee35 100644 --- a/security-policies/bundle/compliance/policy/aws_iam/ensure_access_keys_use.rego +++ b/security-policies/bundle/compliance/policy/aws_iam/ensure_access_keys_use.rego 
@@ -3,9 +3,9 @@ package compliance.policy.aws_iam.ensure_access_keys_use import data.compliance.policy.aws_iam.data_adapter import future.keywords.if -default ensure_access_keys_use = true +default ensure_access_keys_use := true -ensure_access_keys_use = false if { +ensure_access_keys_use := false if { data_adapter.iam_user.password_enabled key := data_adapter.active_access_keys[_] not key.has_used diff --git a/security-policies/bundle/compliance/policy/aws_iam/ensure_enabled_mfa.rego b/security-policies/bundle/compliance/policy/aws_iam/ensure_enabled_mfa.rego index 5f914e0c71..e0fbf64069 100644 --- a/security-policies/bundle/compliance/policy/aws_iam/ensure_enabled_mfa.rego +++ b/security-policies/bundle/compliance/policy/aws_iam/ensure_enabled_mfa.rego @@ -3,7 +3,7 @@ package compliance.policy.aws_iam.ensure_enabled_mfa import data.compliance.policy.aws_iam.data_adapter import future.keywords.if -default ensure_mfa_device = false +default ensure_mfa_device := false ensure_mfa_device if { data_adapter.iam_user.password_enabled diff --git a/security-policies/bundle/compliance/policy/aws_iam/ensure_hardware_mfa.rego b/security-policies/bundle/compliance/policy/aws_iam/ensure_hardware_mfa.rego index 0f43cc88d9..16f94dad60 100644 --- a/security-policies/bundle/compliance/policy/aws_iam/ensure_hardware_mfa.rego +++ b/security-policies/bundle/compliance/policy/aws_iam/ensure_hardware_mfa.rego @@ -3,7 +3,7 @@ package compliance.policy.aws_iam.ensure_hardware_mfa import data.compliance.policy.aws_iam.data_adapter import future.keywords.if -default ensure_hardware_mfa_device = false +default ensure_hardware_mfa_device := false # Only one MFA device can be received as input, # even if a user has multiple MFA devices linked to their account. diff --git a/security-policies/bundle/compliance/policy/aws_iam/validate_credentials.rego b/security-policies/bundle/compliance/policy/aws_iam/validate_credentials.rego index bd357c7248..0d51da6acc 100644 
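Review bot: The new `default ensure_access_keys_use := true` in ensure_access_keys_use.rego has the opposite polarity of every sibling module in this diff (`default ensure_mfa_device := false`, `default validate_credentials := false`, `default verify_rotation := false`), and nothing in the file says why this check is the one that passes when its inputs are absent. Since the rule body that flips it to false reads `data_adapter.iam_user.password_enabled`, `active_access_keys` and `key.has_used`, a missing or partially populated adapter yields a pass rather than a fail, which is worth stating next to the default, e.g. `# Fail-open by design: the check only fails when a console user holds an active access key that has never been used.` The rule body continues outside the hunk, so I cannot see whether a not-evaluated path already guards this.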
--- a/security-policies/bundle/compliance/policy/aws_iam/validate_credentials.rego +++ b/security-policies/bundle/compliance/policy/aws_iam/validate_credentials.rego @@ -5,9 +5,9 @@ import data.compliance.policy.aws_iam.common import data.compliance.policy.aws_iam.data_adapter import future.keywords.if -duration = sprintf("%dh", [45 * 24]) # 45 days converted to hours +duration := sprintf("%dh", [45 * 24]) # 45 days converted to hours -default validate_credentials = false +default validate_credentials := false # checks if the user has a password enabled and if the user's last access date is within the specified duration. validate_credentials if { diff --git a/security-policies/bundle/compliance/policy/aws_iam/verify_keys_rotation.rego b/security-policies/bundle/compliance/policy/aws_iam/verify_keys_rotation.rego index 57e60c7312..c4ccf3fe79 100644 --- a/security-policies/bundle/compliance/policy/aws_iam/verify_keys_rotation.rego +++ b/security-policies/bundle/compliance/policy/aws_iam/verify_keys_rotation.rego @@ -4,9 +4,9 @@ import data.compliance.policy.aws_iam.common import data.compliance.policy.aws_iam.data_adapter import future.keywords.if -duration = sprintf("%dh", [90 * 24]) # 90 days converted to hours +duration := sprintf("%dh", [90 * 24]) # 90 days converted to hours -default verify_rotation = false +default verify_rotation := false verify_rotation if { common.are_credentials_within_duration(data_adapter.active_access_keys, "rotation_date", duration) diff --git a/security-policies/bundle/compliance/policy/aws_iam/verify_user_usage.rego b/security-policies/bundle/compliance/policy/aws_iam/verify_user_usage.rego index 49d9885a17..f4f0749da6 100644 --- a/security-policies/bundle/compliance/policy/aws_iam/verify_user_usage.rego +++ b/security-policies/bundle/compliance/policy/aws_iam/verify_user_usage.rego 
@@ -4,7 +4,7 @@ import data.compliance.policy.aws_iam.common import data.compliance.policy.aws_iam.data_adapter import future.keywords.if -default verify_user_usage = false +default verify_user_usage := false verify_user_usage if { not common.are_credentials_within_duration(data_adapter.active_access_keys, "last_access", "24h") diff --git a/security-policies/bundle/compliance/policy/aws_kms/ensure_symmetric_key_rotation_enabled.rego b/security-policies/bundle/compliance/policy/aws_kms/ensure_symmetric_key_rotation_enabled.rego index 837ec3aa2d..7b4eea7363 100644 --- a/security-policies/bundle/compliance/policy/aws_kms/ensure_symmetric_key_rotation_enabled.rego +++ b/security-policies/bundle/compliance/policy/aws_kms/ensure_symmetric_key_rotation_enabled.rego @@ -4,13 +4,13 @@ import data.compliance.lib.common import data.compliance.policy.aws_kms.data_adapter import future.keywords.if -default rule_evaluation = false +default rule_evaluation := false rule_evaluation if { data_adapter.key_rotation_enabled == true } -finding = result if { +finding := result if { data_adapter.is_kms result := common.generate_result_without_expected( diff --git a/security-policies/bundle/compliance/policy/aws_rds/ensure_no_public_access.rego b/security-policies/bundle/compliance/policy/aws_rds/ensure_no_public_access.rego index d19b0f00f9..12defe8a55 100644 --- a/security-policies/bundle/compliance/policy/aws_rds/ensure_no_public_access.rego +++ b/security-policies/bundle/compliance/policy/aws_rds/ensure_no_public_access.rego @@ -5,7 +5,7 @@ import data.compliance.policy.aws_rds.data_adapter import future.keywords.if import future.keywords.in -default has_public_access = false +default has_public_access := false has_public_access if { data_adapter.publicly_accessible == true @@ -21,7 +21,7 @@ has_subnets_without_route_table if { subnets.RouteTable == null } -finding = result if { +finding := result if { data_adapter.is_rds not has_subnets_without_route_table 
diff --git a/security-policies/bundle/compliance/policy/aws_s3/ensure_block_public_access.rego b/security-policies/bundle/compliance/policy/aws_s3/ensure_block_public_access.rego index c76b863c8f..00cfc9c023 100644 --- a/security-policies/bundle/compliance/policy/aws_s3/ensure_block_public_access.rego +++ b/security-policies/bundle/compliance/policy/aws_s3/ensure_block_public_access.rego @@ -11,9 +11,9 @@ public_access_block_config_is_blocked(config) if { config.BlockPublicPolicy == true config.IgnorePublicAcls == true config.RestrictPublicBuckets == true -} else = false +} else := false -default rule_evaluation = false +default rule_evaluation := false # If we got public access block config for both account and bucket rule_evaluation if { @@ -39,7 +39,7 @@ rule_evaluation if { public_access_block_config_is_blocked(data_adapter.public_access_block_configuration) } -finding = result if { +finding := result if { data_adapter.is_s3 result := lib_common.generate_result_without_expected( diff --git a/security-policies/bundle/compliance/policy/aws_s3/ensure_bucket_policy_deny_http.rego b/security-policies/bundle/compliance/policy/aws_s3/ensure_bucket_policy_deny_http.rego index b6fc957e22..24f6f30c93 100644 --- a/security-policies/bundle/compliance/policy/aws_s3/ensure_bucket_policy_deny_http.rego +++ b/security-policies/bundle/compliance/policy/aws_s3/ensure_bucket_policy_deny_http.rego @@ -5,7 +5,7 @@ import data.compliance.policy.aws_s3.data_adapter import future.keywords.if import future.keywords.in -default rule_evaluation = false +default rule_evaluation := false rule_evaluation if { some statement in data_adapter.bucket_policy_statements @@ -15,7 +15,7 @@ rule_evaluation if { statement.Principal == "*" } -finding = result if { +finding := result if { data_adapter.is_s3 not data_adapter.bucket_policy == null 
diff --git a/security-policies/bundle/compliance/policy/aws_s3/ensure_encryption_at_rest.rego b/security-policies/bundle/compliance/policy/aws_s3/ensure_encryption_at_rest.rego index 8266cccae7..32cff3f7b9 100644 --- a/security-policies/bundle/compliance/policy/aws_s3/ensure_encryption_at_rest.rego +++ b/security-policies/bundle/compliance/policy/aws_s3/ensure_encryption_at_rest.rego @@ -4,7 +4,7 @@ import data.compliance.lib.common as lib_common import data.compliance.policy.aws_s3.data_adapter import future.keywords.if -default rule_evaluation = false +default rule_evaluation := false rule_evaluation if { data_adapter.sse_algorithm == "AES256" @@ -14,7 +14,7 @@ rule_evaluation if { data_adapter.sse_algorithm == "aws:kms" } -finding = result if { +finding := result if { data_adapter.is_s3 not data_adapter.sse_algorithm == null diff --git a/security-policies/bundle/compliance/policy/aws_s3/ensure_mfa_delete_enabled.rego b/security-policies/bundle/compliance/policy/aws_s3/ensure_mfa_delete_enabled.rego index 0acb2346c6..64e78449c2 100644 --- a/security-policies/bundle/compliance/policy/aws_s3/ensure_mfa_delete_enabled.rego +++ b/security-policies/bundle/compliance/policy/aws_s3/ensure_mfa_delete_enabled.rego @@ -4,7 +4,7 @@ import data.compliance.lib.common as lib_common import data.compliance.policy.aws_s3.data_adapter import future.keywords.if -default rule_evaluation = false +default rule_evaluation := false rule_evaluation if { bucket_versioning := data_adapter.bucket_versioning @@ -12,7 +12,7 @@ rule_evaluation if { bucket_versioning.MfaDelete == true } -finding = result if { +finding := result if { data_adapter.is_s3 not data_adapter.bucket_versioning == null diff --git a/security-policies/bundle/compliance/policy/aws_securityhub/data_adapter.rego b/security-policies/bundle/compliance/policy/aws_securityhub/data_adapter.rego index 58b2a77da1..dc1f31187c 100644 --- a/security-policies/bundle/compliance/policy/aws_securityhub/data_adapter.rego 
+++ b/security-policies/bundle/compliance/policy/aws_securityhub/data_adapter.rego @@ -6,4 +6,4 @@ is_securityhub_subType if { input.subType == "aws-securityhub" } -securityhub_resource = input.resource +securityhub_resource := input.resource diff --git a/security-policies/bundle/compliance/policy/azure/activity_log_alert/activity_log_alert_operation_enabled.rego b/security-policies/bundle/compliance/policy/azure/activity_log_alert/activity_log_alert_operation_enabled.rego index dd1d4648c1..6b9be57869 100644 --- a/security-policies/bundle/compliance/policy/azure/activity_log_alert/activity_log_alert_operation_enabled.rego +++ b/security-policies/bundle/compliance/policy/azure/activity_log_alert/activity_log_alert_operation_enabled.rego @@ -30,4 +30,4 @@ activity_log_alert_operation_enabled(operation_names, categories) if { # Ensure there is an action group assigned (Notification to the appropriate personnel) activity_log_alert.properties.actions != null -} else = false +} else := false diff --git a/security-policies/bundle/compliance/policy/azure/data_adapter.rego b/security-policies/bundle/compliance/policy/azure/data_adapter.rego index 05553daaab..5c29b1de6b 100644 --- a/security-policies/bundle/compliance/policy/azure/data_adapter.rego +++ b/security-policies/bundle/compliance/policy/azure/data_adapter.rego @@ -2,11 +2,11 @@ package compliance.policy.azure.data_adapter import future.keywords.if -resource = input.resource +resource := input.resource -properties = resource.properties +properties := resource.properties -identity = resource.identity +identity := resource.identity is_bastion if { input.subType == "azure-bastion" @@ -25,9 +25,9 @@ is_vault if { input.subType == "azure-vault" } -role_definitions = resource +role_definitions := resource -bastions = resource +bastions := resource is_disk if { input.subType == "azure-disk" 
@@ -47,15 +47,15 @@ is_vm if { input.subType = "azure-vm" } -private_endpoint_connections = properties.privateEndpointConnections +private_endpoint_connections := properties.privateEndpointConnections -network_acls = properties.networkAcls +network_acls := properties.networkAcls -site_config = properties.siteConfig +site_config := properties.siteConfig -activity_log_alerts = resource +activity_log_alerts := resource -diagnostic_settings = resource +diagnostic_settings := resource is_storage_account if { input.subType == "azure-storage-account" @@ -125,7 +125,7 @@ is_document_db_database_account if { input.subType == "azure-document-db-database-account" } -insights_components = resource +insights_components := resource is_insights_component if { input.subType == "azure-insights-component" diff --git a/security-policies/bundle/compliance/policy/azure/disk/ensure_encryption.rego b/security-policies/bundle/compliance/policy/azure/disk/ensure_encryption.rego index 3db503ee8a..95b130e759 100644 --- a/security-policies/bundle/compliance/policy/azure/disk/ensure_encryption.rego +++ b/security-policies/bundle/compliance/policy/azure/disk/ensure_encryption.rego @@ -3,9 +3,9 @@ package compliance.policy.azure.disk.ensure_encryption import data.compliance.policy.azure.data_adapter import future.keywords.if -encryption_type = data_adapter.properties.encryption.type +encryption_type := data_adapter.properties.encryption.type -default is_encryption_enabled = false +default is_encryption_enabled := false is_encryption_enabled if { encryption_type == "EncryptionAtRestWithCustomerKey" diff --git a/security-policies/bundle/compliance/policy/azure/keyvault/ensure_expiration.rego b/security-policies/bundle/compliance/policy/azure/keyvault/ensure_expiration.rego index f9f1878963..73dfa7199b 100644 --- a/security-policies/bundle/compliance/policy/azure/keyvault/ensure_expiration.rego +++ b/security-policies/bundle/compliance/policy/azure/keyvault/ensure_expiration.rego 
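Review bot: The `:=` migration stops at rule heads and leaves body-level `=` untouched, starting with the context line `input.subType = "azure-vm"` in azure/data_adapter.rego, which is the only subType check in this file that unifies instead of comparing while every neighbour uses `==`; it should read `input.subType == "azure-vm"`. The same mix remains in the hunks that follow: `r = is_every_private_connections` and `r = is_default_network_access_disabled` (storage_account/ensure_connection.rego, ensure_default_network_access.rego), `r = verify_public_access` (ensure_public_access.rego), `r = is_service_included(service)`, `log.category = category` and `r = is_tls_version(version)` (ensure_service.rego, ensure_service_log.rego, ensure_tls_version.rego), `permissions = parse_permission(filemode)` and `r = bits.and(...)` (file/common.rego), and `user = data_adapter.owner_user` / `group = data_adapter.owner_group` (file/ensure_ownership.rego). Where the left side is a fresh local the drop-in form is `:=`; where both sides are already bound (`input.subType`, and presumably `log.category` against `category`) it is `==`. Behaviour is the same either way for ground terms, so this is a consistency point rather than a defect, but leaving it makes a second pass inevitable.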
@@ -9,4 +9,4 @@ all_enabled_items_have_expiration(items) if { every item in enabled { item.properties.attributes.exp > 0 } -} else = false +} else := false diff --git a/security-policies/bundle/compliance/policy/azure/storage_account/ensure_connection.rego b/security-policies/bundle/compliance/policy/azure/storage_account/ensure_connection.rego index 5de89d9a56..5a0183751b 100644 --- a/security-policies/bundle/compliance/policy/azure/storage_account/ensure_connection.rego +++ b/security-policies/bundle/compliance/policy/azure/storage_account/ensure_connection.rego @@ -9,9 +9,9 @@ is_every_private_connections if { # Azure implemented it differently (like previous version of this file) # Simplified and implemented exactly like the PDF audit count(data_adapter.private_endpoint_connections) > 0 -} else = false +} else := false -is_private_connections = r if { +is_private_connections := r if { data_adapter.private_endpoint_connections r = is_every_private_connections } diff --git a/security-policies/bundle/compliance/policy/azure/storage_account/ensure_default_network_access.rego b/security-policies/bundle/compliance/policy/azure/storage_account/ensure_default_network_access.rego index 2075236c42..ef492fd3e7 100644 --- a/security-policies/bundle/compliance/policy/azure/storage_account/ensure_default_network_access.rego +++ b/security-policies/bundle/compliance/policy/azure/storage_account/ensure_default_network_access.rego @@ -5,9 +5,9 @@ import future.keywords.if is_default_network_access_disabled if { data_adapter.network_acls.defaultAction == "Deny" -} else = false +} else := false -is_default_network_access = r if { +is_default_network_access := r if { data_adapter.network_acls r = is_default_network_access_disabled } diff --git a/security-policies/bundle/compliance/policy/azure/storage_account/ensure_encryption.rego b/security-policies/bundle/compliance/policy/azure/storage_account/ensure_encryption.rego index eb149b4ed6..03b16f0e1d 100644 
--- a/security-policies/bundle/compliance/policy/azure/storage_account/ensure_encryption.rego +++ b/security-policies/bundle/compliance/policy/azure/storage_account/ensure_encryption.rego @@ -5,4 +5,4 @@ import future.keywords.if is_encryption_enabled if { data_adapter.properties.encryption.requireInfrastructureEncryption -} else = false +} else := false diff --git a/security-policies/bundle/compliance/policy/azure/storage_account/ensure_public_access.rego b/security-policies/bundle/compliance/policy/azure/storage_account/ensure_public_access.rego index ced582e131..5aa8ad94d2 100644 --- a/security-policies/bundle/compliance/policy/azure/storage_account/ensure_public_access.rego +++ b/security-policies/bundle/compliance/policy/azure/storage_account/ensure_public_access.rego @@ -6,9 +6,9 @@ import future.keywords.if verify_public_access if { data_adapter.properties.publicNetworkAccess == "Disabled" -} else = false +} else := false -is_public_access_disabled = r if { +is_public_access_disabled := r if { data_adapter.properties.publicNetworkAccess r = verify_public_access } diff --git a/security-policies/bundle/compliance/policy/azure/storage_account/ensure_secure_transfer.rego b/security-policies/bundle/compliance/policy/azure/storage_account/ensure_secure_transfer.rego index 95320edc6b..9ab5af81b7 100644 --- a/security-policies/bundle/compliance/policy/azure/storage_account/ensure_secure_transfer.rego +++ b/security-policies/bundle/compliance/policy/azure/storage_account/ensure_secure_transfer.rego @@ -5,4 +5,4 @@ import future.keywords.if is_secure_transfer_enabled if { data_adapter.properties.supportsHttpsTrafficOnly -} else = false +} else := false diff --git a/security-policies/bundle/compliance/policy/azure/storage_account/ensure_service.rego b/security-policies/bundle/compliance/policy/azure/storage_account/ensure_service.rego index 0e3ee871f7..3300650772 100644 --- a/security-policies/bundle/compliance/policy/azure/storage_account/ensure_service.rego 
+++ b/security-policies/bundle/compliance/policy/azure/storage_account/ensure_service.rego @@ -7,9 +7,9 @@ import future.keywords.in is_service_included(service) if { data_adapter.network_acls.defaultAction == "Deny" data_adapter.network_acls.bypass == service -} else = false +} else := false -evaluate_service(service) = r if { +evaluate_service(service) := r if { data_adapter.network_acls r = is_service_included(service) } diff --git a/security-policies/bundle/compliance/policy/azure/storage_account/ensure_service_log.rego b/security-policies/bundle/compliance/policy/azure/storage_account/ensure_service_log.rego index 6cb75646dd..58efbfb16f 100644 --- a/security-policies/bundle/compliance/policy/azure/storage_account/ensure_service_log.rego +++ b/security-policies/bundle/compliance/policy/azure/storage_account/ensure_service_log.rego @@ -11,4 +11,4 @@ service_diagnostic_settings_log_rwd_enabled(serviceDiagnosticSettings) if { log.enabled == true log.category = category } -} else = false +} else := false diff --git a/security-policies/bundle/compliance/policy/azure/storage_account/ensure_tls_version.rego b/security-policies/bundle/compliance/policy/azure/storage_account/ensure_tls_version.rego index b2435bdddf..2487642c20 100644 --- a/security-policies/bundle/compliance/policy/azure/storage_account/ensure_tls_version.rego +++ b/security-policies/bundle/compliance/policy/azure/storage_account/ensure_tls_version.rego @@ -5,9 +5,9 @@ import future.keywords.if is_tls_version(version) if { data_adapter.properties.minimumTlsVersion == version -} else = false +} else := false -is_tls_configured(version) = r if { +is_tls_configured(version) := r if { data_adapter.properties.minimumTlsVersion r = is_tls_version(version) } diff --git a/security-policies/bundle/compliance/policy/azure/virtual_machine/network_rules.rego b/security-policies/bundle/compliance/policy/azure/virtual_machine/network_rules.rego index f75017a618..ef7f826c8c 100644 
--- a/security-policies/bundle/compliance/policy/azure/virtual_machine/network_rules.rego
+++ b/security-policies/bundle/compliance/policy/azure/virtual_machine/network_rules.rego
@@ -4,7 +4,7 @@ import future.keywords.if
 
 vm_has_closed_port(vm, targetPort, protocol) if {
 not vm_has_open_port(vm, targetPort, protocol)
-} else = false
+} else := false
 
 vm_has_open_port(vm, targetPort, protocol) if {
 some i
diff --git a/security-policies/bundle/compliance/policy/file/common.rego b/security-policies/bundle/compliance/policy/file/common.rego
index 472d0020e2..2fd94de34c 100644
--- a/security-policies/bundle/compliance/policy/file/common.rego
+++ b/security-policies/bundle/compliance/policy/file/common.rego
@@ -6,21 +6,21 @@ import future.keywords.if
 
 file_ownership_match(user, group, required_user, required_group) if {
 user == required_user
 group == required_group
-} else = false
+} else := false
 
 file_permission_match(filemode, user, group, other) if {
 permissions = parse_permission(filemode) # filemode format {user}{group}{other} e.g. 644
 check_permissions(permissions, [user, group, other])
-} else = false
+} else := false
 
 file_permission_match_exact(filemode, user, group, other) if {
 permissions = parse_permission(filemode) # filemode format {user}{group}{other} e.g. 644
 permissions == [user, group, other]
-} else = false
+} else := false
 
 # return a list of file premission [user, group, other]
 # cast to numbers
@@ -28,10 +28,10 @@ parse_permission(filemode) := [to_number(p) | p := split(filemode, "")[_]]
 
 check_permissions(permissions, max_permissions) if {
 assert.all_true([r | some p; r = bits.and(permissions[p], bits.negate(max_permissions[p])) == 0])
-} else = false
+} else := false
 
 # check if file is in path
 file_in_path(path, file_path) if {
 closed_path := concat("", [file_path, "/"]) # make sure last dir name is closed by "/"
 contains(closed_path, path)
-} else = false
+} else := false
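Review bot: `file_in_path` in the second common.rego hunk decides membership with `contains(closed_path, path)`, which is a substring test, so a file whose path merely embeds the directory name further in (for example `/opt/etc/kubernetes/x` checked against a `path` of `/etc/kubernetes/`) is reported as being inside that path. If the intent is "the file sits under `path`", a prefix test keeps the trailing-slash handling and removes that false positive: `startswith(closed_path, path)`. Whether any caller relies on the looser substring behaviour, or whether `path` always carries a trailing slash, is not visible in this diff, so the existing tests for this helper should confirm before it is tightened.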
diff --git a/security-policies/bundle/compliance/policy/file/data_adapter.rego b/security-policies/bundle/compliance/policy/file/data_adapter.rego
index 3ce1109587..aff0a7ed28 100644
--- a/security-policies/bundle/compliance/policy/file/data_adapter.rego
+++ b/security-policies/bundle/compliance/policy/file/data_adapter.rego
@@ -6,27 +6,27 @@ is_filesystem if {
 input.type == "file"
 }
 
-filename = file_name if {
+filename := file_name if {
 is_filesystem
 file_name := input.resource.name
 }
 
-filemode = file_mode if {
+filemode := file_mode if {
 is_filesystem
 file_mode := input.resource.mode
 }
 
-file_path = path if {
+file_path := path if {
 is_filesystem
 path := input.resource.path
 }
 
-owner_user = owner if {
+owner_user := owner if {
 is_filesystem
 owner := input.resource.owner
 }
 
-owner_group = group if {
+owner_group := group if {
 is_filesystem
 group := input.resource.group
 }
diff --git a/security-policies/bundle/compliance/policy/file/ensure_ownership.rego b/security-policies/bundle/compliance/policy/file/ensure_ownership.rego
index 24aa887be4..54bf48d20f 100644
--- a/security-policies/bundle/compliance/policy/file/ensure_ownership.rego
+++ b/security-policies/bundle/compliance/policy/file/ensure_ownership.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.file.common as file_common
 import data.compliance.policy.file.data_adapter
 import future.keywords.if
 
-finding(owner_user, owner_group) = result if {
+finding(owner_user, owner_group) := result if {
 user = data_adapter.owner_user
 group = data_adapter.owner_group
 rule_evaluation := file_common.file_ownership_match(user, group, owner_user, owner_group)
diff --git a/security-policies/bundle/compliance/policy/gcp/bq/ensure_cmek_is_used.rego b/security-policies/bundle/compliance/policy/gcp/bq/ensure_cmek_is_used.rego
index 8fecf623a3..f248dfe171 100644
--- a/security-policies/bundle/compliance/policy/gcp/bq/ensure_cmek_is_used.rego
+++ b/security-policies/bundle/compliance/policy/gcp/bq/ensure_cmek_is_used.rego
@@ -3,7 +3,7 @@ package compliance.policy.gcp.bq.ensure_cmek_is_used
 import data.compliance.policy.gcp.data_adapter
 import future.keywords.if
 
-default is_cmek_used = false
+default is_cmek_used := false
 
 is_cmek_used if {
 data_adapter.resource.data.defaultEncryptionConfiguration.kmsKeyName
diff --git a/security-policies/bundle/compliance/policy/gcp/common.rego b/security-policies/bundle/compliance/policy/gcp/common.rego
index 05f4a6bcc6..8671cc81a9 100644
--- a/security-policies/bundle/compliance/policy/gcp/common.rego
+++ b/security-policies/bundle/compliance/policy/gcp/common.rego
@@ -3,7 +3,7 @@ package compliance.policy.gcp.common
 import future.keywords.if
 
 # parse the machine's family type from a machine type URL (e.g. https://www.googleapis.com/compute/v1/projects//zones//machineTypes/)
-get_machine_type_family(type_url) = family if {
+get_machine_type_family(type_url) := family if {
 parts := split(type_url, "/")
 family := parts[count(parts) - 1]
 }
diff --git a/security-policies/bundle/compliance/policy/gcp/compute/assess_instance_metadata.rego b/security-policies/bundle/compliance/policy/gcp/compute/assess_instance_metadata.rego
index 0dcf85d326..235605fc85 100644
--- a/security-policies/bundle/compliance/policy/gcp/compute/assess_instance_metadata.rego
+++ b/security-policies/bundle/compliance/policy/gcp/compute/assess_instance_metadata.rego
@@ -8,4 +8,4 @@ is_instance_metadata_valid(key, expected_val) if {
 some item in data_adapter.resource.data.metadata.items
 item.key == key
 item.value == expected_val
-} else = false
+} else := false
diff --git a/security-policies/bundle/compliance/policy/gcp/compute/ensure_fw_rule.rego b/security-policies/bundle/compliance/policy/gcp/compute/ensure_fw_rule.rego
index ecd25d9555..f0d229c0a5 100644
--- a/security-policies/bundle/compliance/policy/gcp/compute/ensure_fw_rule.rego
+++ b/security-policies/bundle/compliance/policy/gcp/compute/ensure_fw_rule.rego
@@ -6,7 +6,7 @@ import future.keywords.every
 import future.keywords.if
 import future.keywords.in
 
-is_valid_fw_rule(port) = false if {
+is_valid_fw_rule(port) := false if {
 some range in data_adapter.resource.data.sourceRanges
 range == "0.0.0.0/0"
 data_adapter.resource.data.direction == "INGRESS"
@@ -14,7 +14,7 @@ is_valid_fw_rule(port) = false if {
 some action in data_adapter.resource.data.allowed
 action.IPProtocol in {"tcp", "all"}
 is_port_effective(port, object.get(action, ["ports"], []))
-} else = true
+} else := true
 
 # The ports list can include both ranges, such as 80-90, and individual ports, such as 443.
 is_port_effective(port, ports) if {
diff --git a/security-policies/bundle/compliance/policy/gcp/compute/ensure_no_use_of_default_sa.rego b/security-policies/bundle/compliance/policy/gcp/compute/ensure_no_use_of_default_sa.rego
index d5d3db1e10..817d96998f 100644
--- a/security-policies/bundle/compliance/policy/gcp/compute/ensure_no_use_of_default_sa.rego
+++ b/security-policies/bundle/compliance/policy/gcp/compute/ensure_no_use_of_default_sa.rego
@@ -18,10 +18,10 @@ sa_is_default if {
 not data_adapter.is_gke_instance(data_adapter.resource.data)
 some sa in data_adapter.resource.data.serviceAccounts
 is_default_sa(sa)
-} else = false
+} else := false
 
 sa_is_default_with_full_access if {
 not data_adapter.is_gke_instance(data_adapter.resource.data)
 some sa in data_adapter.resource.data.serviceAccounts
 is_default_sa_with_access(sa)
-} else = false
+} else := false
diff --git a/security-policies/bundle/compliance/policy/gcp/dns/ensure_rsasha1_is_unused.rego b/security-policies/bundle/compliance/policy/gcp/dns/ensure_rsasha1_is_unused.rego
index 82ebd8c3b3..50ab3d0116 100644
--- a/security-policies/bundle/compliance/policy/gcp/dns/ensure_rsasha1_is_unused.rego
+++ b/security-policies/bundle/compliance/policy/gcp/dns/ensure_rsasha1_is_unused.rego
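Review bot: `is_valid_fw_rule` in the first ensure_fw_rule.rego hunk only recognises `0.0.0.0/0` as an "open to everyone" source range, so an INGRESS rule whose `sourceRanges` carries the IPv6 any-address `::/0` is reported as valid even though the port is just as exposed. Since `future.keywords.in` is already imported here, `range in {"0.0.0.0/0", "::/0"}` on the comparison line covers both forms without changing the rest of the rule. The rule's body continues into the second hunk, where the `else := true` lives, so this one line is the only place the exposure is decided. Whether the GCP adapter ever surfaces IPv6 ranges is not visible in this diff; the rule's test fixtures would show it.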
@@ -6,7 +6,7 @@ import data.compliance.policy.gcp.data_adapter
 import future.keywords.if
 import future.keywords.in
 
-finding(type) = result if {
+finding(type) := result if {
 # filter
 data_adapter.is_dns_managed_zone
 data_adapter.resource.data.visibility == "PUBLIC"
@@ -22,4 +22,4 @@ is_sha1_used(type) if {
 some key_spec in data_adapter.resource.data.dnssecConfig.defaultKeySpecs
 key_spec.keyType == type
 key_spec.algorithm == "RSASHA1"
-} else = false
+} else := false
diff --git a/security-policies/bundle/compliance/policy/gcp/iam/ensure_no_public_access.rego b/security-policies/bundle/compliance/policy/gcp/iam/ensure_no_public_access.rego
index 19b24d6fb8..41bc5fe6d3 100644
--- a/security-policies/bundle/compliance/policy/gcp/iam/ensure_no_public_access.rego
+++ b/security-policies/bundle/compliance/policy/gcp/iam/ensure_no_public_access.rego
@@ -3,7 +3,7 @@ package compliance.policy.gcp.iam.ensure_no_public_access
 import data.compliance.policy.gcp.data_adapter
 import future.keywords.if
 
-default resource_is_public = false
+default resource_is_public := false
 
 resource_is_public if {
 # Check if the IAM policy is not empty
diff --git a/security-policies/bundle/compliance/policy/gcp/iam/ensure_not_admin_roles.rego b/security-policies/bundle/compliance/policy/gcp/iam/ensure_not_admin_roles.rego
index 194fa0ecf7..7806eedc16 100644
--- a/security-policies/bundle/compliance/policy/gcp/iam/ensure_not_admin_roles.rego
+++ b/security-policies/bundle/compliance/policy/gcp/iam/ensure_not_admin_roles.rego
@@ -8,4 +8,4 @@ import future.keywords.in
 is_not_admin_roles(service_accounts) if {
 admin_roles := {v | v := service_accounts[_].role; regex.match(`(.*Admin|.*admin|roles/(editor|owner))`, v)}
 count(admin_roles) == 0
-} else = false
+} else := false
diff --git a/security-policies/bundle/compliance/policy/gcp/iam/ensure_policy_not_managed_by_user.rego b/security-policies/bundle/compliance/policy/gcp/iam/ensure_policy_not_managed_by_user.rego
index e9af117b05..3e340af5fd 100644
--- a/security-policies/bundle/compliance/policy/gcp/iam/ensure_policy_not_managed_by_user.rego
+++ b/security-policies/bundle/compliance/policy/gcp/iam/ensure_policy_not_managed_by_user.rego
@@ -4,7 +4,7 @@ import data.compliance.policy.gcp.data_adapter
 import future.keywords.every
 import future.keywords.if
 
-default is_policy_not_managed_by_user = false
+default is_policy_not_managed_by_user := false
 
 is_policy_not_managed_by_user if {
 every member in data_adapter.iam_policy.bindings[i].members {
diff --git a/security-policies/bundle/compliance/policy/gcp/iam/ensure_role_not_service_account_user.rego b/security-policies/bundle/compliance/policy/gcp/iam/ensure_role_not_service_account_user.rego
index 2a5fc5f5e1..74428d58bc 100644
--- a/security-policies/bundle/compliance/policy/gcp/iam/ensure_role_not_service_account_user.rego
+++ b/security-policies/bundle/compliance/policy/gcp/iam/ensure_role_not_service_account_user.rego
@@ -3,7 +3,7 @@ package compliance.policy.gcp.iam.ensure_role_not_service_account_user
 import data.compliance.policy.gcp.data_adapter
 import future.keywords.if
 
-default is_role_not_service_account_user = false
+default is_role_not_service_account_user := false
 
 is_role_not_service_account_user if {
 role := data_adapter.iam_policy.bindings[i].role
diff --git a/security-policies/bundle/compliance/policy/gcp/iam/ensure_user_not_editor_or_owner.rego b/security-policies/bundle/compliance/policy/gcp/iam/ensure_user_not_editor_or_owner.rego
index 2b49410395..52c802ad42 100644
--- a/security-policies/bundle/compliance/policy/gcp/iam/ensure_user_not_editor_or_owner.rego
+++ b/security-policies/bundle/compliance/policy/gcp/iam/ensure_user_not_editor_or_owner.rego
@@ -3,7 +3,7 @@ package compliance.policy.gcp.iam.ensure_user_not_editor_or_owner
 import data.compliance.policy.gcp.data_adapter
 import future.keywords.if
 
-default is_user_owner_or_editor = false
+default is_user_owner_or_editor := false
 
 is_user_owner_or_editor if {
 # at least one member that starts with "user:"
diff --git a/security-policies/bundle/compliance/policy/gcp/kms/ensure_key_rotation.rego b/security-policies/bundle/compliance/policy/gcp/kms/ensure_key_rotation.rego
index 6bcb651e1c..edf674e02c 100644
--- a/security-policies/bundle/compliance/policy/gcp/kms/ensure_key_rotation.rego
+++ b/security-policies/bundle/compliance/policy/gcp/kms/ensure_key_rotation.rego
@@ -4,11 +4,11 @@ import data.compliance.lib.common
 import data.compliance.policy.gcp.data_adapter
 import future.keywords.if
 
-duration = sprintf("%dh", [90 * 24]) # 90 days converted to hours
+duration := sprintf("%dh", [90 * 24]) # 90 days converted to hours
 
-default rule_evaluation = false
+default rule_evaluation := false
 
-finding = result if {
+finding := result if {
 # filter
 data_adapter.is_cloudkms_crypto_key
 
diff --git a/security-policies/bundle/compliance/policy/gcp/monitoring/ensure_log_metric_and_alarm_exist.rego b/security-policies/bundle/compliance/policy/gcp/monitoring/ensure_log_metric_and_alarm_exist.rego
index 0eff4ab815..1140bec930 100644
--- a/security-policies/bundle/compliance/policy/gcp/monitoring/ensure_log_metric_and_alarm_exist.rego
+++ b/security-policies/bundle/compliance/policy/gcp/monitoring/ensure_log_metric_and_alarm_exist.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.gcp.data_adapter
 import future.keywords.if
 import future.keywords.in
 
-finding(filter) = result if {
+finding(filter) := result if {
 # filter
 data_adapter.is_monitoring_asset
 
@@ -26,4 +26,4 @@ is_setup_exists(filter) if {
 
 some condition in alert.resource.data.conditions
 condition.conditionThreshold.filter == sprintf("metric.type=\"%s\"", [metric_type])
-} else = false
+} else := false
diff --git a/security-policies/bundle/compliance/policy/gcp/sql/ensure_db_flag_is_as_expected.rego b/security-policies/bundle/compliance/policy/gcp/sql/ensure_db_flag_is_as_expected.rego
index 9e2599b51c..0c463a5cc0 100644
--- a/security-policies/bundle/compliance/policy/gcp/sql/ensure_db_flag_is_as_expected.rego
+++ b/security-policies/bundle/compliance/policy/gcp/sql/ensure_db_flag_is_as_expected.rego
@@ -12,15 +12,15 @@ is_flag_configured_as_expected(flag_name, expected_vals) if {
 # not all expected values needs to be present, one is sufficient
 some expected_val in expected_vals
 db_flag.value == expected_val
-} else = false
+} else := false
 
 is_flag_exists(flag_name) if {
 some db_flag in data_adapter.resource.data.settings.databaseFlags
 db_flag.name == flag_name
-} else = false
+} else := false
 
 is_flag_limited(flag_name) if {
 some db_flag in data_adapter.resource.data.settings.databaseFlags
 db_flag.name == flag_name
 db_flag.value != 0
-} else = false
+} else := false
diff --git a/security-policies/bundle/compliance/policy/gcp/sql/ensure_private_ip.rego b/security-policies/bundle/compliance/policy/gcp/sql/ensure_private_ip.rego
index f8fe5a8a2c..a685e13d19 100644
--- a/security-policies/bundle/compliance/policy/gcp/sql/ensure_private_ip.rego
+++ b/security-policies/bundle/compliance/policy/gcp/sql/ensure_private_ip.rego
@@ -8,4 +8,4 @@ ip_is_private if {
 every ipAddress in data_adapter.resource.data.ipAddresses {
 not ipAddress.type == "PRIMARY"
 }
-} else = false
+} else := false
diff --git a/security-policies/bundle/compliance/policy/kube_api/data_adapter.rego b/security-policies/bundle/compliance/policy/kube_api/data_adapter.rego
index ab77e4d174..88bd746aa1 100644
--- a/security-policies/bundle/compliance/policy/kube_api/data_adapter.rego
+++ b/security-policies/bundle/compliance/policy/kube_api/data_adapter.rego
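Review bot: `is_flag_limited` in the ensure_db_flag_is_as_expected.rego hunk compares `db_flag.value != 0`, but the Cloud SQL API reports `settings.databaseFlags[].value` as a string, so if the adapter passes that value through unchanged the comparison is between `"0"` and the number `0` and is always true — a flag explicitly set to `"0"` would still be reported as limited. Comparing numerically, `to_number(db_flag.value) != 0`, closes that gap, and a non-numeric value then leaves the body undefined so the `else := false` branch reports it as not limited. The type the adapter hands over is not visible in this diff, so the fixtures behind this rule's tests should confirm it before the comparison is changed. The sibling `is_flag_configured_as_expected` and `is_flag_exists` compare against caller-supplied values and names, so they are not affected.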
@@ -32,14 +32,14 @@ is_kube_pod if {
 input.resource.kind == "Pod"
 }
 
-pod = p if {
+pod := p if {
 is_kube_pod
 p := input.resource
 }
 
-is_service_account_or_pod = pod
+is_service_account_or_pod := pod
 
-is_service_account_or_pod = service_account
+is_service_account_or_pod := service_account
 
 containers := c if {
 is_kube_pod
@@ -50,4 +50,4 @@ containers := c if {
 }
 }
 
-status = input.resource.status
+status := input.resource.status
diff --git a/security-policies/bundle/compliance/policy/kube_api/ensure_external_ip.rego b/security-policies/bundle/compliance/policy/kube_api/ensure_external_ip.rego
index a242927939..faf4297ce6 100644
--- a/security-policies/bundle/compliance/policy/kube_api/ensure_external_ip.rego
+++ b/security-policies/bundle/compliance/policy/kube_api/ensure_external_ip.rego
@@ -10,13 +10,13 @@ verify_external_ip if {
 data_adapter.status.addresses[address].address != "0.0.0.0"
 }
 
-evidence["external_ip"] = result if {
+evidence["external_ip"] := result if {
 not data.rule_evaluation
 data_adapter.status.addresses[address].type == "ExternalIP"
 result = data_adapter.status.addresses[address]
 }
 
-finding(rule_evaluation) = result if {
+finding(rule_evaluation) := result if {
 data_adapter.is_kube_node
 result_evidence = evidence with data.rule_evaluation as rule_evaluation
 
diff --git a/security-policies/bundle/compliance/policy/kube_api/ensure_service_accounts.rego b/security-policies/bundle/compliance/policy/kube_api/ensure_service_accounts.rego
index 80ede4fcd4..da9842c172 100644
--- a/security-policies/bundle/compliance/policy/kube_api/ensure_service_accounts.rego
+++ b/security-policies/bundle/compliance/policy/kube_api/ensure_service_accounts.rego
@@ -21,7 +21,7 @@ finding(rule_violation) := result if {
 )
 }
 
-default service_account_automount = false
+default service_account_automount := false
 
 # Review pod and service account objects in the cluster and ensure that automountServiceAccountToken is
 # set to false
@@ -35,7 +35,7 @@ service_account_automount if {
 service_account.automountServiceAccountToken == true
 }
 
-default service_account_default = false
+default service_account_default := false
 
 # no roles or cluster roles bound to default service account apart from the defaults.
 service_account_default if {
diff --git a/security-policies/bundle/compliance/policy/kube_api/minimize_admission.rego b/security-policies/bundle/compliance/policy/kube_api/minimize_admission.rego
index 796873bc79..af047b356e 100644
--- a/security-policies/bundle/compliance/policy/kube_api/minimize_admission.rego
+++ b/security-policies/bundle/compliance/policy/kube_api/minimize_admission.rego
@@ -4,7 +4,7 @@ import data.compliance.lib.common as lib_common
 import data.compliance.policy.kube_api.data_adapter
 import future.keywords.if
 
-finding(entity) = result if {
+finding(entity) := result if {
 data_adapter.is_kube_api
 
 # set result
@@ -19,8 +19,8 @@ finding(entity) = result if {
 )
 }
 
-rule_evaluation(entity) = false if {
+rule_evaluation(entity) := false if {
 some container_type # "containers", "init_containers", "ephemeral_containers"
 container := data_adapter.containers[container_type][_]
 lib_common.contains_key_with_value(container.securityContext, entity, true)
-} else = true
+} else := true
diff --git a/security-policies/bundle/compliance/policy/kube_api/minimize_admission_root.rego b/security-policies/bundle/compliance/policy/kube_api/minimize_admission_root.rego
index ce7aa9a95e..054f85f84d 100644
--- a/security-policies/bundle/compliance/policy/kube_api/minimize_admission_root.rego
+++ b/security-policies/bundle/compliance/policy/kube_api/minimize_admission_root.rego
@@ -4,22 +4,22 @@ import data.compliance.lib.common as lib_common
 import data.compliance.policy.kube_api.data_adapter
 import future.keywords.if
 
-default rule_evaluation = true
+default rule_evaluation := true
 
 # Verify that there is at least one PSP which returns MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0.
-rule_evaluation = false if {
+rule_evaluation := false if {
 not lib_common.contains_key_with_value(data_adapter.pod.spec.runAsUser, "rule", "MustRunAsNonRoot")
 lib_common.contains_key_with_value(data_adapter.pod.spec.runAsUser, "rule", "MustRunAs")
 range := data_adapter.pod.spec.runAsUser.ranges[_]
 range.min <= 0
 }
 
-rule_evaluation = false if {
+rule_evaluation := false if {
 container := data_adapter.containers.app_containers[_]
 lib_common.contains_key_with_value(container.securityContext, "runAsUser", 0)
 }
 
-finding = result if {
+finding := result if {
 data_adapter.is_kube_api
 
 pod := json.filter(data_adapter.pod, [
diff --git a/security-policies/bundle/compliance/policy/kube_api/minimize_assigned_capabilities.rego b/security-policies/bundle/compliance/policy/kube_api/minimize_assigned_capabilities.rego
index 2c44e047a2..d4c9634d91 100644
--- a/security-policies/bundle/compliance/policy/kube_api/minimize_assigned_capabilities.rego
+++ b/security-policies/bundle/compliance/policy/kube_api/minimize_assigned_capabilities.rego
@@ -6,7 +6,7 @@ import data.compliance.policy.kube_api.data_adapter
 import future.keywords.every
 import future.keywords.if
 
-default rule_evaluation = false
+default rule_evaluation := false
 
 rule_evaluation if {
 every container in data_adapter.containers.app_containers {
diff --git a/security-policies/bundle/compliance/policy/kube_api/minimize_certain_capability.rego b/security-policies/bundle/compliance/policy/kube_api/minimize_certain_capability.rego
index 8a6b93e924..f9026fab33 100644
--- a/security-policies/bundle/compliance/policy/kube_api/minimize_certain_capability.rego
+++ b/security-policies/bundle/compliance/policy/kube_api/minimize_certain_capability.rego
@@ -6,7 +6,7 @@ import future.keywords.in
 import data.compliance.lib.common
 import data.compliance.policy.kube_api.data_adapter
 
-default rule_evaluation = false
+default rule_evaluation := false
 
 rule_evaluation if {
 container := data_adapter.containers.app_containers[_]
diff --git a/security-policies/bundle/compliance/policy/kube_api/minimize_wildcard.rego b/security-policies/bundle/compliance/policy/kube_api/minimize_wildcard.rego
index ce5f891b31..d76063ed92 100644
--- a/security-policies/bundle/compliance/policy/kube_api/minimize_wildcard.rego
+++ b/security-policies/bundle/compliance/policy/kube_api/minimize_wildcard.rego
@@ -6,14 +6,14 @@ import data.compliance.policy.kube_api.data_adapter
 import future.keywords.if
 import future.keywords.in
 
-default rule_violation = false
+default rule_violation := false
 
 rule_violation if {
 cluster_roles_rule := data_adapter.cluster_roles.rules[i]
 is_using_wildcards(cluster_roles_rule)
 }
 
-finding = result if {
+finding := result if {
 data_adapter.is_cluster_roles
 
 rule_evaluation := assert.is_false(rule_violation)
diff --git a/security-policies/bundle/compliance/policy/process/common.rego b/security-policies/bundle/compliance/policy/process/common.rego
index b7b02219b0..f9c914d82d 100644
--- a/security-policies/bundle/compliance/policy/process/common.rego
+++ b/security-policies/bundle/compliance/policy/process/common.rego
@@ -8,10 +8,10 @@ arg_values_contains(arguments, key, value) if {
 argument := arguments[key]
 values := split(argument, ",")
 value in values
-} else = false
+} else := false
 
 # splits key value string by first occurrence of =
-split_key_value(key_value_string, delimiter) = [key, value] if {
+split_key_value(key_value_string, delimiter) := [key, value] if {
 seperator_index := indexof(key_value_string, delimiter)
 
 # extract key
diff --git a/security-policies/bundle/compliance/policy/process/data_adapter.rego b/security-policies/bundle/compliance/policy/process/data_adapter.rego
index f2475d4fdb..d11ee7f47d 100644
--- a/security-policies/bundle/compliance/policy/process/data_adapter.rego
+++ b/security-policies/bundle/compliance/policy/process/data_adapter.rego
@@ -6,12 +6,12 @@ is_process if {
 input.type == "process"
 }
 
-process_name = name if {
+process_name := name if {
 is_process
 name = input.resource.stat.Name
 }
 
-process_args_list = args_list if {
+process_args_list := args_list if {
 is_process
 
 # Gets all the process arguments of the current process
@@ -21,7 +21,7 @@ process_args_list = args_list if {
 }
 
 # Parses a single argument and returns a tuple of the flag and the value
-parse_argument(argument) = [flag, value] if {
+parse_argument(argument) := [flag, value] if {
 # We would like to split the argument by the first delimiter
 # The dilimiter can be either a space or an equal sign
 splitted_argument := regex.split(`\s|\=`, argument)
@@ -31,7 +31,7 @@ parse_argument(argument) = [flag, value] if {
 value = concat("=", array.slice(splitted_argument, 1, count(splitted_argument) + 1))
 }
 
-process_config = config if {
+process_config := config if {
 is_process
 config := {key: value | value = input.resource.external_data[key]}
 }
diff --git a/security-policies/bundle/compliance/policy/process/data_adapter_test.rego b/security-policies/bundle/compliance/policy/process/data_adapter_test.rego
index a511afee4e..c8c454a028 100644
--- a/security-policies/bundle/compliance/policy/process/data_adapter_test.rego
+++ b/security-policies/bundle/compliance/policy/process/data_adapter_test.rego
@@ -3,7 +3,7 @@ package compliance.policy.process.data_adapter
 import data.kubernetes_common.test_data
 import future.keywords.if
 
-supported_delimiters = [" ", "="]
+supported_delimiters := [" ", "="]
 
 test_is_process if {
 is_process with input as test_data.process_input("kube-api", [])
@@ -34,9 +34,9 @@ test_process_args_list_when_value_contain_delimiters if {
 result == expected_result
 }
 
-process_input(extra_elements, delimiter) = test_data.process_input("kube-api", process_cmdLine_input(delimiter, extra_elements))
+process_input(extra_elements, delimiter) := test_data.process_input("kube-api", process_cmdLine_input(delimiter, extra_elements))
 
-process_cmdLine_input(delimiter, extra_elements) = result if {
+process_cmdLine_input(delimiter, extra_elements) := result if {
 cmd_line_with_placeholders := ["--cloud-provider%0aws", "--config%0/etc/kubernetes/kubelet/kubelet-config.json"]
 cmd_line_with_extra_elements := array.concat(cmd_line_with_placeholders, extra_elements)
 result = [res | res = replace(cmd_line_with_extra_elements[_], "%0", delimiter)]
diff --git a/security-policies/bundle/compliance/policy/process/ensure_appropriate_arguments.rego b/security-policies/bundle/compliance/policy/process/ensure_appropriate_arguments.rego
index ab0678d27f..fbdfde753c 100644
--- a/security-policies/bundle/compliance/policy/process/ensure_appropriate_arguments.rego
+++ b/security-policies/bundle/compliance/policy/process/ensure_appropriate_arguments.rego
@@ -16,7 +16,7 @@ finding(entities) := lib_common.generate_result_without_expected(
 rule_evaluation(entities) if {
 process_args[entities[0]]
 process_args[entities[1]]
-} else = false
+} else := false
 
 apiserver_filter := data_adapter.is_kube_apiserver
 
diff --git a/security-policies/bundle/compliance/policy/process/ensure_arguments_and_config.rego b/security-policies/bundle/compliance/policy/process/ensure_arguments_and_config.rego
index 0d250079a5..0561ed28f9 100644
--- a/security-policies/bundle/compliance/policy/process/ensure_arguments_and_config.rego
+++ b/security-policies/bundle/compliance/policy/process/ensure_arguments_and_config.rego
@@ -9,7 +9,7 @@ import data.compliance.policy.process.data_adapter
 
 process_args := benchmark_data_adapter.process_args
 
-finding(rule_evaluation) = result if {
+finding(rule_evaluation) := result if {
 data_adapter.is_kubelet
 
 result := lib_common.generate_result_without_expected(
@@ -78,7 +78,7 @@ process_filter_variable_multi_comparison(f_variable, s_variable, value) if {
 not get_from_config(s_variable) == value
 }
 
-get_from_config(path) = r if {
+get_from_config(path) := r if {
 # TODO: object.get needs to be provided with a default value to assign
 # Decided to assign undefined string for non-existing process flag values
 # Another option was to assign a non-string undefined value via "hack" (assign non-existent variable)
diff --git a/security-policies/bundle/compliance/policy/process/ensure_arguments_contain_value.rego b/security-policies/bundle/compliance/policy/process/ensure_arguments_contain_value.rego
index 0e61f2349a..6bb536ae14 100644
--- a/security-policies/bundle/compliance/policy/process/ensure_arguments_contain_value.rego
+++ b/security-policies/bundle/compliance/policy/process/ensure_arguments_contain_value.rego
@@ -9,7 +9,7 @@ import future.keywords.if
 
 process_args := benchmark_data_adapter.process_args
 
-finding(rule_evaluation) = result if {
+finding(rule_evaluation) := result if {
 data_adapter.is_kube_apiserver
 
 # set result
@@ -21,5 +21,4 @@ finding(rule_evaluation) = result if {
 
 arg_not_contains(entity, value) := assert.is_false(process_common.arg_values_contains(process_args, entity, value))
-
 arg_contains(entity, value) := process_common.arg_values_contains(process_args, entity, value)
 
diff --git a/security-policies/bundle/compliance/policy/process/ensure_arguments_goe.rego b/security-policies/bundle/compliance/policy/process/ensure_arguments_goe.rego
index c5ec21c1bb..ac8b74ffdc 100644
--- a/security-policies/bundle/compliance/policy/process/ensure_arguments_goe.rego
+++ b/security-policies/bundle/compliance/policy/process/ensure_arguments_goe.rego
@@ -7,7 +7,7 @@ import future.keywords.if
 
 process_args := benchmark_data_adapter.process_args
 
-finding(entity, value) = result if {
+finding(entity, value) := result if {
 data_adapter.is_kube_apiserver
 
 # set result
@@ -20,4 +20,4 @@ finding(entity, value) = result if {
 rule_evaluation(entity, value) if {
 e := process_args[entity]
 lib_common.greater_or_equal(e, value)
-} else = false
+} else := false
diff --git a/security-policies/bundle/compliance/policy/process/ensure_arguments_if_contain_equal.rego b/security-policies/bundle/compliance/policy/process/ensure_arguments_if_contain_equal.rego
index ccf311b769..182f36a201 100644
--- a/security-policies/bundle/compliance/policy/process/ensure_arguments_if_contain_equal.rego
+++ b/security-policies/bundle/compliance/policy/process/ensure_arguments_if_contain_equal.rego
@@ -9,7 +9,7 @@ import data.compliance.policy.process.data_adapter
 
 process_args := benchmark_data_adapter.process_args
 
-default rule_evaluation = false
+default rule_evaluation := false
 
 rule_evaluation if {
 lib_common.contains_key_with_value(process_args, "--service-account-lookup", "true")
@@ -17,7 +17,7 @@ rule_evaluation if {
 not "--service-account-lookup" in object.keys(process_args)
 }
 
-finding = result if {
+finding := result if {
 data_adapter.is_kube_apiserver
 
 # set result
diff --git a/security-policies/bundle/compliance/policy/process/ensure_arguments_lte.rego b/security-policies/bundle/compliance/policy/process/ensure_arguments_lte.rego
index a4f8460c0a..ed37aee0e7 100644
--- a/security-policies/bundle/compliance/policy/process/ensure_arguments_lte.rego
+++ b/security-policies/bundle/compliance/policy/process/ensure_arguments_lte.rego
@@ -7,7 +7,7 @@ import future.keywords.if
 
 process_args := benchmark_data_adapter.process_args
 
-finding(entity, value) = result if {
+finding(entity, value) := result if {
 data_adapter.is_kube_apiserver
 
 # set result
@@ -17,7 +17,7 @@ finding(entity, value) = result if {
 )
 }
 
-rule_evaluation(entity, value) = false if {
+rule_evaluation(entity, value) := false if {
 e := process_args[entity]
 lib_common.duration_lte(e, value)
-} else = true
+} else := true
diff --git a/security-policies/bundle/compliance/policy/process/ensure_arguments_not_contain_multiple_values.rego b/security-policies/bundle/compliance/policy/process/ensure_arguments_not_contain_multiple_values.rego
index 83cdbe8ece..a994dbdde9 100644
--- a/security-policies/bundle/compliance/policy/process/ensure_arguments_not_contain_multiple_values.rego
+++ b/security-policies/bundle/compliance/policy/process/ensure_arguments_not_contain_multiple_values.rego
@@ -8,15 +8,15 @@ import future.keywords.if
 
 process_args := benchmark_data_adapter.process_args
 
-default rule_evaluation = true
+default rule_evaluation := true
 
-rule_evaluation = false if {
+rule_evaluation := false if {
 # Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)
 not process_common.arg_values_contains(process_args, "--enable-admission-plugins", "SecurityContextDeny")
 not process_common.arg_values_contains(process_args, "--enable-admission-plugins", "PodSecurityPolicy")
 }
 
-finding = result if {
+finding := result if {
 data_adapter.is_kube_apiserver
 
 # set result
diff --git a/security-policies/bundle/compliance/policy/process/ensure_arguments_not_contain_value_appropriate.rego b/security-policies/bundle/compliance/policy/process/ensure_arguments_not_contain_value_appropriate.rego
index 02afe8398d..02637f97d3 100644
--- a/security-policies/bundle/compliance/policy/process/ensure_arguments_not_contain_value_appropriate.rego
+++ b/security-policies/bundle/compliance/policy/process/ensure_arguments_not_contain_value_appropriate.rego
@@ -8,7 +8,7 @@ import future.keywords.if
 
 process_args := benchmark_data_adapter.process_args
 
-finding(entity, value) = result if {
+finding(entity, value) := result if {
 data_adapter.is_kube_apiserver
 
 # set result
@@ -21,4 +21,4 @@ finding(entity, value) = result if {
 rule_evaluation(entity, value) if {
 process_args[entity]
 not process_common.arg_values_contains(process_args, entity, value)
-} else = false
+} else := false
diff --git a/security-policies/bundle/compliance/policy/process/ensure_ciphers.rego b/security-policies/bundle/compliance/policy/process/ensure_ciphers.rego
index 3d894c80de..4c3d3541fc 100644
--- a/security-policies/bundle/compliance/policy/process/ensure_ciphers.rego
+++ b/security-policies/bundle/compliance/policy/process/ensure_ciphers.rego
@@ -34,6 +34,6 @@ finding(rule_evaluation) := lib_common.generate_result_without_expected(
 },
 )
 
-apiserver_filter = data_adapter.is_kube_apiserver
+apiserver_filter := data_adapter.is_kube_apiserver
 
-kubelet_filter = data_adapter.is_kubelet
+kubelet_filter := data_adapter.is_kubelet