Rules Index¶
CI/CD - Supply Chain¶
Cloud Misconfigurations¶
AWS Infrastructure¶
| Name | Id | Description |
|---|---|---|
| AWS Athena Encryption Off | aws-athena-encryption-off | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption |
| AWS Cloudtrail All Regions | aws-cloudtrail-all-regions | Ensure CloudTrail is enabled in all Regions |
| AWS Cloudtrail Validation Off | aws-cloudtrail-validation-off | Ensure CloudTrail log file validation is enabled |
| AWS Cloudwatch Log Retention | aws-cloudwatch-log-retention | Ensure cloudwatch log groups specify retention days |
| AWS Database Backup Off | aws-db-backup-off | Ensure that database backup is enabled |
| AWS Database No Version Upgrade | aws-db-no-version-upgrade | Ensured that database auto-upgrade is enabled |
| AWS EC2 Public IP | aws-ec2-public-ip | EC2 instance should not have public IP. |
| AWS ECR Scanning Off | aws-ecr-scanning-off | Ensure ECR image scanning on push is enabled |
| AWS ECR Tags Mutable | aws-ecr-tags-mutable | Ensure ECR Image Tags are immutable |
| AWS ECS Container Insights Off | aws-ecs-container-insights-off | Ensure container insights are enabled on ECS cluster |
| AWS IAM Password Policy | aws-iam-password-policy | Ensure that IAM password policy has sufficient complexity based on industry best practices |
| AWS IAM Policy Lax Full Admin | aws-iam-policy-lax-full-admin | Ensure IAM policies that allow full "*-*" administrative privileges are not created |
| AWS IAM Policy On Users | aws-iam-policy-on-users | Ensure IAM policies are attached only to groups or roles |
| AWS IAM Wildcard Actions | aws-iam-wildcard-actions | Ensure no IAM policies documents allow "*" as a statement's actions |
| AWS KMS Key Rotation | aws-kms-key-rotation | Ensure rotation for customer created CMKs is enabled |
| AWS Load Balancer Allow Invalid Headers | aws-lb-allow-invalid-headers | Ensure that the load balancer drops invalid HTTP headers |
| AWS Legacy Instance Meta | aws-legacy-instance-meta | Ensure Instance Metadata Service Version 1 is not enabled |
| AWS Network Https Off | aws-network-https-off | Ensure the the networking resource enforces the use of HTTPS |
| AWS Network Insecure TLS | aws-network-insecure-tls | Ensure that load balancer is using TLS 1.2 |
| AWS Network Public RDP | aws-network-public-rdp | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (RDP) |
| AWS Network Public SSH | aws-network-public-ssh | Ensure that the resource or security group allow ingress from 0.0.0.0:0 to port 22 (SSH) |
| AWS S3 Logging Off | aws-resource-logging-off | Ensure that the resource has some form of audit logging enabled to help with forensics |
| AWS Resource Outside VPC | aws-resource-outside-vpc | Ensure that the resource is configured inside a VPC |
| AWS Resource Public Access | aws-resource-public-access | Ensure that all data stored in the managed service is not publicly accessible |
| AWS Resource Public Policy | aws-resource-public-policy | Ensure that the resource policy is not set to public |
| AWS Resource Unencrypted At Rest | aws-resource-unencrypted-at-rest | Ensure that all data stored in the managed service is securely encrypted at rest |
| AWS Resource Unencrypted In Transit | aws-resource-unencrypted-in-transit | Ensure that data going to and from the managed service is securely encrypted at transit |
| AWS S3 Public Access | aws-s3-public-access | Ensure the S3 bucket does not allow Read or Write permissions to anyone on the Internet |
| AWS S3 Public Policy | aws-s3-public-policy | Ensure S3 bucket does not allow an action with any Principal (i.e. anyone on the Internet) |
| AWS S3 Unencrypted At Rest | aws-s3-unencrypted-at-rest | Ensure all data stored in the S3 bucket is securely encrypted at rest |
| AWS VPC Assign Public Ip | aws-vpc-assign-public-ip | Ensure VPC subnets do not assign public IP by default |
| AWS VPC Endpoint Auto Accept | aws-vpc-endpoint-auto-accept | Ensure that VPC Endpoint Service is configured for Manual Acceptance |
Azure Infrastructure¶
| Name | Id | Description |
|---|---|---|
| Azure AKS Api Iprange | azure-aks-api-iprange | Ensure AKS has an API Server Authorized IP Ranges enabled |
| Azure AKS Logging Enable | azure-aks-logging-enable | Ensure AKS logging to Azure Monitoring is Configured |
| Azure AKS Networkpolicy | azure-aks-networkpolicy | Ensure AKS cluster has Network Policy configured |
| Azure AKS Private Cluster | azure-aks-private-cluster | Ensure that AKS enables private clusters |
| Azure AKS RBAC Enabled | azure-aks-rbac-enabled | Ensure RBAC is enabled on AKS clusters |
| Azure App Service Ad Enabled | azure-appsvc-ad-enabled | Ensure that Register with Azure Active Directory is enabled on App Service |
| Azure App Service Auth Enabled | azure-appsvc-auth-enabled | Ensure App Service Authentication is set on Azure App Service |
| Azure App Service Cors Restrictive | azure-appsvc-cors-restrictive | Ensure that CORS disallows every resource to access app services |
| Azure App Service Disable Debug | azure-appsvc-disable-debug | Ensure that remote debugging is not enabled for app services |
| Azure App Service FTP Disabled | azure-appsvc-ftp-disabled | Ensure FTP deployments are disabled |
| Azure App Service HTTP Redirect | azure-appsvc-http-redirect | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service |
| Azure App Service HTTP TLS Version | azure-appsvc-http-tls-version | Ensure web app is using the latest version of TLS encryption |
| Azure App Service Http Version | azure-appsvc-http-version | Ensure that 'HTTP Version' is the latest if used to run the web app |
| Azure Automation Variable Encrypted | azure-automn-variable-encrypted | Ensure that Automation account variables are encrypted |
| Azure Batch Keyvault | azure-batch-keyvault | Ensure that Azure Batch account uses key vault to encrypt data |
| Azure Dashboard Disable | azure-dashboard-disable | Ensure Kube Dashboard is disabled |
| Azure Database Audit Enabled | azure-db-audit-enabled | Ensure that 'Auditing' is set to 'On' for SQL servers |
| Azure Database Audit Retention | azure-db-audit-retention | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers |
| Azure Database Public Ingress | azure-db-public-ingress | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) |
| Azure Function App Auth Enabled | azure-funcapp-auth-enabled | Ensure that function apps enables Authentication |
| Azure Function App Http Version | azure-funcapp-http-version | Ensure that 'HTTP Version' is the latest, if used to run the Function app |
| Azure Function App Https Only | azure-funcapp-https-only | Ensure that Function apps is only accessible over HTTPS |
| Azure Machine Scaleset Auth | azure-machine-scaleset-auth | Ensure Azure linux scale set does not use basic authentication |
| Azure Machine Scaleset Encrypt | azure-machine-scaleset-encrypt | Ensure that Virtual machine scale sets have encryption at host enabled |
| Azure Machine Sensitive Data | azure-machine-sensitive-data | Ensure that no sensitive credentials are exposed in VM custom_data |
| Azure MariaDB Public Ingress | azure-mariadb-public-ingress | Ensure 'public network access enabled' is set to 'False' for MariaDB servers |
| Azure MariaDB SSL Enabled | azure-mariadb-ssl-enabled | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers |
| Azure Monitor Audit Activities | azure-monitor-audit-activities | Ensure audit profile captures all the activities |
| Azure Monitor Log Retention | azure-monitor-log-retention | Ensure that Activity Log Retention is set 365 days or greater |
| Azure MSSQL Audit Retention | azure-mssql-audit-retention | Ensure an audit log retention period greater than 90 days. |
| Azure MSSQL Email Service | azure-mssql-email-service | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers |
| Azure MSSQL Send Alerts | azure-mssql-send-alerts | Ensure that 'Send Alerts To' is enabled for MSSQL servers |
| Azure MSSQL Threat Types | azure-mssql-threat-types | Ensure that 'Threat Detection types' is set to 'All' |
| Azure MSSQL TLS Version | azure-mssql-tls-version | Ensure MSSQL is using the latest version of TLS encryption |
| Azure MySQL Enforce SSL | azure-mysql-enforce-ssl | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server |
| Azure MySQL Public Ingress | azure-mysql-public-ingress | Ensure 'public network access enabled' is set to 'False' for mySQL servers |
| Azure MySQL Tls Version | azure-mysql-tls-version | Ensure MySQL is using the latest version of TLS encryption |
| Azure Network Log Retention | azure-network-log-retention | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' |
| Azure Network Public RDP | azure-network-public-rdp | Ensure that RDP access is restricted from the internet |
| Azure Network Public UDP | azure-network-public-udp | Ensure that UDP Services are restricted from the Internet |
| Azure PSQL Enforce SSL | azure-psql-enforce-ssl | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server |
| Azure PSQL Param Conn Throttling | azure-psql-param-conn-throttling | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server |
| Azure PSQL Public Ingress | azure-psql-public-ingress | Ensure that PostgreSQL server disables public network access |
| Azure Security Center Email Alerts | azure-seccntr-email-alerts | Ensure that 'Send email notification for high severity alerts' is set to 'On' |
| Azure Storage Public Access | azure-storage-public-access | Ensure that 'Public access level' is set to Private for blob containers |
| Azure Storage Public Ingress | azure-storage-public-ingress | Ensure default network access rule for Storage Accounts is set to deny |
| Azure Storage Secure Transfer | azure-storage-secure-xfer | Ensure that 'Secure transfer required' is set to 'Enabled' |
| Azure Storage TLS Version | azure-storage-tls-version | Ensure Storage Account is using the latest version of TLS encryption |
| Azure Storage Trusted Microsoft Service | azure-storage-trust-msft | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access |
| Azure Storage Sync Public Ingress | azure-storsync-public-ingress | Ensure that Azure File Sync disables public network access |
| Azure Vault Allow Firewall | azure-vault-allow-firewall | Ensure that key vault allows firewall rules settings |
| Azure Vault Key Expiry | azure-vault-key-expiry | Ensure that the expiration date is set on all keys |
| Azure Vault Purge Protection | azure-vault-purge-protection | Ensure that key vault enables purge protection |
| Azure Vault Secret Expiry | azure-vault-secret-expiry | Ensure that the expiration date is set on all secrets |
GCP Infrastructure¶
| Name | Id | Description |
|---|---|---|
| GCP BigQuery Anonymous Or Publicly Accessible | gcp-bq-anon-or-public | Ensure that BigQuery datasets are not anonymously or publicly accessible |
| GCP GCE Default Service Account | gcp-gce-default-svcacct | Ensure that instances are not configured to use the default service account |
| GCP GCE Firewall Unrestricted RDP Access | gcp-gce-fw-public-rdp | Ensure Google compute firewall ingress does not allow unrestricted rdp access |
| GCP GCE Firewall Public SSH Access | gcp-gce-fw-public-ssh | Ensure Google compute firewall ingress does not allow unrestricted ssh access |
| GCP GCE IP Forwarding On | gcp-gce-ip-fwd-on | Ensure that IP forwarding is not enabled on Instances |
| GCP GCE Instance Public IP | gcp-gce-public-ip | Ensure that Compute instances do not have public IP addresses |
| GCP GCE Serialport On | gcp-gce-serialport-on | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance |
| GCP GCS Anon Or Public Access | gcp-gcs-anon-or-public | Ensure that Cloud Storage bucket is not anonymously or publicly accessible |
| GCP GCS Access Logs Off | gcp-gcs-logs-off | Bucket should log access |
| GCP IAM Service Account Admin Role | gcp-iam-svcacct-admin-role | Ensure that Service Account has no Admin privileges |
| GCP IAM Service Account Allow Sudo | gcp-iam-svcacct-allo-sudo | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level |
| GCP K8S Basic Auth On | gcp-k8s-basic-auth-on | Ensure GKE basic auth is disabled |
| GCP K8S Legacy Instance Metadata On | gcp-k8s-legacy-instance-metadata-on | Ensure legacy Compute Engine instance metadata APIs are Disabled |
| GCP K8S Legacy RBAC On | gcp-k8s-legacy-rbac-on | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters |
| GCP K8S Metadata Server Off | gcp-k8s-metadata-server-off | Ensure the GKE Metadata Server is Enabled |
| GCP K8S Stackdriver Monitor Off | gcp-k8s-stackdriver-monitor-off | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters |
| GCP K8S Strackdriver Logs Off | gcp-k8s-strackdriver-logs-off | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters |
| GCP KMS Bad Key Rotation | gcp-kms-bad-key-rotation | Ensure KMS encryption keys are rotated within a period of 90 days |
| GCP Load Balancer Weak SSL Ciphers | gcp-lb-ssl-weak-ciphers | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites |
| GCP Default Service Account in Project | gcp-res-man-default-svcacct | Ensure Default Service account is not used at a project level |
| GCP Cloud SQL Backup Disabled | gcp-sql-backup-off | Ensure all Cloud SQL database instance have backup configuration enabled |
| GCP MySQL Local_Infile On | gcp-sql-mysql-local_infile-on | Ensure MySQL database 'local_infile' flag is set to 'off' |
| GCP Cloud SQL Public Access | gcp-sql-public-access | Ensure that Cloud SQL database Instances are not open to the world |
| GCP Cloud SQL Public IP | gcp-sql-public-ip | Ensure SQL database do not have public IP |
| GCP SQL SSL Disabled | gcp-sql-ssl-off | Ensure all Cloud SQL database instance requires all incoming connections to use SSL |
Kubernetes (K8S)¶
| Name | Id | Description |
|---|---|---|
| K8S Dashboard Present | k8s-dashboard-present | Ensure the Kubernetes dashboard is not deployed |
| K8S Docker Daemon | k8s-docker-daemon | Do not expose the docker daemon socket to containers |
| K8S Host Namespace | k8s-host-namespace | Containers should not share the host namespaces |
| K8S Immutable Image | k8s-immutable-image | Image Tag should be fixed - not latest or blank |
| K8S Podsecuritypolicy Defined | k8s-podsecuritypolicy-defined | Ensure that if a Pod Security Policy exists, it enforces best practices. |
| K8S Rbac Wildcards | k8s-rbac-wildcards | Minimize wildcard use in Roles and ClusterRoles |
| K8S Resources Defined | k8s-resources-defined | CPU, Memory requests and limit should be set |
| K8S Securitycontext Capabilities | k8s-securitycontext-capabilities | Minimize the admission of containers with added capability |
| K8S Securitycontext Defined | k8s-securitycontext-defined | Apply security context to your pods and containers |
| K8S Securitycontext Privileged | k8s-securitycontext-privileged | Container should not be privileged |
| K8S Serviceaccount Default | k8s-serviceaccount-default | Ensure that default service accounts are not actively used |
| K8S Tiller Present | k8s-tiller-present | Ensure that Tiller (Helm v2) is not deployed |
X509 Certficiates¶
| Name | Id | Description |
|---|---|---|
| Cert Expired | x509-cert-expired | x509 certificate has expired and is no longer valid |
| Cert Expires Soon | x509-cert-expires-soon | x509 certificate will expire in the near future |
| Cert Insecure Signing Algorithm | x509-cert-insecure-signing-algorithm | x509 certificate uses a weak cryptographic algorithm |
| Cert Insufficient Key Length | x509-cert-insufficient-key-length | x509 certificate Public Key length that is considered insecure. |