feat: add policy to oslogin is enabled for VMs (#406)
* Ensure oslogin is enabled for a Project * Fixed all test files and constraint name for compute-enable-os-login * added correct description * added description message for OSlogin * description message is updated in templates
1 parent
f797171
commit f42d51f
Showing
9 changed files
with
686 additions
and
0 deletions.
79 changes: 79 additions & 0 deletions
79
policies/templates/gcp_compute_enable_oslogin_project_v1.yaml
@@ -0,0 +1,79 @@ | ||
# Copyright 2021 Google LLC | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
# | ||
apiVersion: templates.gatekeeper.sh/v1alpha1 | ||
kind: ConstraintTemplate | ||
metadata: | ||
name: gcp-compute-enable-oslogin-project-v1 | ||
spec: | ||
crd: | ||
spec: | ||
names: | ||
kind: GCPComputeRequireOSLoginConstraintV1 | ||
validation: | ||
openAPIV3Schema: | ||
properties: {} | ||
|
||
targets: | ||
validation.gcp.forsetisecurity.org: | ||
rego: | #INLINE("validator/compute_enable_oslogin_project.rego") | ||
# | ||
# Copyright 2021 Google LLC | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
# | ||
package templates.gcp.GCPComputeRequireOSLoginConstraintV1 | ||
import data.validator.gcp.lib as lib | ||
deny[{ | ||
"msg": message, | ||
"details": metadata, | ||
}] { | ||
constraint := input.constraint | ||
lib.get_constraint_params(constraint, params) | ||
asset := input.asset | ||
asset.asset_type == "compute.googleapis.com/Instance" | ||
instance := asset.resource.data | ||
meta := lib.get_default(instance, "metadata", {"items": []}) | ||
key = "enable-oslogin" | ||
# check if key is available and values are as expected | ||
not metadata_enable_oslogin(meta) | ||
message := sprintf("On this resource %v Ensure that required key '%v' is present and value is true.", [asset.name, key]) | ||
metadata := {"resource": asset.name, "key_in_violation": key} | ||
} | ||
# All other cases for metadata items are violations | ||
default metadata_enable_oslogin(meta) = false | ||
# check for enable_oslogin under metadata items - no violation | ||
metadata_enable_oslogin(meta) { | ||
metadatum := meta.items[_] | ||
metadatum.key == "enable-oslogin" | ||
metadatum.value == "true" | ||
} | ||
#ENDINLINE |
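Review bot: The value test that closes `metadata_enable_oslogin` (`metadatum.value == "true"`) is case-sensitive, yet GCP's own documentation shows the key being set as `enable-oslogin=TRUE`, and the guest agent appears to treat the value case-insensitively, so an instance configured exactly as documented would be reported as a violation while actually having OS Login on. Compare case-insensitively, `lower(metadatum.value) == "true"`, and add a fixture instance carrying `"value": "TRUE"` to the compliant set so the test suite pins it. This block is the `#INLINE` copy of `validator/compute_enable_oslogin_project.rego`, so make the change in the `.rego` and regenerate the template rather than editing the copy here.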
@@ -0,0 +1,28 @@ | ||
# Copyright 2021 Google LLC | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
# | ||
apiVersion: constraints.gatekeeper.sh/v1alpha1 | ||
kind: GCPComputeRequireOSLoginConstraintV1 | ||
metadata: | ||
name: compute-enable-oslogin-project | ||
annotations: | ||
bundles.validator.forsetisecurity.org/cis-v1.1: 4.04 | ||
description: Verifies that all VMs in a project have OS login enabled. | ||
|
||
spec: | ||
severity: high | ||
match: | ||
gcp: | ||
target: ["organization/*"] | ||
parameters: {} |
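Review bot: The `description` overstates what this constraint enforces: the template it binds (`GCPComputeRequireOSLoginConstraintV1`) inspects only `compute.googleapis.com/Instance` assets and their instance-level metadata, so a project that enables OS Login through project-wide metadata is never examined, and each of its instances that merely inherits that setting (no `enable-oslogin` item of its own) is reported as a violation. That is a stricter, per-instance reading of CIS 4.04 than the annotation and the text suggest, and operators of compliant projects will see false positives they cannot clear without touching every instance. State the actual scope, e.g. `description: Verifies that every VM instance explicitly sets the enable-oslogin metadata key to true. Project-level metadata is not consulted, so instances that only inherit the project setting are reported.`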
@@ -0,0 +1,48 @@ | ||
# | ||
# Copyright 2021 Google LLC | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
# | ||
|
||
package templates.gcp.GCPComputeRequireOSLoginConstraintV1 | ||
|
||
import data.validator.gcp.lib as lib | ||
|
||
deny[{ | ||
"msg": message, | ||
"details": metadata, | ||
}] { | ||
constraint := input.constraint | ||
lib.get_constraint_params(constraint, params) | ||
asset := input.asset | ||
asset.asset_type == "compute.googleapis.com/Instance" | ||
instance := asset.resource.data | ||
meta := lib.get_default(instance, "metadata", {"items": []}) | ||
key = "enable-oslogin" | ||
|
||
# check if key is available and values are as expected | ||
not metadata_enable_oslogin(meta) | ||
|
||
message := sprintf("On this resource %v Ensure that required key '%v' is present and value is true.", [asset.name, key]) | ||
metadata := {"resource": asset.name, "key_in_violation": key} | ||
} | ||
|
||
# All other cases for metadata items are violations | ||
default metadata_enable_oslogin(meta) = false | ||
|
||
# check for enable_oslogin under metadata items - no violation | ||
metadata_enable_oslogin(meta) { | ||
metadatum := meta.items[_] | ||
metadatum.key == "enable-oslogin" | ||
metadatum.value == "true" | ||
} |
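Review bot: The key name is spelled out twice — `key = "enable-oslogin"` in the `deny` body and again as the literal in `metadatum.key == "enable-oslogin"` — so the value the message reports and the value the helper actually checks can silently drift apart; hoist a single package-level `oslogin_key := "enable-oslogin"` and reference it from both places. The `deny` body also binds `params` via `lib.get_constraint_params(constraint, params)` without using it, which `opa check --strict` will reject. Since the rule reads only the instance asset, a reader can easily assume it honours the project-level setting; a header comment above `deny` along the lines of `# Only instance-level metadata is visible here; project-level enable-oslogin is not consulted, so an instance that inherits the project setting without setting the key itself is reported.` would make the intended scope explicit.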
@@ -0,0 +1,60 @@ | ||
# | ||
# Copyright 2021 Google LLC | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
# | ||
package templates.gcp.GCPComputeRequireOSLoginConstraintV1 | ||
|
||
import data.validator.gcp.lib as lib | ||
import data.validator.test_utils as test_utils | ||
|
||
# Importing the test data | ||
import data.test.fixtures.compute_enable_oslogin.assets.compute.instance_no_violation as fixture_compute_instance_no_violation | ||
import data.test.fixtures.compute_enable_oslogin.assets.compute.instance_violation as fixture_compute_instance_violation | ||
import data.test.fixtures.compute_enable_oslogin.assets.compute.no_instances as fixture_compute_no_instance | ||
import data.test.fixtures.compute_enable_oslogin.assets.compute.no_metadata as fixture_compute_instance_no_metadata | ||
|
||
import data.test.fixtures.compute_enable_oslogin.constraints as fixture_constraint | ||
|
||
template_name := "GCPComputeRequireOSLoginConstraintV1" | ||
|
||
#### Testing for GCE instances | ||
|
||
#1. No instances at all | ||
test_enable_oslogin_project_compute_no_instances { | ||
expected_resource_names := {"//dns.googleapis.com/projects/186783260185/managedZones/correct"} | ||
test_utils.check_test_violations_count(fixture_compute_no_instance, [fixture_constraint], template_name, 1) | ||
} | ||
|
||
#2. One instance with correct key | ||
test_enable_oslogin_project_compute_instance_no_violations { | ||
expected_resource_names := {"//compute.googleapis.com/projects/my-test-project/zones/us-central1-f/instances/test-jumphost"} | ||
test_utils.check_test_violations_count(fixture_compute_instance_no_violation, [fixture_constraint], template_name, 1) | ||
} | ||
|
||
#3. One instance without correct key | ||
test_enable_oslogin_project_compute_instance_violations { | ||
expected_resource_names := {"//compute.googleapis.com/projects/my-test-project/zones/us-central1-f/instances/test-jumphost-violation"} | ||
test_utils.check_test_violations_count(fixture_compute_instance_violation, [fixture_constraint], template_name, 1) | ||
} | ||
|
||
#4. An instance without metadata configured at all (metadata_config doesn't exist). | ||
test_enable_oslogin_project_compute_instance_no_metadata { | ||
expected_resource_names := {"//compute.googleapis.com/projects/my-test-project/zones/us-central1-f/instances/test-jumphost"} | ||
expected_field_name := "key_in_violation" | ||
expected_field_values := {"enable-oslogin"} | ||
test_utils.check_test_violations_count(fixture_compute_instance_no_metadata, [fixture_constraint], template_name, 1) | ||
test_utils.check_test_violations_resources(fixture_compute_instance_no_metadata, [fixture_constraint], template_name, expected_resource_names) | ||
test_utils.check_test_violations_signature(fixture_compute_instance_no_metadata, [fixture_constraint], template_name) | ||
test_utils.check_test_violations_metadata(fixture_compute_instance_no_metadata, [fixture_constraint], template_name, expected_field_name, expected_field_values) | ||
} |
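Review bot: Tests 1–3 each bind `expected_resource_names` and then never use it — only `check_test_violations_count` runs — so a regression that flags the wrong instance while keeping the count at 1 passes all three. Test 1 is also suspect on its own terms: it is labelled "No instances at all" yet expects 1 violation, and its expected name is a DNS managed zone, which looks copied from another test given that the rule only emits violations for `compute.googleapis.com/Instance` assets; either the `no_instances` fixture (not visible here) contains an instance or the expectation should be 0. Add `test_utils.check_test_violations_resources(fixture, [fixture_constraint], template_name, expected_resource_names)` to each of the first three tests, as test 4 already does, and correct test 1's expectation once the fixture has been checked.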
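--- a/...dator/test/fixtures/compute_enable_oslogin/assets/compute/instance_no_violation/data.json
+++ b/...dator/test/fixtures/compute_enable_oslogin/assets/compute/instance_no_violation/data.json
@@ -0,0 +1,163 @@
+[
+{
+"name": "//compute.googleapis.com/projects/my-test-project/zones/us-central1-f/instances/test-jumphost",
+"asset_type": "compute.googleapis.com/Instance",
+"ancestry_path": "organization/614830067722/folder/561421552790/project/my-test-project",
+"resource": {
+"version": "v1",
+"discovery_document_uri": "https://www.googleapis.com/discovery/v1/apis/compute/v1/rest",
+"discovery_name": "Instance",
+"parent": "//cloudresourcemanager.googleapis.com/projects/my-test-project",
+"data": {
+"canIpForward": false,
+"deletionProtection": false,
+"disks": [{
+"autoDelete": true,
+"boot": true,
+"initializeParams": {
+"diskSizeGb": "20",
+"diskType": "projects/my-test-project/zones/us-central1-f/diskTypes/pd-standard",
+"sourceImage": "projects/centos-cloud/global/images/centos-8-v20210512"
+},
+"mode": "READ_WRITE"
+}],
+"displayDevice": {
+"enableDisplay": false
+},
+"machineType": "projects/my-test-project/zones/us-central1-f/machineTypes/e2-micro",
+"metadata": {
+"items": [{
+"key": "block-project-ssh-keys",
+"value": "true"
+}, {
+"key": "enable-oslogin",
+"value": "true"
+}, {
+"key": "environment",
+"value": "dev"
+}, {
+"key": "name",
+"value": "test-jumphost"
+}, {
+"key": "serial-port-enable",
+"value": "false"
+}, {
+"key": "startup-script",
+"value": "echo instance created through terraform \u003e /readme.txt"
+}]
+},
+"name": "test-jumphost",
+"networkInterfaces": [{
+"accessConfigs": [{
+"type": "ONE_TO_ONE_NAT"
+}],
+"subnetwork": "projects/my-test-project/regions/us-central1/subnetworks/primary-dmz-subnet"
+}],
+"scheduling": {
+"automaticRestart": true
+},
+"serviceAccounts": [{
+"email": "default",
+"scopes": ["https://www.googleapis.com/auth/cloud-platform"]
+}],
+"shieldedInstanceConfig": {
+"enableIntegrityMonitoring": true,
+"enableSecureBoot": false,
+
+"enableVtpm": true
+},
+"tags": {
+"items": ["ingress-inet", "egress-inet"]
+}
+}
+}
+},
+{
+"name": "//compute.googleapis.com/projects/my-test-project/zones/us-central1-f/instances/test-jumphost-violation",
+"asset_type": "compute.googleapis.com/Instance",
+"ancestry_path": "organization/614830067722/folder/561421552790/project/my-test-project",
+"resource": {
+"version": "v1",
+"discovery_document_uri": "https://www.googleapis.com/discovery/v1/apis/compute/v1/rest",
+"discovery_name": "Instance",
+"parent": "//cloudresourcemanager.googleapis.com/projects/my-test-project",
+"data": {
+"canIpForward": false,
+"deletionProtection": false,
+"disks": [
+{
+"autoDelete": true,
+"boot": true,
+"initializeParams": {
+"diskSizeGb": "20",
+"diskType": "projects/my-test-project/zones/us-central1-f/diskTypes/pd-standard",
+"sourceImage": "projects/centos-cloud/global/images/centos-8-v20210512"
+},
+"mode": "READ_WRITE"
+}
+],
+"displayDevice": {
+"enableDisplay": false
+},
+"machineType": "projects/my-test-project/zones/us-central1-f/machineTypes/e2-micro",
+"metadata": {
+"items": [
+{
+"key": "enable-oslogin",
+"value": "false"
+},
+{
+"key": "environment",
+"value": "dev"
+},
+{
+"key": "name",
+"value": "test-jumphost-violation"
+},
+{
+"key": "serial-port-enable",
+"value": "false"
+},
+{
+"key": "startup-script",
+"value": "echo instance created through terraform \u003e /readme.txt"
+}
+]
+},
+"name": "test-jumphost-violation",
+"networkInterfaces": [
+{
+"accessConfigs": [
+{
+"type": "ONE_TO_ONE_NAT"
+}
+],
+"subnetwork": "projects/my-test-project/regions/us-central1/subnetworks/primary-dmz-subnet"
+}
+],
+"scheduling": {
+"automaticRestart": true
+},
+"serviceAccounts": [
+{
+"email": "default",
+"scopes": [
+"https://www.googleapis.com/auth/cloud-platform"
+]
+}
+],
+"shieldedInstanceConfig": {
+"enableIntegrityMonitoring": true,
+"enableSecureBoot": false,
+"enableVtpm": true
+},
+"tags": {
+"items": [
+"ingress-inet",
+"egress-inet"
+]
+}
+}
+}
+}
+]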
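Review bot: This fixture is named `instance_no_violation`, but its second asset, `test-jumphost-violation`, carries `"key": "enable-oslogin", "value": "false"`, so the test that consumes it (`test_enable_oslogin_project_compute_instance_no_violations`) has to assert one violation instead of zero and no longer exercises the clean path in isolation — a regression that started flagging the compliant `test-jumphost` too would only be caught if the count moved. Keep only the compliant `test-jumphost` asset here, move the violating one into the `instance_violation` fixture (which by its name already holds that case), and set the no-violation test's expected count to 0. The two assets are also formatted differently (compact `[{` arrays in the first, one-element-per-line in the second); normalising them would make future fixture diffs easier to read.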