Add some more example policies

trufflesecurity · Aug 17, 2023 · 449059c · 449059c
1 parent 65f066a
commit 449059c
Show file tree

Hide file tree

Showing 13 changed files with 48 additions and 0 deletions.
diff --git a/policy/gcp/cloud-sql-connect.rego b/policy/gcp/cloud-sql-connect.rego
@@ -0,0 +1,15 @@
+package cloud_sql_connect
+
+violation[{"msg": msg, "details": {"project": project, "actor": actor, "instance": instance}}] {
+	input.protoPayload.methodName == "cloudsql.instances.connect"
+
+	project = input.resource.labels.project_id
+	project == "example"
+
+    instance = input.resource.labels.database_id
+
+	actor = input.protoPayload.authenticationInfo.principalEmail
+	actor != "[email protected]"
+
+	msg = "unexpected connection to cloudsql instance"
+}
diff --git a/policy/gcp/firewall_rule_created.rego b/policy/gcp/firewall_rule_created.rego
@@ -0,0 +1,11 @@
+package firewall_rule_created
+
+violation[{"msg": msg, "details": {"project": project, "actor": actor, "name": name}}] {
+	input.protoPayload.request["@type"] == "type.googleapis.com/compute.firewalls.insert"
+
+	project = input.resource.labels.project_id
+	name = input.protoPayload.request.name
+	actor = input.protoPayload.authenticationInfo.principalEmail
+
+	msg = "firewall rule created"
+}
diff --git a/policy/gcp/gke-rbac-deny.rego b/policy/gcp/gke-rbac-deny.rego
@@ -0,0 +1,12 @@
+package gke_rbac_deny
+
+violation[{"msg": msg, "details": {"cluster": cluster, "actor": actor, "method": method}}] {
+	input.labels["authorization.k8s.io/decision"] == "deny"
+
+	project = input.resource.labels.project_id
+	actor = input.protoPayload.authenticationInfo.principalEmail
+	cluster = input.resource.labels.cluster_name
+	method = input.protoPayload.methodName
+
+	msg = "GKE RBAC deny"
+}
diff --git a/policy/gcp/mitre_collection.rego → policy/gcp/mitre/mitre_collection.rego b/policy/gcp/mitre_collection.rego → policy/gcp/mitre/mitre_collection.rego
diff --git a/policy/gcp/mitre_discovery.rego → policy/gcp/mitre/mitre_discovery.rego b/policy/gcp/mitre_discovery.rego → policy/gcp/mitre/mitre_discovery.rego
diff --git a/policy/gcp/mitre_evasion.rego → policy/gcp/mitre/mitre_evasion.rego b/policy/gcp/mitre_evasion.rego → policy/gcp/mitre/mitre_evasion.rego
diff --git a/policy/gcp/mitre_exfiltration.rego → policy/gcp/mitre/mitre_exfiltration.rego b/policy/gcp/mitre_exfiltration.rego → policy/gcp/mitre/mitre_exfiltration.rego
diff --git a/policy/gcp/mitre_impact.rego → policy/gcp/mitre/mitre_impact.rego b/policy/gcp/mitre_impact.rego → policy/gcp/mitre/mitre_impact.rego
diff --git a/policy/gcp/mitre_lateral_movement.rego → policy/gcp/mitre/mitre_lateral_movement.rego b/policy/gcp/mitre_lateral_movement.rego → policy/gcp/mitre/mitre_lateral_movement.rego
diff --git a/policy/gcp/mitre_persistence.rego → policy/gcp/mitre/mitre_persistence.rego b/policy/gcp/mitre_persistence.rego → policy/gcp/mitre/mitre_persistence.rego
diff --git a/policy/gcp/mitre_privilege_escalation.rego → ...gcp/mitre/mitre_privilege_escalation.rego b/policy/gcp/mitre_privilege_escalation.rego → ...gcp/mitre/mitre_privilege_escalation.rego
diff --git a/policy/gcp/service_account_keys.rego b/policy/gcp/service_account_keys.rego
@@ -0,0 +1,10 @@
+package service_account_keys
+
+violation[{"msg": msg, "details": {"actor": actor, "service_account": svcAcct}}] {
+	input.protoPayload.methodName == "google.iam.admin.v1.CreateServiceAccountKey"
+
+	svcAcct = input.resource.labels.email_id
+	actor = input.protoPayload.authenticationInfo.principalEmail
+
+	msg = "service account key created"
+}
diff --git a/policy/gcp/template.rego → policy/gcp/template.rego.example b/policy/gcp/template.rego → policy/gcp/template.rego.example