Merge pull request #1030 from vishnusomank/cis

[Update] CIS Linux policies
kubearmor · Jan 12, 2023 · b827a50 · b827a50
2 parents 3ae5d88 + 2a81bf9
commit b827a50
Show file tree

Hide file tree

Showing 15 changed files with 364 additions and 8 deletions.
diff --git a/MySQL/system/metadata.yaml b/MySQL/system/metadata.yaml
@@ -1,4 +1,4 @@
-version: v0.1.7
+version: v0.1.8
 policyRules:
 - name: user-grp-mod
   precondition: 

diff --git a/elastic/system/metadata.yaml b/elastic/system/metadata.yaml
@@ -1,4 +1,4 @@
-version: v0.1.7
+version: v0.1.8
 policyRules:
 - name: elasticsearch-indices-dir
   precondition: 

diff --git a/generic/system/ksp-cis-audit-file-system-mounts.yaml b/generic/system/ksp-cis-audit-file-system-mounts.yaml
@@ -0,0 +1,23 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+  name: ksp-cis-audit-file-system-mounts
+spec:
+  selector:
+    matchLabels:
+      app: wordpress  
+  action: Audit
+  process:
+    matchPaths:
+    - path: /bin/mount
+    - path: /usr/bin/mount
+    - path: /bin/umount
+    - path: /usr/bin/umount
+  message: Alert! file system mount detected
+  severity: 5
+  tags: 
+    - CIS
+    - CIS_Linux
+    - CIS_4_Logging_and_Aduditing
+    - CIS_4.1.1_Data_Retention
+    - CIS_4.1.14_file_system_mount
diff --git a/generic/system/ksp-cis-commandline-warning-banner.yaml b/generic/system/ksp-cis-commandline-warning-banner.yaml
@@ -0,0 +1,24 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+  name: ksp-cis-commandline-warning-banner
+spec:
+  selector:
+    matchLabels:
+      app: wordpress  
+  action: Block
+  file:
+    matchPaths:
+    - path: /etc/motd
+      readOnly: true
+    - path: /etc/issue
+      readOnly: true
+    - path: /etc/issue.net
+      readOnly: true
+  message: Alert! write to warning banner file for standard command line login detected
+  severity: 5
+  tags: 
+    - CIS
+    - CIS_Linux
+    - CIS_1.7_Warning_Banners
+    - CIS_1.7.1_Command_Line_Warning_Banners
diff --git a/generic/system/ksp-cis-deny-access-control-permission-modification.yaml b/generic/system/ksp-cis-deny-access-control-permission-modification.yaml
@@ -0,0 +1,23 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+  name: ksp-cis-deny-access-control-permission-modification
+spec:
+  selector:
+    matchLabels:
+      app: wordpress  
+  action: Block
+  process:
+    matchPaths:
+    - path: /usr/bin/chmod
+    - path: /usr/bin/chown
+    - path: /bin/chmod
+    - path: /bin/chown
+  message: Alert! access control permission modification detected
+  severity: 5
+  tags: 
+    - CIS
+    - CIS_Linux
+    - CIS_4_Logging_and_Aduditing
+    - CIS_4.1.1_Data_Retention
+    - CIS_4.1.11_system_access_control_permission
diff --git a/generic/system/ksp-cis-deny-changes-to-system-administration-scope.yaml b/generic/system/ksp-cis-deny-changes-to-system-administration-scope.yaml
@@ -0,0 +1,21 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+  name: ksp-cis-deny-changes-to-system-administration-scope
+spec:
+  selector:
+    matchLabels:
+      app: wordpress  
+  action: Block
+  file:
+    matchPaths:
+    - path: /etc/sudoers
+      readOnly: true
+  message: Alert! Modification to changes to system administration scope detected
+  severity: 5
+  tags: 
+    - CIS
+    - CIS_Linux
+    - CIS_4_Logging_and_Aduditing
+    - CIS_4.1.1_Data_Retention
+    - CIS_4.1.16_system_administration_scope
diff --git a/generic/system/ksp-cis-deny-modification-of-system-files.yaml b/generic/system/ksp-cis-deny-modification-of-system-files.yaml
@@ -0,0 +1,36 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+  name: ksp-cis-deny-modification-of-system-files
+spec:
+  selector:
+    matchLabels:
+      app: wordpress  
+  action: Block
+  file:
+    matchPaths:
+    - path: /etc/group
+      readOnly: true
+    - path: /etc/group-
+      readOnly: true
+    - path: /etc/gshadow
+      readOnly: true
+    - path: /etc/gshadow-
+      readOnly: true
+    - path: /etc/passwd
+      readOnly: true
+    - path: /etc/passwd-
+      readOnly: true
+    - path: /etc/shadow
+      readOnly: true
+    - path: /etc/shadow-
+      readOnly: true
+    - path: /etc/shadow-
+      readOnly: true
+  message: Alert! System file modification detected
+  severity: 2
+  tags: 
+    - CIS
+    - CIS_Linux
+    - CIS_6_System_Maintenance
+    - CIS_6.1_System_File_Permissions
diff --git a/generic/system/ksp-cis-deny-modification-to-system-mandatory-access-controls.yaml b/generic/system/ksp-cis-deny-modification-to-system-mandatory-access-controls.yaml
@@ -0,0 +1,28 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+  name: ksp-cis-deny-modification-to-system-mandatory-access-controls
+spec:
+  selector:
+    matchLabels:
+      app: wordpress  
+  action: Block
+  file:
+    matchDirectories:
+    - dir: /etc/selinux/
+      readOnly: true
+      recursive: true
+    - dir: /etc/apparmor/
+      readOnly: true
+      recursive: true
+    - dir: /etc/apparmor.d/
+      readOnly: true
+      recursive: true
+  message: Alert! Modification to system mandatory access controls detected
+  severity: 5
+  tags: 
+    - CIS
+    - CIS_Linux
+    - CIS_4_Logging_and_Aduditing
+    - CIS_4.1.1_Data_Retention
+    - CIS_4.1.8_system_mandatory_access_controls
diff --git a/generic/system/ksp-cis-deny-modification-to-system-network-env.yaml b/generic/system/ksp-cis-deny-modification-to-system-network-env.yaml
@@ -0,0 +1,27 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+  name: ksp-cis-deny-modification-to-system-network-env
+spec:
+  selector:
+    matchLabels:
+      app: wordpress  
+  action: Block
+  file:
+    matchPaths:
+    - path: /etc/issue
+      readOnly: true
+    - path: /etc/issue.net
+      readOnly: true
+    - path: /etc/hosts
+      readOnly: true
+    - path: /etc/sysconfig/network
+      readOnly: true
+  message: Alert! Modification to system network files detected
+  severity: 5
+  tags: 
+    - CIS
+    - CIS_Linux
+    - CIS_4_Logging_and_Aduditing
+    - CIS_4.1.1_Data_Retention
+    - CIS_4.1.7_system_network_environment
diff --git a/generic/system/ksp-cis-deny-service-clients.yaml b/generic/system/ksp-cis-deny-service-clients.yaml
@@ -0,0 +1,21 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+  name: ksp-cis-deny-service-clients
+spec:
+  selector:
+    matchLabels:
+      app: wordpress  
+  action: Block
+  process:
+    matchPaths:
+    - path: /usr/bin/talk
+    - path: /usr/bin/telnet
+    - path: /bin/talk
+    - path: /bin/telnet
+  message: Alert! insecure service client binaries invoked
+  severity: 5
+  tags: 
+    - CIS
+    - CIS_Linux
+    - CIS_2.3_Service_Clients
diff --git a/generic/system/ksp-file-integrity-monitoring.yaml b/generic/system/ksp-file-integrity-monitoring.yaml
@@ -4,7 +4,7 @@ metadata:
   name: file-integrity-monitoring
   namespace: default
 spec:
-  tags: ["NIST", "NIST_800-53_AU-2", "NIST_800-53_SI-4" , "MITRE", "MITRE_T1036_masquerading"]
+  tags: ["NIST", "NIST_800-53_AU-2", "NIST_800-53_SI-4" , "MITRE", "MITRE_T1036_masquerading", "MITRE_T1565_data_manipulation"]
   message: "Detected and prevented compromise to File integrity"
   severity: 1
   selector:

diff --git a/generic/system/ksp-nist-si-4-detect-access-to-cron-job-files.yaml b/generic/system/ksp-nist-si-4-detect-access-to-cron-job-files.yaml
@@ -8,7 +8,7 @@ metadata:
   name: ksp-nist-si-4-detect-access-to-cron-job-files
   namespace: default # Change your namespace
 spec:
-  tags: ["NIST", "SI-4","NIST_800-53_SI-4"]
+  tags: ["NIST", "SI-4","NIST_800-53_SI-4","CIS","CIS_Linux","CIS_5.1_Configure_Cron"]
   message: "Alert! Access to cron job files/directories detected."
   selector:
     matchLabels: