add first drop of gcp policies

pkg/policies/opa/rego/gcp/github_repository/accurics.gcp.IAM.145.json

@@ -0,0 +1,10 @@
+{
+    "name": "privateRepoEnabled",
+    "file": "privateRepoEnabled.rego",
+    "templateArgs": null,
+    "severity": "MEDIUM",
+    "description": "Repository is Not Private.",
+    "referenceId": "accurics.gcp.IAM.145",
+    "category": "Identity \u0026 Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/gcp/github_repository/privateRepoEnabled.rego

@@ -0,0 +1,7 @@
+package accurics
+
+privateRepoEnabled[api.id]
+{
+    api := input.github_repository[_]
+    not api.config.private == true
+}

pkg/policies/opa/rego/gcp/google_bigquery_dataset/accurics.gcp.IAM.106.json

@@ -0,0 +1,10 @@
+{
+    "name": "bqDatasetPubliclyAccessible",
+    "file": "bqDatasetPubliclyAccessible.rego",
+    "templateArgs": null,
+    "severity": "HIGH",
+    "description": "BigQuery datasets may be anonymously or publicly accessible.",
+    "referenceId": "accurics.gcp.IAM.106",
+    "category": "Identity \u0026 Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/gcp/google_bigquery_dataset/bqDatasetPubliclyAccessible.rego

@@ -0,0 +1,7 @@
+package accurics
+
+bqDatasetPubliclyAccessible[api.id]{
+    api := input.google_bigquery_dataset[_]
+    data := api.config.access[_]
+    data.special_group == "allAuthenticatedUsers"
+}

pkg/policies/opa/rego/gcp/google_compute_disk/accurics.gcp.EKM.131.json

@@ -0,0 +1,10 @@
+{
+    "name": "vmEncryptedwithCsek",
+    "file": "vmEncryptedwithCsek.rego",
+    "templateArgs": null,
+    "severity": "MEDIUM",
+    "description": "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) .",
+    "referenceId": "accurics.gcp.EKM.131",
+    "category": "Encryption \u0026 Key Management",
+    "version": 1
+}

pkg/policies/opa/rego/gcp/google_compute_disk/vmEncryptedwithCsek.rego

@@ -0,0 +1,7 @@
+package accurics
+
+vmEncryptedwithCsek[api.id]
+{
+     api := input.google_compute_disk[_]
+     not api.config.disk_encryption_key == null
+}

pkg/policies/opa/rego/gcp/google_compute_firewall/accurics.gcp.NS.017.json

@@ -0,0 +1,13 @@
+{
+    "name": "port22Open",
+    "file": "portIsOpen.rego",
+    "templateArgs": {
+        "name": "port22Open",
+        "port_number": "22"
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure that SSH access is restricted from the internet",
+    "referenceId": "accurics.gcp.NS.017",
+    "category": "Network Security",
+    "version": 1
+}

pkg/policies/opa/rego/gcp/google_compute_firewall/accurics.gcp.NS.111.json

@@ -0,0 +1,13 @@
+{
+    "name": "port3389Open",
+    "file": "portIsOpen.rego",
+    "templateArgs": {
+        "name": "port3389Open",
+        "port_number": "3389"
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure that SSH access is restricted from the internet",
+    "referenceId": "accurics.gcp.NS.111",
+    "category": "Network Security",
+    "version": 1
+}

pkg/policies/opa/rego/gcp/google_compute_firewall/accurics.gcp.NS.123.json

@@ -0,0 +1,10 @@
+{
+    "name": "unrestrictedRdpAccess",
+    "file": "unrestrictedRdpAccess.rego",
+    "templateArgs": null,
+    "severity": "MEDIUM",
+    "description": "Ensure Google compute firewall ingress does not allow unrestricted rdp access.",
+    "referenceId": "accurics.gcp.NS.123",
+    "category": "Network Security ",
+    "version": 1
+}

pkg/policies/opa/rego/gcp/google_compute_firewall/portIsOpen.rego

@@ -0,0 +1,10 @@
+package accurics
+
+{{.name}}[rule.id] {
+  rule := input.google_compute_firewall[_]
+  config := rule.config
+  config.direction == "INGRESS"
+  config.source_ranges[_] == "0.0.0.0/0"
+  fire_rule := config.allow[_]
+  fire_rule.ports[_] == "{{.port_number}}"
+}

pkg/policies/opa/rego/gcp/google_compute_firewall/unrestrictedRdpAccess.rego

@@ -0,0 +1,11 @@
+package accurics
+
+unrestrictedRdpAccess[api.id]
+{
+     api := input.google_compute_firewall[_]
+     data := api.config
+     data.direction == "INGRESS"
+     fire_rule := data.allow[_]
+     fire_rule.protocol == "tcp"
+     fire_rule.ports[_] == "3389"
+}

pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.EKM.132.json

@@ -0,0 +1,10 @@
+{
+    "name": "encryptedwithCsek",
+    "file": "encryptedwithCsek.rego",
+    "templateArgs": null,
+    "severity": "MEDIUM",
+    "description": "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) .",
+    "referenceId": "accurics.gcp.EKM.132",
+    "category": "Encryption \u0026 Key Management",
+    "version": 1
+}

pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.IAM.124.json

@@ -0,0 +1,10 @@
+{
+    "name": "defaultServiceAccountUsed",
+    "file": "defaultServiceAccountUsed.rego",
+    "templateArgs": null,
+    "severity": "MEDIUM",
+    "description": "Instances may have been configured to use the default service account with full access to all Cloud APIs",
+    "referenceId": "accurics.gcp.IAM.124",
+    "category": "Identity \u0026 Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.IAM.128.json

@@ -0,0 +1,10 @@
+{
+    "name": "osLoginEnabled",
+    "file": "osLoginEnabled.rego",
+    "templateArgs": null,
+    "severity": "MEDIUM",
+    "description": "Ensure that no instance in the project overrides the project setting for enabling OSLogin",
+    "referenceId": "accurics.gcp.IAM.128",
+    "category": "Identity \u0026 Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.NS.125.json

@@ -0,0 +1,10 @@
+{
+    "name": "checkVM_NoFullCloudAccess",
+    "file": "checkVM_NoFullCloudAccess.rego",
+    "templateArgs": null,
+    "severity": "HIGH",
+    "description": "Instances may have been configured to use the default service account with full access to all Cloud APIs",
+    "referenceId": "accurics.gcp.NS.125",
+    "category": "Access Control",
+    "version": 1
+}

pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.NS.126.json

@@ -0,0 +1,10 @@
+{
+    "name": "projectWideSshKeysUsed",
+    "file": "projectWideSshKeysUsed.rego",
+    "templateArgs": null,
+    "severity": "MEDIUM",
+    "description": "Ensure 'Block Project-wide SSH keys' is enabled for VM instances.",
+    "referenceId": "accurics.gcp.NS.126",
+    "category": "Network Security",
+    "version": 1
+}

pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.NS.129.json

@@ -0,0 +1,10 @@
+{
+    "name": "serialPortEnabled",
+    "file": "serialPortEnabled.rego",
+    "templateArgs": null,
+    "severity": "MEDIUM",
+    "description": "Ensure 'Enable connecting to serial ports' is not enabled for VM instances.",
+    "referenceId": "accurics.gcp.NS.129",
+    "category": "Network Security",
+    "version": 1
+}

pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.NS.130.json

@@ -0,0 +1,10 @@
+{
+    "name": "checkIpForward",
+    "file": "checkIpForward.rego",
+    "templateArgs": null,
+    "severity": "MEDIUM",
+    "description": "Ensure IP forwarding is not enabled on Instances.",
+    "referenceId": "accurics.gcp.NS.130",
+    "category": "Network Security",
+    "version": 1
+}

pkg/policies/opa/rego/gcp/google_compute_instance/accurics.gcp.NS.133.json

@@ -0,0 +1,10 @@
+{
+    "name": "shieldedVmEenabled",
+    "file": "shieldedVmEenabled.rego",
+    "templateArgs": null,
+    "severity": "MEDIUM",
+    "description": "Ensure Compute instances are launched with Shielded VM enabled.",
+    "referenceId": "accurics.gcp.NS.133",
+    "category": "Network Security ",
+    "version": 1
+}

pkg/policies/opa/rego/gcp/google_compute_instance/checkIpForward.rego

@@ -0,0 +1,7 @@
+package accurics
+
+checkIpForward[api.id]
+{
+     api := input.google_compute_instance[_]
+     not api.config.can_ip_forward == true
+}

pkg/policies/opa/rego/gcp/google_compute_instance/checkVM_NoFullCloudAccess.rego

@@ -0,0 +1,8 @@
+package accurics
+
+checkVM_NoFullCloudAccess[log_object.id] {
+  log_object := input.google_compute_instance[_]
+  service_account := log_object.config.service_account[_]
+  scope := service_account.scopes[_]
+  contains(scope, "cloud-platform")
+}

pkg/policies/opa/rego/gcp/google_compute_instance/defaultServiceAccountUsed.rego

@@ -0,0 +1,9 @@
+package accurics
+
+defaultServiceAccountUsed[api.id]
+{
+     api := input.google_compute_instance[_]
+     data := api.config
+     fire_rule := data.service_account[_]
+     contains(fire_rule.email, "@developer.gserviceaccount.com")
+}

pkg/policies/opa/rego/gcp/google_compute_instance/encryptedwithCsek.rego

@@ -0,0 +1,7 @@
+package accurics
+
+encryptedwithCsek[api.id]
+{
+     api := input.google_compute_disk[_]
+     not api.config.disk_encryption_key == null
+}

pkg/policies/opa/rego/gcp/google_compute_instance/osLoginEnabled.rego

@@ -0,0 +1,17 @@
+package accurics
+
+osLoginEnabled[api.id]
+{
+    api := input.google_compute_instance[_]
+    api.config.metadata != null
+    meta_str := lower(object.get(api.config.metadata,"enable-oslogin","undefined"))
+    meta_str  == "false"
+}
+
+osLoginEnabled[api.id]
+{
+    api := input.google_compute_project_metadata[_]
+    api.config.metadata != null
+    meta_str := lower(object.get(api.config.metadata,"enable-oslogin","undefined"))
+    meta_str  == "false"    
+}

pkg/policies/opa/rego/gcp/google_compute_instance/projectWideSshKeysUsed.rego

@@ -0,0 +1,17 @@
+package accurics
+
+projectWideSshKeysUsed[api.id]
+{
+    api := input.google_compute_instance[_]
+    api.config.metadata != null
+    meta_str := lower(object.get(api.config.metadata,"block-project-ssh-keys","undefined"))
+    meta_str  == "false"
+}
+
+projectWideSshKeysUsed[api.id]
+{
+    api := input.google_compute_project_metadata[_]
+    api.config.metadata != null
+    meta_str := lower(object.get(api.config.metadata,"block-project-ssh-keys","undefined"))
+    meta_str  == "false"    
+}

pkg/policies/opa/rego/gcp/google_compute_instance/serialPortEnabled.rego

@@ -0,0 +1,17 @@
+package accurics
+
+serialPortEnabled[api.id]
+{
+    api := input.google_compute_instance[_]
+    api.config.metadata != null
+    meta_str := lower(object.get(api.config.metadata,"serial-port-enable","undefined"))
+    meta_str  == "false"
+}
+
+serialPortEnabled[api.id]
+{
+    api := input.google_compute_project_metadata[_]
+    api.config.metadata != null
+    meta_str := lower(object.get(api.config.metadata,"serial-port-enable","undefined"))
+    meta_str  == "false"    
+}

pkg/policies/opa/rego/gcp/google_compute_instance/shieldedVmEenabled.rego

@@ -0,0 +1,22 @@
+package accurics
+
+shieldedVmEenabled[api.id]
+{
+     api := input.google_compute_instance[_]
+     count(api.config.shielded_instance_config) == 0
+
+}
+
+shieldedVmEenabled[api.id]
+{
+     api := input.google_compute_instance[_]
+     data := api.config.shielded_instance_config[_]
+     not data.enable_integrity_monitoring == true
+}
+
+shieldedVmEenabled[api.id]
+{
+     api := input.google_compute_instance[_]
+     data := api.config.shielded_instance_config[_]
+     not data.enable_vtpm == true
+}

pkg/policies/opa/rego/gcp/google_compute_project_metadata/accurics.gcp.IAM.127.json

@@ -0,0 +1,10 @@
+{
+    "name": "checkOSLoginEnabled",
+    "file": "checkOSLoginEnabled.rego",
+    "templateArgs": null,
+    "severity": "HIGH",
+    "description": "Ensure oslogin is enabled for a Project",
+    "referenceId": "accurics.gcp.IAM.127",
+    "category": "Access Control",
+    "version": 1
+}

pkg/policies/opa/rego/gcp/google_compute_project_metadata/checkOSLoginEnabled.rego

@@ -0,0 +1,14 @@
+package accurics
+
+checkOSLoginEnabled[metadata.id] {
+  metadata := input.google_compute_project_metadata[_]
+  metadata.config.metadata == null
+} {
+  metadata := input.google_compute_project_metadata[_]
+  metadata.config.metadata != null
+  not metadata.config.metadata["enable-oslogin"]
+} {
+  metadata := input.google_compute_project_metadata[_]
+  metadata.config.metadata != null
+  metadata.config.metadata["enable-oslogin"] != "TRUE"
+}

pkg/policies/opa/rego/gcp/google_compute_ssl_policy/accurics.gcp.EKM.134.json

@@ -0,0 +1,10 @@
+{
+    "name": "weakCipherSuitesEnabled",
+    "file": "weakCipherSuitesEnabled.rego",
+    "templateArgs": null,
+    "severity": "MEDIUM",
+    "description": "Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites.",
+    "referenceId": "accurics.gcp.EKM.134",
+    "category": "Encryption \u0026 Key Management",
+    "version": 1
+}

pkg/policies/opa/rego/gcp/google_compute_ssl_policy/weakCipherSuitesEnabled.rego

@@ -0,0 +1,7 @@
+package accurics
+
+weakCipherSuitesEnabled[api.id]
+{
+    api := input.google_compute_ssl_policy[_]
+    not api.config.min_tls_version == "TLS_1_2"
+}