feat: add healthcare best practices v1 bundle (#378)
xingao267 authored Sep 22, 2020
1 parent 6f456e9 commit 1067ae4
Showing 22 changed files with 76 additions and 7 deletions.
36 changes: 36 additions & 0 deletions docs/bundles/healthcare-baseline-v1.md
@@ -0,0 +1,36 @@
# healthcare-baseline-v1

This bundle can be installed via kpt:

```
export BUNDLE=healthcare-baseline-v1
kpt pkg get https://github.com/forseti-security/policy-library.git ./policy-library
kpt fn source policy-library/samples/ | \
kpt fn run --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
kpt fn sink policy-library/policies/constraints/
```

## Constraints

| Constraint | Control | Description |
| ---------------------------------------------------------------------------------------------------- | -------- | ------------------------------------------------------------------------------ |
| [allow_appengine_applications_in_australia_and_south_america](../../samples/appengine_location.yaml) | security | Restrict locations (regions) where App Engine applications are deployed. |
| [allow_basic_set_of_apis](../../samples/serviceusage_allow_basic_apis.yaml) | security | Only a basic set of APIS |
| [allow_dataproc_clusters_in_asia](../../samples/dataproc_location.yaml) | security | Checks that Dataproc clusters are in correct regions. |
| [allow_some_sql_location](../../samples/sql_location.yaml) | security | Checks Cloud SQL instance locations against allowed or disallowed locations. |
| [allow_some_storage_location](../../samples/storage_location.yaml) | security | Checks Cloud Storage bucket locations against allowed or disallowed locations. |
| [allow_spanner_clusters_in_asia_and_europe](../../samples/spanner_location.yaml) | security | Checks Cloud Spanner locations. |
| [audit_log_all](../../samples/iam_audit_log_all.yaml) | security | Checks that all services have all types of audit logs enabled. |
| [bq_dataset_allowed_locations](../../samples/bq_dataset_location.yaml) | security | Checks in which locations BigQuery datasets exist. |
| [deny_allusers](../../samples/iam_deny_public.yaml) | security | Prevent public users from having access to resources via IAM |
| [denylist_public_users](../../samples/storage_denylist_public.yaml) | security | Prevent public users from having access to resources via IAM |
| [enable-network-firewall-logs](../../samples/network_enable_firewall_logs.yaml) | security | Ensure Firewall logs is enabled for every firewall in VPC Network |
| [enable_gke_stackdriver_logging](../../samples/gke_enable_stackdriver_logging.yaml) | security | Ensure stackdriver logging is enabled on a GKE cluster |
| [enable_network_flow_logs](../../samples/network_enable_flow_logs.yaml) | security | Ensure VPC Flow logs is enabled for every subnet in VPC Network |
| [gke-cluster-allowed-locations](../../samples/gke_cluster_location.yaml) | security | Checks which zones are allowed/disallowed for GKE clusters. |
| [only_my_domain](../../samples/iam_restrict_domain.yaml) | security | Only allow members from my domain to be added to IAM roles |
| [prevent-public-ip-cloudsql](../../samples/sql_public_ip.yaml) | security | Prevents a public IP from being assigned to a Cloud SQL instance. |
| [require_bq_table_iam](../../samples/bigquery_world_readable.yaml) | security | Checks if BigQuery datasets are publicly readable or allAuthenticatedUsers. |
| [require_bucket_policy_only](../../samples/storage_bucket_policy_only.yaml) | security | Checks if Cloud Storage buckets have Bucket Only Policy turned on. |
| [sql-world-readable](../../samples/sql_world_readable.yaml) | security | Checks if Cloud SQL instances are world readable. |
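
Review bot: the install snippet runs `gcr.io/config-validator/get-policy-bundle:latest`; with a floating `latest` tag the image that selects and writes this bundle's constraints can change underneath users without any change to this doc, so pin it to a version tag or, better, an image digest. Separately, the `denylist_public_users` row (storage_denylist_public.yaml) carries exactly the same description as `deny_allusers`, "Prevent public users from having access to resources via IAM", even though the sample is a Cloud Storage constraint; a bucket-specific description would let readers tell the two apart. If this table is generated from the sample annotations (the other descriptions here match the `description:` lines in the samples touched by this commit), fix the annotation rather than the table.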

9 changes: 5 additions & 4 deletions docs/func.yaml
Expand Up @@ -9,18 +9,19 @@ data:
# Config Validator Policy Library
Constraint templates specify the logic to be used by constraints.
This repository contains pre-defined constraint templates that you can implement or modify for your own needs.
This repository contains pre-defined constraint templates that you can implement or modify for your own needs.
## Creating a constraint template
You can create and implement your own custom constraint templates.
For instructions on how to write constraint templates, see [How to write your own constraint templates](./constraint_template_authoring.md).
## Policy Bundles
In addition to browsing all [Available Templates](#available-templates) and [Sample Constraints](#sample-constraints),
you can explore these policy bundles:
- [CFT Scorecard](./bundles/scorecard-v1.md)
- [CIS v1.0](./bundles/cis-v1.0.md)
- [CIS v1.1](./bundles/cis-v1.1.md)
- [Forseti Security](./bundles/forseti-security.md)
- [GKE Hardening](./bundles/gke-hardening-v2019.11.11.md)
- [Healthcare Baseline](./bundles/healthcare-baseline-v1.md)
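Review bot: the line "This repository contains pre-defined constraint templates that you can implement or modify for your own needs." appears twice in this hunk with no visible difference, so the change to it is most likely trailing-whitespace only (the same pair shows up in the first docs/index.md hunk); reverting it keeps the diff limited to the new `Healthcare Baseline` bullet, which is the only substantive change here.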
9 changes: 6 additions & 3 deletions docs/index.md
@@ -1,7 +1,7 @@
# Config Validator Policy Library

Constraint templates specify the logic to be used by constraints.
This repository contains pre-defined constraint templates that you can implement or modify for your own needs.
This repository contains pre-defined constraint templates that you can implement or modify for your own needs.

## Creating a constraint template
You can create and implement your own custom constraint templates.
Expand All @@ -16,6 +16,8 @@ you can explore these policy bundles:
- [CIS v1.1](./bundles/cis-v1.1.md)
- [Forseti Security](./bundles/forseti-security.md)
- [GKE Hardening](./bundles/gke-hardening-v2019.11.11.md)
- [Healthcare Baseline](./bundles/healthcare-baseline-v1.md)


## Available Templates

Expand Down Expand Up @@ -71,7 +73,7 @@ you can explore these policy bundles:
| [GCPIAMAllowedBindingsConstraintV3](../policies/templates/gcp_iam_allowed_bindings.yaml) | [block_serviceaccount_token_creator](../samples/iam_block_service_account_creator_role.yaml), [deny_allusers](../samples/iam_deny_public.yaml), [deny_role](../samples/iam_deny_role.yaml), [restrict-gmail-bigquery-dataset](../samples/iam_restrict_gmail_bigquery_dataset.yaml), [restrict-googlegroups-bigquery-dataset](../samples/iam_restrict_googlegroups_bigquery_dataset.yaml), [restrict_gmail](../samples/iam_restrict_gmail.yaml), [restrict_owner_role](../samples/iam_restrict_role.yaml) |
| [GCPIAMAllowedPolicyMemberDomainsConstraintV1](../policies/templates/legacy/gcp_iam_allowed_policy_member_domains_v1.yaml) | |
| [GCPIAMAllowedPolicyMemberDomainsConstraintV2](../policies/templates/gcp_iam_allowed_policy_member_domains.yaml) | [only_my_domain](../samples/iam_restrict_domain.yaml), [service_accounts_only](../samples/iam_service_accounts_only.yaml) |
| [GCPIAMAuditLogConstraintV1](../policies/templates/gcp_iam_audit_log.yaml) | [audit_log_data_read_write](../samples/iam_audit_log.yaml) |
| [GCPIAMAuditLogConstraintV1](../policies/templates/gcp_iam_audit_log.yaml) | [audit_log_all](../samples/iam_audit_log_all.yaml), [audit_log_data_read_write](../samples/iam_audit_log.yaml) |
| [GCPIAMCustomRolePermissionsConstraintV1](../policies/templates/gcp_iam_custom_role_permissions_v1.yaml) | [allowlist-custom-role-permissions](../samples/iam_custom_role_permissions.yaml) |
| [GCPIAMRequiredBindingsConstraintV1](../policies/templates/gcp_iam_required_bindings_v1.yaml) | [require_members_and_domains_owner](../samples/iam_required_roles.yaml) |
| [GCPIAMRestrictServiceAccountCreationConstraintV1](../policies/templates/gcp_iam_restrict_service_account_creation_v1.yaml) | [iam_restrict_service_account_creation](../samples/gcp_iam_restrict_service_account_creation.yaml) |
Expand Down Expand Up @@ -130,12 +132,13 @@ The repo also contains a number of sample constraints:
| [allowed-networks](../samples/compute_allowed_networks.yaml) | [Link](../policies/templates/gcp_compute_allowed_networks.yaml) | Checks all VM network interfaces are attached to certain VPC networks. |
| [allowlist-custom-role-permissions](../samples/iam_custom_role_permissions.yaml) | [Link](../policies/templates/gcp_iam_custom_role_permissions_v1.yaml) | Custom BigQuery role must only have specific permissions |
| [always_violates_all](../samples/always_violates.yaml) | [Link](../policies/templates/gcp_always_violates_v1.yaml) | Testing policy, will always violate. |
| [audit_log_all](../samples/iam_audit_log_all.yaml) | [Link](../policies/templates/gcp_iam_audit_log.yaml) | Checks that all services have all types of audit logs enabled. |
| [audit_log_data_read_write](../samples/iam_audit_log.yaml) | [Link](../policies/templates/gcp_iam_audit_log.yaml) | Checks that the defined services have audit logs enabled (ADMIN_READ, DATA_READ, DATA_WRITE). |
| [block_serviceaccount_token_creator](../samples/iam_block_service_account_creator_role.yaml) | [Link](../policies/templates/gcp_iam_allowed_bindings.yaml) | Ban any users from being granted Service Account Token Creator access |
| [bq_dataset_allowed_locations](../samples/bq_dataset_location.yaml) | [Link](../policies/templates/gcp_bq_dataset_location_v1.yaml) | Checks in which locations BigQuery datasets exist. |
| [bq_table_minimum_maximum_retention](../samples/bigquery_table_retention.yaml) | [Link](../policies/templates/gcp_bigquery_table_retention_v1.yaml) | Checks if a BigQuery table violates retention policy. |
| [cmek_rotation](../samples/cmek_rotation.yaml) | [Link](../policies/templates/gcp_cmek_rotation_v1.yaml) | Checks that CMEK rotation policy is in place and is sufficiently short. |
| [cmek_rotation](../samples/cmek_settings.yaml) | [Link](../policies/templates/gcp_cmek_settings_v1.yaml) | Checks multiple CMEK key settings (protection level, algorithm, purpose, rotation period). |
| [cmek_rotation](../samples/cmek_rotation.yaml) | [Link](../policies/templates/gcp_cmek_rotation_v1.yaml) | Checks that CMEK rotation policy is in place and is sufficiently short. |
| [cmek_rotation_one_hundred_days](../samples/cmek_rotation_100_days.yaml) | [Link](../policies/templates/gcp_cmek_rotation_v1.yaml) | Checks that CMEK rotation policy is in place and is sufficiently short. |
| [compute_disk_resource_policies_allowlist_one](../samples/compute_disk_resource_policies.yaml) | [Link](../policies/templates/gcp_compute_disk_resource_policies_v1.yaml) | Checks that Persistent Disks have correct resource policies (eg. snapshot schedules) attached to them. |
| [compute_zone_allowlist_one](../samples/compute_zone.yaml) | [Link](../policies/templates/gcp_compute_zone_v1.yaml) | Checks the instances and Persistent Disks are in desired zones. |
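Review bot: after this hunk the sample table carries two rows named `cmek_rotation`, one linking to cmek_rotation.yaml and one to cmek_settings.yaml (described as checking protection level, algorithm, purpose and rotation period); the cmek_settings row looks mis-named and should use the constraint name declared in cmek_settings.yaml. The cmek_rotation.yaml row also appears both above and below the cmek_settings row, so this hunk seems to move it rather than change it; if the table is generated and sorted, regenerate it instead of hand-editing so the ordering stays stable across commits.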
1 change: 1 addition & 0 deletions samples/appengine_location.yaml
Expand Up @@ -4,6 +4,7 @@ metadata:
name: allow_appengine_applications_in_australia_and_south_america
annotations:
description: Restrict locations (regions) where App Engine applications are deployed.
bundles.validator.forsetisecurity.org/healthcare-baseline-v1: security
spec:
severity: high
match:
1 change: 1 addition & 0 deletions samples/bigquery_world_readable.yaml
Expand Up @@ -21,6 +21,7 @@ metadata:
bundles.validator.forsetisecurity.org/cis-v1.1: 5.03
bundles.validator.forsetisecurity.org/forseti-security: v2.26.0
bundles.validator.forsetisecurity.org/scorecard-v1: security
bundles.validator.forsetisecurity.org/healthcare-baseline-v1: security
description: Checks if BigQuery datasets are publicly readable
or allAuthenticatedUsers.
spec:
1 change: 1 addition & 0 deletions samples/bq_dataset_location.yaml
Expand Up @@ -18,6 +18,7 @@ metadata:
name: bq_dataset_allowed_locations
annotations:
description: Checks in which locations BigQuery datasets exist.
bundles.validator.forsetisecurity.org/healthcare-baseline-v1: security
spec:
severity: high
parameters:
1 change: 1 addition & 0 deletions samples/dataproc_location.yaml
Expand Up @@ -19,6 +19,7 @@ metadata:
name: allow_dataproc_clusters_in_asia
annotations:
description: Checks that Dataproc clusters are in correct regions.
bundles.validator.forsetisecurity.org/healthcare-baseline-v1: security
spec:
severity: high
match:
1 change: 1 addition & 0 deletions samples/gke_cluster_location.yaml
Expand Up @@ -18,6 +18,7 @@ metadata:
name: gke-cluster-allowed-locations
annotations:
description: Checks which zones are allowed/disallowed for GKE clusters.
bundles.validator.forsetisecurity.org/healthcare-baseline-v1: security
spec:
severity: high
match:
1 change: 1 addition & 0 deletions samples/gke_enable_stackdriver_logging.yaml
Expand Up @@ -20,6 +20,7 @@ metadata:
description: Ensure stackdriver logging is enabled on a GKE cluster
# This constraint has not been validated by the formal CIS certification process.
bundles.validator.forsetisecurity.org/cis-v1.0: 7.01
bundles.validator.forsetisecurity.org/healthcare-baseline-v1: security
spec:
severity: high
match:
11 changes: 11 additions & 0 deletions samples/iam_audit_log_all.yaml
@@ -0,0 +1,11 @@
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAuditLogConstraintV1
metadata:
name: audit_log_all
annotations:
description: Checks that all services have all types of audit logs enabled.
bundles.validator.forsetisecurity.org/healthcare-baseline-v1: security
spec:
parameters:
services: [allServices]
log_types: [DATA_READ, DATA_WRITE, ADMIN_READ]
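Review bot: `spec` in the new `audit_log_all` constraint has no `severity` field, while every other sample touched by this commit sets `severity: high`; add one so findings from this constraint are ranked consistently with the rest of the healthcare bundle. Also say whether omitting `match` is intentional: if the matcher's default applies the constraint to every resource, that is reasonable for a baseline, but a one-line comment would make it explicit, and since it requires DATA_READ, DATA_WRITE and ADMIN_READ on `allServices`, it will flag any project that has not enabled all three log types for all services, which the bundle doc should set expectations for.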
1 change: 1 addition & 0 deletions samples/iam_deny_public.yaml
Expand Up @@ -5,6 +5,7 @@ metadata:
annotations:
description: Prevent public users from having access to resources via IAM
bundles.validator.forsetisecurity.org/scorecard-v1: security
bundles.validator.forsetisecurity.org/healthcare-baseline-v1: security
spec:
severity: high
match:
1 change: 1 addition & 0 deletions samples/iam_restrict_domain.yaml
Expand Up @@ -18,6 +18,7 @@ metadata:
name: only_my_domain
annotations:
bundles.validator.forsetisecurity.org/forseti-security: v2.26.0
bundles.validator.forsetisecurity.org/healthcare-baseline-v1: security
description: Only allow members from my domain to be added to IAM roles
spec:
severity: high
1 change: 1 addition & 0 deletions samples/network_enable_firewall_logs.yaml
Expand Up @@ -18,6 +18,7 @@ metadata:
name: enable-network-firewall-logs
annotations:
description: Ensure Firewall logs is enabled for every firewall in VPC Network
bundles.validator.forsetisecurity.org/healthcare-baseline-v1: security
spec:
severity: high
match:
1 change: 1 addition & 0 deletions samples/network_enable_flow_logs.yaml
Expand Up @@ -21,6 +21,7 @@ metadata:
# This constraint is not certified by CIS.
bundles.validator.forsetisecurity.org/cis-v1.1: 3.09
bundles.validator.forsetisecurity.org/scorecard-v1: security
bundles.validator.forsetisecurity.org/healthcare-baseline-v1: security
spec:
severity: high
match:
1 change: 1 addition & 0 deletions samples/serviceusage_allow_basic_apis.yaml
Expand Up @@ -4,6 +4,7 @@ metadata:
name: allow_basic_set_of_apis
annotations:
description: Only a basic set of APIS
bundles.validator.forsetisecurity.org/healthcare-baseline-v1: security
spec:
severity: high
match:
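Review bot: the description directly above the added annotation, "Only a basic set of APIS", has a typo ("APIs") and is too terse to say what the constraint enforces; the healthcare-baseline-v1 doc in this commit copies it verbatim into its table, so reword it here, for example "Only allow a basic set of APIs to be enabled in a project", and the doc will read correctly too. Not introduced by this change, but worth fixing while the file is open.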