Merge pull request #11385 from projectdiscovery/alibaba-cloud-ack

Alibaba Cloud - Checks (OSS, ACK)

cloud/alibaba/ack/ack-cluster-api-public.yaml

@@ -0,0 +1,38 @@
+id: ack-cluster-api-public
+
+info:
+  name: Public Access to ACK Cluster's API Server - Enabled
+  author: ritikchaddha
+  severity: high
+  description: |
+    Ensure that your ACK cluster's API server is not publicly accessible in order to avoid exposing private data and minimizing security risks. The level of access to your Kubernetes API server depends on your application use cases, however, for most use cases, the Kubernetes API Server should be accessible only from within your Virtual Private Cloud (VPC).
+  reference:
+    - https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ACK/private-cluster.html
+  metadata:
+    max-request: 1
+    verified: true
+  tags: cloud,devops,aliyun,alibaba,aliyun-cloud-config,ack
+
+variables:
+  region: "cn-hangzhou"
+
+self-contained: true
+
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aliyun cs GET /clusters --header "Content-Type=application/json;" --body "{}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'master_url":'
+          - 'api_server_endpoint\":\"'
+
+      - type: word
+        words:
+          - 'api_server_endpoint\":\"\",'
+        negative: true

cloud/alibaba/ack/ack-cluster-auditing-disable.yaml

@@ -0,0 +1,56 @@
+id: ack-cluster-auditing-disable
+
+info:
+  name: Cluster Auditing with Simple Log Service - Disabled
+  author: ritikchaddha
+  severity: low
+  description: |
+    Ensure that cluster auditing with Simple Log Service is enabled for your Container Service for Kubernetes (ACK) clusters. Simple Log Service is a comprehensive real-time data logging solution, facilitating the seamless handling of log collection, shipping, search, storage, and analysis. The service provides a user-friendly interface for accessing the Log Viewer and an API for efficient log management. Simple Log Service automatically captures, processes, and stores container and audit logs in a dedicated persistent datastore, collecting container logs from your containers and audit logs from kube-apiserver or deployed ingress, including cluster activity events.
+  reference:
+    - https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ACK/enable-log-service.html
+  metadata:
+    max-request: 2
+    verified: true
+  tags: cloud,devops,aliyun,alibaba,aliyun-cloud-config,ack
+
+variables:
+  region: "cn-hangzhou"
+
+flow: |
+  code(1)
+  for (let cluster_id of iterate(template.cluster)) {
+    set("cluster", cluster_id)
+    code(2)
+  }
+
+self-contained: true
+
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aliyun cs GET /clusters --header "Content-Type=application/json;" --body "{}"
+
+    extractors:
+      - type: json
+        name: cluster
+        internal: true
+        json:
+          - '.[].cluster_id'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      aliyun cs GET /clusters/$cluster --header "Content-Type=application/json;" --body "{}" --output cols=meta_data
+
+    matchers:
+      - type: regex
+        regex:
+          - '"AuditProjectName"\s*:\s*""'
+
+    extractors:
+      - type: dsl
+        dsl:
+          - 'cluster + " Cluster auditing with Simple Log Service is not enabled"'

cloud/alibaba/ack/ack-cluster-cloud-monitor-disable.yaml

@@ -0,0 +1,58 @@
+id: ack-cluster-cloud-monitor-disable
+
+info:
+  name: Cloud Monitor for ACK Clusters - Disable
+  author: ritikchaddha
+  severity: medium
+  description: |
+    Ensure that Cloud Monitor is enabled for your Container Service for Kubernetes (ACK) clusters. Cloud Monitor relies on a specialized agent for accessing extra system resources and application services within virtual machine instances. The agent allows monitoring of metrics such as CPU utilization, specific disk traffic metrics, network traffic, and disk IO information. These metrics play a crucial role in observing signals and facilitating operational activities within your Kubernetes Engine clusters.
+  reference:
+    - https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ACK/enable-cloud-monitor.html
+  metadata:
+    max-request: 2
+    verified: true
+  tags: cloud,devops,aliyun,alibaba,aliyun-cloud-config,ack
+
+variables:
+  region: "cn-hangzhou"
+
+flow: |
+  code(1)
+  for (let cluster_id of iterate(template.cluster)) {
+    set("cluster", cluster_id)
+    code(2)
+  }
+
+self-contained: true
+
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aliyun cs GET /clusters --header "Content-Type=application/json;" --body "{}"
+
+    extractors:
+      - type: json
+        name: cluster
+        internal: true
+        json:
+          - '.[].cluster_id'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      aliyun cs GET /clusters/$cluster/nodepools --header "Content-Type=application/json;" --body "{}"
+
+    matchers:
+      - type: word
+        words:
+          - 'kubernetes_config":'
+          - 'cms_enabled": false'
+        condition: and
+
+    extractors:
+      - type: dsl
+        dsl:
+          - 'cluster + " Cloud Monitor service is not enabled"'

cloud/alibaba/ack/ack-cluster-health-disable.yaml

@@ -0,0 +1,63 @@
+id: ack-cluster-health-disable
+
+info:
+  name: ACK Clusters Check - Disable
+  author: ritikchaddha
+  severity: medium
+  description: |
+    Ensure that the Cluster Check feature is triggered at least once per week to guarantee proactive health monitoring for your ACK clusters, minimizing downtime and optimizing the reliability of your containerized applications. By default, Cluster Check is not automatically triggered, the cluster inspection can be started using the Container Service for Kubernetes (ACK) console.
+  reference:
+    - https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ACK/cluster-check.html
+  metadata:
+    max-request: 2
+    verified: true
+  tags: cloud,devops,aliyun,alibaba,aliyun-cloud-config,ack
+
+variables:
+  region: "cn-hangzhou"
+
+flow: |
+  code(1)
+  for (let cluster_id of iterate(template.cluster)) {
+    set("cluster", cluster_id)
+    code(2)
+  }
+
+self-contained: true
+
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aliyun cs GET /clusters --header "Content-Type=application/json;" --body "{}"
+
+    extractors:
+      - type: json
+        name: cluster
+        internal: true
+        json:
+          - '.[].cluster_id'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      aliyun cs GET /clusters/$cluster/checks --header "Content-Type=application/json;" --body "{}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'check_id":'
+          - 'status":'
+
+      - type: word
+        words:
+          - '"status": "Succeeded'
+        negative: true
+
+    extractors:
+      - type: dsl
+        dsl:
+          - 'cluster + " Cluster Health Check is Disabled"'

cloud/alibaba/ack/ack-cluster-network-policies-disable.yaml

@@ -0,0 +1,62 @@
+id: ack-cluster-network-policies-disable
+
+info:
+  name: Enforced Cluster Support for Network Policies - Disabled
+  author: ritikchaddha
+  severity: medium
+  description: |
+    Ensure that your ACK clusters are using Kubernetes network policies to implement secure policy-based access control. Container Service for Kubernetes (ACK) employs the Terway network plugin to enforce network policies at the cluster level.
+  reference:
+    - https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ACK/enable-network-policy-support.html
+  metadata:
+    max-request: 2
+    verified: true
+  tags: cloud,devops,aliyun,alibaba,aliyun-cloud-config,ack
+
+variables:
+  region: "cn-hangzhou"
+
+flow: |
+  code(1)
+  for (let cluster_id of iterate(template.cluster)) {
+    set("cluster", cluster_id)
+    code(2)
+  }
+
+self-contained: true
+
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aliyun cs GET /clusters --header "Content-Type=application/json;" --body "{}"
+
+    matchers:
+      - type: word
+        words:
+          - '"Network": "terway-eniip"'
+        internal: true
+
+    extractors:
+      - type: json
+        name: cluster
+        internal: true
+        json:
+          - '.[].cluster_id'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      aliyun cs GET /clusters/$cluster --header "Content-Type=application/json;" --body "{}" --output cols=meta_data
+
+    matchers:
+      - type: word
+        words:
+          - 'NetworkPolicy\":\"false'
+
+    extractors:
+      - type: dsl
+        dsl:
+          - 'cluster + " Cluster is not using the plugin to enforce network policies"'

cloud/alibaba/ack/ack-cluster-network-policies-missing.yaml

@@ -0,0 +1,42 @@
+id: ack-cluster-network-policies-missing
+
+info:
+  name: Cluster Support for Network Policies - Missing
+  author: ritikchaddha
+  severity: medium
+  description: |
+    Ensure that your ACK clusters are using Kubernetes network policies to implement secure policy-based access control. Container Service for Kubernetes (ACK) employs the Terway network plugin to enforce network policies at the cluster level.
+  reference:
+    - https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ACK/enable-network-policy-support.html
+  metadata:
+    max-request: 2
+    verified: true
+  tags: cloud,devops,aliyun,alibaba,aliyun-cloud-config,ack
+
+variables:
+  region: "cn-hangzhou"
+
+self-contained: true
+
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aliyun cs GET /clusters --header "Content-Type=application/json;" --body "{}"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - '"Network"\s*:\s*"'
+
+      - type: word
+        words:
+          - '"Network": "terway-eniip"'
+        negative: true
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"Cluster is not using the plugin to enforce network policies"'

cloud/alibaba/ack/kubernetes-dashboard-enabled.yaml

@@ -0,0 +1,56 @@
+id: kubernetes-dashboard-enabled
+
+info:
+  name: Kubernetes Dashboard for ACK Clusters - Enabled
+  author: ritikchaddha
+  severity: medium
+  description: |
+    Ensure that Kubernetes Dashboard (Dashboard WebUI) is disabled for your ACK clusters in order to enhance cluster security and prevent potential attack vectors. The Kubernetes Dashboard is a web-based user interface (UI) that provides a visual representation and management capabilities for Kubernetes clusters. It allows users to monitor and interact with the resources within the cluster, such as pods, deployments, and services, through a graphical interface rather than using command-line tools.
+  reference:
+    - https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ACK/disable-kubernetes-dashboard.html
+  metadata:
+    max-request: 2
+    verified: true
+  tags: cloud,devops,aliyun,alibaba,aliyun-cloud-config,ack
+
+variables:
+  region: "cn-hangzhou"
+
+flow: |
+  code(1)
+  for (let cluster_id of iterate(template.cluster)) {
+    set("cluster", cluster_id)
+    code(2)
+  }
+
+self-contained: true
+
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aliyun cs GET /clusters --header "Content-Type=application/json;" --body "{}"
+
+    extractors:
+      - type: json
+        name: cluster
+        internal: true
+        json:
+          - '.[].cluster_id'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      aliyun cs DescribeClusterAddonsVersion --ClusterId $cluster
+
+    matchers:
+      - type: word
+        words:
+          - 'kubernetes-dashboard'
+
+    extractors:
+      - type: dsl
+        dsl:
+          - 'cluster + " Kubernetes Dashboard is enabled for the selected ACK cluster"'

cloud/alibaba/actiontrail/multi-region-logging-disabled.yaml

@@ -30,13 +30,11 @@ code:
     matchers-condition: and
     matchers:
       - type: word
-        part: body
         words:
           - '"TrailRegion": "All"'
         negative: true
 
       - type: word
-        part: body
         words:
           - '"Status": "Enable"'