diff --git a/catalogs/infrastructure_virtualization_security.json b/catalogs/infrastructure_virtualization_security.json new file mode 100644 index 00000000..4d8b64e9 --- /dev/null +++ b/catalogs/infrastructure_virtualization_security.json @@ -0,0 +1,47 @@ +[ + { + "id": "IVS", + "name": "Infrastructure & Virtualization Security", + "description": "Controls that address hardening of compute hosts, guests, and virtualization infrastructure.", + "metadata": { + "color": "#004C97" + }, + "short_name": "IVS", + "assurance_levels": [ + "substantial", + "high" + ], + "all_in_scope": true, + "categories": [ + { + "name": "OS Hardening and Base Controls", + "description": "Baseline operating system and hypervisor protections for virtualized workloads.", + "controls": [ + { + "id": "IVS-04", + "name": "Harden Hosts and Guests", + "description": "Harden host and guest OS, hypervisor or infrastructure control plane according to their respective best practices, supported by technical controls as part of a security baseline.", + "metrics": [ + { "id": "ActivityLoggingEnabled" }, + { "id": "L3FirewallEnabled" }, + { "id": "BootLoggingEnabled" }, + { "id": "OSLoggingEnabled" }, + { "id": "MonitoringLogDataEnabled" }, + { "id": "SecurityAlertsEnabled" }, + { "id": "AutomaticUpdatesEnabled" }, + { "id": "MalwareProtectionEnabled" }, + { "id": "SecureBootEnabled" }, + { "id": "VTPMEnabled" }, + { "id": "EncryptionAtHostEnabled" }, + { "id": "CacheEncryptionEnabled" }, + { "id": "TempDiskEncryptionEnabled" }, + { "id": "DataInTransitEncryptedVMStorageEnabled" }, + { "id": "IVS04SecurityBaseline" } + ], + "assurance_level": "high" + } + ] + } + ] + } +] diff --git a/metrics/InfrastructureVirtualizationSecurity/CacheEncryptionEnabled/CacheEncryptionEnabled.yml b/metrics/InfrastructureVirtualizationSecurity/CacheEncryptionEnabled/CacheEncryptionEnabled.yml new file mode 100644 index 00000000..3f6bd95c --- /dev/null +++ b/metrics/InfrastructureVirtualizationSecurity/CacheEncryptionEnabled/CacheEncryptionEnabled.yml @@ -0,0 +1,11 @@ +# ====== Metadata ====== +id: CacheEncryptionEnabled +description: This rule assesses whether a [VirtualMachine] that exposes a [SecurityProfile] with [EncryptionAtHost] has [p1:cacheEncryptionEnabled] configured correctly. +category: InfrastructureVirtualizationSecurity +version: "1.0" +comments: Enabling cache encryption at the host protects data cached on the hypervisor from being accessed in the clear, reducing exposure of sensitive information during maintenance operations. +# ====== Configuration ====== +configuration: + p1: + operator: "==" + targetValue: True diff --git a/metrics/InfrastructureVirtualizationSecurity/CacheEncryptionEnabled/data.json b/metrics/InfrastructureVirtualizationSecurity/CacheEncryptionEnabled/data.json new file mode 100644 index 00000000..5d2b55a1 --- /dev/null +++ b/metrics/InfrastructureVirtualizationSecurity/CacheEncryptionEnabled/data.json @@ -0,0 +1,4 @@ +{ + "operator" : "==", + "target_value" : true +} diff --git a/metrics/InfrastructureVirtualizationSecurity/CacheEncryptionEnabled/metric.rego b/metrics/InfrastructureVirtualizationSecurity/CacheEncryptionEnabled/metric.rego new file mode 100644 index 00000000..d38d0033 --- /dev/null +++ b/metrics/InfrastructureVirtualizationSecurity/CacheEncryptionEnabled/metric.rego @@ -0,0 +1,28 @@ +package cch.metrics.cache_encryption_enabled + +import data.cch.compare +import rego.v1 +import input as vm + +default applicable := false + +default compliant := false + +applicable if { + vm.type[_] == "VirtualMachine" + security_profile := vm.securityProfile + security_profile != null + encryption_at_host := security_profile.encryptionAtHost + encryption_at_host != null + encryption_at_host.cacheEncryptionEnabled != null +} + +compliant if { + vm.type[_] == "VirtualMachine" + security_profile := vm.securityProfile + security_profile != null + encryption_at_host := security_profile.encryptionAtHost + encryption_at_host != null + value := encryption_at_host.cacheEncryptionEnabled + compare(data.operator, data.target_value, value) +} diff --git a/metrics/InfrastructureVirtualizationSecurity/DataInTransitEncryptedVMStorageEnabled/DataInTransitEncryptedVMStorageEnabled.yml b/metrics/InfrastructureVirtualizationSecurity/DataInTransitEncryptedVMStorageEnabled/DataInTransitEncryptedVMStorageEnabled.yml new file mode 100644 index 00000000..15e7e382 --- /dev/null +++ b/metrics/InfrastructureVirtualizationSecurity/DataInTransitEncryptedVMStorageEnabled/DataInTransitEncryptedVMStorageEnabled.yml @@ -0,0 +1,11 @@ +# ====== Metadata ====== +id: DataInTransitEncryptedVMStorageEnabled +description: This rule assesses whether a [VirtualMachine] that exposes a [SecurityProfile] with [EncryptionAtHost] has [p1:dataInTransitEncryptedVmStorageEnabled] configured correctly. +category: InfrastructureVirtualizationSecurity +version: "1.0" +comments: Enforcing encryption for virtual machine storage traffic protects data moving between the host and underlying storage, mitigating interception or snooping risks within the infrastructure fabric. +# ====== Configuration ====== +configuration: + p1: + operator: "==" + targetValue: True diff --git a/metrics/InfrastructureVirtualizationSecurity/DataInTransitEncryptedVMStorageEnabled/data.json b/metrics/InfrastructureVirtualizationSecurity/DataInTransitEncryptedVMStorageEnabled/data.json new file mode 100644 index 00000000..5d2b55a1 --- /dev/null +++ b/metrics/InfrastructureVirtualizationSecurity/DataInTransitEncryptedVMStorageEnabled/data.json @@ -0,0 +1,4 @@ +{ + "operator" : "==", + "target_value" : true +} diff --git a/metrics/InfrastructureVirtualizationSecurity/DataInTransitEncryptedVMStorageEnabled/metric.rego b/metrics/InfrastructureVirtualizationSecurity/DataInTransitEncryptedVMStorageEnabled/metric.rego new file mode 100644 index 00000000..7df4ebc2 --- /dev/null +++ b/metrics/InfrastructureVirtualizationSecurity/DataInTransitEncryptedVMStorageEnabled/metric.rego @@ -0,0 +1,28 @@ +package cch.metrics.data_in_transit_encrypted_vm_storage_enabled + +import data.cch.compare +import rego.v1 +import input as vm + +default applicable := false + +default compliant := false + +applicable if { + vm.type[_] == "VirtualMachine" + security_profile := vm.securityProfile + security_profile != null + encryption_at_host := security_profile.encryptionAtHost + encryption_at_host != null + encryption_at_host.dataInTransitEncryptedVmStorageEnabled != null +} + +compliant if { + vm.type[_] == "VirtualMachine" + security_profile := vm.securityProfile + security_profile != null + encryption_at_host := security_profile.encryptionAtHost + encryption_at_host != null + value := encryption_at_host.dataInTransitEncryptedVmStorageEnabled + compare(data.operator, data.target_value, value) +} diff --git a/metrics/InfrastructureVirtualizationSecurity/EncryptionAtHostEnabled/EncryptionAtHostEnabled.yml b/metrics/InfrastructureVirtualizationSecurity/EncryptionAtHostEnabled/EncryptionAtHostEnabled.yml new file mode 100644 index 00000000..69d86339 --- /dev/null +++ b/metrics/InfrastructureVirtualizationSecurity/EncryptionAtHostEnabled/EncryptionAtHostEnabled.yml @@ -0,0 +1,11 @@ +# ====== Metadata ====== +id: EncryptionAtHostEnabled +description: This rule assesses whether a [VirtualMachine] that exposes a [SecurityProfile] with [EncryptionAtHost] has [p1:enabled] configured correctly. +category: InfrastructureVirtualizationSecurity +version: "1.0" +comments: Enabling host-level encryption guarantees that data written to and read from the hypervisor is protected, providing a foundational safeguard for cache and disk encryption features. +# ====== Configuration ====== +configuration: + p1: + operator: "==" + targetValue: True diff --git a/metrics/InfrastructureVirtualizationSecurity/EncryptionAtHostEnabled/data.json b/metrics/InfrastructureVirtualizationSecurity/EncryptionAtHostEnabled/data.json new file mode 100644 index 00000000..5d2b55a1 --- /dev/null +++ b/metrics/InfrastructureVirtualizationSecurity/EncryptionAtHostEnabled/data.json @@ -0,0 +1,4 @@ +{ + "operator" : "==", + "target_value" : true +} diff --git a/metrics/InfrastructureVirtualizationSecurity/EncryptionAtHostEnabled/metric.rego b/metrics/InfrastructureVirtualizationSecurity/EncryptionAtHostEnabled/metric.rego new file mode 100644 index 00000000..0f1505f2 --- /dev/null +++ b/metrics/InfrastructureVirtualizationSecurity/EncryptionAtHostEnabled/metric.rego @@ -0,0 +1,28 @@ +package cch.metrics.encryption_at_host_enabled + +import data.cch.compare +import rego.v1 +import input as vm + +default applicable := false + +default compliant := false + +applicable if { + vm.type[_] == "VirtualMachine" + security_profile := vm.securityProfile + security_profile != null + encryption_at_host := security_profile.encryptionAtHost + encryption_at_host != null + encryption_at_host.enabled != null +} + +compliant if { + vm.type[_] == "VirtualMachine" + security_profile := vm.securityProfile + security_profile != null + encryption_at_host := security_profile.encryptionAtHost + encryption_at_host != null + value := encryption_at_host.enabled + compare(data.operator, data.target_value, value) +} diff --git a/metrics/InfrastructureVirtualizationSecurity/IVS04SecurityBaseline/IVS04SecurityBaseline.yml b/metrics/InfrastructureVirtualizationSecurity/IVS04SecurityBaseline/IVS04SecurityBaseline.yml new file mode 100644 index 00000000..0ce3406b --- /dev/null +++ b/metrics/InfrastructureVirtualizationSecurity/IVS04SecurityBaseline/IVS04SecurityBaseline.yml @@ -0,0 +1,11 @@ +# ====== Metadata ====== +id: IVS04SecurityBaseline +description: This rule assesses whether a [VirtualMachine] satisfies the IVS-04 hardening baseline by enabling required logging, update, anti-malware, UEFI protection, and host encryption safeguards. +category: InfrastructureVirtualizationSecurity +version: "1.0" +comments: The IVS-04 control mandates that host and guest operating systems and their control planes follow hardening best practices. This includes enforcing logging, automated patching, malware protection, Secure Boot, virtual TPM, and encryption for caches, temporary disks, and storage traffic. +# ====== Configuration ====== +configuration: + p1: + operator: "==" + targetValue: True diff --git a/metrics/InfrastructureVirtualizationSecurity/IVS04SecurityBaseline/data.json b/metrics/InfrastructureVirtualizationSecurity/IVS04SecurityBaseline/data.json new file mode 100644 index 00000000..5d2b55a1 --- /dev/null +++ b/metrics/InfrastructureVirtualizationSecurity/IVS04SecurityBaseline/data.json @@ -0,0 +1,4 @@ +{ + "operator" : "==", + "target_value" : true +} diff --git a/metrics/InfrastructureVirtualizationSecurity/IVS04SecurityBaseline/metric.rego b/metrics/InfrastructureVirtualizationSecurity/IVS04SecurityBaseline/metric.rego new file mode 100644 index 00000000..155a49e7 --- /dev/null +++ b/metrics/InfrastructureVirtualizationSecurity/IVS04SecurityBaseline/metric.rego @@ -0,0 +1,244 @@ +package cch.metrics.ivs04_security_baseline + +import data.cch.compare +import rego.v1 +import input as vm + +default applicable := false + +default compliant := false + +is_vm if { + vm.type[_] == "VirtualMachine" +} + +expected_names := [ + "ActivityLoggingEnabled", + "ActivityMonitoringLogDataEnabled", + "ActivitySecurityAlertsEnabled", + "BootLoggingEnabled", + "BootMonitoringLogDataEnabled", + "BootSecurityAlertsEnabled", + "OSLoggingEnabled", + "OSMonitoringLogDataEnabled", + "OSSecurityAlertsEnabled", + "ResourceLoggingEnabled", + "ResourceMonitoringLogDataEnabled", + "ResourceSecurityAlertsEnabled", + "AutomaticUpdatesEnabled", + "MalwareProtectionEnabled", + "SecureBootEnabled", + "VTPMEnabled", + "EncryptionAtHostEnabled", + "CacheEncryptionEnabled", + "TempDiskEncryptionEnabled", + "DataInTransitEncryptedVMStorageEnabled" +] + +requirement_value["ActivityLoggingEnabled"] := value if { + is_vm + logging := vm.activityLogging + logging != null + value := logging.enabled + value != null +} + +requirement_value["ActivityMonitoringLogDataEnabled"] := value if { + is_vm + logging := vm.activityLogging + logging != null + value := logging.monitoringLogDataEnabled + value != null +} + +requirement_value["ActivitySecurityAlertsEnabled"] := value if { + is_vm + logging := vm.activityLogging + logging != null + value := logging.securityAlertsEnabled + value != null +} + +requirement_value["BootLoggingEnabled"] := value if { + is_vm + logging := vm.bootLogging + logging != null + value := logging.enabled + value != null +} + +requirement_value["BootMonitoringLogDataEnabled"] := value if { + is_vm + logging := vm.bootLogging + logging != null + value := logging.monitoringLogDataEnabled + value != null +} + +requirement_value["BootSecurityAlertsEnabled"] := value if { + is_vm + logging := vm.bootLogging + logging != null + value := logging.securityAlertsEnabled + value != null +} + +requirement_value["OSLoggingEnabled"] := value if { + is_vm + logging := vm.osLogging + logging != null + value := logging.enabled + value != null +} + +requirement_value["OSMonitoringLogDataEnabled"] := value if { + is_vm + logging := vm.osLogging + logging != null + value := logging.monitoringLogDataEnabled + value != null +} + +requirement_value["OSSecurityAlertsEnabled"] := value if { + is_vm + logging := vm.osLogging + logging != null + value := logging.securityAlertsEnabled + value != null +} + +requirement_value["ResourceLoggingEnabled"] := value if { + is_vm + logging := vm.resourceLogging + logging != null + value := logging.enabled + value != null +} + +requirement_value["ResourceMonitoringLogDataEnabled"] := value if { + is_vm + logging := vm.resourceLogging + logging != null + value := logging.monitoringLogDataEnabled + value != null +} + +requirement_value["ResourceSecurityAlertsEnabled"] := value if { + is_vm + logging := vm.resourceLogging + logging != null + value := logging.securityAlertsEnabled + value != null +} + +requirement_value["AutomaticUpdatesEnabled"] := value if { + is_vm + updates := vm.automaticUpdates + updates != null + value := updates.enabled + value != null +} + +requirement_value["MalwareProtectionEnabled"] := value if { + is_vm + mp := vm.malwareProtection + mp != null + value := mp.enabled + value != null +} + +requirement_value["SecureBootEnabled"] := value if { + is_vm + security_profile := vm.securityProfile + security_profile != null + uefi_settings := security_profile.uefiSettings + uefi_settings != null + value := uefi_settings.secureBootEnabled + value != null +} + +requirement_value["VTPMEnabled"] := value if { + is_vm + security_profile := vm.securityProfile + security_profile != null + uefi_settings := security_profile.uefiSettings + uefi_settings != null + value := uefi_settings.vTpmEnabled + value != null +} + +requirement_value["EncryptionAtHostEnabled"] := value if { + is_vm + security_profile := vm.securityProfile + security_profile != null + encryption_at_host := security_profile.encryptionAtHost + encryption_at_host != null + value := encryption_at_host.enabled + value != null +} + +requirement_value["CacheEncryptionEnabled"] := value if { + is_vm + security_profile := vm.securityProfile + security_profile != null + encryption_at_host := security_profile.encryptionAtHost + encryption_at_host != null + value := encryption_at_host.cacheEncryptionEnabled + value != null +} + +requirement_value["TempDiskEncryptionEnabled"] := value if { + is_vm + security_profile := vm.securityProfile + security_profile != null + encryption_at_host := security_profile.encryptionAtHost + encryption_at_host != null + value := encryption_at_host.tempDiskEncryptionEnabled + value != null +} + +requirement_value["DataInTransitEncryptedVMStorageEnabled"] := value if { + is_vm + security_profile := vm.securityProfile + security_profile != null + encryption_at_host := security_profile.encryptionAtHost + encryption_at_host != null + value := encryption_at_host.dataInTransitEncryptedVmStorageEnabled + value != null +} + +actual_names := { name | + some idx + expected_names[idx] = name + _ := requirement_value[name] +} + +missing_names := { name | + some idx + expected_names[idx] = name + not requirement_defined(name) +} + +requirement_defined(name) if { + _ := requirement_value[name] +} + +non_compliant if { + some idx + expected_names[idx] = name + value := requirement_value[name] + not compare(data.operator, data.target_value, value) +} + +applicable if { + is_vm + count(actual_names) > 0 +} + +compliant if { + is_vm + count(actual_names) > 0 + count(missing_names) == 0 + not non_compliant + compare(data.operator, data.target_value, true) +} diff --git a/metrics/InfrastructureVirtualizationSecurity/SecureBootEnabled/SecureBootEnabled.yml b/metrics/InfrastructureVirtualizationSecurity/SecureBootEnabled/SecureBootEnabled.yml new file mode 100644 index 00000000..8e296541 --- /dev/null +++ b/metrics/InfrastructureVirtualizationSecurity/SecureBootEnabled/SecureBootEnabled.yml @@ -0,0 +1,11 @@ +# ====== Metadata ====== +id: SecureBootEnabled +description: This rule assesses whether a [VirtualMachine] that exposes a [SecurityProfile] with [UefiSettings] has [p1:secureBootEnabled] configured correctly. +category: InfrastructureVirtualizationSecurity +version: "1.0" +comments: Secure Boot ensures that a virtual machine only boots trusted code signed by authorized authorities, protecting the guest operating system and hypervisor from tampering during the boot process. +# ====== Configuration ====== +configuration: + p1: + operator: "==" + targetValue: True diff --git a/metrics/InfrastructureVirtualizationSecurity/SecureBootEnabled/data.json b/metrics/InfrastructureVirtualizationSecurity/SecureBootEnabled/data.json new file mode 100644 index 00000000..5d2b55a1 --- /dev/null +++ b/metrics/InfrastructureVirtualizationSecurity/SecureBootEnabled/data.json @@ -0,0 +1,4 @@ +{ + "operator" : "==", + "target_value" : true +} diff --git a/metrics/InfrastructureVirtualizationSecurity/SecureBootEnabled/metric.rego b/metrics/InfrastructureVirtualizationSecurity/SecureBootEnabled/metric.rego new file mode 100644 index 00000000..f91a4f4a --- /dev/null +++ b/metrics/InfrastructureVirtualizationSecurity/SecureBootEnabled/metric.rego @@ -0,0 +1,28 @@ +package cch.metrics.secure_boot_enabled + +import data.cch.compare +import rego.v1 +import input as vm + +default applicable := false + +default compliant := false + +applicable if { + vm.type[_] == "VirtualMachine" + security_profile := vm.securityProfile + security_profile != null + uefi_settings := security_profile.uefiSettings + uefi_settings != null + uefi_settings.secureBootEnabled != null +} + +compliant if { + vm.type[_] == "VirtualMachine" + security_profile := vm.securityProfile + security_profile != null + uefi_settings := security_profile.uefiSettings + uefi_settings != null + value := uefi_settings.secureBootEnabled + compare(data.operator, data.target_value, value) +} diff --git a/metrics/InfrastructureVirtualizationSecurity/TempDiskEncryptionEnabled/TempDiskEncryptionEnabled.yml b/metrics/InfrastructureVirtualizationSecurity/TempDiskEncryptionEnabled/TempDiskEncryptionEnabled.yml new file mode 100644 index 00000000..30354ea5 --- /dev/null +++ b/metrics/InfrastructureVirtualizationSecurity/TempDiskEncryptionEnabled/TempDiskEncryptionEnabled.yml @@ -0,0 +1,11 @@ +# ====== Metadata ====== +id: TempDiskEncryptionEnabled +description: This rule assesses whether a [VirtualMachine] that exposes a [SecurityProfile] with [EncryptionAtHost] has [p1:tempDiskEncryptionEnabled] configured correctly. +category: InfrastructureVirtualizationSecurity +version: "1.0" +comments: Encrypting temporary disks at the host level prevents disclosure of transient workload data that may be written to ephemeral storage during runtime or failover scenarios. +# ====== Configuration ====== +configuration: + p1: + operator: "==" + targetValue: True diff --git a/metrics/InfrastructureVirtualizationSecurity/TempDiskEncryptionEnabled/data.json b/metrics/InfrastructureVirtualizationSecurity/TempDiskEncryptionEnabled/data.json new file mode 100644 index 00000000..5d2b55a1 --- /dev/null +++ b/metrics/InfrastructureVirtualizationSecurity/TempDiskEncryptionEnabled/data.json @@ -0,0 +1,4 @@ +{ + "operator" : "==", + "target_value" : true +} diff --git a/metrics/InfrastructureVirtualizationSecurity/TempDiskEncryptionEnabled/metric.rego b/metrics/InfrastructureVirtualizationSecurity/TempDiskEncryptionEnabled/metric.rego new file mode 100644 index 00000000..a25e669c --- /dev/null +++ b/metrics/InfrastructureVirtualizationSecurity/TempDiskEncryptionEnabled/metric.rego @@ -0,0 +1,28 @@ +package cch.metrics.temp_disk_encryption_enabled + +import data.cch.compare +import rego.v1 +import input as vm + +default applicable := false + +default compliant := false + +applicable if { + vm.type[_] == "VirtualMachine" + security_profile := vm.securityProfile + security_profile != null + encryption_at_host := security_profile.encryptionAtHost + encryption_at_host != null + encryption_at_host.tempDiskEncryptionEnabled != null +} + +compliant if { + vm.type[_] == "VirtualMachine" + security_profile := vm.securityProfile + security_profile != null + encryption_at_host := security_profile.encryptionAtHost + encryption_at_host != null + value := encryption_at_host.tempDiskEncryptionEnabled + compare(data.operator, data.target_value, value) +} diff --git a/metrics/InfrastructureVirtualizationSecurity/VTPMEnabled/VTPMEnabled.yml b/metrics/InfrastructureVirtualizationSecurity/VTPMEnabled/VTPMEnabled.yml new file mode 100644 index 00000000..02cd371c --- /dev/null +++ b/metrics/InfrastructureVirtualizationSecurity/VTPMEnabled/VTPMEnabled.yml @@ -0,0 +1,11 @@ +# ====== Metadata ====== +id: VTPMEnabled +description: This rule assesses whether a [VirtualMachine] that exposes a [SecurityProfile] with [UefiSettings] has [p1:vTpmEnabled] configured correctly. +category: InfrastructureVirtualizationSecurity +version: "1.0" +comments: Virtual TPMs safeguard the boot chain and provide attestation capabilities for virtual machines, enabling features such as measured boot and BitLocker key protection. +# ====== Configuration ====== +configuration: + p1: + operator: "==" + targetValue: True diff --git a/metrics/InfrastructureVirtualizationSecurity/VTPMEnabled/data.json b/metrics/InfrastructureVirtualizationSecurity/VTPMEnabled/data.json new file mode 100644 index 00000000..5d2b55a1 --- /dev/null +++ b/metrics/InfrastructureVirtualizationSecurity/VTPMEnabled/data.json @@ -0,0 +1,4 @@ +{ + "operator" : "==", + "target_value" : true +} diff --git a/metrics/InfrastructureVirtualizationSecurity/VTPMEnabled/metric.rego b/metrics/InfrastructureVirtualizationSecurity/VTPMEnabled/metric.rego new file mode 100644 index 00000000..1a225c3f --- /dev/null +++ b/metrics/InfrastructureVirtualizationSecurity/VTPMEnabled/metric.rego @@ -0,0 +1,28 @@ +package cch.metrics.vtpm_enabled + +import data.cch.compare +import rego.v1 +import input as vm + +default applicable := false + +default compliant := false + +applicable if { + vm.type[_] == "VirtualMachine" + security_profile := vm.securityProfile + security_profile != null + uefi_settings := security_profile.uefiSettings + uefi_settings != null + uefi_settings.vTpmEnabled != null +} + +compliant if { + vm.type[_] == "VirtualMachine" + security_profile := vm.securityProfile + security_profile != null + uefi_settings := security_profile.uefiSettings + uefi_settings != null + value := uefi_settings.vTpmEnabled + compare(data.operator, data.target_value, value) +} diff --git a/metrics/LoggingMonitoring/MonitoringLogDataEnabled/MonitoringLogDataEnabled.yml b/metrics/LoggingMonitoring/MonitoringLogDataEnabled/MonitoringLogDataEnabled.yml new file mode 100644 index 00000000..03b185a0 --- /dev/null +++ b/metrics/LoggingMonitoring/MonitoringLogDataEnabled/MonitoringLogDataEnabled.yml @@ -0,0 +1,11 @@ +# ====== Metadata ====== +id: MonitoringLogDataEnabled +description: This rule assesses whether the logging capabilities offered by a [VirtualMachine] have [p1:monitoringLogDataEnabled] configured correctly. +category: LoggingMonitoring +version: "1.0" +comments: Forwarding operating system, boot, resource, and security monitoring data enables centralized detection of anomalous activity and supports compliance evidence collection. +# ====== Configuration ====== +configuration: + p1: + operator: "==" + targetValue: True diff --git a/metrics/LoggingMonitoring/MonitoringLogDataEnabled/data.json b/metrics/LoggingMonitoring/MonitoringLogDataEnabled/data.json new file mode 100644 index 00000000..5d2b55a1 --- /dev/null +++ b/metrics/LoggingMonitoring/MonitoringLogDataEnabled/data.json @@ -0,0 +1,4 @@ +{ + "operator" : "==", + "target_value" : true +} diff --git a/metrics/LoggingMonitoring/MonitoringLogDataEnabled/metric.rego b/metrics/LoggingMonitoring/MonitoringLogDataEnabled/metric.rego new file mode 100644 index 00000000..8d4be845 --- /dev/null +++ b/metrics/LoggingMonitoring/MonitoringLogDataEnabled/metric.rego @@ -0,0 +1,99 @@ +package cch.metrics.monitoring_log_data_enabled + +import data.cch.compare +import rego.v1 +import input as vm + +default applicable := false + +default compliant := false + +applicable if { + vm.type[_] == "VirtualMachine" + logging := vm.activityLogging + logging != null + logging.monitoringLogDataEnabled != null +} + +applicable if { + vm.type[_] == "VirtualMachine" + logging := vm.bootLogging + logging != null + logging.monitoringLogDataEnabled != null +} + +applicable if { + vm.type[_] == "VirtualMachine" + logging := vm.osLogging + logging != null + logging.monitoringLogDataEnabled != null +} + +applicable if { + vm.type[_] == "VirtualMachine" + logging := vm.resourceLogging + logging != null + logging.monitoringLogDataEnabled != null +} + +applicable if { + vm.type[_] == "VirtualMachine" + mp := vm.malwareProtection + mp != null + logging := mp.applicationLogging + logging != null + logging.monitoringLogDataEnabled != null +} + +non_compliant if { + vm.type[_] == "VirtualMachine" + logging := vm.activityLogging + logging != null + value := logging.monitoringLogDataEnabled + value != null + not compare(data.operator, data.target_value, value) +} + +non_compliant if { + vm.type[_] == "VirtualMachine" + logging := vm.bootLogging + logging != null + value := logging.monitoringLogDataEnabled + value != null + not compare(data.operator, data.target_value, value) +} + +non_compliant if { + vm.type[_] == "VirtualMachine" + logging := vm.osLogging + logging != null + value := logging.monitoringLogDataEnabled + value != null + not compare(data.operator, data.target_value, value) +} + +non_compliant if { + vm.type[_] == "VirtualMachine" + logging := vm.resourceLogging + logging != null + value := logging.monitoringLogDataEnabled + value != null + not compare(data.operator, data.target_value, value) +} + +non_compliant if { + vm.type[_] == "VirtualMachine" + mp := vm.malwareProtection + mp != null + logging := mp.applicationLogging + logging != null + value := logging.monitoringLogDataEnabled + value != null + not compare(data.operator, data.target_value, value) +} + +compliant if { + applicable + not non_compliant + compare(data.operator, data.target_value, true) +} diff --git a/metrics/LoggingMonitoring/SecurityAlertsEnabled/SecurityAlertsEnabled.yml b/metrics/LoggingMonitoring/SecurityAlertsEnabled/SecurityAlertsEnabled.yml new file mode 100644 index 00000000..2f5197d1 --- /dev/null +++ b/metrics/LoggingMonitoring/SecurityAlertsEnabled/SecurityAlertsEnabled.yml @@ -0,0 +1,11 @@ +# ====== Metadata ====== +id: SecurityAlertsEnabled +description: This rule assesses whether the logging capabilities offered by a [VirtualMachine] have [p1:securityAlertsEnabled] configured correctly. +category: LoggingMonitoring +version: "1.0" +comments: Enabling alert generation on log sources ensures suspicious events in operating system, boot, and workload telemetry trigger timely notifications for response teams. +# ====== Configuration ====== +configuration: + p1: + operator: "==" + targetValue: True diff --git a/metrics/LoggingMonitoring/SecurityAlertsEnabled/data.json b/metrics/LoggingMonitoring/SecurityAlertsEnabled/data.json new file mode 100644 index 00000000..5d2b55a1 --- /dev/null +++ b/metrics/LoggingMonitoring/SecurityAlertsEnabled/data.json @@ -0,0 +1,4 @@ +{ + "operator" : "==", + "target_value" : true +} diff --git a/metrics/LoggingMonitoring/SecurityAlertsEnabled/metric.rego b/metrics/LoggingMonitoring/SecurityAlertsEnabled/metric.rego new file mode 100644 index 00000000..759932b6 --- /dev/null +++ b/metrics/LoggingMonitoring/SecurityAlertsEnabled/metric.rego @@ -0,0 +1,99 @@ +package cch.metrics.security_alerts_enabled + +import data.cch.compare +import rego.v1 +import input as vm + +default applicable := false + +default compliant := false + +applicable if { + vm.type[_] == "VirtualMachine" + logging := vm.activityLogging + logging != null + logging.securityAlertsEnabled != null +} + +applicable if { + vm.type[_] == "VirtualMachine" + logging := vm.bootLogging + logging != null + logging.securityAlertsEnabled != null +} + +applicable if { + vm.type[_] == "VirtualMachine" + logging := vm.osLogging + logging != null + logging.securityAlertsEnabled != null +} + +applicable if { + vm.type[_] == "VirtualMachine" + logging := vm.resourceLogging + logging != null + logging.securityAlertsEnabled != null +} + +applicable if { + vm.type[_] == "VirtualMachine" + mp := vm.malwareProtection + mp != null + logging := mp.applicationLogging + logging != null + logging.securityAlertsEnabled != null +} + +non_compliant if { + vm.type[_] == "VirtualMachine" + logging := vm.activityLogging + logging != null + value := logging.securityAlertsEnabled + value != null + not compare(data.operator, data.target_value, value) +} + +non_compliant if { + vm.type[_] == "VirtualMachine" + logging := vm.bootLogging + logging != null + value := logging.securityAlertsEnabled + value != null + not compare(data.operator, data.target_value, value) +} + +non_compliant if { + vm.type[_] == "VirtualMachine" + logging := vm.osLogging + logging != null + value := logging.securityAlertsEnabled + value != null + not compare(data.operator, data.target_value, value) +} + +non_compliant if { + vm.type[_] == "VirtualMachine" + logging := vm.resourceLogging + logging != null + value := logging.securityAlertsEnabled + value != null + not compare(data.operator, data.target_value, value) +} + +non_compliant if { + vm.type[_] == "VirtualMachine" + mp := vm.malwareProtection + mp != null + logging := mp.applicationLogging + logging != null + value := logging.securityAlertsEnabled + value != null + not compare(data.operator, data.target_value, value) +} + +compliant if { + applicable + not non_compliant + compare(data.operator, data.target_value, true) +} diff --git a/resources/jsonExamples/VirtualMachine.json b/resources/jsonExamples/VirtualMachine.json index 3e3a1b19..28951baa 100644 --- a/resources/jsonExamples/VirtualMachine.json +++ b/resources/jsonExamples/VirtualMachine.json @@ -91,6 +91,18 @@ "remote_attestation": { "enabled": true }, + "security_profile": { + "uefi_settings": { + "secure_boot_enabled": true, + "v_tpm_enabled": true + }, + "encryption_at_host": { + "enabled": true, + "cache_encryption_enabled": true, + "temp_disk_encryption_enabled": true, + "data_in_transit_encrypted_vm_storage_enabled": true + } + }, "parent_id": "123e4567-e89b-12d3-a456-426614174003", "resource_logging": { "enabled": true, @@ -107,4 +119,4 @@ "usage_statistics": { "api_hits_per_month": 150 } -} \ No newline at end of file +}