Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
47 changes: 47 additions & 0 deletions catalogs/infrastructure_virtualization_security.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
[
{
"id": "IVS",
"name": "Infrastructure & Virtualization Security",
"description": "Controls that address hardening of compute hosts, guests, and virtualization infrastructure.",
"metadata": {
"color": "#004C97"
},
"short_name": "IVS",
"assurance_levels": [
"substantial",
"high"
],
"all_in_scope": true,
"categories": [
{
"name": "OS Hardening and Base Controls",
"description": "Baseline operating system and hypervisor protections for virtualized workloads.",
"controls": [
{
"id": "IVS-04",
"name": "Harden Hosts and Guests",
"description": "Harden host and guest OS, hypervisor or infrastructure control plane according to their respective best practices, supported by technical controls as part of a security baseline.",
"metrics": [
{ "id": "ActivityLoggingEnabled" },
{ "id": "L3FirewallEnabled" },
{ "id": "BootLoggingEnabled" },
{ "id": "OSLoggingEnabled" },
{ "id": "MonitoringLogDataEnabled" },
{ "id": "SecurityAlertsEnabled" },
{ "id": "AutomaticUpdatesEnabled" },
{ "id": "MalwareProtectionEnabled" },
{ "id": "SecureBootEnabled" },
{ "id": "VTPMEnabled" },
{ "id": "EncryptionAtHostEnabled" },
{ "id": "CacheEncryptionEnabled" },
{ "id": "TempDiskEncryptionEnabled" },
{ "id": "DataInTransitEncryptedVMStorageEnabled" },
{ "id": "IVS04SecurityBaseline" }
],
"assurance_level": "high"
}
]
}
]
}
]
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
# ====== Metadata ======
id: CacheEncryptionEnabled
description: This rule assesses whether a [VirtualMachine] that exposes a [SecurityProfile] with [EncryptionAtHost] has [p1:cacheEncryptionEnabled] configured correctly.
category: InfrastructureVirtualizationSecurity
version: "1.0"
comments: Enabling cache encryption at the host protects data cached on the hypervisor from being accessed in the clear, reducing exposure of sensitive information during maintenance operations.
# ====== Configuration ======
configuration:
p1:
operator: "=="
targetValue: True
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
{
"operator" : "==",
"target_value" : true
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
package cch.metrics.cache_encryption_enabled

import data.cch.compare
import rego.v1
import input as vm

default applicable := false

default compliant := false

applicable if {
vm.type[_] == "VirtualMachine"
security_profile := vm.securityProfile
security_profile != null
encryption_at_host := security_profile.encryptionAtHost
encryption_at_host != null
encryption_at_host.cacheEncryptionEnabled != null
}

compliant if {
vm.type[_] == "VirtualMachine"
security_profile := vm.securityProfile
security_profile != null
encryption_at_host := security_profile.encryptionAtHost
encryption_at_host != null
value := encryption_at_host.cacheEncryptionEnabled
compare(data.operator, data.target_value, value)
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
# ====== Metadata ======
id: DataInTransitEncryptedVMStorageEnabled
description: This rule assesses whether a [VirtualMachine] that exposes a [SecurityProfile] with [EncryptionAtHost] has [p1:dataInTransitEncryptedVmStorageEnabled] configured correctly.
category: InfrastructureVirtualizationSecurity
version: "1.0"
comments: Enforcing encryption for virtual machine storage traffic protects data moving between the host and underlying storage, mitigating interception or snooping risks within the infrastructure fabric.
# ====== Configuration ======
configuration:
p1:
operator: "=="
targetValue: True
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
{
"operator" : "==",
"target_value" : true
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
package cch.metrics.data_in_transit_encrypted_vm_storage_enabled

import data.cch.compare
import rego.v1
import input as vm

default applicable := false

default compliant := false

applicable if {
vm.type[_] == "VirtualMachine"
security_profile := vm.securityProfile
security_profile != null
encryption_at_host := security_profile.encryptionAtHost
encryption_at_host != null
encryption_at_host.dataInTransitEncryptedVmStorageEnabled != null
}

compliant if {
vm.type[_] == "VirtualMachine"
security_profile := vm.securityProfile
security_profile != null
encryption_at_host := security_profile.encryptionAtHost
encryption_at_host != null
value := encryption_at_host.dataInTransitEncryptedVmStorageEnabled
compare(data.operator, data.target_value, value)
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
# ====== Metadata ======
id: EncryptionAtHostEnabled
description: This rule assesses whether a [VirtualMachine] that exposes a [SecurityProfile] with [EncryptionAtHost] has [p1:enabled] configured correctly.
category: InfrastructureVirtualizationSecurity
version: "1.0"
comments: Enabling host-level encryption guarantees that data written to and read from the hypervisor is protected, providing a foundational safeguard for cache and disk encryption features.
# ====== Configuration ======
configuration:
p1:
operator: "=="
targetValue: True
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
{
"operator" : "==",
"target_value" : true
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
package cch.metrics.encryption_at_host_enabled

import data.cch.compare
import rego.v1
import input as vm

default applicable := false

default compliant := false

applicable if {
vm.type[_] == "VirtualMachine"
security_profile := vm.securityProfile
security_profile != null
encryption_at_host := security_profile.encryptionAtHost
encryption_at_host != null
encryption_at_host.enabled != null
}

compliant if {
vm.type[_] == "VirtualMachine"
security_profile := vm.securityProfile
security_profile != null
encryption_at_host := security_profile.encryptionAtHost
encryption_at_host != null
value := encryption_at_host.enabled
compare(data.operator, data.target_value, value)
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
# ====== Metadata ======
id: IVS04SecurityBaseline
description: This rule assesses whether a [VirtualMachine] satisfies the IVS-04 hardening baseline by enabling required logging, update, anti-malware, UEFI protection, and host encryption safeguards.
category: InfrastructureVirtualizationSecurity
version: "1.0"
comments: The IVS-04 control mandates that host and guest operating systems and their control planes follow hardening best practices. This includes enforcing logging, automated patching, malware protection, Secure Boot, virtual TPM, and encryption for caches, temporary disks, and storage traffic.
# ====== Configuration ======
configuration:
p1:
operator: "=="
targetValue: True
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
{
"operator" : "==",
"target_value" : true
}
Loading
Loading