# Copyright 2020-2022 Fugue, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
package rules.tf_aws_waf_known_bad_inputs
import data.fugue
# Rule metadata consumed by the Fugue engine: severity, human-readable
# description, the stable rule id FG_R00500, and the report title.
__rego__metadoc__ := {
"custom": {
"severity": "Critical"
},
"description": "WAFv2 web ACLs should include the 'AWSManagedRulesKnownBadInputsRuleSet' managed rule group. The 'Known bad inputs' (AWSManagedRulesKnownBadInputsRuleSet) managed rule group contains rules that block request patterns that are invalid or known to be associated with vulnerabilities, such as Log4j. Please note that the 'Log4JRCE' WAFv2 rule (and many others) only inspects the first 8 KB of the request body, so you may additionally want to ensure that the 'Core rule set' (AWSManagedRulesCommonRuleSet) is also included, as the 'SizeRestrictions_BODY' rule in that managed rule group verifies that the request body size is at most 8 KB.",
"id": "FG_R00500",
"title": "WAFv2 web ACLs should include the 'AWSManagedRulesKnownBadInputsRuleSet' managed rule group"
}
# Every resource of type aws_wafv2_web_acl known to the engine.
wafsv2 := fugue.resources("aws_wafv2_web_acl")
resource_type := "MULTIPLE"

# The managed rule group that must be attached, and the vendor it must
# come from.
valid_rule_names := {"AWSManagedRulesKnownBadInputsRuleSet"}
valid_vendor_names := {"AWS"}

# Rules of that group whose exclusion makes the web ACL non-compliant.
invalid_exclusions := {"Log4JRCE", "Log4JRCE_ALL_HEADER"}
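# A web ACL is compliant when at least one of its rules attaches the AWS
# "Known bad inputs" managed rule group, that same rule is not overridden to
# count-only, and the rule group statement does not exclude any rule name in
# invalid_exclusions.
is_valid_waf(waf) {
  rule := waf.rule[_]
  not rule_overridden(rule)
  # Bind the managed statement through `rule`, not through a second
  # `waf.rule[_]`: each `_` is an independent wildcard, so the original form
  # let any non-overridden rule satisfy the override check on behalf of a
  # different, count-only rule that carries the managed rule group.
  managed_statement := rule.statement[_].managed_rule_group_statement[_]
  valid_vendor_names[managed_statement.vendor_name]
  valid_rule_names[managed_statement.name]
  not excludes_log4jrce(managed_statement)
}

# True when the rule's override_action carries exactly one `count` entry,
# i.e. the rule group's actions are downgraded to count-only.
rule_overridden(rule) {
  count(rule.override_action[_].count) == 1
}

# True when the managed rule group statement lists any name from
# invalid_exclusions among its excluded rules.
excludes_log4jrce(managed_statement) {
  invalid_exclusions[managed_statement.excluded_rule[_].name]
}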
# Allow every web ACL that satisfies is_valid_waf.
policy[j] {
  some i
  waf := wafsv2[i]
  is_valid_waf(waf)
  j := fugue.allow_resource(waf)
}
# Deny every web ACL that does not satisfy is_valid_waf.
policy[j] {
  some i
  waf := wafsv2[i]
  not is_valid_waf(waf)
  j := fugue.deny_resource(waf)
}