tenable · cesar-rodriguez · Sep 11, 2021 · Aug 12, 2021 · Aug 13, 2021 · Aug 16, 2021
@@ -0,0 +1,17 @@
+{
+    "name": "chownFlagExists",
+    "file": "chownFlagExists.rego",
+    "policy_type": "docker",
+    "resource_type": "docker_copy",
+    "template_args": {
+        "prefix": "",
+        "suffix": "",
+        "name": "chownFlagExists"
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure not to use --chown flag when user only needs execution permission",
+    "reference_id": "AC_DOCKER_00024",
+    "category": "Infrastructure Security",
+    "id": "AC_DOCKER_00024",
+    "version": 1
+}
@@ -0,0 +1,7 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[cmd.id]{
+	cmd := input.docker_copy[_]
+    config := cmd.config
+    contains(config, "--chown")
+}
@@ -0,0 +1,17 @@
+{
+    "name": "dnfCleanAllMissing",
+    "file": "dnfCleanAllMissing.rego",
+    "policy_type": "docker",
+    "resource_type": "docker_run",
+    "template_args": {
+        "prefix": "",
+        "suffix": "",
+        "name": "dnfCleanAllMissing"
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure Cached package data should be cleaned after installation to reduce image size",
+    "reference_id": "AC_DOCKER_00025",
+    "category": "Infrastructure Security",
+    "id": "AC_DOCKER_00025",
+    "version": 1
+}
@@ -0,0 +1,17 @@
+{
+    "name": "pipInstallKeepingCachedPackages",
+    "file": "pipInstallKeepingCachedPackages.rego",
+    "policy_type": "docker",
+    "resource_type": "docker_run",
+    "template_args": {
+        "prefix": "",
+        "suffix": "",
+        "name": "pipInstallKeepingCachedPackages"
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure when installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller",
+    "reference_id": "AC_DOCKER_0031",
+    "category": "Infrastructure Security",
+    "id": "AC_DOCKER_0031",
+    "version": 1
+}
@@ -0,0 +1,16 @@
+{
+    "name": "yumInstallWithoutVersion",
+    "file": "yumInstallWithoutVersion.rego",
+    "policy_type": "docker",
+    "resource_type": "docker_run",
+    "template_args": {
+        "prefix": "",
+        "suffix": ""
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure package version is specified to avoid failures",
+    "reference_id": "AC_DOCKER_0033",
+    "category": "Infrastructure Security",
+    "id": "AC_DOCKER_0033",
+    "version": 1
+}
diff --git a/pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0036.json b/pkg/policies/opa/rego/docker/docker_run/AC_DOCKER_0036.json
@@ -0,0 +1,17 @@
+{
+    "name": "multipleRunAddCopyInstructions",
+    "file": "multipleRunAddCopyInstructions.rego",
+    "policy_type": "docker",
+    "resource_type": "docker_run",
+    "template_args": {
+        "prefix": "",
+        "suffix": "",
+        "name": "multipleRunAddCopyInstructions"
+    },
+    "severity": "LOW",
+    "description": "Ensure multiple commands (RUN, Copy, Add) should be grouped in order to reduce the number of layers.",
+    "reference_id": "AC_DOCKER_0036",
+    "category": "Infrastructure Security",
+    "id": "AC_DOCKER_0036",
+    "version": 1
+}
@@ -0,0 +1,17 @@
+{
+    "name": "updateInstructionsAlone",
+    "file": "updateInstructionsAlone.rego",
+    "policy_type": "docker",
+    "resource_type": "docker_run",
+    "template_args": {
+        "prefix": "",
+        "suffix": "",
+        "name": "updateInstructionsAlone"
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement",
+    "reference_id": "AC_DOCKER_0049",
+    "category": "Infrastructure Security",
+    "id": "AC_DOCKER_0049",
+    "version": 1
+}
@@ -0,0 +1,17 @@
+{
+    "name": "multipleCMDInstructions",
+    "file": "multipleCMDInstructions.rego",
+    "policy_type": "docker",
+    "resource_type": "docker_run",
+    "template_args": {
+        "prefix": "",
+        "suffix": "",
+        "name": "multipleCMDInstructions"
+    },
+    "severity": "MEDIUM",
+    "description": "Ensure that there is only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect",
+    "reference_id": "AC_DOCKER_0053",
+    "category": "Infrastructure Security",
+    "id": "AC_DOCKER_0053",
+    "version": 1
+}
@@ -0,0 +1,48 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[run.id]
+{
+    run := input.docker_run[_]
+    config := run.config
+
+    installCommandExists(config)
+    not contains(config, "dnf clean")
+    not cleanExistsPostInstall(config)
+}
+
+installCommandExists(command) {
+	installCommands = [
+		"dnf install",
+		"dnf in",
+		"dnf reinstall",
+		"dnf rei",
+		"dnf install-n",
+		"dnf install-na",
+		"dnf install-nevra",
+	]
+
+	contains(command, installCommands[_])
+}
+
+cleanExistsPostInstall(config) {
+	contains(config, "dnf clean all")
+
+	installCommands = [
+		"dnf install",
+		"dnf in",
+		"dnf reinstall",
+		"dnf rei",
+		"dnf install-n",
+		"dnf install-na",
+		"dnf install-nevra",
+	]
+
+	some cmd
+	install := indexof(config, installCommands[cmd])
+	install != -1
+
+	clean := indexof(config, "dnf clean")
+	clean != -1
+
+	install < clean
+}
@@ -0,0 +1,12 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[cmdInst[_]]{
+	command := input.docker_cmd
+    cmdInst := [x | x := checkCommandType(command[_])]
+	count(cmdInst) > 1
+}
+
+checkCommandType(command) = value {
+	command.type == "docker_cmd"
+    value := command.id
+}
diff --git a/pkg/policies/opa/rego/docker/docker_run/multipleRunAddCopyInstructions.rego b/pkg/policies/opa/rego/docker/docker_run/multipleRunAddCopyInstructions.rego
@@ -0,0 +1,23 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[command.id]
+{
+   item_list := [
+        object.get(input, "docker_add", "undefined"),
+        object.get(input, "docker_copy", "undefined"),
+        object.get(input, "docker_dockerfile", "undefined"),
+        object.get(input, "docker_from", "undefined"),
+        object.get(input, "docker_run", "undefined"),
+    ]
+
+    item = item_list[_]
+    item != "undefined"
+    command := item[_]
+
+    instructions := {"copy", "add", "run"}
+	some i
+	check := [x | item[i].config == instructions[y]; x := item[i]]
+
+    some j, k
+	Counter := [x | check[j].line - check[k].line == -1; x := check[j]]
+}
@@ -0,0 +1,15 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[run.id]{
+    run := input.docker_run[_]
+    config := run.config
+    hasCacheFlag(config)
+}
+
+hasCacheFlag(values) {
+	commands = split(values, "&&")
+	some i
+	instruction := commands[i]
+	re_match("pip(3)? (-(-)?[a-zA-Z]+ *)*install", instruction) == true
+	not contains(instruction, "--no-cache-dir")
+}
@@ -0,0 +1,7 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[run.name] {
+    run := input.docker_run[_]    
+    config := run.config
+    config == ["apt-get update", "yum update", "sudo apt-get update", "sudo yum update"][_]
+}
@@ -0,0 +1,30 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[run.id]{
+    run := input.docker_run[_]
+    config := run.config
+
+
+    commands := split(config, "&&")
+    command := commands[_]
+    contains(command, "yum install")
+    len := count(regex.split("yum (group|local)?install ?(-(-)?[a-zA-Z]+ *)*", command))
+    packages_array := array.slice(regex.split("yum (group|local)?install ?(-(-)?[a-zA-Z]+ *)*", command), 1, len)[0]
+    packages := split(packages_array, " ")
+    not checkVersion(packages)
+}
+
+checkVersion(arg) {
+    pack := arg[_]
+	re_match("[A-Za-z0-9_-]+[-:][$](.+)", pack)
+}
+
+checkVersion(arg) {
+    pack := arg[_]
+	re_match("[A-Za-z0-9_-]+[:-]([0-9]+.)+[0-9]+", pack)
+}
+
+checkVersion(arg) {
+    pack := arg[_]
+	re_match("[A-Za-z0-9_-]+=(.+)", pack)
+}