Skip to content

Commit 0527b2a

Browse files
authored
feat: submit risk and subject template definitions (#26)
* feat: submit risk and subject template definitions * fix: tests with new violation schema
1 parent 743b9de commit 0527b2a

10 files changed

Lines changed: 403 additions & 248 deletions

File tree

.github/workflows/build-and-upload.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -22,7 +22,7 @@ jobs:
2222
- name: Authenticate gooci cli
2323
run: gooci login ghcr.io --username ${{ github.actor }} --password ${{ secrets.GITHUB_TOKEN }}
2424
- name: gooci Upload Version
25-
run: gooci upload dist/ ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:${{github.ref_name}}
25+
run: gooci upload dist/ ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:${{github.ref_name}} --annotate="org.ccf.plugin.protocol.version=2"
2626
- name: gooci Upload Latest
2727
if: "!github.event.release.prerelease"
28-
run: gooci upload dist/ ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:latest
28+
run: gooci upload dist/ ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:latest --annotate="org.ccf.plugin.protocol.version=2"

.gitignore

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,3 +2,4 @@
22
dist/
33
.DS_Store
44
cf-plugin-local-ssh
5+
.config

Makefile

Lines changed: 38 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,38 @@
1+
# The help target prints out all targets with their descriptions organized
2+
# beneath their categories. The categories are represented by '##@' and the
3+
# target descriptions by '##'. The awk commands is responsible for reading the
4+
# entire set of makefiles included in this invocation, looking for lines of the
5+
# file as xyz: ## something, and then pretty-format the target and help. Then,
6+
# if there's a line with ##@ something, that gets pretty-printed as a category.
7+
# More info on the usage of ANSI catalog characters for terminal formatting:
8+
# https://en.wikipedia.org/wiki/ANSI_escape_code#SGR_parameters
9+
# More info on the awk command:
10+
# http://linuxcommand.org/lc3_adv_awk.php
11+
12+
# Check if OPA CLI is installed
13+
OPA := $(shell command -v opa 2> /dev/null)
14+
ifeq ($(OPA),)
15+
$(error "opa CLI not found. Please install it: https://www.openpolicyagent.org/docs/latest/cli/")
16+
endif
17+
18+
##@ Help
19+
help: ## Display this concise help, ie only the porcelain target
20+
@awk 'BEGIN {FS = ":.*##"; printf "\033[1mUsage\033[0m\n make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-30s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
21+
22+
help-all: ## Display all help items, ie including plumbing targets
23+
@awk 'BEGIN {FS = ":.*#"; printf "\nUsage:\n make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?#/ { printf " \033[36m%-25s\033[0m %s\n", $$1, $$2 } /^#@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
24+
25+
26+
##@ Test
27+
test: ## Run tests
28+
@go test ./...
29+
30+
clean: # Cleanup build artifacts
31+
@rm -rf dist/*
32+
33+
build: clean ## Build the plugin package
34+
@mkdir -p dist/
35+
@go build -o dist/plugin main.go
36+
37+
run: build ## Execute the Concom agent with the built plugin
38+
@../agent/dist/./concom agent --config ./.config/config.yaml

README.md

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,8 @@ package compliance_framework.local_ssh.deny_password_auth
1818

1919
The plugin expects Rego policies to output a `violation` key to indicate failed resources, which will be reported to the
2020
compliance framework. Additional data can be added to violations, that describe what failed, and recommendations on how
21-
to fix them.
21+
to fix them. Policies should also expose top-level `title` and `description` values so evidence can be
22+
created for both passing and failing evaluations.
2223

2324
Here is an example rego policy which ensures that passwords are turned off for SSH-able hosts.
2425

@@ -28,7 +29,13 @@ package compliance_framework.local_ssh.deny_password_auth
2829
2930
import future.keywords.in
3031
32+
title := "SSH password authentication is disabled"
33+
description := "Checks whether SSH password authentication is disabled on the host machine."
34+
3135
violation[{
36+
# ID identifies the violation for mapping to risk templates
37+
"id": "ssh_password_auth",
38+
3239
# Title describes the violation
3340
"title": "Host SSH is using password authentication.",
3441
# Description adds more details about the violation

examples/policies/shh_deny_password_auth.rego

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -2,10 +2,11 @@ package compliance_framework.local_ssh.deny_password_auth
22

33
import future.keywords.in
44

5+
title := "SSH password authentication is disabled"
6+
description := "Checks whether SSH password authentication is disabled on the host machine."
7+
58
violation[{
6-
"title": "Host SSH is using password authentication.",
7-
"description": "Host SSH should not use password, as this is insecure to brute force attacks from external sources.",
8-
"remarks": "Migrate to using SSH Public Keys, and switch off password authentication."
9+
"id": "ssh_password_auth",
910
}] if {
1011
"yes" in input.passwordauthentication
1112
}

examples/policies/shh_deny_root_with_password.rego

Lines changed: 5 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -2,10 +2,11 @@ package compliance_framework.local_ssh.deny_root_with_password
22

33
import future.keywords.in
44

5+
title := "Root SSH password authentication is disabled"
6+
description := "Checks whether the root account is prevented from using password-based SSH authentication."
7+
58
violation[{
6-
"title": "Root account should not be allowed to use password authentication",
7-
"description": "Root accounts using password is a severe security flaw, by which a brute force attack could gain elevated access to a host machine.",
8-
"remarks": "Remove password authentication from the root account, and use public keys or certificates as a stronger authentication method."
9+
"id": "ssh_root_password_auth",
910
}] if {
1011
not "without-password" in input.permitrootlogin
11-
}
12+
}

examples/policies/shh_require_public_key.rego

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -2,10 +2,11 @@ package compliance_framework.local_ssh.require_public_key
22

33
import future.keywords.in
44

5+
title := "SSH public key authentication is enabled"
6+
description := "Checks whether SSH public key authentication is enabled on the host machine."
7+
58
violation[{
6-
"title": "Public key authentication is not enabled",
7-
"description": "Public key authentication should be used for strong and secure authentication on host machines.",
8-
"remarks": "Enabled public key authentication for host machine."
9+
"id": "ssh_require_public_key",
910
}] if {
1011
not "yes" in input.pubkeyauthentication
1112
}

go.mod

Lines changed: 43 additions & 36 deletions
Original file line numberDiff line numberDiff line change
@@ -1,57 +1,64 @@
11
module github.com/chris-cmsoft/cf-plugin-local-ssh
22

3-
go 1.23.2
3+
go 1.25.8
44

55
require (
66
github.com/chris-cmsoft/conftojson v0.0.0-20241105132434-7c8873e5cbb6
7-
github.com/compliance-framework/agent v0.2.1
7+
github.com/compliance-framework/agent v0.3.1
88
github.com/hashicorp/go-hclog v1.6.3
9-
github.com/hashicorp/go-plugin v1.6.2
9+
github.com/hashicorp/go-plugin v1.7.0
1010
)
1111

1212
require (
13-
github.com/OneOfOne/xxhash v1.2.8 // indirect
14-
github.com/agnivade/levenshtein v1.2.0 // indirect
15-
github.com/beorn7/perks v1.0.1 // indirect
13+
github.com/agnivade/levenshtein v1.2.1 // indirect
1614
github.com/cespare/xxhash/v2 v2.3.0 // indirect
17-
github.com/compliance-framework/api v0.4.0 // indirect
18-
github.com/defenseunicorns/go-oscal v0.6.2 // indirect
15+
github.com/compliance-framework/api v0.13.0 // indirect
16+
github.com/containerd/errdefs/pkg v0.3.0 // indirect
17+
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.1 // indirect
18+
github.com/defenseunicorns/go-oscal v0.7.0 // indirect
19+
github.com/docker/docker v28.5.2+incompatible // indirect
1920
github.com/fatih/color v1.18.0 // indirect
20-
github.com/go-ini/ini v1.67.0 // indirect
21-
github.com/go-logr/logr v1.4.2 // indirect
22-
github.com/go-logr/stdr v1.2.2 // indirect
23-
github.com/go-viper/mapstructure/v2 v2.3.0 // indirect
21+
github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
2422
github.com/gobwas/glob v0.2.3 // indirect
23+
github.com/goccy/go-json v0.10.5 // indirect
2524
github.com/golang/protobuf v1.5.4 // indirect
2625
github.com/google/uuid v1.6.0 // indirect
27-
github.com/gorilla/mux v1.8.1 // indirect
2826
github.com/hashicorp/yamux v0.1.2 // indirect
27+
github.com/lestrrat-go/blackmagic v1.0.4 // indirect
28+
github.com/lestrrat-go/dsig v1.0.0 // indirect
29+
github.com/lestrrat-go/dsig-secp256k1 v1.0.0 // indirect
30+
github.com/lestrrat-go/httpcc v1.0.1 // indirect
31+
github.com/lestrrat-go/httprc/v3 v3.0.4 // indirect
32+
github.com/lestrrat-go/jwx/v3 v3.0.13 // indirect
33+
github.com/lestrrat-go/option/v2 v2.0.0 // indirect
2934
github.com/mattn/go-colorable v0.1.14 // indirect
3035
github.com/mattn/go-isatty v0.0.20 // indirect
31-
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
32-
github.com/oklog/run v1.1.0 // indirect
33-
github.com/open-policy-agent/opa v1.0.0 // indirect
34-
github.com/prometheus/client_golang v1.20.5 // indirect
35-
github.com/prometheus/client_model v0.6.1 // indirect
36-
github.com/prometheus/common v0.61.0 // indirect
37-
github.com/prometheus/procfs v0.15.1 // indirect
38-
github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
39-
github.com/sirupsen/logrus v1.9.3 // indirect
40-
github.com/tchap/go-patricia/v2 v2.3.1 // indirect
36+
github.com/oklog/run v1.2.0 // indirect
37+
github.com/open-policy-agent/opa v1.14.1 // indirect
38+
github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 // indirect
39+
github.com/segmentio/asm v1.2.1 // indirect
40+
github.com/sirupsen/logrus v1.9.4 // indirect
41+
github.com/tchap/go-patricia/v2 v2.3.3 // indirect
42+
github.com/valyala/fastjson v1.6.10 // indirect
43+
github.com/vektah/gqlparser/v2 v2.5.32 // indirect
4144
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
4245
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
4346
github.com/yashtewari/glob-intersection v0.2.0 // indirect
44-
go.opentelemetry.io/auto/sdk v1.1.0 // indirect
45-
go.opentelemetry.io/otel v1.35.0 // indirect
46-
go.opentelemetry.io/otel/metric v1.35.0 // indirect
47-
go.opentelemetry.io/otel/sdk v1.33.0 // indirect
48-
go.opentelemetry.io/otel/trace v1.35.0 // indirect
49-
golang.org/x/net v0.38.0 // indirect
50-
golang.org/x/sys v0.33.0 // indirect
51-
golang.org/x/text v0.24.0 // indirect
52-
google.golang.org/genproto/googleapis/rpc v0.0.0-20250106144421-5f5ef82da422 // indirect
53-
google.golang.org/grpc v1.69.2 // indirect
54-
google.golang.org/protobuf v1.36.2 // indirect
55-
gopkg.in/yaml.v3 v3.0.1 // indirect
56-
sigs.k8s.io/yaml v1.4.0 // indirect
47+
go.opentelemetry.io/otel/metric v1.42.0 // indirect
48+
go.opentelemetry.io/otel/trace v1.42.0 // indirect
49+
go.uber.org/multierr v1.11.0 // indirect
50+
go.uber.org/zap v1.27.1 // indirect
51+
go.yaml.in/yaml/v2 v2.4.4 // indirect
52+
go.yaml.in/yaml/v3 v3.0.4 // indirect
53+
golang.org/x/crypto v0.48.0 // indirect
54+
golang.org/x/net v0.51.0 // indirect
55+
golang.org/x/oauth2 v0.35.0 // indirect
56+
golang.org/x/sync v0.20.0 // indirect
57+
golang.org/x/sys v0.42.0 // indirect
58+
golang.org/x/text v0.34.0 // indirect
59+
golang.org/x/tools v0.42.0 // indirect
60+
google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 // indirect
61+
google.golang.org/grpc v1.79.3 // indirect
62+
google.golang.org/protobuf v1.36.11 // indirect
63+
sigs.k8s.io/yaml v1.6.0 // indirect
5764
)

0 commit comments

Comments
 (0)