зеркало из https://github.com/mozilla/frost.git
81 строка
2.1 KiB
Plaintext
81 строка
2.1 KiB
Plaintext
#
|
|
# frost config file
|
|
#
|
|
# Documentation on config file found in README.md
|
|
#
|
|
exemptions:
|
|
- test_name: test_ec2_instance_has_required_tags
|
|
test_param_id: i-0123456789f014c162
|
|
expiration_day: 2019-01-01
|
|
reason: ec2 instance has no owner
|
|
- test_name: test_ec2_security_group_opens_specific_ports_to_all
|
|
test_param_id: '*HoneyPot'
|
|
expiration_day: 2020-01-01
|
|
reason: purposefully insecure security group
|
|
severities:
|
|
- test_name: test_ec2_instance_has_required_tags
|
|
severity: INFO
|
|
- test_name: '*'
|
|
severity: ERROR
|
|
aws:
|
|
admin_groups:
|
|
- "Administrators"
|
|
admin_policies:
|
|
- "AWSAdminRequireMFA"
|
|
user_is_inactive:
|
|
no_activity_since:
|
|
years: 1
|
|
months: 0
|
|
created_after:
|
|
weeks: 1
|
|
access_key_expires_after:
|
|
years: 1
|
|
months: 0
|
|
required_tags:
|
|
- Name
|
|
- Type
|
|
- App
|
|
- Env
|
|
# Allowed ports for the test_ec2_security_group_opens_specific_ports_to_all
|
|
# test for all instances
|
|
allowed_ports_global:
|
|
- 25
|
|
# Allowed ports for the test_ec2_security_group_opens_specific_ports_to_all
|
|
# test for specific instances. In this example, we are allowing ports 22
|
|
# and 2222 for all security groups that include the word 'bastion' in them.
|
|
allowed_ports:
|
|
- test_param_id: '*bastion'
|
|
ports:
|
|
- 22
|
|
- 2222
|
|
max_ami_age_in_days: 90
|
|
owned_ami_account_ids:
|
|
- 1234567890
|
|
gcp:
|
|
allowed_org_domains:
|
|
- mygsuiteorg.com
|
|
allowed_gke_versions:
|
|
- 1.15.12-gke.20
|
|
- 1.16.13-gke.401
|
|
- 1.17.9-gke.1504
|
|
- 1.18.6-gke.3504
|
|
# Allowed ports for the test_firewall_opens_any_ports_to_all
|
|
# test for all firewalls
|
|
allowed_ports_global:
|
|
- 25
|
|
# Allowed ports for the test_firewall_opens_any_ports_to_all
|
|
# test for specific firewalls. In this example, we are allowing ports 22
|
|
# and 2222 for all firewalls that include the word 'bastion' in them.
|
|
allowed_ports:
|
|
- test_param_id: '*bastion'
|
|
ports:
|
|
- 22
|
|
- 2222
|
|
gsuite:
|
|
domain: 'mygsuiteorg.com'
|
|
min_number_of_owners: 2
|
|
user_is_inactive:
|
|
no_activity_since:
|
|
years: 1
|
|
months: 0
|