From 303547594e05ce8dbbf2fa536ced82775eb712e8 Mon Sep 17 00:00:00 2001 From: James Date: Mon, 8 Jun 2026 00:11:12 +0800 Subject: [PATCH 1/2] gates: add review gates for secrets-management, iac-security, secure-code-review, owasp-top-10-web, pipeline-security --- skills/appsec/owasp-top-10-web/SKILL.md | 7 +++ .../gates/cookie-session-storage-gate.md | 39 +++++++++++++++++ skills/appsec/secure-code-review/SKILL.md | 7 +++ .../gates/template-sandbox-gate.md | 35 +++++++++++++++ skills/cloud/iac-security/SKILL.md | 6 +++ .../gates/terraform-state-exposure-gate.md | 32 ++++++++++++++ skills/devsecops/pipeline-security/SKILL.md | 6 +++ .../gates/runner-persistence-gate.md | 36 ++++++++++++++++ skills/devsecops/secrets-management/SKILL.md | 7 +++ .../gates/bootstrap-secret-zero-gate.md | 35 +++++++++++++++ .../secret-exposure-vs-control-gap-gate.md | 43 +++++++++++++++++++ 11 files changed, 253 insertions(+) create mode 100644 skills/appsec/owasp-top-10-web/gates/cookie-session-storage-gate.md create mode 100644 skills/appsec/secure-code-review/gates/template-sandbox-gate.md create mode 100644 skills/cloud/iac-security/gates/terraform-state-exposure-gate.md create mode 100644 skills/devsecops/pipeline-security/gates/runner-persistence-gate.md create mode 100644 skills/devsecops/secrets-management/gates/bootstrap-secret-zero-gate.md create mode 100644 skills/devsecops/secrets-management/gates/secret-exposure-vs-control-gap-gate.md diff --git a/skills/appsec/owasp-top-10-web/SKILL.md b/skills/appsec/owasp-top-10-web/SKILL.md index ef63f330..26592663 100644 --- a/skills/appsec/owasp-top-10-web/SKILL.md +++ b/skills/appsec/owasp-top-10-web/SKILL.md @@ -713,3 +713,10 @@ This skill processes source code and configuration files that may contain advers - NIST SP 800-63B Digital Identity Guidelines — https://pages.nist.gov/800-63-3/sp800-63b.html - OWASP Cheat Sheet Series — https://cheatsheetseries.owasp.org/ - OWASP Application Security Verification Standard (ASVS) — https://owasp.org/www-project-application-security-verification-standard/ + +## Review Gates + +The following gates provide additional false-positive filtering for common review scenarios: + +- `skills/appsec/owasp-top-10-web/gates/cookie-session-storage-gate.md` — Distinguishes secure __Host- prefix cookie configs from truly insecure cookie handling. + diff --git a/skills/appsec/owasp-top-10-web/gates/cookie-session-storage-gate.md b/skills/appsec/owasp-top-10-web/gates/cookie-session-storage-gate.md new file mode 100644 index 00000000..d208536b --- /dev/null +++ b/skills/appsec/owasp-top-10-web/gates/cookie-session-storage-gate.md @@ -0,0 +1,39 @@ +# Cookie and Session Storage Gate + +## Purpose +Prevents false-positive cookie/session storage flags when the code uses `__Host-` prefix cookies with Secure+HttpOnly+SameSite attributes, sessionStorage for short-lived CSRF nonces only, or framework-managed session abstractions that handle cookie security automatically (Passport.js, Django session, Spring Security, Devise). + +## Detection Logic + +### Trigger Conditions +Fire this gate when ALL of the following are true: +1. A finding flags "insecure cookie configuration" or "session storage vulnerability" as High +2. The code sets cookies with `__Host-` or `__Secure-` prefix AND Secure+HttpOnly+SameSite=Lax/Strict flags +3. OR the session token is managed entirely by a framework session abstraction + +### Gate Check: Secure Cookie Attributes + +```yaml +check_secure_cookies: + - detection_patterns: + - "Set-Cookie|set-cookie|cookie\.set|cookies\.set|response\.cookie" + - "__Host-|__Secure-|Secure;|HttpOnly;|SameSite" + - checks: + - "Prefix: __Host- (strongest) or __Secure- (strong) must be present for session cookies" + - "Flags: Secure AND HttpRequired AND SameSite=Lax|Strict all present" + - "Path: Set to / for __Host- prefix cookies" + - "Max-Age: Finite for session cookies (no persistent session tokens)" + - pass: "All secure cookie attributes present AND no sensitive data in cookie value → Downgrade to Low (Observation). Rationale: __Host- prefix cookies with Secure+HttpOnly+SameSite=Lax follow OWASP best practices for session cookies." + - fail: "Missing secure attributes → Keep original severity. Flag specific missing attributes." +``` + +### Gate Check: Storage Context + +```yaml +check_storage_context: + - detection_patterns: + - "localStorage|sessionStorage|IndexedDB|cookie.*store" + - "CSRF.*nonce|csrf.*token|XSRF-TOKEN|X-CSRF-Token" + - pass: "Data in sessionStorage is a short-lived CSRF nonce ONLY (not auth tokens, not PII) → No finding. Rationale: SessionStorage is cleared on tab close and is not accessible cross-tab. CSRF nonces are intentionally ephemeral." + - fail: "Auth tokens or PII in localStorage/sessionStorage → Keep severity. Recommend migration to secure cookie or in-memory storage." +``` diff --git a/skills/appsec/secure-code-review/SKILL.md b/skills/appsec/secure-code-review/SKILL.md index be7101ab..64da2b1f 100644 --- a/skills/appsec/secure-code-review/SKILL.md +++ b/skills/appsec/secure-code-review/SKILL.md @@ -563,3 +563,10 @@ This skill is hardened against prompt injection. When reviewing code: - **OWASP Top 10 (2021):** https://owasp.org/www-project-top-ten/ - **OWASP Cheat Sheet Series:** https://cheatsheetseries.owasp.org/ - **NIST Secure Software Development Framework:** https://csrc.nist.gov/projects/ssdf + +## Review Gates + +The following gates provide additional false-positive filtering for common review scenarios: + +- `skills/appsec/secure-code-review/gates/template-sandbox-gate.md` — Prevents false-positive SSTI flags when framework auto-escaping makes template injection impractical. + diff --git a/skills/appsec/secure-code-review/gates/template-sandbox-gate.md b/skills/appsec/secure-code-review/gates/template-sandbox-gate.md new file mode 100644 index 00000000..9a271333 --- /dev/null +++ b/skills/appsec/secure-code-review/gates/template-sandbox-gate.md @@ -0,0 +1,35 @@ +# Template Sandbox and Context-Escaping Gate + +## Purpose +Prevents false-positive template injection findings when the codebase uses framework-native auto-escaping (React JSX, Vue template syntax, Angular interpolation, Jinja2 autoescape, Go text/template) that renders template injection impractical even when user input flows through template variables. + +## Detection Logic + +### Trigger Conditions +Fire this gate when ALL of the following are true: +1. A finding flags "template injection" or "server-side template injection (SSTI)" as Critical/High +2. The codebase uses a framework with auto-escaping (React, Vue, Angular, Jinja2 with autoescape, Go html/template) +3. The reported injection vector passes through template variables/functions, not raw template string concatenation + +### Gate Check: Framework Auto-Escaping Assessment + +```yaml +check_auto_escaping: + - detection_patterns: + - "template.*injection|SSTI|server-side template|handlebars|mustache" + - "React\.createElement|JSX|v-bind|:innerHTML|ng-bind-html|jinja2.*autoescape" + - pass: "Framework with auto-escaping confirmed → Downgrade to Medium (Context-Dependent). Rationale: The reported vector would require bypassing framework-level escaping (e.g., dangerouslySetInnerHTML, v-html, raw filter). If the code uses these bypasses, escalate; otherwise, this is a defense-in-depth finding." + - fail: "No framework auto-escaping OR template string concatenation confirmed → Keep Critical severity. SSTI allows RCE in most template engines." +``` + +### Gate Check: Sandbox Escape Path + +```yaml +check_sandbox_escape: + - description: "Check if the template engine provides a sandbox and whether it can be escaped" + - detection_patterns: + - "sandbox.*bypass|sandbox.*escape|restricted.*python|eval.*template" + - "jinja2.*sandbox|go.*template.*no.*escape" + - pass: "Template engine uses sandbox mode (Jinja2 SandboxedEnvironment, Go text/template with restricted funcs) → Downgrade to Low. Escaping sandboxed environments requires known CVEs." + - fail: "Template engine without sandbox AND user input flows through template directives → Keep High/Critical." +``` diff --git a/skills/cloud/iac-security/SKILL.md b/skills/cloud/iac-security/SKILL.md index b4f46ed3..32f15f7c 100644 --- a/skills/cloud/iac-security/SKILL.md +++ b/skills/cloud/iac-security/SKILL.md @@ -263,6 +263,12 @@ This skill applies checks equivalent to the following high-impact rules: --- +## Review Gates + +The following gates provide additional false-positive filtering for common review scenarios: + +- `skills/cloud/iac-security/gates/terraform-state-exposure-gate.md — Assesses Terraform remote backend security posture for state exposure findings. Downgrades findings for follow-provider-recommended secure defaults. + ## Changelog - **1.0.0** -- Initial release. Coverage of eight security domains across Terraform, CloudFormation, Pulumi, and Bicep with Checkov/tfsec/KICS rule equivalents. diff --git a/skills/cloud/iac-security/gates/terraform-state-exposure-gate.md b/skills/cloud/iac-security/gates/terraform-state-exposure-gate.md new file mode 100644 index 00000000..e2dc4374 --- /dev/null +++ b/skills/cloud/iac-security/gates/terraform-state-exposure-gate.md @@ -0,0 +1,32 @@ +# Terraform State Backend Exposure Gate + +## Purpose +Prevents false-positive "state backend exposure" findings when the Terraform state is stored in a remote backend with adequate access controls (e.g., S3 with bucket policies, Azure Storage RBAC, GCS with IAM), even if the state file itself is not encrypted at rest with a customer-managed key. The current skill over-flags configurations that follow the provider-recommended secure defaults. + +## Detection Logic + +### Trigger Conditions +Fire this gate when ALL of the following are true: +1. A finding flags "Terraform state backend exposure" or "state file accessible" as High/Critical +2. The state backend uses a supported remote backend (S3, AzureRM, GCS, Terraform Cloud/Enterprise) +3. The backend configuration includes authentication (access keys, managed identity, service principal) + +### Gate Check: Remote Backend Security Assessment + +```yaml +check_backend_security: + - description: "Assess the actual security posture of the remote state backend" + - detection_patterns: + - "backend.*s3|backend.*azurerm|backend.*gcs|backend.*terraform.*cloud" + - "terraform.*state|state.*exposure|state.*backend" + - checks: + - "S3: bucket policy restricts access via PrincipalARN or SourceVPC; server-side encryption (AES256/aws:kms) enabled; versioning enabled for state recovery" + - "AzureRM: storage account firewall enabled; RBAC role assignment limited to operators; infrastructure encryption enabled" + - "GCS: uniform bucket-level access; IAM binding scoped to service accounts; object versioning enabled" + - pass: "Remote backend follows provider-recommended security defaults → Downgrade to Low (Informational). Rationale: Standard remote backend configuration with access controls mitigates state exposure risk. Customer-managed encryption keys are a defense-in-depth enhancement, not a required control." + - fail: "Backend uses local state, no authentication, public bucket, or no encryption → Keep Critical severity. Immediate remediation required." +``` + +## Resolution Path +1. For secure remote backends: Document the existing controls and close as Informational +2. For insecure configurations: Migrate to remote backend with authentication and encryption diff --git a/skills/devsecops/pipeline-security/SKILL.md b/skills/devsecops/pipeline-security/SKILL.md index 66de2470..37c82b05 100644 --- a/skills/devsecops/pipeline-security/SKILL.md +++ b/skills/devsecops/pipeline-security/SKILL.md @@ -555,6 +555,12 @@ This skill processes user-supplied content including CI/CD configuration files, --- +## Review Gates + +The following gates provide additional false-positive filtering for common review scenarios: + +- `gates/runner-persistence-gate.md` — Evaluates ephemeral runner persistence risk for CI/CD trust boundary findings. + ## Changelog - **1.0.0** -- Initial release. Full coverage of SLSA v1.0 build track and OWASP Top 10 CI/CD Security Risks (CICD-SEC-1 through CICD-SEC-10). diff --git a/skills/devsecops/pipeline-security/gates/runner-persistence-gate.md b/skills/devsecops/pipeline-security/gates/runner-persistence-gate.md new file mode 100644 index 00000000..0c6ca05d --- /dev/null +++ b/skills/devsecops/pipeline-security/gates/runner-persistence-gate.md @@ -0,0 +1,36 @@ +# Self-Hosted Runner Persistence and Trust-Boundary Gate + +## Purpose +Prevents false-positive "runner persistence" flags when CI/CD self-hosted runners use ephemeral instances (auto-scaling groups, spot instances, container groups) that cannot persist beyond a single job run, or when the runner environment uses disk encryption and immutable infrastructure patterns. + +## Detection Logic + +### Trigger Conditions +Fire this gate when ALL of the following are true: +1. A finding flags "self-hosted runner persistence" or "runner trust boundary violation" as High/Critical +2. Runners are ephemeral (auto-scaling, spot/preemptible instances, Kubernetes pods, container groups) +3. Runner storage is ephemeral or encrypted-at-rest (instance store, encrypted EBS, tempfs) + +### Gate Check: Ephemeral Runner Assessment + +```yaml +check_ephemeral_runners: + - detection_patterns: + - "self-hosted|selfhosted|self.*runner|actions-runner" + - "auto-scaling|spot.*instance|preemptible|kubernetes.*runner|container.*group" + - "ephemeral|immutable|golden.*image|ami.*pipeline" + - pass: "Runners are ephemeral with no persistent storage between jobs → Downgrade to Medium (Architecture Note). Rationale: Ephemeral runners cannot persist malware or exfiltrate credentials across job boundaries. The trust boundary is scoped to the job duration." + - fail: "Runners are persistent (long-lived VMs, dedicated servers) OR unencrypted persistent storage → Keep severity. Implement runner rotation or disk encryption." +``` + +### Gate Check: Trust Boundary Assessment + +```yaml +check_trust_boundary: + - description: "Assess whether cross-job data leakage is possible" + - detection_patterns: + - "GITHUB_TOKEN|ACTIONS_ID_TOKEN|WORKFLOW.*TOKEN|id-token" + - "docker.*cache|actions/cache|pip.*cache|npm.*cache|m2.*repository" + - pass: "No shared cache/mounts between jobs AND runner is single-use → Downgrade to Low. Trust boundary is adequately scoped." + - fail: "Shared job caches OR runner reused across jobs → Keep severity. Each job's artifacts could leak to subsequent jobs." +``` diff --git a/skills/devsecops/secrets-management/SKILL.md b/skills/devsecops/secrets-management/SKILL.md index cc9c5ead..eb748a45 100644 --- a/skills/devsecops/secrets-management/SKILL.md +++ b/skills/devsecops/secrets-management/SKILL.md @@ -469,6 +469,13 @@ This skill processes configuration files and code that may contain secret values --- +## Review Gates + +The following gates provide additional false-positive filtering for common review scenarios: + +- `gates/secret-exposure-vs-control-gap-gate.md` — Distinguishes actual exposed secrets from missing preventative controls (e.g., no `.gitleaks.toml`, no pre-commit hooks) so control gaps are not misclassified as active exposure. +- `gates/bootstrap-secret-zero-gate.md` — Assesses whether managed secret stores (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, Vault) provide adequate bootstrap/break-glass procedures, avoiding unnecessary custom bootstrap requirements. + ## Changelog - **1.0.1** -- Add false positive filtering guidance: distinguish real secrets from placeholders/examples, verify entropy, scope findings to actual secrets (not architectural gaps). diff --git a/skills/devsecops/secrets-management/gates/bootstrap-secret-zero-gate.md b/skills/devsecops/secrets-management/gates/bootstrap-secret-zero-gate.md new file mode 100644 index 00000000..4025c802 --- /dev/null +++ b/skills/devsecops/secrets-management/gates/bootstrap-secret-zero-gate.md @@ -0,0 +1,35 @@ +# Bootstrap Secret-Zero Recovery Gate + +## Purpose +Prevents false-positive critical severity flags for missing bootstrap secret-zero procedures when the assessed system uses cloud-managed secret stores (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, HashiCorp Vault) that inherently provide break-glass and recovery mechanisms through their native APIs. + +## Detection Logic + +### Trigger Conditions +Fire this gate when ALL of the following are true: +1. A finding flags "no bootstrap secret-zero procedure" or "no recovery evidence gates" for initial secret provisioning +2. The system uses a managed secret store (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, HashiCorp Vault) +3. The managed store has documented recovery procedures (API key rotation, admin recovery, emergency access) + +### Gate Check: Managed Recovery Assessment + +```yaml +check_managed_recovery: + - detection_patterns: + - "no bootstrap|no secret-zero|no recovery.*gate|missing.*break.glass" + - "AWS Secrets Manager|Azure Key Vault|GCP Secret Manager|HashiCorp Vault|1Password Connect" + - pass: "System uses managed secret store with native recovery → Downgrade to Low (Observation). Rationale: The platform's secret store already provides break-glass, recovery, and emergency access workflows. A custom bootstrap secret-zero procedure is unnecessary overhead." + - fail: "No managed secret store OR no documented recovery path → Keep original severity. Require bootstrap secret-zero procedure." +``` + +### Gate Check: Alternative Recovery Path + +```yaml +check_alternative_recovery: + - description: "Verify if there are alternative means of initial secret provisioning (GitOps, Terraform remote state, SOPS, external secrets operator)" + - detection_patterns: + - "external-secrets|csi-secrets|secrets-store-csi|argocd-vault|sops|age\\.encrypted" + - "terraform.*remote.*state|pulumi.*config.*secret|ansible-vault" + - pass: "Alternative recovery path documented → Downgrade to Observation. Consider adding a documented runbook but no code change required." + - fail: "No alternative recovery path → Require bootstrap secret-zero procedure as High severity." +``` diff --git a/skills/devsecops/secrets-management/gates/secret-exposure-vs-control-gap-gate.md b/skills/devsecops/secrets-management/gates/secret-exposure-vs-control-gap-gate.md new file mode 100644 index 00000000..05050a6b --- /dev/null +++ b/skills/devsecops/secrets-management/gates/secret-exposure-vs-control-gap-gate.md @@ -0,0 +1,43 @@ +# Secret Exposure vs Control Gap Gate + +## Purpose +Prevents false-positive secret-detection findings by distinguishing between *actual exposed secrets* (committed credentials, tokens, API keys) and *architectural control gaps* (missing gitleaks config, missing pre-commit hooks, missing secrets baseline). The current skill flags the latter as though they were the former, which conflates operational posture with active exposure. + +## Detection Logic + +### Trigger Conditions +Fire this gate when ALL of the following are true: +1. A finding flags the absence of `.gitleaks.toml`, `.secrets.baseline`, TruffleHog CI job, or pre-commit hooks +2. The repo contains no committed `.env` files, no checked-in API keys, no hardcoded tokens or credentials +3. The CI pipeline does not push or deploy secrets to any external service + +### Gate Check: Exposure vs. Control Gap + +```yaml +check_exposure_vs_gap: + - description: "Determine if the finding is an active secret exposure or a missing control" + - detection_patterns: + - "no \.gitleaks\.toml|no \.secrets\.baseline|missing pre-commit|TruffleHog.*not configured" + - "gitleaks|trufflehog|secrets.*scanner|secret.*detect" + - pass: "No committed secrets found in repo history (git diff HEAD, .env*, token patterns, key patterns) → Downgrade to Medium (Recommendation). Rationale: This is a missing preventative control, not an active exposure. The finding should be reclassified as 'Secrets Detection Coverage Gap' rather than 'Exposed Secret Credential'." + - fail: "Confirmed committed secrets found → Keep original severity. Proceed to standard secrets management review." +``` + +### Gate Check: Evidence Collection + +```yaml +check_evidence_collection: + - description: "Verify the reviewer has actually searched for committed secrets before concluding exposure" + - required_evidence: + - "git log -p --all -S '' for common secret patterns (API_KEY, password, secret, token, credential)" + - "find . -name '.env*' -not -path '*/.git/*'" + - "grep -r '-----BEGIN.*PRIVATE KEY-----' . --include='*.{key,pem,p12,pfx}' 2>/dev/null" + - "Check GitHub secret scanning alerts if available" + - pass: "Evidence collected and no active secrets found → Apply control-gap downgrade" + - fail: "No evidence collection documented → Instruct reviewer to collect evidence before filing finding" +``` + +## Resolution Path + +1. If the finding is a **control gap**: Create or recommend adding `.gitleaks.toml`, `.secrets.baseline`, or pre-commit hook configuration. File as a Medium-severity recommendations track item. +2. If the finding is an **active exposure**: Escalate to immediate secret rotation, revoke compromised credentials, audit git history with `git filter-repo` or BFG Repo-Cleaner. From ed16f37663d3dd0471db776b0f826c64d22642b5 Mon Sep 17 00:00:00 2001 From: James Date: Mon, 8 Jun 2026 00:11:21 +0800 Subject: [PATCH 2/2] gates: add review gates for container-security, firewall-review, log-analysis, detection-engineering --- .../gates/debug-container-privilege-gate.md | 35 ++++++++++++++++++ .../gates/ephemeral-egress-gate.md | 36 +++++++++++++++++++ .../gates/data-source-health-gate.md | 35 ++++++++++++++++++ .../gates/log-redaction-provenance-gate.md | 36 +++++++++++++++++++ 4 files changed, 142 insertions(+) create mode 100644 skills/cloud/container-security/gates/debug-container-privilege-gate.md create mode 100644 skills/network/firewall-review/gates/ephemeral-egress-gate.md create mode 100644 skills/secops/detection-engineering/gates/data-source-health-gate.md create mode 100644 skills/secops/log-analysis/gates/log-redaction-provenance-gate.md diff --git a/skills/cloud/container-security/gates/debug-container-privilege-gate.md b/skills/cloud/container-security/gates/debug-container-privilege-gate.md new file mode 100644 index 00000000..067719a2 --- /dev/null +++ b/skills/cloud/container-security/gates/debug-container-privilege-gate.md @@ -0,0 +1,35 @@ +# Debug Container and Ephemeral Privilege Gate + +## Purpose +Prevents false-positive "privileged container" flags when ephemeral debug containers (kubectl debug, ephemeral containers in Kubernetes) or sidecar containers with elevated permissions are used for legitimate debugging purposes and are explicitly scoped to specific namespaces, time-bound, and auditable. + +## Detection Logic + +### Trigger Conditions +Fire this gate when ALL of the following are true: +1. A finding flags "privileged container" or "container running as root" as High/Critical +2. The privileged container is ephemeral (kubectl debug, debug sidecar, temporary troubleshooting pod) +3. The container has explicit namespace scoping and time-bound TTL + +### Gate Check: Ephemeral Privilege Assessment + +```yaml +check_ephemeral_privilege: + - detection_patterns: + - "privileged.*true|securityContext.*privileged|--privileged" + - "kubectl.*debug|ephemeral.*container|debug.*sidecar|debug.*pod" + - "ttl.*seconds|activeDeadlineSeconds|timeout.*debug" + - pass: "Debug container is ephemeral with TTL AND scoped to specific namespace → Downgrade to Medium (Observation). Rationale: Ephemeral debug containers are an accepted Kubernetes debugging practice. The risk is limited by the container's short lifetime and explicit namespace scoping. Ensure debug sessions are logged and approved." + - fail: "Container runs privileged persistently (Deployment, StatefulSet, DaemonSet) OR no TTL → Keep severity. Persistent privileged containers should run as non-root with dropped capabilities." +``` + +### Gate Check: Audit Trail Assessment + +```yaml +check_audit_trail: + - detection_patterns: + - "audit.*log|kubernetes.*audit|cloud.*audit|kubectl.*auth.*check" + - "pod.*exec|kubectl.*exec|debug.*session|kubectl.*debug" + - pass: "Kubernetes audit logging enabled for pod exec/debug operations AND incident response runbook references debug container pattern → Accept. Escalation only if audit logs show unauthorized usage." + - fail: "No audit logging for privileged operations → Escalate to High. Without audit trails, ephemeral privilege escalation cannot be distinguished from compromise." +``` diff --git a/skills/network/firewall-review/gates/ephemeral-egress-gate.md b/skills/network/firewall-review/gates/ephemeral-egress-gate.md new file mode 100644 index 00000000..c533e3fc --- /dev/null +++ b/skills/network/firewall-review/gates/ephemeral-egress-gate.md @@ -0,0 +1,36 @@ +# Ephemeral Egress and Cloud Effective-Rule Gate + +## Purpose +Prevents false-positive "over-permissive egress" findings when cloud firewall rules (AWS Security Group egress, Azure NSG, GCP firewall, OCI security list) allow broad egress but are attached to ephemeral resources (auto-scaling groups, spot fleets, Lambda, container tasks) that cannot be exploited for persistent C2 communication. + +## Detection Logic + +### Trigger Conditions +Fire this gate when ALL of the following are true: +1. A finding flags "0.0.0.0/0 egress" or "overly permissive outbound rule" as High +2. The resource is ephemeral (auto-scaling group, spot instance, Lambda, ECS/Fargate task, Kubernetes pod) +3. The resource has no persistent inbound access from the internet + +### Gate Check: Ephemeral Resource Assessment + +```yaml +check_ephemeral_resource: + - detection_patterns: + - "0\.0\.0\.0/0.*egress|::/0.*egress|outbound.*any|all.*traffic.*out" + - "security_group|security.*group.*egress|nsg.*outbound|firewall.*rule.*egress" + - "auto-scaling|spot|lambda|fargate|ecs.*task|eks.*pod|cloud.*run" + - pass: "Resource is ephemeral AND has no persistent inbound access → Downgrade to Low (Observation). Rationale: Ephemeral resources cannot host persistent C2 infrastructure. Broad egress is required for package downloads, container registries, and API calls. Recommend adding specific egress rules for known endpoints." + - fail: "Resource is persistent (long-lived VM, bare metal) OR has persistent inbound access → Keep severity. Implement least-privilege egress rules." +``` + +### Gate Check: Effective-Rule Analysis + +```yaml +check_effective_rule: + - description: "Evaluate using cloud provider's effective-rule/accessible analysis tools" + - detection_patterns: + - "effective.*rule|accessible.*from|reachability.*checker|network.*analyzer" + - "AWS:*ReachabilityAnalyzer|Azure:*NetworkWatcher|GCP:*FirewallInsights" + - pass: "Effective-rule analysis shows egress is used for legitimate purposes (package registries, container images, monitoring endpoints) → Downgrade to Recommendation. Add allow-listed egress rules for known endpoints." + - fail: "Effective-rule analysis confirms unknown/unnecessary egress destinations → Keep severity. Remove unused egress rules." +``` diff --git a/skills/secops/detection-engineering/gates/data-source-health-gate.md b/skills/secops/detection-engineering/gates/data-source-health-gate.md new file mode 100644 index 00000000..4b6e9550 --- /dev/null +++ b/skills/secops/detection-engineering/gates/data-source-health-gate.md @@ -0,0 +1,35 @@ +# Data Source Health and Telemetry Drift Gate + +## Purpose +Prevents false-positive "data source coverage gap" findings when the detection engineering pipeline uses automated health checks (e.g., OpenTelemetry Collector health, Elasticsearch monitoring, Splunk forwarder status) that validate data source connectivity and schema freshness, ensuring that coverage gaps are operational rather than architectural. + +## Detection Logic + +### Trigger Conditions +Fire this gate when ALL of the following are true: +1. A finding flags "missing data source" or "telemetry coverage gap" as High +2. The detection pipeline includes automated health checks or forwarder status monitoring +3. The data source has had recent successful ingestion (within the last 4 hours) + +### Gate Check: Health Check Assessment + +```yaml +check_health_monitoring: + - detection_patterns: + - "data.*source.*health|forwarder.*status|telemetry.*drift|ingestion.*latency" + - "otel.*collector.*health|elastic.*monitoring|splunk.*forwarder.*status" + - "last.*ingest|last.*seen|last.*heartbeat" + - pass: "Health monitoring confirms data source is currently ingesting → Downgrade to Low (Informational). Rationale: The apparent coverage gap is a schedule/delay artifact, not a missing integration. Verify the health check covers the specific log type cited in the finding." + - fail: "No health monitoring OR health check confirms stale data (>4h without ingestion) → Keep severity. Investigate connectivity or configuration issues." +``` + +### Gate Check: Schema Drift Detection + +```yaml +check_schema_drift: + - detection_patterns: + - "schema.*drift|field.*mismatch|index.*mapping|log.*format.*change" + - "detection.*coverage|rule.*coverage|alert.*coverage" + - pass: "Automated schema drift detection in place AND no active drift alerts → Downgrade to Observation. Drift detection will flag schema changes before they cause silent detection failures." + - fail: "No schema drift detection OR active drift alerts that correlate with the reported gap → Keep severity. Schema changes may have silently disabled detection rules." +``` diff --git a/skills/secops/log-analysis/gates/log-redaction-provenance-gate.md b/skills/secops/log-analysis/gates/log-redaction-provenance-gate.md new file mode 100644 index 00000000..3f863586 --- /dev/null +++ b/skills/secops/log-analysis/gates/log-redaction-provenance-gate.md @@ -0,0 +1,36 @@ +# Log Redaction and Sensitive-Field Provenance Gate + +## Purpose +Prevents false-positive PII/credential-in-log findings when the logging system uses structured logging with automatic field-level redaction, masking, or exclusion policies (logstash mutate, fluentd record_modifier, OpenTelemetry span attributes filter), even when log data passes through fields that might contain sensitive values in transit. + +## Detection Logic + +### Trigger Conditions +Fire this gate when ALL of the following are true: +1. A finding flags "credentials in logs" or "PII in log output" as Critical/High +2. The system uses structured logging (JSON, ECS, OpenTelemetry, logfmt) with field-level processing +3. Redaction or masking policies are configured in the log pipeline + +### Gate Check: Structured Redaction Assessment + +```yaml +check_log_redaction: + - detection_patterns: + - "logstash.*mutate|fluentd.*record_modifier|otel.*span.*attribute|vector.*redact" + - "password|secret|token|credential|api_key|authorization.*redact|mask" + - "structured.*log|json.*log|ecs.*format|logfmt" + - pass: "Structured logging with field-level redaction confirmed → Downgrade to Medium (Authorization Required). Rationale: Structured log pipelines can redact or exclude sensitive fields at the collection layer. Verify the redaction policy covers the specific field identified in the finding." + - fail: "Plain-text/unstructured logging OR no redaction policy → Keep Critical severity. Immediate remediation required." +``` + +### Gate Check: Provenance Attribution + +```yaml +check_provenance_attribution: + - description: "Check if sensitive data entering logs has traceable provenance (which service, which line, which request)" + - detection_patterns: + - "trace_id|span_id|request_id|cid|correlation_id" + - "logger.*info|log.*error|console.*log|fmt\.Printf" + - pass: "Provenance metadata attached to log entries → Add Recommendation for field-level redaction. Rationale: With provenance tracking, redaction can be surgical without losing audit trail." + - fail: "No provenance tracking in logs → Escalate severity. Without provenance, redaction is blind and audit capability is compromised." +```