
Add OCP STIG V2R1 profiles #12319

Merged
merged 3 commits into from
Sep 11, 2024

Conversation

yuumasato
Member

Description:

  • Add new profiles for OCP4 STIG V2R1.
    • Note: aiming for better alignment with the STIG Benchmark, rules from SRG-APP-000516-CTR-001325 are not selected anymore.
  • Update version-less profile to extend V2R1.

Rationale:

  • A new STIG for OCP4 is available and this adds new profiles aligned with it.

New profiles for stig-v2r1 are added, and the version-less profile is
updated to extend v2r1.
@yuumasato yuumasato added OpenShift OpenShift product related. STIG STIG Benchmark related. labels Aug 21, 2024

github-actions bot commented Aug 21, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12319
This image was built from commit: e9653dd


If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12319

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12319 make deploy-local

@xiaojiey
Collaborator

/hold for test

@openshift-ci openshift-ci bot added the do-not-merge/hold Used by openshift-ci-robot bot. label Aug 21, 2024
@yuumasato yuumasato added this to the 0.1.75 milestone Aug 27, 2024
@xiaojiey
Collaborator

xiaojiey commented Aug 30, 2024

@yuumasato I can see 178 rules were removed from ocp4-stig and ocp4-stig-node profiles, comparing V1R1 and V1R2. Is it expected behavior? Thanks.

% oc get scan
NAME                             PHASE   RESULT
ocp4-stig                        DONE    NON-COMPLIANT
ocp4-stig-node-master            DONE    NON-COMPLIANT
ocp4-stig-node-worker            DONE    NON-COMPLIANT
rhcos4-stig-master               DONE    NON-COMPLIANT
rhcos4-stig-worker               DONE    NON-COMPLIANT
upstream-ocp4-stig               DONE    NON-COMPLIANT
upstream-ocp4-stig-node-master   DONE    NON-COMPLIANT
upstream-ocp4-stig-node-worker   DONE    NON-COMPLIANT
upstream-rhcos4-stig-master      DONE    NON-COMPLIANT
upstream-rhcos4-stig-worker      DONE    NON-COMPLIANT
% oc get ccr -l compliance.openshift.io/scan-name=ocp4-stig --no-headers | wc -l     
     115
% oc get ccr -l compliance.openshift.io/scan-name=ocp4-stig-node-master --no-headers | wc -l
     100
% oc get ccr -l compliance.openshift.io/scan-name=ocp4-stig-node-worker --no-headers | wc -l
      63
% oc get ccr -l compliance.openshift.io/scan-name=rhcos4-stig-master --no-headers | wc -l
     107
% oc get ccr -l compliance.openshift.io/scan-name=rhcos4-stig-worker --no-headers | wc -l
     107
% oc get ccr -l compliance.openshift.io/scan-name=upstream-ocp4-stig --no-headers | wc -l   
      48
% oc get ccr -l compliance.openshift.io/scan-name=upstream-ocp4-stig-node-master --no-headers | wc -l
       3
% oc get ccr -l compliance.openshift.io/scan-name=upstream-ocp4-stig-node-worker --no-headers | wc -l
       3
% oc get ccr -l compliance.openshift.io/scan-name=upstream-rhcos4-stig-master --no-headers | wc -l
     107
% oc get ccr -l compliance.openshift.io/scan-name=upstream-rhcos4-stig-worker --no-headers | wc -l
     107
% cat diff
"ocp4-etcd-unique-ca",
"ocp4-file-groupowner-cni-conf",
"ocp4-file-groupowner-controller-manager-kubeconfig",
"ocp4-file-groupowner-etcd-data-dir",
"ocp4-file-groupowner-etcd-data-files",
"ocp4-file-groupowner-etcd-member",
"ocp4-file-groupowner-etcd-pki-cert-files",
"ocp4-file-groupowner-ip-allocations",
"ocp4-file-groupowner-kube-apiserver",
"ocp4-file-groupowner-kube-controller-manager",
"ocp4-file-groupowner-kube-scheduler",
"ocp4-file-groupowner-kubelet-conf",
"ocp4-file-groupowner-master-admin-kubeconfigs",
"ocp4-file-groupowner-multus-conf",
"ocp4-file-groupowner-openshift-pki-cert-files",
"ocp4-file-groupowner-openshift-pki-key-files",
"ocp4-file-groupowner-openshift-sdn-cniserver-config",
"ocp4-file-groupowner-ovn-cni-server-sock",
"ocp4-file-groupowner-ovn-db-files",
"ocp4-file-groupowner-ovs-conf-db",
"ocp4-file-groupowner-ovs-conf-db-lock",
"ocp4-file-groupowner-ovs-pid",
"ocp4-file-groupowner-ovs-sys-id-conf",
"ocp4-file-groupowner-ovs-vswitchd-pid",
"ocp4-file-groupowner-ovsdb-server-pid",
"ocp4-file-groupowner-scheduler-kubeconfig",
"ocp4-file-groupowner-worker-ca",
"ocp4-file-groupowner-worker-kubeconfig",
"ocp4-file-groupowner-worker-service",
"ocp4-file-owner-cni-conf",
"ocp4-file-owner-controller-manager-kubeconfig",
"ocp4-file-owner-etcd-data-dir",
"ocp4-file-owner-etcd-data-files",
"ocp4-file-owner-etcd-member",
"ocp4-file-owner-etcd-pki-cert-files",
"ocp4-file-owner-ip-allocations",
"ocp4-file-owner-kube-apiserver",
"ocp4-file-owner-kube-controller-manager",
"ocp4-file-owner-kube-scheduler",
"ocp4-file-owner-kubelet",
"ocp4-file-owner-kubelet-conf",
"ocp4-file-owner-master-admin-kubeconfigs",
"ocp4-file-owner-multus-conf",
"ocp4-file-owner-openshift-pki-cert-files",
"ocp4-file-owner-openshift-pki-key-files",
"ocp4-file-owner-openshift-sdn-cniserver-config",
"ocp4-file-owner-ovn-cni-server-sock",
"ocp4-file-owner-ovn-db-files",
"ocp4-file-owner-ovs-conf-db",
"ocp4-file-owner-ovs-conf-db-lock",
"ocp4-file-owner-ovs-pid",
"ocp4-file-owner-ovs-sys-id-conf",
"ocp4-file-owner-ovs-vswitchd-pid",
"ocp4-file-owner-ovsdb-server-pid",
"ocp4-file-owner-scheduler-kubeconfig",
"ocp4-file-owner-worker-ca",
"ocp4-file-owner-worker-kubeconfig",
"ocp4-file-owner-worker-service",
"ocp4-file-permissions-cni-conf",
"ocp4-file-permissions-controller-manager-kubeconfig",
"ocp4-file-permissions-etcd-data-dir",
"ocp4-file-permissions-etcd-data-files",
"ocp4-file-permissions-etcd-member",
"ocp4-file-permissions-etcd-pki-cert-files",
"ocp4-file-permissions-ip-allocations",
"ocp4-file-permissions-kube-apiserver",
"ocp4-file-permissions-kube-controller-manager",
"ocp4-file-permissions-kubelet",
"ocp4-file-permissions-kubelet-conf",
"ocp4-file-permissions-master-admin-kubeconfigs",
"ocp4-file-permissions-multus-conf",
"ocp4-file-permissions-openshift-pki-cert-files",
"ocp4-file-permissions-openshift-pki-key-files",
"ocp4-file-permissions-ovn-cni-server-sock",
"ocp4-file-permissions-ovn-db-files",
"ocp4-file-permissions-ovs-conf-db",
"ocp4-file-permissions-ovs-conf-db-lock",
"ocp4-file-permissions-ovs-pid",
"ocp4-file-permissions-ovs-sys-id-conf",
"ocp4-file-permissions-ovs-vswitchd-pid",
"ocp4-file-permissions-ovsdb-server-pid",
"ocp4-file-permissions-scheduler",
"ocp4-file-permissions-scheduler-kubeconfig",
"ocp4-file-permissions-worker-ca",
"ocp4-file-permissions-worker-kubeconfig",
"ocp4-file-permissions-worker-service",
"ocp4-file-perms-openshift-sdn-cniserver-config",
"ocp4-kubelet-anonymous-auth",
"ocp4-kubelet-authorization-mode",
"ocp4-kubelet-configure-client-ca",
"ocp4-kubelet-configure-event-creation",
"ocp4-kubelet-configure-tls-cipher-suites",
"ocp4-kubelet-enable-cert-rotation",
"ocp4-kubelet-enable-client-cert-rotation",
"ocp4-kubelet-enable-iptables-util-chains",
"ocp4-kubelet-enable-protect-kernel-defaults",
"ocp4-kubelet-enable-protect-kernel-sysctl",
"ocp4-kubelet-enable-server-cert-rotation",
"ocp4-kubelet-enable-streaming-connections",
"ocp4-kubelet-eviction-thresholds-set-hard-imagefs-available",
"ocp4-kubelet-eviction-thresholds-set-hard-memory-available",
"ocp4-kubelet-eviction-thresholds-set-hard-nodefs-available",
"ocp4-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree",
"ocp4-accounts-restrict-service-account-tokens",
"ocp4-accounts-unique-service-account",
"ocp4-api-server-admission-control-plugin-alwaysadmit",
"ocp4-api-server-admission-control-plugin-alwayspullimages",
"ocp4-api-server-admission-control-plugin-namespacelifecycle",
"ocp4-api-server-admission-control-plugin-noderestriction",
"ocp4-api-server-admission-control-plugin-scc",
"ocp4-api-server-admission-control-plugin-securitycontextdeny",
"ocp4-api-server-admission-control-plugin-service-account",
"ocp4-api-server-anonymous-auth",
"ocp4-api-server-api-priority-flowschema-catch-all",
"ocp4-api-server-api-priority-gate-enabled",
"ocp4-api-server-audit-log-maxbackup",
"ocp4-api-server-audit-log-maxsize",
"ocp4-api-server-audit-log-path",
"ocp4-api-server-auth-mode-no-aa",
"ocp4-api-server-auth-mode-node",
"ocp4-api-server-auth-mode-rbac",
"ocp4-api-server-basic-auth",
"ocp4-api-server-bind-address",
"ocp4-api-server-etcd-cert",
"ocp4-api-server-etcd-key",
"ocp4-api-server-https-for-kubelet-conn",
"ocp4-api-server-insecure-bind-address",
"ocp4-api-server-insecure-port",
"ocp4-api-server-kubelet-certificate-authority",
"ocp4-api-server-kubelet-client-cert",
"ocp4-api-server-kubelet-client-cert-pre-4-9",
"ocp4-api-server-kubelet-client-key",
"ocp4-api-server-kubelet-client-key-pre-4-9",
"ocp4-api-server-no-adm-ctrl-plugins-disabled",
"ocp4-api-server-oauth-https-serving-cert",
"ocp4-api-server-openshift-https-serving-cert",
"ocp4-api-server-profiling-protected-by-rbac",
"ocp4-api-server-request-timeout",
"ocp4-api-server-service-account-lookup",
"ocp4-api-server-service-account-public-key",
"ocp4-api-server-tls-cipher-suites",
"ocp4-api-server-token-auth",
"ocp4-controller-insecure-port-disabled",
"ocp4-controller-rotate-kubelet-server-certs",
"ocp4-controller-secure-port",
"ocp4-controller-service-account-ca",
"ocp4-controller-service-account-private-key",
"ocp4-controller-use-service-account",
"ocp4-etcd-auto-tls",
"ocp4-etcd-cert-file",
"ocp4-etcd-client-cert-auth",
"ocp4-etcd-key-file",
"ocp4-etcd-peer-auto-tls",
"ocp4-etcd-peer-client-cert-auth",
"ocp4-file-groupowner-proxy-kubeconfig",
"ocp4-file-integrity-exists",
"ocp4-file-owner-proxy-kubeconfig",
"ocp4-file-permissions-proxy-kubeconfig",
"ocp4-general-apply-scc",
"ocp4-general-configure-imagepolicywebhook",
"ocp4-general-default-namespace-use",
"ocp4-general-default-seccomp-profile",
"ocp4-general-namespaces-in-use",
"ocp4-kubelet-disable-readonly-port",
"ocp4-ocp-api-server-audit-log-maxbackup",
"ocp4-ocp-api-server-audit-log-maxsize",
"ocp4-openshift-api-server-audit-log-path",
"ocp4-rbac-debug-role-protects-pprof",
"ocp4-rbac-limit-cluster-admin",
"ocp4-rbac-limit-secrets-access",
"ocp4-rbac-pod-creation-access",
"ocp4-rbac-wildcard-use",
"ocp4-scc-drop-container-capabilities",
"ocp4-scc-limit-container-allowed-capabilities",
"ocp4-scc-limit-net-raw-capability",
"ocp4-scc-limit-privilege-escalation",
"ocp4-secrets-consider-external-storage",
"ocp4-secrets-no-environment-variables",

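The rule count comparison above was done by hand against scan results. As an added example (not ComplianceAsCode's own tooling and not part of this thread), the script below computes the same kind of "removed / added / kept" rule diff directly from two profile definitions, following `extends` and honouring `!rule` unselections, so the difference between two STIG profile versions can be reviewed before a scan is run. The three profiles embedded in it are constructed samples with made-up ids and rule names, not the real ocp4 STIG profiles, and the parser only understands the small subset of the `.profile` YAML layout used by those samples.

```python
"""Diff the effective rule selections of two ComplianceAsCode-style profiles.

Added example, not ComplianceAsCode's own tooling. Assumptions:
  - a profile is a YAML-like text with optional top-level `extends: <id>`
    and a `selections:` list;
  - a list entry `!rule_id` unselects a rule inherited from the parent,
    and an entry containing `=` is a variable assignment, not a rule;
  - the sample profiles and rule names below are constructed for the demo.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample profiles keyed by profile id (hypothetical flat namespace).
PROFILES: Dict[str, str] = {
    "stig-base": """\
title: 'Sample shared base (constructed)'
selections:
  - scc_limit_privilege_escalation
  - rbac_limit_cluster_admin
""",
    "stig-v1r1": """\
documentation_complete: true
title: 'Sample STIG V1R1 (constructed)'
extends: stig-base
selections:
  - api_server_anonymous_auth
  - file_owner_kubelet_conf
  - etcd_unique_ca
  - var_api_audit_log_maxsize=100
""",
    "stig-v2r1": """\
documentation_complete: true
title: 'Sample STIG V2R1 (constructed)'
extends: stig-base
selections:
  - api_server_anonymous_auth
  - kubelet_disable_readonly_port
  - '!scc_limit_privilege_escalation'
""",
}


def parse_profile(text: str) -> Tuple[Optional[str], List[str]]:
    """Return (extends, selections) from the profile text (subset parser)."""
    extends: Optional[str] = None
    selections: List[str] = []
    in_selections = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):  # top-level key ends any open list
            in_selections = False
            key, _, value = line.partition(":")
            if key.strip() == "extends":
                extends = value.strip().strip("'\"")
            elif key.strip() == "selections":
                in_selections = True
            continue
        if in_selections:
            m = re.match(r"\s*-\s*(.+)$", line)
            if m:
                selections.append(m.group(1).strip().strip("'\""))
    return extends, selections


def resolve_rules(profile_id: str, profiles: Dict[str, str]) -> Set[str]:
    """Effective rule set: parent rules via `extends`, then local adds/unselects."""
    extends, selections = parse_profile(profiles[profile_id])
    rules: Set[str] = resolve_rules(extends, profiles) if extends else set()
    for entry in selections:
        if "=" in entry:          # variable assignment, not a rule selection
            continue
        if entry.startswith("!"):  # explicit unselect of an inherited rule
            rules.discard(entry[1:])
        else:
            rules.add(entry)
    return rules


def diff_profiles(old_id: str, new_id: str,
                  profiles: Dict[str, str] = PROFILES) -> Dict[str, List[str]]:
    """Rules removed from, added to, and kept between two profile versions."""
    old = resolve_rules(old_id, profiles)
    new = resolve_rules(new_id, profiles)
    return {
        "removed": sorted(old - new),
        "added": sorted(new - old),
        "kept": sorted(old & new),
    }


if __name__ == "__main__":
    result = diff_profiles("stig-v1r1", "stig-v2r1")
    for kind, rule_ids in result.items():
        print(f"{kind} ({len(rule_ids)}):")
        for rule_id in rule_ids:
            print(f"  {rule_id}")
```

Pointing `PROFILES` at the real V1R1 and V2R1 profile files (read from disk instead of the constructed strings) would reproduce the list of removed rules posted above without deploying the content image first; the `removed` bucket is the one to review against the benchmark's own requirement list.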
@yuumasato
Member Author

@xiaojiey Yes, these rules are part of SRG-APP-000516-CTR-001325, which is not part of the OCP4 STIG, but we were including the SRG in V1R1. In V2R1 we will more strictly align with the STIG and remove these rules.

See the list of rules in V1R1:

@xiaojiey
Collaborator

xiaojiey commented Sep 9, 2024

lgtm

Contributor

@Vincent056 Vincent056 left a comment


/lgtm

This profile is used only for testing purposes when using the
`add_kubernetes_rule.py` script.

codeclimate bot commented Sep 10, 2024

Code Climate has analyzed commit e9653dd and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.5% (0.1% change).

View more on Code Climate.

Contributor

@Vincent056 Vincent056 left a comment


/lgtm

@Mab879
Member

Mab879 commented Sep 11, 2024

/packit retest-failed

@rhmdnd rhmdnd merged commit 0f99444 into ComplianceAsCode:master Sep 11, 2024
100 checks passed
@yuumasato yuumasato deleted the update_ocp4_stig_to_v2r1 branch September 12, 2024 12:22