CMP-2458: Requiremnt 6.4 is partially supported

applications/openshift/confinement/group.yml

@@ -0,0 +1,7 @@
+documentation_complete: true
+
+title: 'OpenShift - Confinement'
+
+description: |-
+    Contains evaluations to configure and assess the confinement of the cluster's
+    applications and workloads.

applications/openshift/confinement/security_profiles_operator_exists/rule.yml

@@ -0,0 +1,42 @@
+title: "Make sure the Security Profiles Operator is installed"
+
+description: |-
+    Security Profiles Operator provides a way to define secure computing (seccomp) profiles and
+    SELinux profiles as custom resources that are syncrhonized to every node in a given namespace.
+
+    Using security profiels can increase security at the container level in your cluster.
+    Seccomp security profiles list the syscalls a process can make, and SELinux security profiles
+    provide a label-based system taht restricts access and usage of processes, applications, and
+    files.
+
+rationale: |-
+  An application that runs with privileges can be attacked to have its privileges exploited.
+  Confining applications limit the actions an attacker can perform when they are compromised.
+
+identifiers:
+  cce@ocp4: CCE-86168-2
+
+ocil_clause: 'the security profiles operator is not installed'
+
+ocil: |-
+  To check if the Security Profiles Operator is installed, run the following command:
+  <pre>oc get sub -nopenshift-security-profiles security-profiles-operator-sub -ojsonpath='{.status.installedCSV}'</pre>
+  the output should return the version of the CSV that represents the installed operator.
+
+severity: medium
+
+warnings:
+- general: |-
+    {{{ openshift_cluster_setting("/apis/operators.coreos.com/v1alpha1/namespaces/openshift-security-profiles/subscriptions/security-profiles-operator-sub") | indent(4) }}}
+
+template:
+    name: yamlfile_value
+    vars:
+      ocp_data: 'true'
+      filepath: /apis/operators.coreos.com/v1alpha1/namespaces/openshift-security-profiles/subscriptions/security-profiles-operator-sub
+      yamlpath: .status.installedCSV
+      values:
+      - value: security-profiles-operator\.v.*
+        operation: pattern match
+        type: string
+

applications/openshift/confinement/security_profiles_operator_exists/tests/ocp4/e2e-remediation.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+set -xe
+
+echo "installing security profiles operator"
+oc apply -f ${ROOT_DIR}/ocp-resources/e2e/spo-install.yaml --server-side=true
+
+sleep 30
+
+echo "waiting for security-profiles-operator deployment to exist"
+while [ -z "$(oc wait -n openshift-security-profiles --for=condition=Available  --timeout=300s deployment/security-profiles-operator)" ]; do
+    sleep 3
+done
+
+echo "waiting for security-profiles-operator deployment to be ready"
+oc wait -n openshift-security-profiles --for=condition=Available  --timeout=300s \
+    deployment/security-profiles-operator
+
+echo "waiting the subscription to have .status.installedCSV"
+while [ -z "$(oc get subscription security-profiles-operator -nopenshift-security-profiles -o jsonpath='{.status.installedCSV}')" ]; do
+    sleep 3
+done

applications/openshift/confinement/security_profiles_operator_exists/tests/ocp4/e2e.yml

@@ -0,0 +1,3 @@
+---
+default_result: FAIL
+result_after_remediation: PASS

controls/pcidss_4_ocp4.yml

@@ -1634,7 +1634,7 @@ controls:
     title: Public-facing web applications are protected against attacks.
     levels:
       - base
-    status: pending
+    status: partial
     controls:
     - id: 6.4.1
       title: For public-facing web applications, new threats and vulnerabilities are addressed on
@@ -1661,14 +1661,31 @@ controls:
           investigated.
       levels:
         - base
-      status: pending
+      status: not applicable
+      notes: |-
+        It is up to the payment entity how they protect their public facing appilcations.
+        Depending on the approach taken OpenShift can provide support, see req. 6.4.2, for more details.
 
     - id: 6.4.2
       title: For public-facing web applications, an automated technical solution is deployed that
         continually detects and prevents web-based attacks.
       levels:
         - base
-      status: pending
+      status: partial
+      notes: |-
+        Support for Web Application Firewall in OCP is still in development:
+        https://www.redhat.com/en/blog/creating-web-application-firewall-red-hat-openshift
+
+        While Container Security Operator (CSO) is not focused on protecting web-applications it
+        can scan installed workflows and applications for known vulnerabilities.
+        https://access.redhat.com/documentation/en-us/red_hat_quay/3/html/red_hat_quay_operator_features/container-security-operator-setup
+
+        Security Profiles Operators can also be used to contain an attack when an application
+        is compromised.
+        https://docs.openshift.com/container-platform/latest/security/security_profiles_operator/spo-overview.html
+      rules:
+        - container_security_operator_exists
+        - security_profiles_operator_exists
 
     - id: 6.4.3
       title: All payment page scripts that are loaded and executed in the consumer's browser are
@@ -1682,7 +1699,7 @@ controls:
         necessary.
       levels:
         - base
-      status: pending
+      status: not applicable
 
   - id: '6.5'
     title: Changes to all system components are managed securely.

shared/references/cce-redhat-avail.txt

@@ -10,7 +10,6 @@ CCE-86164-1
 CCE-86165-8
 CCE-86166-6
 CCE-86167-4
-CCE-86168-2
 CCE-86169-0
 CCE-86170-8
 CCE-86174-0