From 1746628b6b5a29ee3ca22238d1a885b8a37096e5 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 18 Jun 2024 14:11:43 +0200 Subject: [PATCH] CMP-2458: Requirement 6.3 is inherently met OCP is not applicable to all the requirements, except for one, which it it inherently meets: Protection from known vulnerabilities by installing security patches or updates. --- controls/pcidss_4_ocp4.yml | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index d9be4805a204..0581fb05f312 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml @@ -1573,7 +1573,7 @@ controls: title: Security vulnerabilities are identified and addressed. levels: - base - status: not applicable + status: inherently met controls: - id: 6.3.1 title: Security vulnerabilities are identified and managed @@ -1606,9 +1606,6 @@ controls: levels: - base status: not applicable - notes: |- - This requirement is a best practice until 31 March 2025, after which it will be required - and must be fully considered during a PCI DSS assessment. - id: 6.3.3 title: All system components are protected from known vulnerabilities by installing 
@@ -1622,7 +1619,16 @@ controls: frame as determined by the entity (for example, within three months of release). levels: - base - status: not applicable + status: inherently met + notes: |- + The OpenShift Container Platform provides the capability of updating + both the Kubernetes/OCP layer, as well as the Operating System (Red Hat + CoreOS) layer in an ubiquitous manner with over-the-air updates using + the OpenShift Update Service (OSUS) [1]. This service can also be installed + in clusters without internet connectivity [2]. + + [1] https://access.redhat.com/documentation/en-us/openshift_container_platform/4.15/html/updating_clusters/understanding-openshift-updates-1#update-service-about_understanding-openshift-updates + [2] https://access.redhat.com/documentation/en-us/openshift_container_platform/4.15/html/updating_clusters/performing-a-cluster-update#updating-restricted-network-cluster-OSUS - id: '6.4' title: Public-facing web applications are protected against attacks.
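Review bot: In the hunk at @@ -1573, the parent control 6.3 is set to `status: inherently met`, but the context lines of the following hunk show a sub-control in the same group that remains `status: not applicable`, and the commit message itself says only one requirement is inherently met. A reader of the parent entry alone would conclude the whole 6.3 group is covered by the platform. Consider adding a `notes` entry on 6.3 stating that the status derives from 6.3.3 only, or confirm that the parent status is intended to reflect a single sub-control.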
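Review bot: The hunk at @@ -1606 removes the `notes` block ("This requirement is a best practice until 31 March 2025, after which it will be required ...") from a control whose status stays `not applicable`, and the commit message does not mention or justify this removal. The patch is dated 18 Jun 2024, before the date given in the note, so the text was still accurate when it was dropped. Either explain the removal in the commit message or move it to its own commit so the 6.3.3 change can be reviewed on its own.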
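Review bot: In the hunk at @@ -1622, the new `notes` for 6.3.3 justify `inherently met` by saying the platform "provides the capability of updating", while the requirement text in the context lines is about patches being installed within a time frame determined by the entity. The note should say why the availability of OSUS is sufficient without any configuration check, or state what the cluster administrator is still expected to do (for example, actually applying the offered updates). Two smaller points in the same block: both reference URLs are pinned to the 4.15 documentation and will go stale as releases move on, and "in an ubiquitous manner" should read "in a ubiquitous manner".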