OCP4: Add rule to check ACS sensor deployed

Add rule acs_sensor_exists, so we can check that ACS sensor is being deployed on the cluster

applications/openshift/general/acs_sensor_exists/rule.yml

@@ -0,0 +1,59 @@
+
+title: Ensure that Advanced Cluster Security (ACS) Sensor is deployed
+
+description: |-
+  Red Hat Advanced Cluster Security (ACS) for Kubernetes provides comprehensive security
+  for containerized environments. It offers deep visibility into deployed resources
+  across Kubernetes clusters, enabling teams to detect vulnerabilities in all images,
+  manage compliance, and enforce security policies. By integrating ACS into the Kubernetes
+  environment, organizations can automate security checks and configurations, ensuring that every
+  deployed application is scanned and secured according to best practices and organizational policies.
+
+  Sensor is the service responsible for analyzing and monitoring the cluster. Sensor
+  listens to the OpenShift Container Platform or Kubernetes API and Collector events
+  to report the current state of the cluster. Sensor also triggers deploy-time and
+  runtime violations based on RHACS Cloud Service policies. In addition, Sensor is
+  responsible for all cluster interactions, such as applying network policies,
+  initiating reprocessing of RHACS Cloud Service policies, and interacting with
+  the Admission controller.
+
+
+rationale: |-
+  ACS provides a method to continuously monitor and protect the Kubernetes environment against vulnerabilities
+  and misconfigurations. This ensures that the infrastructure and applications are compliant
+  with security standards and regulations, reducing the risk of security breaches.
+
+identifiers:
+  cce@ocp4: CCE-86171-6
+
+references:
+  pcidss: Req-6.3.2,Req-11.3.1.1,Req-11.5.1.1
+
+ocil_clause: 'ACS Sensor is not deployed'
+
+{{% set jqfilter = '[ .items[] | select(.metadata.name == "sensor" and .metadata.labels["app.kubernetes.io/name"] == "stackrox") | .status.availableReplicas]' %}}
+
+ocil: |-
+    Run the following command to check if the ACS Sensor is deployed:
+    <pre>$ oc get Deployment --all-namespaces -o json | jq '{{ jqfilter }}'</pre>
+    The output should return a non-zero value.
+
+
+severity: medium
+
+warnings:
+- general: |-
+    {{{ openshift_filtered_cluster_setting({'/apis/apps/v1/deployments?limit=500': jqfilter}) | indent(4) }}}
+
+template:
+  name: yamlfile_value
+  vars:
+    ocp_data: "true"
+    filepath: |-
+      {{{ openshift_filtered_path('/apis/apps/v1/deployments?limit=500', jqfilter) }}}
+    yamlpath: "[:]"
+    check_existence: "all_exist"
+    entity_check: "all"
+    values:
+      - value: "0"
+        operation: "not equal"

applications/openshift/general/acs_sensor_exists/tests/ocp4/e2e-remediation.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+set -xe
+
+echo "Mimicking the behavior of a deployed scanner"
+oc apply -f ${ROOT_DIR}/ocp-resources/e2e/acs-sensor-install.yaml --server-side=true
+
+sleep 30
+
+echo "waiting for gitops deployment to exist"
+while [ -z "$(oc wait -n stackrox --for=condition=Available  --timeout=300s deployment/sensor)" ]; do
+    sleep 3
+done
+
+echo "waiting for gitops deployment to be ready"
+oc wait -n stackrox --for=condition=Available  --timeout=300s \
+    deployment/sensor

applications/openshift/general/acs_sensor_exists/tests/ocp4/e2e.yml

@@ -0,0 +1,3 @@
+---
+default_result: FAIL
+result_after_remediation: PASS

controls/pcidss_4_ocp4.yml

@@ -1309,10 +1309,12 @@ controls:
         it will be required and must be fully considered during a PCI DSS assessment.
       levels:
         - base
-      status: pending
+      status: automated
       notes: |-
         This requirement is a best practice until 31 March 2025, after which it will be required
         and must be fully considered during a PCI DSS assessment.
+      rules:
+        - acs_sensor_exists
 
     - id: 6.3.3
       title: All system components are protected from known vulnerabilities by installing
@@ -2714,7 +2716,9 @@ controls:
           the entity's vulnerability risk rankings defined at Requirement 6.3.1) are managed
         levels:
           - base
-        status: pending
+        status: automated
+        rules:
+          - acs_sensor_exists
 
       - id: 11.3.1.2
         title: Internal vulnerability scans are performed via authenticated scanning.
@@ -2825,10 +2829,12 @@ controls:
           must be fully considered during a PCI DSS assessment.
         levels:
           - base
-        status: pending
+        status: automated
         notes: |-
           The policy is not explicit about any specific solution. The solution might vary
           depending on site policies.
+        rules:
+          - acs_sensor_exists
 
   - id: 11.5.2
     title: A change-detection mechanism (for example, file integrity monitoring tools) is deployed.

ocp-resources/e2e/acs-sensor-install.yaml

@@ -0,0 +1,36 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: stackrox
+  annotations:
+    openshift.io/node-selector: ""
+  labels:
+    openshift.io/cluster-monitoring: "true"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sensor
+  namespace: stackrox
+  labels:
+    app: sensor
+    "app.kubernetes.io/name": stackrox  
+spec:
+  replicas: 1
+  minReadySeconds: 15
+  selector:
+    matchLabels:
+      app: sensor
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: sensor
+    spec:
+      containers:
+      - image: quay.io/fedora/fedora-toolbox
+        imagePullPolicy: Always
+        name: sensor
+        command: ["/bin/sh", "-c", "while true; do echo 'Hello, StackRox!'; sleep 3600; done"]

shared/references/cce-redhat-avail.txt

@@ -15,7 +15,6 @@ CCE-86167-4
 CCE-86168-2
 CCE-86169-0
 CCE-86170-8
-CCE-86171-6
 CCE-86174-0
 CCE-86178-1
 CCE-86179-9