From 7ec255b14bc0c9513014e91fd5e7a43de9c0112b Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Mon, 17 Jun 2024 10:24:54 +0200 Subject: [PATCH 1/7] CPM-2458: Requirement 6.1 is not applicable --- controls/pcidss_4_ocp4.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index 67b1bd5b96c..d98eec02791 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml @@ -1474,29 +1474,29 @@ controls: defined and understood. levels: - base - status: pending + status: not applicable controls: - id: 6.1.1 title: All security policies and operational procedures that are identified in Requirement 6 are Documented, Kept up to date, In use and Known to all affected parties. levels: - base - status: pending + status: not applicable notes: |- - Examine documentation and interview personnel to verify that security policies and - operational procedures identified in Requirement 6 are managed in accordance with all - elements specified in this requirement. + The responsibility for documentation, maintenance, use and dissemination of the processes + and mechanismis for developing and maintaining secure systems and software is on the + payment entity and its operations team. - id: 6.1.2 title: Roles and responsibilities for performing activities in Requirement 6 are documented, assigned, and understood. levels: - base - status: pending + status: not applicable notes: |- - Examine documentation and interview personnel to verify that day-to-day responsibilities - for performing all the activities in Requirement 6 are documented, assigned and understood - by the assigned personnel. + The responsibility for documentation, maintenance, use and dissemination of the processes + and mechanismis for developing and maintaining secure systems and software is on the + payment entity and its operations team. - id: '6.2' title: Bespoke and custom software are developed securely. 
From 2ca1d3d3029e5aa4fc8b014f910aeb2972c9f761 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Mon, 17 Jun 2024 10:45:41 +0200 Subject: [PATCH 2/7] CPM-2458: Requirement 6.2 is not applicable This does not apply to third-party software, only bespoke and custom software developed and mantained in-house. --- controls/pcidss_4_ocp4.yml | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index d98eec02791..4cdbdcbd72b 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml @@ -1502,7 +1502,12 @@ controls: title: Bespoke and custom software are developed securely. levels: - base - status: pending + status: not applicable + notes: |- + OpenShift is developed and maintained following secure software development practices: + https://www.redhat.com/en/topics/security/red-hat-sdl + But this requirement applies only to software developed for or by the entity for the + entity's own use. This does not apply to third-party sofware. controls: - id: 6.2.1 title: Bespoke and custom software are developed securely. @@ -1514,7 +1519,7 @@ controls: software development lifecycle. levels: - base - status: pending + status: not applicable - id: 6.2.2 title: Software development personnel working on bespoke and custom software are trained at @@ -1528,7 +1533,7 @@ controls: vulnerabilities in software. levels: - base - status: pending + status: not applicable - id: 6.2.3 title: Bespoke and custom software is reviewed prior to being released into production or to @@ -1541,7 +1546,7 @@ controls: - Appropriate corrections are implemented prior to release. levels: - base - status: pending + status: not applicable controls: - id: 6.2.3.1 title: If manual code reviews are performed for bespoke and custom software prior to 
@@ -1554,7 +1559,7 @@ controls: - Reviewed and approved by management prior to release. levels: - base - status: pending + status: not applicable - id: 6.2.4 title: Software engineering techniques or other methods are defined and in use by software @@ -1562,7 +1567,7 @@ controls: vulnerabilities in bespoke and custom software. levels: - base - status: pending + status: not applicable - id: '6.3' title: Security vulnerabilities are identified and addressed. From 339a4d5bc1702f5fabf1d9c45c406013cbf2cd10 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Mon, 17 Jun 2024 13:23:57 +0200 Subject: [PATCH 3/7] CMP-2458: Requirement 3.1 WIP --- controls/pcidss_4_ocp4.yml | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index 4cdbdcbd72b..d9be4805a20 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml 
@@ -1573,13 +1573,27 @@ controls: title: Security vulnerabilities are identified and addressed. levels: - base - status: pending + status: not applicable controls: - id: 6.3.1 title: Security vulnerabilities are identified and managed + description: |- + Security vulnerabilities are identified and managed as follows: + - New security vulnerabilities are identified using industry-recognized sources for + security vulnerability information, including alerts from international and national + computer emergency response teams (CERTs). + - Vulnerabilities are assigned a risk ranking based on industry best practices and + consideration of potential impact. + - Risk rankings identify, at a minimum, all vulnerabilities considered to be a high-risk + or critical to the environment. + - Vulnerabilities for bespoke and custom, and third-party software (for example operating + systems and databases) are covered. levels: - base - status: pending + status: not applicable + notes: |- + The payment entity needs to stablish its own process of monitoring for vulnerabilities for + the systems in use, including bespoke and custom software. - id: 6.3.2 title: An inventory of bespoke and custom software, and third-party software components @@ -1591,13 +1605,10 @@ controls: it will be required and must be fully considered during a PCI DSS assessment. levels: - base - status: automated + status: not applicable notes: |- This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment. - rules: - - acs_sensor_exists - - container_security_operator_exists - id: 6.3.3 title: All system components are protected from known vulnerabilities by installing @@ -1611,8 +1622,7 @@ controls: frame as determined by the entity (for example, within three months of release). levels: - base - status: pending - rules: [] + status: not applicable - id: '6.4' title: Public-facing web applications are protected against attacks. 
From d6ba9d6cd8696441c7f2d83ccd47df3c19cba697 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 18 Jun 2024 14:11:43 +0200 Subject: [PATCH 4/7] CMP-2458: Requirement 6.3 is inherently met OCP is not applicable to all the requirements, except for one, which it it inherently meets: Protection from known vulnerabilities by installing security patches or updates. --- controls/pcidss_4_ocp4.yml | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index d9be4805a20..0581fb05f31 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml @@ -1573,7 +1573,7 @@ controls: title: Security vulnerabilities are identified and addressed. levels: - base - status: not applicable + status: inherently met controls: - id: 6.3.1 title: Security vulnerabilities are identified and managed @@ -1606,9 +1606,6 @@ controls: levels: - base status: not applicable - notes: |- - This requirement is a best practice until 31 March 2025, after which it will be required - and must be fully considered during a PCI DSS assessment. - id: 6.3.3 title: All system components are protected from known vulnerabilities by installing 
@@ -1622,7 +1619,16 @@ controls: frame as determined by the entity (for example, within three months of release). levels: - base - status: not applicable + status: inherently met + notes: |- + The OpenShift Container Platform provides the capability of updating + both the Kubernetes/OCP layer, as well as the Operating System (Red Hat + CoreOS) layer in an ubiquitous manner with over-the-air updates using + the OpenShift Update Service (OSUS) [1]. This service can also be installed + in clusters without internet connectivity [2]. + + [1] https://access.redhat.com/documentation/en-us/openshift_container_platform/4.15/html/updating_clusters/understanding-openshift-updates-1#update-service-about_understanding-openshift-updates + [2] https://access.redhat.com/documentation/en-us/openshift_container_platform/4.15/html/updating_clusters/performing-a-cluster-update#updating-restricted-network-cluster-OSUS - id: '6.4' title: Public-facing web applications are protected against attacks. From 03737fad85dba377a6463ed1a2ce95ebc20fef4d Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 18 Jun 2024 17:01:06 +0200 Subject: [PATCH 5/7] CMP-2458: Requiremnt 6.4 is partially supported --- applications/openshift/confinement/group.yml | 7 ++++ .../rule.yml | 42 +++++++++++++++++++ .../tests/ocp4/e2e-remediation.sh | 21 ++++++++++ .../tests/ocp4/e2e.yml | 3 ++ controls/pcidss_4_ocp4.yml | 25 +++++++++-- shared/references/cce-redhat-avail.txt | 1 - 6 files changed, 94 insertions(+), 5 deletions(-) create mode 100644 applications/openshift/confinement/group.yml create mode 100644 applications/openshift/confinement/security_profiles_operator_exists/rule.yml create mode 100644 applications/openshift/confinement/security_profiles_operator_exists/tests/ocp4/e2e-remediation.sh create mode 100644 applications/openshift/confinement/security_profiles_operator_exists/tests/ocp4/e2e.yml 
diff --git a/applications/openshift/confinement/group.yml b/applications/openshift/confinement/group.yml new file mode 100644 index 00000000000..fc134d38e26 --- /dev/null +++ b/applications/openshift/confinement/group.yml @@ -0,0 +1,7 @@ +documentation_complete: true + +title: 'OpenShift - Confinement' + +description: |- + Contains evaluations to configure and assess the confinement of the cluster's + applications and workloads. diff --git a/applications/openshift/confinement/security_profiles_operator_exists/rule.yml b/applications/openshift/confinement/security_profiles_operator_exists/rule.yml new file mode 100644 index 00000000000..84dbd3a24ab --- /dev/null +++ b/applications/openshift/confinement/security_profiles_operator_exists/rule.yml @@ -0,0 +1,42 @@ +title: "Make sure the Security Profiles Operator is installed" + +description: |- + Security Profiles Operator provides a way to define secure computing (seccomp) profiles and + SELinux profiles as custom resources that are syncrhonized to every node in a given namespace. + + Using security profiels can increase security at the container level in your cluster. + Seccomp security profiles list the syscalls a process can make, and SELinux security profiles + provide a label-based system taht restricts access and usage of processes, applications, and + files. + +rationale: |- + An application that runs with privileges can be attacked to have its privileges exploited. + Confining applications limit the actions an attacker can perform when they are compromised. + +identifiers: + cce@ocp4: CCE-86168-2 + +ocil_clause: 'the security profiles operator is not installed' + +ocil: |- + To check if the Security Profiles Operator is installed, run the following command: +
oc get sub -nopenshift-security-profiles security-profiles-operator-sub -ojsonpath='{.status.installedCSV}'
+ the output should return the version of the CSV that represents the installed operator. + +severity: medium + +warnings: +- general: |- + {{{ openshift_cluster_setting("/apis/operators.coreos.com/v1alpha1/namespaces/openshift-security-profiles/subscriptions/security-profiles-operator-sub") | indent(4) }}} + +template: + name: yamlfile_value + vars: + ocp_data: 'true' + filepath: /apis/operators.coreos.com/v1alpha1/namespaces/openshift-security-profiles/subscriptions/security-profiles-operator-sub + yamlpath: .status.installedCSV + values: + - value: security-profiles-operator\.v.* + operation: pattern match + type: string + diff --git a/applications/openshift/confinement/security_profiles_operator_exists/tests/ocp4/e2e-remediation.sh b/applications/openshift/confinement/security_profiles_operator_exists/tests/ocp4/e2e-remediation.sh new file mode 100644 index 00000000000..22bf0d608a0 --- /dev/null +++ b/applications/openshift/confinement/security_profiles_operator_exists/tests/ocp4/e2e-remediation.sh @@ -0,0 +1,21 @@ +#!/bin/bash +set -xe + +echo "installing security profiles operator" +oc apply -f ${ROOT_DIR}/ocp-resources/e2e/spo-install.yaml --server-side=true + +sleep 30 + +echo "waiting for security-profiles-operator deployment to exist" +while [ -z "$(oc wait -n openshift-security-profiles --for=condition=Available --timeout=300s deployment/security-profiles-operator)" ]; do + sleep 3 +done + +echo "waiting for security-profiles-operator deployment to be ready" +oc wait -n openshift-security-profiles --for=condition=Available --timeout=300s \ + deployment/security-profiles-operator + +echo "waiting the subscription to have .status.installedCSV" +while [ -z "$(oc get subscription security-profiles-operator -nopenshift-security-profiles -o jsonpath='{.status.installedCSV}')" ]; do + sleep 3 +done 
diff --git a/applications/openshift/confinement/security_profiles_operator_exists/tests/ocp4/e2e.yml b/applications/openshift/confinement/security_profiles_operator_exists/tests/ocp4/e2e.yml new file mode 100644 index 00000000000..fd9b313e87b --- /dev/null +++ b/applications/openshift/confinement/security_profiles_operator_exists/tests/ocp4/e2e.yml @@ -0,0 +1,3 @@ +--- +default_result: FAIL +result_after_remediation: PASS diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index 0581fb05f31..afac8d5bff4 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml @@ -1634,7 +1634,7 @@ controls: title: Public-facing web applications are protected against attacks. levels: - base - status: pending + status: partial controls: - id: 6.4.1 title: For public-facing web applications, new threats and vulnerabilities are addressed on 
@@ -1661,14 +1661,31 @@ controls: investigated. levels: - base - status: pending + status: not applicable + notes: |- + It is up to the payment entity how they protect their public facing appilcations. + Depending on the approach taken OpenShift can provide support, see req. 6.4.2, for more details. - id: 6.4.2 title: For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks. levels: - base - status: pending + status: partial + notes: |- + Support for Web Application Firewall in OCP is still in development: + https://www.redhat.com/en/blog/creating-web-application-firewall-red-hat-openshift + + While Container Security Operator (CSO) is not focused on protecting web-applications it + can scan installed workflows and applications for known vulnerabilities. + https://access.redhat.com/documentation/en-us/red_hat_quay/3/html/red_hat_quay_operator_features/container-security-operator-setup + + Security Profiles Operators can also be used to contain an attack when an application + is compromised. + https://docs.openshift.com/container-platform/latest/security/security_profiles_operator/spo-overview.html + rules: + - container_security_operator_exists + - security_profiles_operator_exists - id: 6.4.3 title: All payment page scripts that are loaded and executed in the consumer's browser are @@ -1682,7 +1699,7 @@ controls: necessary. levels: - base - status: pending + status: not applicable - id: '6.5' title: Changes to all system components are managed securely. diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 5d824cd05cb..bd2164457ba 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -10,7 +10,6 @@ CCE-86164-1 CCE-86165-8 CCE-86166-6 CCE-86167-4 -CCE-86168-2 CCE-86169-0 CCE-86170-8 CCE-86174-0 From 1f06e4384139109720f79758b86b429457221850 Mon Sep 17 00:00:00 2001 
From: Watson Sato Date: Tue, 18 Jun 2024 17:02:49 +0200 Subject: [PATCH 6/7] CMP-2458: Requirement 6.5 is not applicable --- controls/pcidss_4_ocp4.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index afac8d5bff4..89f6c656b04 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml @@ -1705,14 +1705,14 @@ controls: title: Changes to all system components are managed securely. levels: - base - status: pending + status: not applicable controls: - id: 6.5.1 title: Changes to all system components in the production environment are made according to established procedures. levels: - base - status: pending + status: not applicable - id: 6.5.2 title: Upon completion of a significant change, all applicable PCI DSS requirements are @@ -1725,7 +1725,7 @@ controls: 12.5.2. levels: - base - status: pending + status: not applicable - id: 6.5.3 title: Pre-production environments are separated from production environments and the @@ -1735,7 +1735,7 @@ controls: environments. levels: - base - status: pending + status: not applicable - id: 6.5.4 title: Roles and functions are separated between production and pre-production environments @@ -1751,7 +1751,7 @@ controls: access to the production environment. levels: - base - status: pending + status: not applicable - id: 6.5.5 title: Live PANs are not used in pre-production environments, except where those @@ -1761,7 +1761,7 @@ controls: Live PANs cannot be present in pre-production environments outside the CDE.s levels: - base - status: pending + status: not applicable - id: 6.5.6 title: Test data and test accounts are removed from system components before the system goes 
@@ -1770,7 +1770,7 @@ controls: Test data and test accounts cannot exist in production environments. levels: - base - status: pending + status: not applicable - id: '7.1' title: Processes and mechanisms for restricting access to system components and cardholder From 3bdc1ff7ba1ec25301464b140d0647d20712dc31 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 25 Jun 2024 18:36:16 +0200 Subject: [PATCH 7/7] CMP-2458: Fix typos --- .../security_profiles_operator_exists/rule.yml | 4 ++-- controls/pcidss_4_ocp4.yml | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/applications/openshift/confinement/security_profiles_operator_exists/rule.yml b/applications/openshift/confinement/security_profiles_operator_exists/rule.yml index 84dbd3a24ab..f478f20a3ca 100644 --- a/applications/openshift/confinement/security_profiles_operator_exists/rule.yml +++ b/applications/openshift/confinement/security_profiles_operator_exists/rule.yml @@ -4,9 +4,9 @@ description: |- Security Profiles Operator provides a way to define secure computing (seccomp) profiles and SELinux profiles as custom resources that are syncrhonized to every node in a given namespace. - Using security profiels can increase security at the container level in your cluster. + Using security profiles can increase security at the container level in your cluster. Seccomp security profiles list the syscalls a process can make, and SELinux security profiles - provide a label-based system taht restricts access and usage of processes, applications, and + provide a label-based system that restricts access and usage of processes, applications, and files. rationale: |- diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index 89f6c656b04..77e13ad2a73 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml 
@@ -1484,7 +1484,7 @@ controls: status: not applicable notes: |- The responsibility for documentation, maintenance, use and dissemination of the processes - and mechanismis for developing and maintaining secure systems and software is on the + and mechanisms for developing and maintaining secure systems and software is on the payment entity and its operations team. - id: 6.1.2 @@ -1495,7 +1495,7 @@ controls: status: not applicable notes: |- The responsibility for documentation, maintenance, use and dissemination of the processes - and mechanismis for developing and maintaining secure systems and software is on the + and mechanisms for developing and maintaining secure systems and software is on the payment entity and its operations team. - id: '6.2' @@ -1507,7 +1507,7 @@ controls: OpenShift is developed and maintained following secure software development practices: https://www.redhat.com/en/topics/security/red-hat-sdl But this requirement applies only to software developed for or by the entity for the - entity's own use. This does not apply to third-party sofware. + entity's own use. This does not apply to third-party software. controls: - id: 6.2.1 title: Bespoke and custom software are developed securely. @@ -1592,7 +1592,7 @@ controls: - base status: not applicable notes: |- - The payment entity needs to stablish its own process of monitoring for vulnerabilities for + The payment entity needs to establish its own process of monitoring for vulnerabilities for the systems in use, including bespoke and custom software. - id: 6.3.2
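Review bot: In PATCH 1, the notes added to 6.1.1 and 6.1.2 in controls/pcidss_4_ocp4.yml both contain "mechanismis", a typo that PATCH 7 then corrects; fold the fix into this commit so the series does not introduce and later repair the same text. The two notes are also word-for-word identical; if the profile renders child notes separately that is fine, otherwise state the rationale once on the parent 6.1.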
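Review bot: In the PATCH 2 hunk for 6.2, the new note reads "This does not apply to third-party sofware" (corrected only in PATCH 7), and 6.2.1 through 6.2.4 flip to "not applicable" with no notes of their own. Either add a short note on each child pointing at the parent rationale, or confirm that the parent note is what the generated documentation shows for the children; as written the children carry no justification.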
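Review bot: The subject of PATCH 3, "CMP-2458: Requirement 3.1 WIP", does not match its hunks, which edit Requirement 6.3 (6.3.1 to 6.3.3); rename it (for example "CMP-2458: Requirement 6.3 is not applicable") and drop "WIP", since PATCH 4 reworks the same statuses immediately afterwards. In the 6.3.1 hunk the note has "stablish" (fixed in PATCH 7), and since the new description explicitly covers third-party software "for example operating systems", consider saying in the note what vendor vulnerability information the entity can consume for the platform rather than only that it must establish its own process.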
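Review bot: In the PATCH 3 hunk for 6.3.2, the status drops from "automated" to "not applicable" and the existing rules acs_sensor_exists and container_security_operator_exists are removed, but no note explains why an already automated check no longer applies; the only note kept is the "best practice until 31 March 2025" sentence, which duplicates the context line above it and is deleted again in PATCH 4. Add a note stating why the software inventory is the entity's responsibility, or keep the rules and mark the control as partially supported.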
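Review bot: In the PATCH 4 hunk for the parent 6.3, "inherently met" is inconsistent with its children, two of which (6.3.1, 6.3.2) are "not applicable" and only one (6.3.3) "inherently met"; PATCH 5 uses "partial" for 6.4 in the same mixed situation, so use the same convention here. The commit message also has a doubled word ("which it it inherently meets").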
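Review bot: In the PATCH 4 hunk for 6.3.3, "inherently met" overstates what the platform does: the context line says patches must be installed "within the time frame as determined by the entity", and OSUS only provides the update capability, so the entity still has to apply updates in time. Either use "partial"/supported, or state in the note that applying updates within the entity's time frame remains the entity's responsibility. The two footnote links pin the 4.15 documentation while the 6.4.2 note in PATCH 5 links docs.openshift.com/container-platform/latest; prefer a version-independent link so the note does not go stale.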
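Review bot: In the PATCH 5 rule.yml hunk, the description contains "syncrhonized", which is not among the typos PATCH 7 fixes ("profiels" and "taht" are). The ocil command `oc get sub -nopenshift-security-profiles security-profiles-operator-sub -ojsonpath='{.status.installedCSV}'` and the template filepath both assume a Subscription named security-profiles-operator-sub; make sure that name matches what the e2e install manifest creates (see the remediation script), otherwise the check can never pass.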
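Review bot: In the PATCH 5 e2e-remediation.sh hunk, the final loop polls `oc get subscription security-profiles-operator -nopenshift-security-profiles`, while rule.yml checks security-profiles-operator-sub; one of the two names is wrong, and with e2e.yml expecting result_after_remediation: PASS the test will either hang in that loop or fail the yamlfile_value check depending on which Subscription spo-install.yaml actually creates. Align both with the manifest. The first `while` loop already waits for condition=Available with a 300s timeout, so the unconditional `oc wait` that follows it is redundant, and `${ROOT_DIR}` in the `oc apply -f` path should be quoted.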
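Review bot: In the PATCH 5 hunk for 6.4.1 and 6.4.2, the 6.4.1 note has "appilcations" and "public facing" (should be "public-facing"), neither corrected by PATCH 7. In the 6.4.2 note, "installed workflows" should read "workloads", and "Support for Web Application Firewall in OCP is still in development" with a blog link will date quickly; state what is shipped today and keep the link as background. The acs_sensor_exists rule removed from 6.3.2 in PATCH 3 is not re-homed here either; confirm that dropping it from the profile entirely is intended.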
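Review bot: In the PATCH 6 hunks, 6.5 and all six children become "not applicable" without any notes block, unlike 6.1 and 6.2, which record why the requirement falls to the payment entity; add the same rationale here. For 6.5.3 (separation of pre-production and production) and 6.5.4 (separation of roles), the platform's project isolation and RBAC could arguably make them "partial" as was done for 6.4, so the note should say why they are not. The context line "outside the CDE.s" carries a stray character worth fixing while in the file.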
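Review bot: PATCH 7 only corrects typos introduced earlier in this same series (PATCH 1, 2, 3 and 5); squash the fixes into the commits that introduced them instead of carrying a separate fix-up commit, and add the ones it misses: "syncrhonized" in the rule.yml description and "appilcations" in the 6.4.1 note.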