Skip to content

Commit

Permalink
CMP-2458: Requiremnt 6.4 is partially supported
Browse files Browse the repository at this point in the history
  • Loading branch information
yuumasato committed Jun 18, 2024
1 parent 1746628 commit 9ab3a06
Show file tree
Hide file tree
Showing 6 changed files with 94 additions and 5 deletions.
7 changes: 7 additions & 0 deletions applications/openshift/confinement/group.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
documentation_complete: true

title: 'OpenShift - Confinement'

description: |-
Contains evaluations to configure and assess the confinement of the cluster's
applications and workloads.
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
title: "Make sure the Security Profiles Operator is installed"

description: |-
Security Profiles Operator provides a way to define secure computing (seccomp) profiles and
SELinux profiles as custom resources that are syncrhonized to every node in a given namespace.
Using security profiels can increase security at the container level in your cluster.
Seccomp security profiles list the syscalls a process can make, and SELinux security profiles
provide a label-based system taht restricts access and usage of processes, applications, and
files.
rationale: |-
An application that runs with privileges can be attacked to have its privileges exploited.
Confining applications limit the actions an attacker can perform when they are compromised.
identifiers:
cce@ocp4: CCE-86168-2

ocil_clause: 'the security profiles operator is not installed'

ocil: |-
To check if the Security Profiles Operator is installed, run the following command:
<pre>oc get sub -nopenshift-security-profiles security-profiles-operator-sub -ojsonpath='{.status.installedCSV}'</pre>
the output should return the version of the CSV that represents the installed operator.
severity: medium

warnings:
- general: |-
{{{ openshift_cluster_setting("/apis/operators.coreos.com/v1alpha1/namespaces/openshift-security-profiles/subscriptions/security-profiles-operator-sub") | indent(4) }}}
template:
name: yamlfile_value
vars:
ocp_data: 'true'
filepath: /apis/operators.coreos.com/v1alpha1/namespaces/openshift-security-profiles/subscriptions/security-profiles-operator-sub
yamlpath: .status.installedCSV
values:
- value: security-profiles-operator\.v.*
operation: pattern match
type: string

Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
#!/bin/bash
set -xe

echo "installing security profiles operator"
oc apply -f ${ROOT_DIR}/ocp-resources/e2e/spo-install.yaml --server-side=true

sleep 30

echo "waiting for security-profiles-operator deployment to exist"
while [ -z "$(oc wait -n openshift-security-profiles --for=condition=Available --timeout=300s deployment/security-profiles-operator)" ]; do
sleep 3
done

echo "waiting for security-profiles-operator deployment to be ready"
oc wait -n openshift-security-profiles --for=condition=Available --timeout=300s \
deployment/security-profiles-operator

echo "waiting the subscription to have .status.installedCSV"
while [ -z "$(oc get subscription security-profiles-operator -nopenshift-security-profiles -o jsonpath='{.status.installedCSV}')" ]; do
sleep 3
done
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
---
default_result: FAIL
result_after_remediation: PASS
25 changes: 21 additions & 4 deletions controls/pcidss_4_ocp4.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1634,7 +1634,7 @@ controls:
title: Public-facing web applications are protected against attacks.
levels:
- base
status: pending
status: partial
controls:
- id: 6.4.1
title: For public-facing web applications, new threats and vulnerabilities are addressed on
Expand All @@ -1661,14 +1661,31 @@ controls:
investigated.
levels:
- base
status: pending
status: not applicable
notes: |-
It is up to the payment entity how they protect their public facing appilcations.
Depending on the approach taken OpenShift can provide support, see req. 6.4.2, for more details.
- id: 6.4.2
title: For public-facing web applications, an automated technical solution is deployed that
continually detects and prevents web-based attacks.
levels:
- base
status: pending
status: partial
notes: |-
Support for Web Application Firewall in OCP is still in development:
https://www.redhat.com/en/blog/creating-web-application-firewall-red-hat-openshift
While Container Security Operator (CSO) is not focused on protecting web-applications it
can scan installed workflows and applications for known vulnerabilities.
https://access.redhat.com/documentation/en-us/red_hat_quay/3/html/red_hat_quay_operator_features/container-security-operator-setup
Security Profiles Operators can also be used to contain an attack when an application
is compromised.
https://docs.openshift.com/container-platform/latest/security/security_profiles_operator/spo-overview.html
rules:
- container_security_operator_exists
- security_profiles_operator_exists

- id: 6.4.3
title: All payment page scripts that are loaded and executed in the consumer's browser are
Expand All @@ -1682,7 +1699,7 @@ controls:
necessary.
levels:
- base
status: pending
status: not applicable

- id: '6.5'
title: Changes to all system components are managed securely.
Expand Down
1 change: 0 additions & 1 deletion shared/references/cce-redhat-avail.txt
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,6 @@ CCE-86164-1
CCE-86165-8
CCE-86166-6
CCE-86167-4
CCE-86168-2
CCE-86169-0
CCE-86170-8
CCE-86174-0
Expand Down

0 comments on commit 9ab3a06

Please sign in to comment.