CMP-2458: Requirement 6.4 is partially supported
Showing 6 changed files with 94 additions and 5 deletions.
@@ -0,0 +1,7 @@ | ||
documentation_complete: true | ||
|
||
title: 'OpenShift - Confinement' | ||
|
||
description: |- | ||
Contains evaluations to configure and assess the confinement of the cluster's | ||
applications and workloads. |
applications/openshift/confinement/security_profiles_operator_exists/rule.yml (42 additions & 0 deletions)
@@ -0,0 +1,42 @@ | ||
title: "Make sure the Security Profiles Operator is installed" | ||
|
||
description: |- | ||
Security Profiles Operator provides a way to define secure computing (seccomp) profiles and | ||
SELinux profiles as custom resources that are syncrhonized to every node in a given namespace. | ||
Using security profiels can increase security at the container level in your cluster. | ||
Seccomp security profiles list the syscalls a process can make, and SELinux security profiles | ||
provide a label-based system taht restricts access and usage of processes, applications, and | ||
files. | ||
rationale: |- | ||
An application that runs with privileges can be attacked to have its privileges exploited. | ||
Confining applications limit the actions an attacker can perform when they are compromised. | ||
identifiers: | ||
cce@ocp4: CCE-86168-2 | ||
|
||
ocil_clause: 'the security profiles operator is not installed' | ||
|
||
ocil: |- | ||
To check if the Security Profiles Operator is installed, run the following command: | ||
<pre>oc get sub -nopenshift-security-profiles security-profiles-operator-sub -ojsonpath='{.status.installedCSV}'</pre> | ||
the output should return the version of the CSV that represents the installed operator. | ||
severity: medium | ||
|
||
warnings: | ||
- general: |- | ||
{{{ openshift_cluster_setting("/apis/operators.coreos.com/v1alpha1/namespaces/openshift-security-profiles/subscriptions/security-profiles-operator-sub") | indent(4) }}} | ||
template: | ||
name: yamlfile_value | ||
vars: | ||
ocp_data: 'true' | ||
filepath: /apis/operators.coreos.com/v1alpha1/namespaces/openshift-security-profiles/subscriptions/security-profiles-operator-sub | ||
yamlpath: .status.installedCSV | ||
values: | ||
- value: security-profiles-operator\.v.* | ||
operation: pattern match | ||
type: string | ||
|
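Review bot: the description block (lines 5-9 of the hunk) has three spelling errors that will be rendered verbatim in the generated guides: "syncrhonized" should be "synchronized", "profiels" should be "profiles", and "taht" should be "that"; the rationale sentence should also read "Confining applications limits the actions..." rather than "limit". On the check itself, matching `.status.installedCSV` against `security-profiles-operator\.v.*` only proves that OLM resolved a CSV for the Subscription, not that the operator is running; if the intent is "installed and working", consider pairing this with a check on the CSV phase, or state in the description that only the Subscription is verified.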
...ons/openshift/confinement/security_profiles_operator_exists/tests/ocp4/e2e-remediation.sh (21 additions & 0 deletions)
@@ -0,0 +1,21 @@ | ||
#!/bin/bash | ||
set -xe | ||
|
||
echo "installing security profiles operator" | ||
oc apply -f ${ROOT_DIR}/ocp-resources/e2e/spo-install.yaml --server-side=true | ||
|
||
sleep 30 | ||
|
||
echo "waiting for security-profiles-operator deployment to exist" | ||
while [ -z "$(oc wait -n openshift-security-profiles --for=condition=Available --timeout=300s deployment/security-profiles-operator)" ]; do | ||
sleep 3 | ||
done | ||
|
||
echo "waiting for security-profiles-operator deployment to be ready" | ||
oc wait -n openshift-security-profiles --for=condition=Available --timeout=300s \ | ||
deployment/security-profiles-operator | ||
|
||
echo "waiting the subscription to have .status.installedCSV" | ||
while [ -z "$(oc get subscription security-profiles-operator -nopenshift-security-profiles -o jsonpath='{.status.installedCSV}')" ]; do | ||
sleep 3 | ||
done |
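Review bot: the Subscription name polled on the last loop (`oc get subscription security-profiles-operator -nopenshift-security-profiles`) does not match the name the rule evaluates (`.../subscriptions/security-profiles-operator-sub` in rule.yml and its ocil text); whichever name spo-install.yaml actually creates, the other one is wrong, and if the rule's path is the wrong one the e2e test will never reach `result_after_remediation: PASS`. Two smaller points: the second `oc wait ... --for=condition=Available` is redundant, because the preceding `while` loop already exits only once that same `oc wait` succeeds, so either drop the loop or replace its condition with a plain `oc get deployment` existence check; and `${ROOT_DIR}` should be quoted (`"${ROOT_DIR}/ocp-resources/e2e/spo-install.yaml"`) so the script does not silently break on a path with spaces.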
applications/openshift/confinement/security_profiles_operator_exists/tests/ocp4/e2e.yml (3 additions & 0 deletions)
@@ -0,0 +1,3 @@ | ||
--- | ||
default_result: FAIL | ||
result_after_remediation: PASS |
@@ -10,7 +10,6 @@ CCE-86164-1 | |
CCE-86165-8 | ||
CCE-86166-6 | ||
CCE-86167-4 | ||
CCE-86168-2 | ||
CCE-86169-0 | ||
CCE-86170-8 | ||
CCE-86174-0 | ||
|