From 9ab3a06c908abba4a736bfb33669f4a8f91a36be Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 18 Jun 2024 17:01:06 +0200
Subject: [PATCH] CMP-2458: Requiremnt 6.4 is partially supported
---
 applications/openshift/confinement/group.yml | 7 ++++
 .../rule.yml | 42 +++++++++++++++++++
 .../tests/ocp4/e2e-remediation.sh | 21 ++++++++++
 .../tests/ocp4/e2e.yml | 3 ++
 controls/pcidss_4_ocp4.yml | 25 +++++++++--
 shared/references/cce-redhat-avail.txt | 1 -
 6 files changed, 94 insertions(+), 5 deletions(-)
 create mode 100644 applications/openshift/confinement/group.yml
 create mode 100644 applications/openshift/confinement/security_profiles_operator_exists/rule.yml
 create mode 100644 applications/openshift/confinement/security_profiles_operator_exists/tests/ocp4/e2e-remediation.sh
 create mode 100644 applications/openshift/confinement/security_profiles_operator_exists/tests/ocp4/e2e.yml
diff --git a/applications/openshift/confinement/group.yml b/applications/openshift/confinement/group.yml
new file mode 100644
index 000000000000..fc134d38e268
--- /dev/null
+++ b/applications/openshift/confinement/group.yml
@@ -0,0 +1,7 @@
+documentation_complete: true
+
+title: 'OpenShift - Confinement'
+
+description: |-
+ Contains evaluations to configure and assess the confinement of the cluster's
+ applications and workloads.
diff --git a/applications/openshift/confinement/security_profiles_operator_exists/rule.yml b/applications/openshift/confinement/security_profiles_operator_exists/rule.yml
new file mode 100644
index 000000000000..84dbd3a24ab5
--- /dev/null
+++ b/applications/openshift/confinement/security_profiles_operator_exists/rule.yml
@@ -0,0 +1,42 @@
+title: "Make sure the Security Profiles Operator is installed"
+
+description: |-
+ Security Profiles Operator provides a way to define secure computing (seccomp) profiles and
+ SELinux profiles as custom resources that are syncrhonized to every node in a given namespace.
+
+ Using security profiels can increase security at the container level in your cluster.
+ Seccomp security profiles list the syscalls a process can make, and SELinux security profiles
+ provide a label-based system taht restricts access and usage of processes, applications, and
+ files.
+
+rationale: |-
+ An application that runs with privileges can be attacked to have its privileges exploited.
+ Confining applications limit the actions an attacker can perform when they are compromised.
+
+identifiers:
+ cce@ocp4: CCE-86168-2
+
+ocil_clause: 'the security profiles operator is not installed'
+
+ocil: |-
+ To check if the Security Profiles Operator is installed, run the following command:
+
oc get sub -nopenshift-security-profiles security-profiles-operator-sub -ojsonpath='{.status.installedCSV}'
+ the output should return the version of the CSV that represents the installed operator.
+
+severity: medium
+
+warnings:
+- general: |-
+ {{{ openshift_cluster_setting("/apis/operators.coreos.com/v1alpha1/namespaces/openshift-security-profiles/subscriptions/security-profiles-operator-sub") | indent(4) }}}
+
+template:
+ name: yamlfile_value
+ vars:
+ ocp_data: 'true'
+ filepath: /apis/operators.coreos.com/v1alpha1/namespaces/openshift-security-profiles/subscriptions/security-profiles-operator-sub
+ yamlpath: .status.installedCSV
+ values:
+ - value: security-profiles-operator\.v.*
+ operation: pattern match
+ type: string
+
diff --git a/applications/openshift/confinement/security_profiles_operator_exists/tests/ocp4/e2e-remediation.sh b/applications/openshift/confinement/security_profiles_operator_exists/tests/ocp4/e2e-remediation.sh
new file mode 100644
index 000000000000..22bf0d608a01
--- /dev/null
+++ b/applications/openshift/confinement/security_profiles_operator_exists/tests/ocp4/e2e-remediation.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+set -xe
+
+echo "installing security profiles operator"
+oc apply -f ${ROOT_DIR}/ocp-resources/e2e/spo-install.yaml --server-side=true
+
+sleep 30
+
+echo "waiting for security-profiles-operator deployment to exist"
+while [ -z "$(oc wait -n openshift-security-profiles --for=condition=Available --timeout=300s deployment/security-profiles-operator)" ]; do
+ sleep 3
+done
+
+echo "waiting for security-profiles-operator deployment to be ready"
+oc wait -n openshift-security-profiles --for=condition=Available --timeout=300s \
+ deployment/security-profiles-operator
+
+echo "waiting the subscription to have .status.installedCSV"
+while [ -z "$(oc get subscription security-profiles-operator -nopenshift-security-profiles -o jsonpath='{.status.installedCSV}')" ]; do
+ sleep 3
+done
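Review bot: The Subscription name this check reads, `security-profiles-operator-sub` (in `filepath` and in the `ocil` command), is not the one the remediation script in this same patch polls, `oc get subscription security-profiles-operator`; unless the installer manifest creates both objects, one side is looking at a Subscription that does not exist, and the name should be reconciled with whatever `spo-install.yaml` (not shown here) actually creates. A PASS here only proves that a CSV name is recorded in `.status.installedCSV`, not that the operator deployment is running or that any seccomp/SELinux profile is bound to a workload, so the `description` and `rationale` read stronger than the check; a sentence such as `This rule only verifies that the operator subscription reports an installed CSV; binding profiles to workloads is assessed separately.` would keep assessors from over-reading it. The description also has spelling slips: `syncrhonized`, `profiels`, `taht`. The pattern `security-profiles-operator\.v.*` is unanchored, and whether `pattern match` anchors implicitly depends on the template, so `^security-profiles-operator\.v.*$` would make the intent explicit.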
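Review bot: Both `while` loops have no upper bound, so if the operator never becomes Available or the Subscription never gets `.status.installedCSV`, the job hangs instead of failing; `set -e` does not help, because a failing command substitution inside a `[ ]` test condition is not fatal. A bounded wait such as `timeout 600 bash -c 'until [ -n "$(oc get subscription security-profiles-operator -nopenshift-security-profiles -o jsonpath="{.status.installedCSV}")" ]; do sleep 3; done'` turns a stuck install into a clear failure. The unquoted `${ROOT_DIR}` on the `oc apply` line should be `"${ROOT_DIR}"`. The standalone `oc wait` after the first loop appears redundant, since that loop only exits once the same `oc wait` invocation produced output, i.e. reported the condition met.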
diff --git a/applications/openshift/confinement/security_profiles_operator_exists/tests/ocp4/e2e.yml b/applications/openshift/confinement/security_profiles_operator_exists/tests/ocp4/e2e.yml
new file mode 100644
index 000000000000..fd9b313e87b4
--- /dev/null
+++ b/applications/openshift/confinement/security_profiles_operator_exists/tests/ocp4/e2e.yml
@@ -0,0 +1,3 @@
+---
+default_result: FAIL
+result_after_remediation: PASS
diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml
index 0581fb05f312..afac8d5bff41 100644
--- a/controls/pcidss_4_ocp4.yml
+++ b/controls/pcidss_4_ocp4.yml
@@ -1634,7 +1634,7 @@ controls:
 title: Public-facing web applications are protected against attacks.
 levels:
 - base
- status: pending
+ status: partial
 controls:
 - id: 6.4.1
 title: For public-facing web applications, new threats and vulnerabilities are addressed on
@@ -1661,14 +1661,31 @@ controls:
 investigated.
 levels:
 - base
- status: pending
+ status: not applicable
+ notes: |-
+ It is up to the payment entity how they protect their public facing appilcations.
+ Depending on the approach taken OpenShift can provide support, see req. 6.4.2, for more details.
 - id: 6.4.2
 title: For public-facing web applications, an automated technical solution is deployed that
 continually detects and prevents web-based attacks.
 levels:
 - base
- status: pending
+ status: partial
+ notes: |-
+ Support for Web Application Firewall in OCP is still in development:
+ https://www.redhat.com/en/blog/creating-web-application-firewall-red-hat-openshift
+
+ While Container Security Operator (CSO) is not focused on protecting web-applications it
+ can scan installed workflows and applications for known vulnerabilities.
+ https://access.redhat.com/documentation/en-us/red_hat_quay/3/html/red_hat_quay_operator_features/container-security-operator-setup
+
+ Security Profiles Operators can also be used to contain an attack when an application
+ is compromised.
+ https://docs.openshift.com/container-platform/latest/security/security_profiles_operator/spo-overview.html
+ rules:
+ - container_security_operator_exists
+ - security_profiles_operator_exists
 - id: 6.4.3
 title: All payment page scripts that are loaded and executed in the consumer's browser are
@@ -1682,7 +1699,7 @@ controls:
 necessary.
 levels:
 - base
- status: pending
+ status: not applicable
 - id: '6.5'
 title: Changes to all system components are managed securely.
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 5d824cd05cb9..bd2164457bad 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -10,7 +10,6 @@ CCE-86164-1
 CCE-86165-8
 CCE-86166-6
 CCE-86167-4
-CCE-86168-2
 CCE-86169-0
 CCE-86170-8
 CCE-86174-0
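Review bot: The 6.4.2 notes describe what the two operators can do, but both attached `rules` are presence checks (`*_exists`), so a PASS shows the operators are installed, not that a WAF, an image-vulnerability policy or a seccomp/SELinux profile is actually enforced on any cardholder-data workload; the notes should say so, e.g. `The rules below only verify that the operators are installed; confirming that scans and profiles cover in-scope workloads remains a manual step.`, so `partial` is not read as more than it is. `installed workflows` in the CSO paragraph is presumably meant to be `workloads`. The 6.4.1 note has `appilcations`, and `public facing` should be hyphenated as `public-facing`. `container_security_operator_exists` is referenced but not added by this patch, so it is assumed to already exist in the tree.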