CMP 2417: Implement PCI-DSS v4.0 outline for OpenShift

[rhmdnd]

• CMP-2417: Implement OpenShift PCI-DSS v4 outline for section 1
• CMP-2417: Implement OpenShift PCI-DSS v4 outline for section 2
• CMP-2417: Implement OpenShift PCI-DSS v4 outline for section 3
• CMP-2417: Implement OpenShift PCI-DSS v4 outline for section 4
• CMP-2417: Implement OpenShift PCI-DSS v4 outline for section 5
• CMP-2417: Implement OpenShift PCI-DSS v4 outline for section 6
• CMP-2417: Implement OpenShift PCI-DSS v4 outline for section 7
• CMP-2417: Implement OpenShift PCI-DSS v4 outline for section 8
• CMP-2417: Implement OpenShift PCI-DSS v4 outline for section 9
• CMP-2417: Implement OpenShift PCI-DSS v4 outline for section 10
• CMP-2417: Implement OpenShift PCI-DSS v4 outline for section 11
• CMP-2417: Implement OpenShift PCI-DSS v4 outline for section 12
• CMP-2417: Implement OpenShift PCI-DSS v4 outline for appendix
• CMP-2417: Add new profiles for OpenShift PCI-DSS version 4.0.0

Note for reviewers

While this change is large, it's broken down into sections per commit. It may be easier to review on a per commit basis.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment

Oracle Linux 8 Environment

[github-actions]

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11651
This image was built from commit: c2bc50e

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11651

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11651 make deploy-local

[codeclimate]

Code Climate has analyzed commit c2bc50e and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.8% (0.0% change).

View more on Code Climate.

[xiaojiey]

/hold for review

[rhmdnd]

Additional note for reviews is that this should generate an empty profile, where we can come through later and fill in the rules.

[BhargaviGudi]

Verification passed with 4.16.0-0.nightly-2024-03-06-174829 + compliance-operator code

1. Install CO
2. ./utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11651
   Scenario 1: upstream-ocp4-pci-dss-4-0

$ oc compliance bind -N test -S default-auto-apply profile/upstream-ocp4-pci-dss-4-0
Creating ScanSettingBinding test
$ oc get suite -w
NAME   PHASE     RESULT
test   RUNNING   NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   DONE          NON-COMPLIANT
test   DONE          NON-COMPLIANT
^C$ oc get scan
NAME                        PHASE   RESULT
upstream-ocp4-pci-dss-4-0   DONE    NON-COMPLIANT
$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL 
No resources found in openshift-compliance namespace.
$ oc get ccr | grep FAIL
upstream-ocp4-pci-dss-4-0-api-server-api-priority-gate-enabled                     FAIL     medium
upstream-ocp4-pci-dss-4-0-audit-log-forwarding-enabled                             FAIL     medium
upstream-ocp4-pci-dss-4-0-configure-network-policies-namespaces                    FAIL     high
upstream-ocp4-pci-dss-4-0-kubeadmin-removed                                        FAIL     medium
upstream-ocp4-pci-dss-4-0-ocp-allowed-registries                                   FAIL     medium
upstream-ocp4-pci-dss-4-0-ocp-allowed-registries-for-import                        FAIL     medium

Scenario 2: upstream-ocp4-pci-dss-node-4-0

bgudi@bgudi-thinkpadt14sgen2i content]$  oc get profiles.compliance.openshift.io upstream-ocp4-pci-dss-node-4-0 -oyaml | grep 4.0.0
description: Ensures PCI-DSS v4.0.0 security configuration settings are applied.
title: PCI-DSS v4.0.0 Control Baseline for Red Hat OpenShift Container Platform 4
version: 4.0.0
$ oc get suite
NAME   PHASE   RESULT
test   DONE    NON-COMPLIANT
$ oc get ccr | grep FAIL
upstream-ocp4-pci-dss-4-0-api-server-api-priority-gate-enabled                     FAIL     medium
upstream-ocp4-pci-dss-4-0-audit-log-forwarding-enabled                             FAIL     medium
upstream-ocp4-pci-dss-4-0-configure-network-policies-namespaces                    FAIL     high
upstream-ocp4-pci-dss-4-0-kubeadmin-removed                                        FAIL     medium
upstream-ocp4-pci-dss-4-0-ocp-allowed-registries                                   FAIL     medium
upstream-ocp4-pci-dss-4-0-ocp-allowed-registries-for-import                        FAIL     medium
$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL 
No resources found in openshift-compliance namespace.

Scenario 3: upstream-ocp4-pci-dss-4-0 and upstream-ocp4-pci-dss-node-4-0

$ oc compliance bind -N test -S default-auto-apply profile/upstream-ocp4-pci-dss-4-0 profile/upstream-ocp4-pci-dss-node-4-0
Creating ScanSettingBinding test
$ oc get suite -w
NAME   PHASE       RESULT
test   LAUNCHING   NOT-AVAILABLE
test   LAUNCHING   NOT-AVAILABLE
test   LAUNCHING   NOT-AVAILABLE
test   RUNNING     NOT-AVAILABLE
test   RUNNING     NOT-AVAILABLE
test   RUNNING     NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   DONE          NON-COMPLIANT
test   DONE          NON-COMPLIANT
$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL 
No resources found in openshift-compliance namespace.
$ oc get ccr -l compliance.openshift.io/inconsistent-check
No resources found in openshift-compliance namespace.

Scenario 4: Verify version

$  oc get profiles.compliance.openshift.io upstream-ocp4-pci-dss-4-0 -o=jsonpath={.version}
4.0.0
$  oc get profiles.compliance.openshift.io upstream-ocp4-pci-dss-node-4-0 -o=jsonpath={.version}
4.0.0

[BhargaviGudi]

/unhold

[rhmdnd]

@Vincent056 should be ready for another look.

[yuumasato]

The content in the controls look fine.
I just have a few remarks on the control ID and levels.

It seems to me that the policy doesn't clearly define levels, and they were not used in the 3.2.1 profiles.