From f6e65b9476f09588a43d46568f4957d649eab480 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 9 Jul 2024 18:49:39 +0200 Subject: [PATCH 1/8] CMP-2460: Requirement 8.1 is not applicable --- controls/pcidss_4_ocp4.yml | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index a185f1c49f7..8666c7e94d1 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml @@ -2009,22 +2009,14 @@ controls: are Documented, Kept up to date, In use and Known to all affected parties. levels: - base - status: pending - notes: |- - Examine documentation and interview personnel to verify that security policies and - operational procedures identified in Requirement 8 are managed in accordance with all - elements specified in this requirement. + status: not applicable - id: 8.1.2 title: Roles and responsibilities for performing activities in Requirement 8 are documented, assigned, and understood. levels: - base - status: pending - notes: |- - Examine documentation and interview personnel to verify that day-to-day responsibilities - for performing all the activities in Requirement 8 are documented, assigned and understood - by the assigned personnel. + status: not applicable - id: '8.2' title: User identification and related accounts for users and administrators are strictly From f11b2ea63e69fce2093877eda09fa63a2076a9b4 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 10 Jul 2024 12:48:15 +0200 Subject: [PATCH 2/8] CMP-2460: Requirement 8.2 is automated The applicable requirements can be automated on OpenShift. However, the payment entity will still need to apply the same requirement onto their payment application. --- .../var_oauth_inactivity_timeout.var | 1 + controls/pcidss_4_ocp4.yml | 78 ++++++++++++++----- 2 files changed, 61 insertions(+), 18 deletions(-) 
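Review bot: in PATCH 1/8 the 8.1.1 and 8.1.2 hunks switch to `status: not applicable` but delete the whole `notes:` block, so the control file no longer records why these controls have no OpenShift counterpart. Every other not-applicable control in this series gets a short note (for instance 8.2.4: "Only the payment entity can assess whether the access privileges granted to users are appropriate..."); 8.1.1 and 8.1.2 should get the same treatment, e.g. a one-line note that documented policies, day-to-day responsibilities and personnel interviews are the payment entity's responsibility and nothing on the cluster can evidence them.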
diff --git a/applications/openshift/authentication/var_oauth_inactivity_timeout.var b/applications/openshift/authentication/var_oauth_inactivity_timeout.var index d7de31038c9..b05472996a9 100644 --- a/applications/openshift/authentication/var_oauth_inactivity_timeout.var +++ b/applications/openshift/authentication/var_oauth_inactivity_timeout.var @@ -12,4 +12,5 @@ interactive: false options: 10m0s: "10m0s" + 15m0s: "15m0s" default: "10m0s" diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index 8666c7e94d1..7cc29d759cf 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml @@ -2023,7 +2023,7 @@ controls: managed throughout an account's lifecycle. levels: - base - status: pending + status: automated controls: - id: 8.2.1 title: All users are assigned a unique ID before access to system components or cardholder 
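Review bot: the commit message of PATCH 2/8 should say why `15m0s` is added to `var_oauth_inactivity_timeout.var`: it exists only so that 8.2.8 can select `var_oauth_inactivity_timeout=15m0s`, the least strict value the requirement allows ("idle for more than 15 minutes"), while `default: "10m0s"` stays in place for the other profiles. Leaving the default at the tighter value is the right choice; just make the intent explicit so nobody later "fixes" the default to match the new option.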
@@ -2035,12 +2035,26 @@ controls: on point-of-sale terminals). levels: - base - status: planned + status: automated notes: |- - The rules selected in this requirement are incomplete. Missing remediation and test - scenarios. They should include test scenarios and likely remediation or a warning - informing why a remediation is not present. - rules: [] + Openshift should be configured to work with an external third-party identity provider. + Through the chosen identity provider, unique identifiers can be setup for each user. + See more at https://docs.openshift.com/container-platform/4.16/authentication/understanding-identity-provider.html + + However, the payment entity's processes and responsible personal still need to examined + to check whether each user is uniquely associated with an individual. + rules: + - idp_is_configured + related_rules: + # This control can be partially implemented with the following RHCOS rules + - no_direct_root_logins + - account_unique_id + - account_unique_name + - accounts_no_uid_except_zero + - accounts_root_gid_zero + - group_unique_id + - group_unique_name + - audit_rules_immutable_login_uids - id: 8.2.2 title: Group, shared, or generic accounts, or other shared authentication credentials are 
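Review bot: the 8.2.1 notes in this hunk carry three defects that PATCH 6/8 then patches in place (`responsible personal` for `personnel`, `need to examined`, and a docs URL pinned to 4.16); the fix-up belongs squashed into this commit, and note that `personal` is still `personal` after patch 6, so that typo survives the whole series. Separately, `status: automated` sits next to a note saying the payment entity's processes "still need to be examined", which is exactly the situation PATCH 8/8 labels `partial` for 8.3.2 and 8.3.4 (a rule exists, manual assessment remains); pick one status for that case and apply it consistently across section 8.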
@@ -2054,24 +2068,37 @@ controls: - Every action taken is attributable to an individual user. levels: - base - status: pending + status: automated notes: |- - This requirement is complemented by 8.2.1 and related to 8.3.5. - rules: [] + Access tokens that are issued by OpenShift upon authentication should only be used by the + person for whom it was issued. + rules: + - kubeadmin_removed + related_rules: + # This control can also be implemented with the following RHCOS rules + - no_direct_root_logins - id: 8.2.3 title: 'Additional requirement for service providers only: Service providers with remote access to customer premises use unique authentication factors for each customer premises.' levels: - base - status: pending + status: not applicable + notes: |- + The payment entity itself is also required to not use group, shared, or generic IDs, + passwords, or other authentication methods. Access tokens that are issued by + OpenShift upon authentication should only be used by the person + for whom it was issued. - id: 8.2.4 title: Addition, deletion, and modification of user IDs, authentication factors, and other identifier objects are managed levels: - base - status: pending + status: not applicable + notes: |- + Only the payment entity can assess whether the access privileges granted to users are + appropriate and documented, and propperly reflected in the configured identity provider. - id: 8.2.5 title: Access for terminated users is immediately revoked. 
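Review bot: the 8.2.3 notes added in this hunk talk about group, shared or generic IDs and about access tokens, which is the 8.2.2 topic; 8.2.3 is about service providers using a unique authentication factor for each customer premises, so the note does not actually explain why that control is out of scope. Suggest replacing it with a note that a service provider's per-customer authentication factors live in its identity provider, outside OpenShift. Minor wording: in both 8.2.2 and 8.2.3 "should only be used by the person for whom it was issued" should read "for whom they were issued" (tokens, plural), and `propperly` in 8.2.4 is only corrected in PATCH 6/8.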
@@ -2079,9 +2106,11 @@ controls: The accounts of terminated users cannot be used. levels: - base - status: pending + status: not applicable notes: |- - This requirement depends on site policies for user termination. + Revocation of access for terminated users are performed by the third-party + identity provider. Additionaly, OpenShift nor the identity provider cannot by itself + determine the users associated with an individual. - id: 8.2.6 title: Inactive user accounts are removed or disabled within 90 days of inactivity. @@ -2089,9 +2118,12 @@ controls: Inactive user accounts cannot be used. levels: - base - status: pending + status: not applicable notes: |- - Also related to requirements 2.2.2 and 8.3.5. + Removal or disabling of inactive user accounts within 90 days are handled with the + identity provider. + All user IDs, including those handled by third parties to access, support, or maintain + system components via remote access, are handled externally to OpenShift. rules: [] - id: 8.2.7 @@ -2099,7 +2131,11 @@ controls: remote access are managed. levels: - base - status: pending + status: not applicable + notes: |- + Similar to how accounts for employees are managed, accounts for third parties are also + managed by the configured identity provider, and under responsibility of the payment + entity. - id: 8.2.8 title: If a user session has been idle for more than 15 minutes, the user is required to 
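Review bot: the 8.2.5 note does not parse ("Revocation ... are performed", "OpenShift nor the identity provider cannot by itself"); suggested wording: "Revocation of access for terminated users is performed by the third-party identity provider. Neither OpenShift nor the identity provider can by itself determine which user IDs belong to an individual." It would also help an assessor to add that OpenShift keeps `User`, `Identity` and OAuth access-token objects for everyone who has logged in, and an issued access token stays valid until it expires, times out or is deleted, so disabling the account at the identity provider does not by itself end an existing session; the payment entity's offboarding procedure should therefore also remove the user's cluster objects (`oc delete user`, `oc delete identity`) and the inactivity timeout selected in 8.2.8 bounds the remaining window. In 8.2.6, "are handled" should be "is handled", and the leftover `rules: []` under a not-applicable control should be dropped, as it was for 8.2.5 and 8.2.7.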
@@ -2112,8 +2148,14 @@ controls: from being performed while the console/PC is unattended. levels: - base - status: pending - rules: [] + status: automated + notes: |- + Session timeouts can be enabled with OpenShift to limit the amount of + time that a session can be active. However, the payment entity also needs to control the + user's and administrator's idle session timeouts on their payment applications as well. + rules: + - oauth_or_oauthclient_inactivity_timeout + - var_oauth_inactivity_timeout=15m0s - id: '8.3' title: Strong authentication for users and administrators is established and managed. From f22ea821b9e4a2e650af38a87f8f1a8317d8f68c Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 10 Jul 2024 16:44:52 +0200 Subject: [PATCH 3/8] CMP-2460: Requirement 8.3 is not applicable --- controls/pcidss_4_ocp4.yml | 98 ++++++++++++++++++++++---------------- 1 file changed, 57 insertions(+), 41 deletions(-) diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index 7cc29d759cf..3f92420f7cf 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml 
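Review bot: the 8.2.8 note should spell out that the inactivity timeout is configured in two places: cluster-wide in the `OAuth` resource (`spec.tokenConfig.accessTokenInactivityTimeout`) and per client in an `OAuthClient` (`accessTokenInactivityTimeoutSeconds`), where the client value overrides the cluster value. That is presumably why `oauth_or_oauthclient_inactivity_timeout` is selected rather than a server-only check, and saying so tells the payment entity that an `OAuthClient` created for their own application with a looser timeout would fail the control even when the server-wide value passes.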
@@ -2161,14 +2161,23 @@ controls: title: Strong authentication for users and administrators is established and managed. levels: - base - status: pending + status: not applicable controls: - id: 8.3.1 title: All user access to system components for users and administrators is authenticated. + description: |- + All user access to system components for users and administrators is authenticated via at + least one of the following authentication factors: + - Something you know, such as a password or passphrase. + - Something you have, such as a token device or smart card. + - Something you are, such as a biometric element. levels: - base - status: pending - rules: [] + status: not applicable + notes: |- + The type of authenticators to be used (for example, password or passphrase, + token device or smart card, or biometrics) are managed externally + to OpenShift by the identity provider - id: 8.3.2 title: Strong cryptography is used to render all authentication factors unreadable during @@ -2178,10 +2187,11 @@ controls: interception of communications or from stored data. levels: - base - status: pending + status: not applicable notes: |- - There are similar rules that might be redundant for some distros. - rules: [] + The protection of the authentication credentials such as rendering the passwords and + passphrases unreadable during transmission and the storage of credentials on system + components is the responsibility of the third-party identity provider. - id: 8.3.3 title: User identity is verified before modifying any authentication factor. 
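Review bot: the 8.3.1 note needs "The type of authenticators ... is managed" (singular subject) and a full stop at the end; the same sentence is reused verbatim for 8.3.11 in the last hunk of this patch, so fix both. For 8.3.2, the `status: not applicable` chosen here is reversed to `partial` in PATCH 8/8 once `ocp_no_ldap_insecure` is added; squashing the two would avoid the back-and-forth in the history.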
@@ -2190,12 +2200,12 @@ controls: authorized user. levels: - base - status: pending + status: not applicable notes: |- - This requirement is about processes, such as password resets, provisioning new hardware or - software tokens, and generating new keys. It is common that these activities involve help - desk teams and administrators and the involved people should ensure identities are properly - verified. + Modification of authentication credentials is handled by the third-party identity provider. + All access to modify parameters for authentication tokens or for generating keys within + OpenShift is managed with RBAC and requires prior authentication before the user is + authorized to act. - id: 8.3.4 title: Invalid authentication attempts are limited. @@ -2205,8 +2215,12 @@ controls: confirmed. levels: - base - status: pending - rules: [] + status: not applicable + notes: |- + Account lockout for failed attempts are managed by the identity provider as all + authentication attempts that occur prior to granting access from OpenShift. + Establishing a threshold for limiting repeated failed attempts are configured with + the chosen identity provider. - id: 8.3.5 title: If passwords/passphrases are used as authentication factors to meet Requirement @@ -2216,10 +2230,11 @@ controls: - Forced to be changed immediately after the first use. levels: - base - status: pending + status: not applicable notes: |- - Also related to requirement 2.2.2, 8.2.2 and 8.2.6. - rules: [] + Parameters for authenticators such as password length, maximum password + age, minimum password age, password history, and requirements to change + the password on first use are handled by the third-party identity provider. - id: 8.3.6 title: If passwords/passphrases are used as authentication factors to meet Requirement 
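Review bot: the 8.3.4 note is ungrammatical to the point of being hard to follow: "Account lockout for failed attempts are managed by the identity provider as all authentication attempts that occur prior to granting access from OpenShift." Suggested: "Account lockout after failed attempts is managed by the identity provider, because every authentication attempt is processed there before OpenShift grants access. The threshold for limiting repeated failed attempts is configured in the chosen identity provider." The 8.3.3 note's statement that modifying "parameters for authentication tokens or for generating keys within OpenShift is managed with RBAC" would be more useful with a pointer to the objects it means (`OAuth`, `OAuthClient`, service-account token secrets) so an assessor knows which RBAC bindings to inspect.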
@@ -2232,14 +2247,11 @@ controls: force attack. levels: - base - status: pending + status: not applicable notes: |- - This requirement is not intended to apply to: - - User accounts on point-of-sale terminals that have access to only one card number at a - time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale - terminals). - - Application or system accounts, which are governed by requirements in section 8.6. - rules: [] + Parameters for authenticators such as password length, maximum password + age, minimum password age, password history, and requirements to change + the password on first use are handled by the third-party identity provider. - id: 8.3.7 title: Individuals are not allowed to submit a new password/passphrase that is the same as @@ -2249,18 +2261,17 @@ controls: months. levels: - base - status: pending + status: not applicable notes: |- - This requirement is not intended to apply to user accounts on point-of-sale terminals that - have access to only one card number at a time to facilitate a single transaction (such as - IDs used by cashiers on point-of-sale terminals). - rules: [] + Parameters for authenticators such as password length, maximum password + age, minimum password age, password history, and requirements to change + the password on first use are handled by the third-party identity provider. - id: 8.3.8 title: Authentication policies and procedures are documented and communicated to all users. levels: - base - status: pending + status: not applicable - id: 8.3.9 title: If passwords/passphrases are used as the only authentication factor for user access 
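Review bot: the 8.3.6 hunk deletes the note listing the requirement's own scope exceptions (point-of-sale terminal accounts limited to one card number, and application/system accounts governed by 8.6); that text is the standard's scoping, not a leftover from earlier content decisions, and still applies, so keep it next to the new identity-provider sentence (the same goes for the 8.3.7 exception). Also, the identical three-line "Parameters for authenticators such as password length, maximum password age, ..." paragraph is pasted into 8.3.5, 8.3.6 and 8.3.7 here and into 8.3.9, 8.3.10.1 and 8.6.3 later; each of those controls concerns one parameter (length/complexity, history, lifetime), so a one-line note naming the relevant parameter reads better than the identical block.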
@@ -2275,12 +2286,11 @@ controls: resources is automatically determined accordingly. levels: - base - status: pending + status: not applicable notes: |- - The requirement does not explicitily define the number of days before the password - expiration to warn the users, but the relevant rules were selected here as they do not - cause any problems in combination with password lifetime rules. - rules: [] + Parameters for authenticators such as password length, maximum password + age, minimum password age, password history, and requirements to change + the password on first use are handled by the third-party identity provider. - id: 8.3.10 title: 'Additional requirement for service providers only: If passwords/passphrases are used @@ -2289,7 +2299,7 @@ controls: users.' levels: - base - status: pending + status: not applicable controls: - id: 8.3.10.1 title: 'Additional requirement for service providers only: If passwords/passphrases are @@ -2297,9 +2307,11 @@ controls: single-factor authentication implementation) they should have a limited lifetime.' levels: - base - status: pending + status: not applicable notes: |- - This requirement is already covered by 8.3.9. + Parameters for authenticators such as password length, maximum password + age, minimum password age, password history, and requirements to change + the password on first use are handled by the third-party identity provider. - id: 8.3.11 title: Where authentication factors such as physical or logical security tokens, smart 
@@ -2307,13 +2319,17 @@ controls: is controlled.' levels: - base - status: pending + status: not applicable + notes: |- + The type of authenticators to be used (for example, password or passphrase, + token device or smart card, or biometrics) are managed externally + to OpenShift by the identity provider - id: '8.4' title: Multi-factor authentication (MFA) is implemented to secure access into the CDE. levels: - base - status: pending + status: not applicable notes: |- This parent requirement does not set one specific combination of Multi-factor authentication (MFA), so we can't enforce the use of smartcards or any specific solution. The systems @@ -2324,7 +2340,7 @@ controls: administrative access. levels: - base - status: pending + status: not applicable - id: 8.4.2 title: MFA is implemented for all access into the CDE. @@ -2332,7 +2348,7 @@ controls: Access into the CDE cannot be obtained by the use of a single authentication factor. levels: - base - status: pending + status: not applicable - id: 8.4.3 title: MFA is implemented for all remote network access originating from outside the From 5264dfa4764c004c8361bbb12d183f2b350f90ac Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 11 Jul 2024 12:37:00 +0200 Subject: [PATCH 4/8] CMP-2460: Reqs 8.4 and 8.5 are not applicable --- controls/pcidss_4_ocp4.yml | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index 3f92420f7cf..5f2832f77e5 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml 
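Review bot: the 8.4 parent hunk flips the status to `not applicable` while keeping the old note ("we can't enforce the use of smartcards..."), which the very next commit (PATCH 4/8) replaces; squash that into this one. The 8.3.11 note repeats the 8.3.1 wording and inherits its missing full stop and singular/plural mismatch.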
@@ -2331,9 +2331,7 @@ controls: - base status: not applicable notes: |- - This parent requirement does not set one specific combination of Multi-factor authentication - (MFA), so we can't enforce the use of smartcards or any specific solution. The systems - usually support MFA but the chosen solution depends on site policies. + Multi-factor authenticators are managed externally to OpenShift by the identity provider controls: - id: 8.4.1 title: MFA is implemented for all non-console access into the CDE for personnel with @@ -2355,13 +2353,15 @@ controls: entity's network that could access or impact the CDE. levels: - base - status: pending + status: not applicable - id: '8.5' title: Multi-factor authentication (MFA) systems are configured to prevent misuse. levels: - base - status: pending + status: not applicable + notes: |- + Multi-factor authenticators are managed externally to OpenShift by the identity provider controls: - id: 8.5.1 title: MFA systems are properly implemented. @@ -2374,10 +2374,7 @@ controls: - Success of all authentication factors is required before access is granted. levels: - base - status: pending - notes: |- - Each site might have a different MFA solution and each solution has its own capabilities. - This requirement demands manual assessment based on site policies. + status: not applicable - id: '8.6' title: Use of application and system accounts and associated authentication factors is From 28423d20327e6fbd2a9b8074f0a51eb839bdeb92 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 11 Jul 2024 14:33:31 +0200 Subject: [PATCH 5/8] CMP-2460: Requirement 8.6 is supported Among many requirements not applicable one is supported. --- controls/pcidss_4_ocp4.yml | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index 5f2832f77e5..4660a1f4ce2 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml 
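Review bot: both new notes in PATCH 4/8 (8.4 and 8.5) end without a full stop ("...by the identity provider"). One more sentence would make them useful to an assessor: the OpenShift OAuth server performs no second factor of its own, so 8.4.x and 8.5.x can only be satisfied by an identity provider that enforces MFA before it asserts the identity to OpenShift, and the htpasswd restriction introduced for 8.3.4 in PATCH 8/8 (`ocp_idp_no_htpasswd`) is equally relevant here, since a password file cannot provide a second factor. Dropping the 8.5.1 note entirely also loses the point that the MFA solution is site-specific; that is still the reason the control is manual and should survive in shortened form.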
@@ -2381,7 +2381,7 @@ controls: strictly managed. levels: - base - status: pending + status: supported controls: - id: 8.6.1 title: If accounts used by systems or applications can be used for interactive login, they @@ -2395,13 +2395,14 @@ controls: - Every action taken is attributable to an individual user. levels: - base - status: pending + status: not applicable notes: |- - This requirement is related to 2.2.2, 2.2.6, 8.2.1 and 8.2.2. Specifically on 8.2.2 system - accounts usage is restricted. Exceptions to system accounts should be manually checked to - ensure the requirements in description. This requirement although implements some extra - controls regarding root account. + All user IDs, including those handled by third parties to access, support, or maintain + system components via remote access, are handled externally to OpenShift. rules: [] + related_rules: + # The following RHCOS rule can also contribute to the implementation of this control. + - securetty_root_login_console_only - id: 8.6.2 title: Passwords/passphrases for any application and system accounts that can be used for @@ -2412,7 +2413,9 @@ controls: unauthorized personnel. levels: - base - status: pending + status: supported + notes: |- + OpenShift can be integrated with a Vault to manage secrets. - id: 8.6.3 title: Passwords/passphrases for any application and system accounts are protected against @@ -2425,9 +2428,11 @@ controls: frequently the entity changes the passwords/passphrases. levels: - base - status: pending + status: not applicable notes: |- - Related to requirements 8.3.6 and 8.3.9. + Parameters for authenticators such as password length, maximum password + age, minimum password age, password history, and requirements to change + the password on first use are handled by the third-party identity provider. - id: '9.1' title: Processes and mechanisms for restricting physical access to cardholder data are defined From 504ec6c76940c6d6ac2eed5985daaf518ed55f8d Mon Sep 17 00:00:00 2001 
From: Watson Sato Date: Mon, 15 Jul 2024 11:29:57 +0200 Subject: [PATCH 6/8] Fix typos and review comments --- controls/pcidss_4_ocp4.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index 4660a1f4ce2..eb93377cab8 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml @@ -2039,9 +2039,9 @@ controls: notes: |- Openshift should be configured to work with an external third-party identity provider. Through the chosen identity provider, unique identifiers can be setup for each user. - See more at https://docs.openshift.com/container-platform/4.16/authentication/understanding-identity-provider.html + See more at https://docs.openshift.com/container-platform/latest/authentication/understanding-identity-provider.html - However, the payment entity's processes and responsible personal still need to examined + However, the payment entity's processes and responsible personal still need to be examined to check whether each user is uniquely associated with an individual. rules: - idp_is_configured @@ -2098,7 +2098,7 @@ controls: status: not applicable notes: |- Only the payment entity can assess whether the access privileges granted to users are - appropriate and documented, and propperly reflected in the configured identity provider. + appropriate and documented, and properly reflected in the configured identity provider. - id: 8.2.5 title: Access for terminated users is immediately revoked. @@ -2109,7 +2109,7 @@ controls: status: not applicable notes: |- Revocation of access for terminated users are performed by the third-party - identity provider. Additionaly, OpenShift nor the identity provider cannot by itself + identity provider. Additionally, OpenShift nor the identity provider cannot by itself determine the users associated with an individual. - id: 8.2.6 From 80eaadbf2d3a4fc7adebb774ce5e0579af372014 Mon Sep 17 00:00:00 2001 
From: Watson Sato Date: Mon, 15 Jul 2024 12:42:49 +0200 Subject: [PATCH 7/8] Add prerequisite rules for Req 8.2 and 8.3 Sections 8.2 and 8.3 are heavily dependent on the selected identity provider and removal of kubeadmin user. So rules for these two aspects were added to the controls. --- controls/pcidss_4_ocp4.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index eb93377cab8..81230c4674b 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml @@ -2024,6 +2024,12 @@ controls: levels: - base status: automated + notes: |- + For this control to be satisfiable an identity provider must be used and the kubeadmin user + needs to be removed. + rules: + - idp_is_configured + - kubeadmin_removed controls: - id: 8.2.1 title: All users are assigned a unique ID before access to system components or cardholder @@ -2162,6 +2168,12 @@ controls: levels: - base status: not applicable + notes: |- + For this control to be satisfiable an identity provider must be used and the kubeadmin user + needs to be removed. + rules: + - idp_is_configured + - kubeadmin_removed controls: - id: 8.3.1 title: All user access to system components for users and administrators is authenticated. From c6eac497c192e19e757b2b87cd76cfd6be0bd12a Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Fri, 19 Jul 2024 15:05:23 +0200 Subject: [PATCH 8/8] CMP-2460: Restrict IdP configurations The choice of which identity provider to use falls onto the payment entity. But we already know that htpasswd cannot satisfy PCI-DSS's needs, and LDAP provider needs to be restrained. Restrict usage of htpasswd as the identity provider, it cannot provide user lockout feature required by PCI-DSS. Do not allow the LDAP provider to transmit clear text passwords. --- controls/pcidss_4_ocp4.yml | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index 81230c4674b..57a20372dff 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml @@ -2167,7 +2167,7 @@ controls: title: Strong authentication for users and administrators is established and managed. levels: - base - status: not applicable + status: partial notes: |- For this control to be satisfiable an identity provider must be used and the kubeadmin user needs to be removed. @@ -2199,12 +2199,17 @@ controls: interception of communications or from stored data. levels: - base - status: not applicable + status: partial notes: |- The protection of the authentication credentials such as rendering the passwords and passphrases unreadable during transmission and the storage of credentials on system components is the responsibility of the third-party identity provider. + If LDAP is used as the identity provider, we do not allow it to run with the + 'insecure' flag on. + rules: + - ocp_no_ldap_insecure + - id: 8.3.3 title: User identity is verified before modifying any authentication factor. description: |- @@ -2227,13 +2232,18 @@ controls: confirmed. levels: - base - status: not applicable + status: partial notes: |- Account lockout for failed attempts are managed by the identity provider as all authentication attempts that occur prior to granting access from OpenShift. Establishing a threshold for limiting repeated failed attempts are configured with the chosen identity provider. + In this control we do not allow usage of htpasswd as the identity provider, as it + doesn't provide user lockout feature. + rules: + - ocp_idp_no_htpasswd + - id: 8.3.5 title: If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they are set and reset for each user.
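Review bot: in PATCH 5/8 the 8.6.1 note ("All user IDs, including those handled by third parties ... via remote access, are handled externally to OpenShift") is copied from 8.2.6 and does not address 8.6.1, which is about system or application accounts that can be used for interactive login; OpenShift service accounts are cluster objects rather than identity-provider users, so the note should say how the control maps onto them (whether interactive use of service-account tokens is something the payment entity must forbid by policy, and that such tokens are attributable to the service account, not to a person). The not-applicable 8.6.1 also still carries `rules: []` beside its `related_rules:`. For 8.6.2, `status: supported` rests on the single sentence "OpenShift can be integrated with a Vault to manage secrets" and selects no rule; name the integration actually meant (e.g. HashiCorp Vault through the Secrets Store CSI driver) and consider whether the existing API-server etcd encryption rules belong under `rules:` here, since the control asks that stored passwords not be hardcoded or readable by unauthorised personnel.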
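Review bot: the PATCH 7/8 hunk for 8.3 attaches `rules:` (`idp_is_configured`, `kubeadmin_removed`) to a control whose status is still `not applicable`; PATCH 8/8 changes it to `partial`, but as an intermediate commit this one is self-contradictory (a not-applicable control that selects rules), so the status change belongs in this commit. The same two rules are also selected by the children (8.2.1 selects `idp_is_configured`, 8.2.2 selects `kubeadmin_removed`); the duplication is harmless but the note should say "prerequisites for the whole section" so readers do not wonder whether one of the two places is stale.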
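Review bot: the PATCH 8/8 diffstat touches only `controls/pcidss_4_ocp4.yml`, yet the 8.3.2 and 8.3.4 hunks select `ocp_no_ldap_insecure` and `ocp_idp_no_htpasswd`; unless those rules already exist under `applications/openshift/authentication/`, the profile build cannot resolve the rule ids, so either add the rule directories in this series or reference the change that introduces them. On the content, the 8.3.2 note should say what "insecure" means for the LDAP identity provider, because that is the property the control cares about: with `insecure: false` an `ldaps://` URL uses TLS and an `ldap://` URL is upgraded with StartTLS, whereas `insecure: true` sends the bind and user credentials in clear text; it should also mention that the provider's `ca` bundle must be configured for the server certificate check to mean anything. For 8.3.4, "doesn't provide user lockout feature" should read "does not provide an account lockout feature", and since forbidding htpasswd says nothing about the remaining providers, keep the sentence that the lockout threshold is configured in the chosen identity provider.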