OCPBUGS-11932: Disable checks for Open vSwitch on NSX cluster

This PR make open vSwitch rules only be check with SDN and OVN network type
rumch-se · Nov 20, 2023 · 0c828db · 0c828db
1 parent cfc9388
commit 0c828db
Show file tree

Hide file tree

Showing 27 changed files with 48 additions and 42 deletions.
diff --git a/applications/openshift/master/file_groupowner_openvswitch/rule.yml b/applications/openshift/master/file_groupowner_openvswitch/rule.yml
@@ -20,6 +20,8 @@ severity: medium
 references:
     cis@ocp4: 1.1.10
 
+platform: ocp4-node-on-sdn or ocp4-node-on-ovn
+
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/openvswitch/.*", group="root") }}}'
 
 ocil: |-

diff --git a/applications/openshift/master/file_groupowner_ovs_conf_db/rule.yml b/applications/openshift/master/file_groupowner_ovs_conf_db/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
 
 prodtype: ocp4
 
-platform: ocp4-node
-
 title: 'Verify Group Who Owns The Open vSwitch Configuration Database'
 
 description: |-
@@ -28,6 +26,8 @@ references:
     nist: CM-6,CM-6(1)
     srg: SRG-APP-000516-CTR-001325
 
+platform: ocp4-node-on-sdn or ocp4-node-on-ovn
+
 ocil_clause: |-
   <code>/etc/openvswitch/conf.db</code> does not have a group owner of
   code>hugetlbfs</code> on architectures other than s390x or <code>openvswitch</code>

diff --git a/applications/openshift/master/file_groupowner_ovs_conf_db_lock/rule.yml b/applications/openshift/master/file_groupowner_ovs_conf_db_lock/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
 
 prodtype: ocp4
 
-platform: ocp4-node
-
 title: 'Verify Group Who Owns The Open vSwitch Configuration Database Lock'
 
 description: |-
@@ -28,6 +26,8 @@ references:
     nist: CM-6,CM-6(1)
     srg: SRG-APP-000516-CTR-001325
 
+platform: ocp4-node-on-sdn or ocp4-node-on-ovn
+
 ocil_clause: |-
   <code>/etc/openvswitch/conf.db.~lock~</code> does not have a group owner of
   code>hugetlbfs</code> on architectures other than s390x or <code>openvswitch</code>

diff --git a/applications/openshift/master/file_groupowner_ovs_conf_db_lock_not_s390x/rule.yml b/applications/openshift/master/file_groupowner_ovs_conf_db_lock_not_s390x/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
 
 prodtype: ocp4
 
-platform: ocp4-node and not_s390x_arch
-
 title: 'Verify Group Who Owns The Open vSwitch Configuration Database Lock'
 
 description: |-
@@ -26,6 +24,8 @@ references:
     nist: CM-6,CM-6(1)
     srg: SRG-APP-000516-CTR-001325
 
+platform: (ocp4-node-on-sdn or ocp4-node-on-ovn) and not_s390x_arch
+
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/openvswitch/.conf.db.~lock~", group="hugetlbfs") }}}'
 
 ocil: |-

diff --git a/applications/openshift/master/file_groupowner_ovs_conf_db_lock_s390x/rule.yml b/applications/openshift/master/file_groupowner_ovs_conf_db_lock_s390x/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
 
 prodtype: ocp4
 
-platform: ocp4-node and s390x_arch
-
 title: 'Verify Group Who Owns The Open vSwitch Configuration Database Lock'
 
 description: |-
@@ -26,6 +24,8 @@ references:
     nist: CM-6,CM-6(1)
     srg: SRG-APP-000516-CTR-001325
 
+platform: (ocp4-node-on-sdn or ocp4-node-on-ovn) and s390x_arch
+
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/openvswitch/.conf.db.~lock~", group="hugetlbfs") }}}'
 
 ocil: |-

diff --git a/applications/openshift/master/file_groupowner_ovs_conf_db_not_s390x/rule.yml b/applications/openshift/master/file_groupowner_ovs_conf_db_not_s390x/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
 
 prodtype: ocp4
 
-platform: ocp4-node and not_s390x_arch
-
 title: 'Verify Group Who Owns The Open vSwitch Configuration Database'
 
 description: |-
@@ -26,6 +24,8 @@ references:
     nist: CM-6,CM-6(1)
     srg: SRG-APP-000516-CTR-001325
 
+platform: (ocp4-node-on-sdn or ocp4-node-on-ovn) and not_s390x_arch
+
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/openvswitch/conf.db", group="hugetlbfs") }}}'
 
 ocil: |-

diff --git a/applications/openshift/master/file_groupowner_ovs_conf_db_s390x/rule.yml b/applications/openshift/master/file_groupowner_ovs_conf_db_s390x/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
 
 prodtype: ocp4
 
-platform: ocp4-node and s390x_arch
-
 title: 'Verify Group Who Owns The Open vSwitch Configuration Database'
 
 description: |-
@@ -26,6 +24,8 @@ references:
     nist: CM-6,CM-6(1)
     srg: SRG-APP-000516-CTR-001325
 
+platform: (ocp4-node-on-sdn or ocp4-node-on-ovn) and s390x_arch
+
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/openvswitch/conf.db", group="openvswitch") }}}'
 
 ocil: |-

diff --git a/applications/openshift/master/file_groupowner_ovs_pid/rule.yml b/applications/openshift/master/file_groupowner_ovs_pid/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
 
 prodtype: ocp4
 
-platform: ocp4-node
-
 title: 'Verify Group Who Owns The Open vSwitch Process ID File'
 
 description: |-
@@ -28,6 +26,8 @@ references:
     nist: CM-6,CM-6(1)
     srg: SRG-APP-000516-CTR-001325
 
+platform: ocp4-node-on-sdn or ocp4-node-on-ovn
+
 ocil_clause: '/var/run/openvswitch/ovs-vswitchd.pid has group owner openvswitch or hugetlbfs'
 
 ocil: |-

diff --git a/applications/openshift/master/file_groupowner_ovs_sys_id_conf/rule.yml b/applications/openshift/master/file_groupowner_ovs_sys_id_conf/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
 
 prodtype: ocp4
 
-platform: ocp4-node
-
 title: 'Verify Group Who Owns The Open vSwitch Persistent System ID'
 
 description: |-
@@ -28,6 +26,8 @@ references:
     nist: CM-6,CM-6(1)
     srg: SRG-APP-000516-CTR-001325
 
+platform: ocp4-node-on-sdn or ocp4-node-on-ovn
+
 ocil_clause: |-
   <code>/etc/openvswitch/system-id.conf</code> does not have a group owner of
   code>hugetlbfs</code> on architectures other than s390x or <code>openvswitch</code>

diff --git a/applications/openshift/master/file_groupowner_ovs_sys_id_conf_not_s390x/rule.yml b/applications/openshift/master/file_groupowner_ovs_sys_id_conf_not_s390x/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
 
 prodtype: ocp4
 
-platform: ocp4-node and not_s390x_arch
-
 title: 'Verify Group Who Owns The Open vSwitch Persistent System ID'
 
 description: |-
@@ -26,6 +24,8 @@ references:
     nist: CM-6,CM-6(1)
     srg: SRG-APP-000516-CTR-001325
 
+platform: (ocp4-node-on-sdn or ocp4-node-on-ovn) and not_s390x_arch
+
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/openvswitch/system-id.conf", group="hugetlbfs") }}}'
 
 ocil: |-

diff --git a/applications/openshift/master/file_groupowner_ovs_sys_id_conf_s390x/rule.yml b/applications/openshift/master/file_groupowner_ovs_sys_id_conf_s390x/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
 
 prodtype: ocp4
 
-platform: ocp4-node and s390x_arch
-
 title: 'Verify Group Who Owns The Open vSwitch Persistent System ID'
 
 description: |-
@@ -26,6 +24,8 @@ references:
     nist: CM-6,CM-6(1)
     srg: SRG-APP-000516-CTR-001325
 
+platform: (ocp4-node-on-sdn or ocp4-node-on-ovn) and s390x_arch
+
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/openvswitch/system-id.conf", group="hugetlbfs") }}}'
 
 ocil: |-

diff --git a/applications/openshift/master/file_groupowner_ovs_vswitchd_pid/rule.yml b/applications/openshift/master/file_groupowner_ovs_vswitchd_pid/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
 
 prodtype: ocp4
 
-platform: ocp4-node
-
 title: 'Verify Group Who Owns The Open vSwitch Daemon PID File'
 
 description: |-
@@ -28,6 +26,8 @@ references:
     nist: CM-6,CM-6(1)
     srg: SRG-APP-000516-CTR-001325
 
+platform: ocp4-node-on-sdn or ocp4-node-on-ovn
+
 ocil_clause: '/run/openvswitch/ovs-vswitchd.pid has group owner openvswitch or hugetlbfs'
 
 ocil: |-

diff --git a/applications/openshift/master/file_groupowner_ovsdb_server_pid/rule.yml b/applications/openshift/master/file_groupowner_ovsdb_server_pid/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
 
 prodtype: ocp4
 
-platform: ocp4-node
-
 title: 'Verify Group Who Owns The Open vSwitch Database Server PID'
 
 description: |-
@@ -28,6 +26,8 @@ references:
     nist: CM-6,CM-6(1)
     srg: SRG-APP-000516-CTR-001325
 
+platform: ocp4-node-on-sdn or ocp4-node-on-ovn
+
 ocil_clause: '/run/openvswitch/ovsdb-server.pid has group owner openvswitch or hugetlbfs'
 
 ocil: |-

diff --git a/applications/openshift/master/file_owner_openvswitch/rule.yml b/applications/openshift/master/file_owner_openvswitch/rule.yml
@@ -20,6 +20,8 @@ severity: medium
 references:
     cis@ocp4: 1.1.10
 
+platform: ocp4-node-on-sdn or ocp4-node-on-ovn
+
 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/openvswitch/.*", owner="root") }}}'
 
 ocil: |-

diff --git a/applications/openshift/master/file_owner_ovs_conf_db/rule.yml b/applications/openshift/master/file_owner_ovs_conf_db/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
 
 prodtype: ocp4
 
-platform: ocp4-node
+platform: ocp4-node-on-sdn or ocp4-node-on-ovn
 
 title: 'Verify User Who Owns The Open vSwitch Configuration Database'
 

diff --git a/applications/openshift/master/file_owner_ovs_conf_db_lock/rule.yml b/applications/openshift/master/file_owner_ovs_conf_db_lock/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
 
 prodtype: ocp4
 
-platform: ocp4-node
+platform: ocp4-node-on-sdn or ocp4-node-on-ovn
 
 title: 'Verify User Who Owns The Open vSwitch Configuration Database Lock'
 

diff --git a/applications/openshift/master/file_owner_ovs_pid/rule.yml b/applications/openshift/master/file_owner_ovs_pid/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
 
 prodtype: ocp4
 
-platform: ocp4-node
+platform: ocp4-node-on-sdn or ocp4-node-on-ovn
 
 title: 'Verify User Who Owns The Open vSwitch Process ID File'
 

diff --git a/applications/openshift/master/file_owner_ovs_sys_id_conf/rule.yml b/applications/openshift/master/file_owner_ovs_sys_id_conf/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
 
 prodtype: ocp4
 
-platform: ocp4-node
+platform: ocp4-node-on-sdn or ocp4-node-on-ovn
 
 title: 'Verify User Who Owns The Open vSwitch Persistent System ID'
 

diff --git a/applications/openshift/master/file_owner_ovs_vswitchd_pid/rule.yml b/applications/openshift/master/file_owner_ovs_vswitchd_pid/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
 
 prodtype: ocp4
 
-platform: ocp4-node
+platform: ocp4-node-on-sdn or ocp4-node-on-ovn
 
 title: 'Verify User Who Owns The Open vSwitch Daemon PID File'
 

diff --git a/applications/openshift/master/file_owner_ovsdb_server_pid/rule.yml b/applications/openshift/master/file_owner_ovsdb_server_pid/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
 
 prodtype: ocp4
 
-platform: ocp4-node
+platform: ocp4-node-on-sdn or ocp4-node-on-ovn
 
 title: 'Verify User Who Owns The Open vSwitch Database Server PID'
 

diff --git a/applications/openshift/master/file_permissions_openvswitch/rule.yml b/applications/openshift/master/file_permissions_openvswitch/rule.yml
@@ -21,6 +21,8 @@ severity: medium
 references:
     cis@ocp4: 1.4.9
 
+platform: ocp4-node-on-sdn
+
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/openvswitch/.*", perms="-rw-r--r--") }}}'
 
 ocil: |-

diff --git a/applications/openshift/master/file_permissions_ovs_conf_db/rule.yml b/applications/openshift/master/file_permissions_ovs_conf_db/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
 
 prodtype: ocp4
 
-platform: ocp4-node
-
 title: 'Verify Permissions on the Open vSwitch Configuration Database'
 
 description: |-
@@ -26,6 +24,8 @@ references:
     nist: CM-6,CM-6(1)
     srg: SRG-APP-000516-CTR-001325
 
+platform: ocp4-node-on-sdn
+
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/openvswitch/conf.db", perms="-rw-r-----") }}}'
 
 ocil: |-

diff --git a/applications/openshift/master/file_permissions_ovs_conf_db_lock/rule.yml b/applications/openshift/master/file_permissions_ovs_conf_db_lock/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
 
 prodtype: ocp4
 
-platform: ocp4-node
-
 title: 'Verify Permissions on the Open vSwitch Configuration Database Lock'
 
 description: |-
@@ -26,6 +24,8 @@ references:
     nist: CM-6,CM-6(1)
     srg: SRG-APP-000516-CTR-001325
 
+platform: ocp4-node-on-sdn
+
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/openvswitch/.conf.db.~lock~", perms="-rw-------") }}}'
 
 ocil: |-

diff --git a/applications/openshift/master/file_permissions_ovs_pid/rule.yml b/applications/openshift/master/file_permissions_ovs_pid/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
 
 prodtype: ocp4
 
-platform: ocp4-node
-
 title: 'Verify Permissions on the Open vSwitch Process ID File'
 
 description: |-
@@ -26,6 +24,8 @@ references:
     nist: CM-6,CM-6(1)
     srg: SRG-APP-000516-CTR-001325
 
+platform: ocp4-node-on-sdn
+
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/var/run/openvswitch/ovs-vswitchd.pid", perms="-rw-r--r--") }}}'
 
 ocil: |-

diff --git a/applications/openshift/master/file_permissions_ovs_sys_id_conf/rule.yml b/applications/openshift/master/file_permissions_ovs_sys_id_conf/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
 
 prodtype: ocp4
 
-platform: ocp4-node
-
 title: 'Verify Permissions on the Open vSwitch Persistent System ID'
 
 description: |-
@@ -26,6 +24,8 @@ references:
     nist: CM-6,CM-6(1)
     srg: SRG-APP-000516-CTR-001325
 
+platform: ocp4-node-on-sdn
+
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/openvswitch/system-id.conf", perms="-rw-r--r--") }}}'
 
 ocil: |-

diff --git a/applications/openshift/master/file_permissions_ovs_vswitchd_pid/rule.yml b/applications/openshift/master/file_permissions_ovs_vswitchd_pid/rule.yml
@@ -2,8 +2,6 @@ documentation_complete: true
 
 prodtype: ocp4
 
-platform: ocp4-node
-
 title: 'Verify Permissions on the Open vSwitch Daemon PID File'
 
 description: |-
@@ -26,6 +24,8 @@ references:
     nist: CM-6,CM-6(1)
     srg: SRG-APP-000516-CTR-001325
 
+platform: ocp4-node-on-sdn
+
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/run/openvswitch/ovs-vswitchd.pid", perms="-rw-r--r--") }}}'
 
 ocil: |-