Merge pull request ComplianceAsCode#12319 from yuumasato/update_ocp4_…

…stig_to_v2r1 Add OCP STIG V2R1 profiles
rumch-se · Sep 11, 2024 · 0f99444 · 0f99444
2 parents bd26937 + e9653dd
commit 0f99444
Show file tree

Hide file tree

Showing 8 changed files with 4,158 additions and 16 deletions.
diff --git a/controls/stig_ocp4.yml b/controls/stig_ocp4.yml
@@ -3,7 +3,7 @@ policy: Red Hat OpenShift Container Platform 4.12 Security Technical Implementat
 title: Red Hat OpenShift Container Platform 4.12 Security Technical Implementation
   Guide
 id: stig_ocp4
-version: V1R1
+version: V2R1
 source: https://public.cyber.mil/stigs/downloads/
 reference_type: stigid
 product:

diff --git a/products/ocp4/profiles/stig-node-v2r1.profile b/products/ocp4/profiles/stig-node-v2r1.profile
@@ -0,0 +1,23 @@
+documentation_complete: true
+
+platform: ocp4-node
+
+metadata:
+    version: V2R1
+    SMEs:
+        - Vincent056
+        - rhmdnd
+        - yuumasato
+
+reference: https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RH_OpenShift_Container_Platform_4-12_V2R1_STIG.zip
+
+title: 'DISA STIG for Red Hat OpenShift Container Platform 4 - Node level'
+
+description: |-
+    This profile contains configuration checks that align to the DISA STIG for
+    Red Hat OpenShift Container Platform 4.
+
+filter_rules: '"ocp4-node" in platforms or "ocp4-master-node" in platforms or "ocp4-node-on-sdn" in platforms or "ocp4-node-on-ovn" in platforms'
+
+selections:
+    - stig_ocp4:all
diff --git a/products/ocp4/profiles/stig-node.profile b/products/ocp4/profiles/stig-node.profile
@@ -3,13 +3,11 @@ documentation_complete: true
 platform: ocp4-node
 
 metadata:
-    version: V1R1
+    version: V2R1
     SMEs:
-        - jhrozek
         - Vincent056
-        - mrogers950
         - rhmdnd
-        - david-rh
+        - yuumasato
 
 reference: https://public.cyber.mil/stigs/downloads/
 
@@ -19,4 +17,4 @@ description: |-
     This profile contains configuration checks that align to the DISA STIG for
     Red Hat OpenShift Container Platform 4.
 
-extends: stig-node-v1r1
+extends: stig-node-v2r1
diff --git a/products/ocp4/profiles/stig-v2r1.profile b/products/ocp4/profiles/stig-v2r1.profile
@@ -0,0 +1,30 @@
+documentation_complete: true
+
+platform: ocp4
+
+metadata:
+    version: V2R1
+    SMEs:
+        - Vincent056
+        - rhmdnd
+        - yuumasato
+
+reference: https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RH_OpenShift_Container_Platform_4-12_V2R1_STIG.zip
+
+title: 'DISA STIG for Red Hat OpenShift Container Platform 4 - Platform level'
+
+description: |-
+    This profile contains configuration checks that align to the DISA STIG for
+    Red Hat OpenShift Container Platform 4.
+
+filter_rules: '"ocp4-node" not in platforms and "ocp4-master-node" not in platforms and "ocp4-node-on-sdn" not in platforms and "ocp4-node-on-ovn" not in platforms'
+
+selections:
+    - stig_ocp4:all
+  ### Variables
+    - var_openshift_audit_profile=WriteRequestBodies
+    - var_oauth_token_maxage=8h
+  ### Helper Rules
+  ### This is a helper rule to fetch the required api resource for detecting OCP version
+    - version_detect_in_ocp
+    - version_detect_in_hypershift
diff --git a/products/ocp4/profiles/stig.profile b/products/ocp4/profiles/stig.profile
@@ -3,13 +3,11 @@ documentation_complete: true
 platform: ocp4
 
 metadata:
-    version: V1R1
+    version: V2R1
     SMEs:
-        - jhrozek
         - Vincent056
-        - mrogers950
         - rhmdnd
-        - david-rh
+        - yuumasato
 
 reference: https://public.cyber.mil/stigs/downloads/
 
@@ -19,4 +17,4 @@ description: |-
     This profile contains configuration checks that align to the DISA STIG for
     Red Hat OpenShift Container Platform 4.
 
-extends: stig-v1r1
+extends: stig-v2r1
diff --git a/products/rhcos4/profiles/stig-v2r1.profile b/products/rhcos4/profiles/stig-v2r1.profile
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+metadata:
+    version: V2R1
+    SMEs:
+        - Vincent056
+        - rhmdnd
+        - yuumasato
+
+reference: https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RH_OpenShift_Container_Platform_4-12_V2R1_STIG.zip
+
+title: 'DISA STIG for Red Hat Enterprise Linux CoreOS'
+
+description: |-
+    This profile contains configuration checks that align to the DISA STIG for
+    Red Hat Enterprise Linux CoreOS 4.
+
+selections:
+  - stig_ocp4:all
+  - var_sshd_set_keepalive=0
+  - var_selinux_policy_name=targeted
+  - var_selinux_state=enforcing
+  - var_accounts_passwords_pam_faillock_dir=run
+  # Following rules once had a prodtype incompatible with the rhcos4 product
+  - '!audit_rules_suid_privilege_function'
+  - '!audit_rules_sudoers'
+  - '!audit_rules_privileged_commands_kmod'
+  - '!audit_rules_sudoers_d'
+  - '!audit_rules_execution_setfacl'
+  - '!audit_rules_privileged_commands_usermod'
+  - '!audit_rules_privileged_commands_unix_update'
+  - '!audit_rules_execution_chacl'
+  - '!audit_rules_privileged_commands_ssh_agent'
diff --git a/products/rhcos4/profiles/stig.profile b/products/rhcos4/profiles/stig.profile
@@ -1,19 +1,18 @@
 documentation_complete: true
 
 metadata:
-    version: V1R1
+    version: V2R1
     SMEs:
-        - jhrozek
         - Vincent056
         - rhmdnd
-        - david-rh
+        - yuumasato
 
-reference: https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Container_Platform_V1R3_SRG.zip
+reference: https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RH_OpenShift_Container_Platform_4-12_V2R1_STIG.zip
 
 title: 'DISA STIG for Red Hat Enterprise Linux CoreOS'
 
 description: |-
     This profile contains configuration checks that align to the DISA STIG for
     Red Hat Enterprise Linux CoreOS 4.
 
-extends: stig-v1r1
+extends: stig-v2r1
diff --git a/shared/references/disa-stig-ocp4-v2r1-xccdf-manual.xml b/shared/references/disa-stig-ocp4-v2r1-xccdf-manual.xml