From b214f11ba4f2ff95d997de5d93d322f3061a413b Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 16 May 2024 16:59:17 +0200 Subject: [PATCH 1/4] CMP-2456: Requirement 4.1 is not applicable This req is defining processes and creating documentation. --- controls/pcidss_4_ocp4.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index 67b1bd5b96c..c7c07a53c76 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml @@ -1202,21 +1202,21 @@ controls: transmission over open, public networks are defined and documented. levels: - base - status: pending + status: not applicable controls: - id: 4.1.1 title: All security policies and operational procedures that are identified in Requirement 4 are Documented, Kept up to date, In use and Known to all affected parties. levels: - base - status: pending + status: not applicable - id: 4.1.2 title: Roles and responsibilities for performing activities in Requirement 4 are documented, assigned, and understood. levels: - base - status: pending + status: not applicable notes: |- Examine documentation and interview personnel to verify that day-to-day responsibilities for performing all the activities in Requirement 4 are documented, assigned and understood From 0f707bfe93f6ccf3834bb813a4272f44b221042f Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 16 May 2024 17:00:45 +0200 Subject: [PATCH 2/4] CMP-2456: Requirement 4.2 is partial OpenShift uses and provides strong cryptography and secure protocols, but it is still up to the applications to leverage them. --- controls/pcidss_4_ocp4.yml | 35 ++++++++++++++++++++++++++--------- 1 file changed, 26 insertions(+), 9 deletions(-) diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index c7c07a53c76..80a4bb9c824 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml 
@@ -1226,7 +1226,7 @@ controls: title: PAN is protected with strong cryptography during transmission. levels: - base - status: pending + status: partial controls: - id: 4.2.1 title: Strong cryptography and security protocols are implemented as follows to safeguard @@ -1244,7 +1244,22 @@ controls: - The encryption strength is appropriate for the encryption methodology in use. levels: - base - status: pending + status: partial + notes: |- + OpenShift provides mechanisms to securely transmit PAN over open public networks, but + the application is still responsible for leveraging and implementing strong + cryptography when transmitting PAN. + rules: + - file_permissions_openshift_pki_cert_files + - tls_version_check_apiserver + - tls_version_check_masters_workers + - tls_version_check_router + - etcd_check_cipher_suite + - api_server_tls_security_profile + - ingress_controller_certificate + - ingress_controller_tls_security_profile + - kubelet_configure_tls_min_version + controls: - id: 4.2.1.1 title: An inventory of the entity's trusted keys and certificates used to protect PAN @@ -1255,7 +1270,10 @@ controls: which it will be required and must be fully considered during a PCI DSS assessment. levels: - base - status: pending + status: not applicable + notes: |- + OpenShift doesn't directly handle PANs, the management of keys and certificates + protecting a PAN is resposibility of the application. - id: 4.2.1.2 title: Wireless networks transmitting PAN or connected to the CDE use industry best @@ -1264,9 +1282,9 @@ controls: Cleartext PAN cannot be read or intercepted from wireless network transmissions. levels: - base - status: pending + status: not applicable notes: |- - Wireless interfaces are disabled by 1.3.3. + OpenShift doesn't manage wireless environments nor they security configurations. - id: 4.2.2 title: PAN is secured with strong cryptography whenever it is sent via end-user messaging 
@@ -1282,11 +1300,10 @@ controls: from being used for cardholder data. levels: - base - status: pending + status: not applicable notes: |- - Some known insecure services and protocols are disabled by 2.2.4. - If any specific end-user messaging technology is used, it should be manually checked in - alignment to site policies. + OpenShift doesn't directly handle PANs, the application is responsible for appropriately + securing PAN. - id: '5.1' title: Processes and mechanisms for protecting all systems and networks from malicious From f22b4c039c89220cf83d0e781d00d0ea2b035163 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 6 Jun 2024 16:05:01 +0200 Subject: [PATCH 3/4] Adjust PCI-DSS 4.2.1 - Add api_server_tls_cert rule - Tweak note on requirement 4.2.1 --- controls/pcidss_4_ocp4.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index 80a4bb9c824..c3402c25afd 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml @@ -1255,6 +1255,7 @@ controls: - tls_version_check_masters_workers - tls_version_check_router - etcd_check_cipher_suite + - api_server_tls_cert - api_server_tls_security_profile - ingress_controller_certificate - ingress_controller_tls_security_profile @@ -1273,7 +1274,7 @@ controls: status: not applicable notes: |- OpenShift doesn't directly handle PANs, the management of keys and certificates - protecting a PAN is resposibility of the application. + protecting them is responsibility of the payment application. - id: 4.2.1.2 title: Wireless networks transmitting PAN or connected to the CDE use industry best From 00cfb09fdfc353392fdc23523dee02233a18f2b4 Mon Sep 17 00:00:00 2001 
From: Watson Sato Date: Mon, 10 Jun 2024 14:40:11 +0200 Subject: [PATCH 4/4] Add tls_cipher_suite, drop etcd cihper rule The rule api_server_tls_security_profile sets up a custom security profile, without specifying ciphers. So we also need to select api_server_tls_security_profile. Removing etcd cipher rule, it is not related to transission on public networks. --- controls/pcidss_4_ocp4.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index c3402c25afd..4706f9c0cbf 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml @@ -1254,9 +1254,9 @@ controls: - tls_version_check_apiserver - tls_version_check_masters_workers - tls_version_check_router - - etcd_check_cipher_suite - api_server_tls_cert - api_server_tls_security_profile + - api_server_tls_cipher_suites - ingress_controller_certificate - ingress_controller_tls_security_profile - kubelet_configure_tls_min_version
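Review bot: In PATCH 1/4, the 4.1 and 4.1.1 entries flip `status: pending` to `status: not applicable` without a `notes:` field, while 4.1.2 in the same hunk and every status change in PATCH 2/4 carry one. The rationale exists only in the commit message ("This req is defining processes and creating documentation"); put it in the control file, e.g. `notes: |-` followed by `Requirement 4.1 defines processes and documentation and is not implementable by the platform.`, so someone reading the YAML (or a generated PCI DSS report) sees why the requirement is marked not applicable without consulting git history.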
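Review bot: In PATCH 2/4, the rules added under 4.2.1 (which is about safeguarding PAN during transmission over open, public networks) include `etcd_check_cipher_suite` and `file_permissions_openshift_pki_cert_files`. PATCH 4/4 removes the etcd rule precisely because etcd traffic is not transmission on public networks, so it is cleaner to leave it out here rather than add and drop it within one series; the PKI file-permission rule is a local file-mode check, not a transport control, and deserves the same question before the series merges. The note text `resposibility` in the 4.2.1.1 hunk is corrected in PATCH 3/4; consider squashing that fix into this commit.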
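Review bot: In PATCH 2/4, the 4.2.1.2 hunk replaces the note with `OpenShift doesn't manage wireless environments nor they security configurations.`; `they` should be `their`, and this wording survives unchanged through PATCH 3/4 and 4/4, so it needs a follow-up fix. The removed line `Wireless interfaces are disabled by 1.3.3.` also pointed at a concrete control; if 1.3.3 still disables wireless interfaces on nodes, keeping that cross-reference alongside the new sentence would preserve useful evidence for an assessor.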
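Review bot: In PATCH 4/4, the commit message says "So we also need to select api_server_tls_security_profile", but that rule is already in the list and the hunk actually adds `+ - api_server_tls_cipher_suites`; the message should name `api_server_tls_cipher_suites`. The message also has `cihper` and `transission` typos. Since the series touches the same rule list three times, a final squash of PATCH 3/4 and 4/4 into PATCH 2/4 would leave one coherent change for 4.2.1.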