From afa2bfa406fb81863bada5e2457a76033cf0dba5 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Fri, 30 Jun 2023 15:21:23 -0500
Subject: [PATCH] Implement rules for CIS OCP Section 5.5

Now that we have a profile and control files for CIS 1.4.0, we can start wiring up the existing rules. This commit ports all the existing rules we were using for the CIS OpenShift profile into the CIS 1.4.0 version.
---
 .../registry/ocp_allowed_registries/rule.yml | 1 +
 .../ocp_allowed_registries_for_import/rule.yml | 1 +
 .../rule.yml | 1 +
 .../registry/ocp_insecure_registries/rule.yml | 1 +
 controls/cis_ocp_1_4_0/section-5.yml | 12 ++++++++----
 5 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/applications/openshift/registry/ocp_allowed_registries/rule.yml b/applications/openshift/registry/ocp_allowed_registries/rule.yml
index 6539b836ad1..3bbd71c0dff 100644
--- a/applications/openshift/registry/ocp_allowed_registries/rule.yml
+++ b/applications/openshift/registry/ocp_allowed_registries/rule.yml
@@ -34,6 +34,7 @@ ocil: |-
 make sure the output is not empty and matches the registries that you wish to allow.
 references:
+    cis@ocp4: '5.5.1'
 nist: CM-5(3),CM-7(2),CM-7(5),CM-11
 srg: SRG-APP-000456-CTR-001125
diff --git a/applications/openshift/registry/ocp_allowed_registries_for_import/rule.yml b/applications/openshift/registry/ocp_allowed_registries_for_import/rule.yml
index 7ffc176aaf8..a0e253b71a6 100644
--- a/applications/openshift/registry/ocp_allowed_registries_for_import/rule.yml
+++ b/applications/openshift/registry/ocp_allowed_registries_for_import/rule.yml
@@ -25,6 +25,7 @@ rationale: |-
 severity: medium
 references:
+    cis@ocp4: '5.5.1'
 nist: CM-5(3),CM-7(2),CM-7(5),CM-11
 srg: SRG-APP-000456-CTR-001125
diff --git a/applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml b/applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml
index 5bb756ba5f0..96ad5d0e3d6 100644
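Review bot: The `cis@ocp4: '5.5.1'` line added under `references:` in ocp_allowed_registries/rule.yml is keyed by product only, not by benchmark version, so the same identifier will be rendered for any CIS OpenShift profile that reports `cis@ocp4` references, not just the 1.4.0 control file this commit wires up. If an older CIS OCP benchmark already tracked in this repository numbers image provenance differently, the CIS ID shown in those profiles' reports becomes wrong without any build-time warning; this is inferred from the key name and should be confirmed against the existing cis profile. Where the numbering differs, a one-line comment above the added line, `# CIS OCP 1.4.0 numbering; verify against older benchmark versions sharing this key`, would record the assumption for the next maintainer. The same remark applies to the identical line in the other three rule.yml hunks.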
--- a/applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml
+++ b/applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml
@@ -31,6 +31,7 @@ identifiers:
 cce@ocp4: CCE-86235-9
 references:
+    cis@ocp4: '5.5.1'
 nist: CM-5(3)
 srg: SRG-APP-000014-CTR-000035
diff --git a/applications/openshift/registry/ocp_insecure_registries/rule.yml b/applications/openshift/registry/ocp_insecure_registries/rule.yml
index 2a45599f947..7a377c760ed 100644
--- a/applications/openshift/registry/ocp_insecure_registries/rule.yml
+++ b/applications/openshift/registry/ocp_insecure_registries/rule.yml
@@ -27,6 +27,7 @@ identifiers:
 cce@ocp4: CCE-86123-7
 references:
+    cis@ocp4: '5.5.1'
 nist: CM-5(3)
 srg: SRG-APP-000014-CTR-000035
diff --git a/controls/cis_ocp_1_4_0/section-5.yml b/controls/cis_ocp_1_4_0/section-5.yml
index 6102ed4126a..00cd1f1a866 100644
--- a/controls/cis_ocp_1_4_0/section-5.yml
+++ b/controls/cis_ocp_1_4_0/section-5.yml
@@ -147,14 +147,18 @@ controls:
 levels: level_2
 - id: '5.5'
 title: Extensible Admission Control
- status: pending
+ status: automated
 rules: []
 controls:
 - id: 5.5.1
 title: Configure Image Provenance using image controller configuration parameters
- status: pending
- rules: []
- levels: level_2
+ status: automated
+ rules:
+ - ocp_allowed_registries
+ - ocp_allowed_registries_for_import
+ - ocp_insecure_registries
+ - ocp_insecure_allowed_registries_for_import
+ level: level_2
 - id: '5.7'
 title: General Policies
 status: partial
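Review bot: The last added line of the section-5.yml hunk renames the key from `levels: level_2` (the removed line, and the context line at the top of the same hunk) to the singular `level: level_2`, so control 5.5.1 no longer carries the key the rest of this file uses for its level assignment. If the controls loader only reads `levels`, the singular spelling is presumably ignored rather than rejected, and 5.5.1 would silently drop out of level_2 even though its four rules are now wired up; the fix is to restore `levels: level_2` on that line. It is also worth confirming that the parent `5.5` entry, now `status: automated` with `rules: []`, is meant to derive its status from its child rather than from its own empty rule list. The `controls:` list this hunk edits starts and ends outside the hunk.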