From 55e3a8bfc25315b5ae1c2a5a7aa770975527d969 Mon Sep 17 00:00:00 2001
From: sluetze <13255307+sluetze@users.noreply.github.com>
Date: Tue, 29 Oct 2024 23:02:51 +0100
Subject: [PATCH] add docs

---
 BSI/Containerfile | 11 ++++++++
 BSI/ProfileBundles.yaml | 17 ++++++++++++
 BSI/README.md | 38 ++++++++++++++++++++++++++
 BSI/ScanSettings.yaml | 41 +++++++++++++++++++++++++++++
 products/ocp4/profiles/test.profile | 9 +++++++
 5 files changed, 116 insertions(+)
 create mode 100644 BSI/Containerfile
 create mode 100644 BSI/ProfileBundles.yaml
 create mode 100644 BSI/README.md
 create mode 100644 BSI/ScanSettings.yaml
 create mode 100644 products/ocp4/profiles/test.profile

diff --git a/BSI/Containerfile b/BSI/Containerfile
new file mode 100644
index 00000000000..c247fa33808
--- /dev/null
+++ b/BSI/Containerfile
@@ -0,0 +1,11 @@
+FROM registry.fedoraproject.org/fedora-minimal:38 as builder
+WORKDIR /content
+COPY . .
+RUN microdnf -y install cmake make git /usr/bin/python3 python3-pyyaml python3-jinja2 openscap-utils
+RUN ./build_product --datastream-only --debug ocp4 rhcos4
+
+
+FROM registry.access.redhat.com/ubi8/ubi-minimal
+WORKDIR /
+COPY --from=builder /content/build/ssg-ocp4-ds.xml .
+COPY --from=builder /content/build/ssg-rhcos4-ds.xml .
diff --git a/BSI/ProfileBundles.yaml b/BSI/ProfileBundles.yaml
new file mode 100644
index 00000000000..97e07503b7d
--- /dev/null
+++ b/BSI/ProfileBundles.yaml
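Review bot: The runtime stage `FROM registry.access.redhat.com/ubi8/ubi-minimal` carries no tag or digest, so it resolves to whatever the registry currently serves as `latest`, and the image that `BSI/ProfileBundles.yaml` pins by digest cannot be rebuilt reproducibly from this file; pin it, e.g. `FROM registry.access.redhat.com/ubi8/ubi-minimal:<tag>@sha256:<digest>`. The builder base `fedora-minimal:38` is pinned, but as far as I know Fedora 38 reached end of life in May 2024, so the build toolchain installed on top of it no longer receives updates. `COPY . .` on the third line sits before the `microdnf install` layer, so every content change re-installs the packages; moving the install above the copy and appending `&& microdnf clean all` in the same `RUN` keeps that layer cached and small. Minor: `as builder` should read `AS builder` to match the instruction casing.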
@@ -0,0 +1,17 @@
+apiVersion: compliance.openshift.io/v1alpha1
+kind: ProfileBundle
+metadata:
+ name: upstream-rhcos4
+ namespace: openshift-compliance
+spec:
+ contentFile: ssg-rhcos4-ds.xml
+ contentImage: quay.io/sluetzen/sig-bsi-grundschutz-content@sha256:c69db5c430b46f102a0bdea1f22ff66dd74c8fc7b921ed9d0039c6dba4a831be
+---
+apiVersion: compliance.openshift.io/v1alpha1
+kind: ProfileBundle
+metadata:
+ name: upstream-ocp4
+ namespace: openshift-compliance
+spec:
+ contentFile: ssg-ocp4-ds.xml
+ contentImage: quay.io/sluetzen/sig-bsi-grundschutz-content@sha256:c69db5c430b46f102a0bdea1f22ff66dd74c8fc7b921ed9d0039c6dba4a831be
diff --git a/BSI/README.md b/BSI/README.md
new file mode 100644
index 00000000000..0d3463974c3
--- /dev/null
+++ b/BSI/README.md
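Review bot: Both `contentImage` values pin `quay.io/sluetzen/sig-bsi-grundschutz-content@sha256:c69db5…` without recording what the digest was built from, so nobody can later verify that the content loaded into the cluster matches the branch the README tells users to clone; a comment above each bundle such as `# built from branch bsi-profile-complete-2024-10-31 with BSI/Containerfile; update the digest whenever the content is rebuilt` would make the pin auditable. The image also lives in a personal registry namespace (`quay.io/sluetzen`) rather than one owned by the project, which means every consumer of this compliance content trusts one individual account's push access; that is worth stating in the file or README, or the image should move to an organisation-owned namespace. Pinning by digest rather than tag is the right choice here and should be kept.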
@@ -0,0 +1,38 @@
+# Summary
+The following is intended for people who want to use this UPSTREAM content in the context of OpenShift, and do not need to understand the details of the buildprocess. It combines the Red Hat packaged Compliance Operator from Red Hat with the upstream content
+
+# Install Compliance Operator
+Follow the guidance in the official docs
+https://docs.openshift.com/container-platform/4.16/security/compliance_operator/co-management/compliance-operator-installation.html#compliance-operator-installation
+
+# Build
+You can get the content in different ways. First possibility is a build from source in your own infrastructure.
+The other possibility is a prebuild-content image, which provides the build content for you
+
+## ALTERNATIVE A: BUILD FROM SOURCE
+This Process builds the content only for one cluster in the internal registry. if you need it in different clusters, you need to build it and output it to a image-repository. You can do this in an openshift cluster using the `outputs` in the `BuildConfig` or just manually build with `podman build --tag $IMAGEREGISTRY:$TAG --file BSI/Containerfile .` from the `content` directory
+
+### Clone git Repository
+`git clone --depth 1 https://github.com/sig-bsi-grundschutz/content.git --branch bsi-profile-complete-2024-10-31`
+
+### Build content in the cluster using the build scripts
+`./utils/build_ds_container.py --create-profile-bundles --build-in-cluster`
+
+IMPORTANT! 
+This creates additional upstream-rules and Profiles (prefixed with upstream) in the OpenShift Cluster due to the current functionality in RHACS the Compliance Dashboard in RHACS will show DUPLICATE RULES and throw ERRORS for the duplicate rules and not show the additional content
+
+This can currently be worked around with the following command, which REPLACES THE SUPPORTED CONTENT with the upstream content
+`./utils/build_ds_container.py --create-profile-bundles --build-in-cluster --no-upstream-prefix`
+
+## ALTERNATIVE B: Use PreBuild Image
+in disconnected / airgapped environments you might want to mirror the image first and either change the contentImage or create a `ImageDigestMirrorSet`.
+
+This follows https://docs.openshift.com/container-platform/4.17/security/compliance_operator/co-management/compliance-operator-manage.html
+
+`oc apply -f BSI/ProfileBundles.yaml`
+
+# Schedule
+The profiles are prefixed with upstream in this case. If you do not use a prefix, please change accordingly
+This follows https://docs.openshift.com/container-platform/4.17/security/compliance_operator/co-scans/compliance-scans.html
+
+`oc apply -f BSI/ScanSettings.yaml`
diff --git a/BSI/ScanSettings.yaml b/BSI/ScanSettings.yaml
new file mode 100644
index 00000000000..02a4484ea1e
--- /dev/null
+++ b/BSI/ScanSettings.yaml
@@ -0,0 +1,41 @@
+apiVersion: compliance.openshift.io/v1alpha1
+kind: ScanSettingBinding
+metadata:
+ name: upstream-bsi-ocp
+ namespace: openshift-compliance
+profiles:
+ - apiGroup: compliance.openshift.io/v1alpha1
+ kind: Profile
+ name: upstream-ocp4-bsi
+ - apiGroup: compliance.openshift.io/v1alpha1
+ kind: Profile
+ name: upstream-ocp4-bsi-node
+settingsRef:
+ apiGroup: compliance.openshift.io/v1alpha1
+ kind: ScanSetting
+ name: bsi-schedule
+---
+apiVersion: compliance.openshift.io/v1alpha1
+kind: ScanSettingBinding
+metadata:
+ name: upstream-bsi-rhcos
+ namespace: openshift-compliance
+profiles:
+ - apiGroup: compliance.openshift.io/v1alpha1
+ kind: Profile
+ name: upstream-rhcos4-bsi
+settingsRef:
+ apiGroup: compliance.openshift.io/v1alpha1
+ kind: ScanSetting
+ name: bsi-schedule
+---
+apiVersion: compliance.openshift.io/v1alpha1
+kind: ScanSetting
+maxRetryOnTimeout: 3
+metadata:
+ name: bsi-schedule
+ namespace: openshift-compliance
+roles:
+ - master
+ - worker
+schedule: 0 1 * * 1
diff --git a/products/ocp4/profiles/test.profile b/products/ocp4/profiles/test.profile
new file mode 100644
index 00000000000..8a17261b452
--- /dev/null
+++ b/products/ocp4/profiles/test.profile
@@ -0,0 +1,9 @@
+documentation_complete: true
+
+title: 'Test Profile for sandboxed_containers_operator_configured'
+
+platform: ocp4
+
+description: Test Profile
+selections:
+- sandboxed_containers_operator_configured
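Review bot: The `ScanSetting` `bsi-schedule` lists only `roles: master, worker`, so nodes in any additional MachineConfigPool (a custom infra pool, for example) would, as far as I know, never be scanned by the `upstream-bsi-rhcos` binding, which leaves a silent coverage gap in the node-level BSI checks; a comment such as `# roles must list every MachineConfigPool whose nodes are to be scanned` beside `roles:` would flag this to operators. The two bindings hard-code the `upstream-` profile prefix that the README's `--no-upstream-prefix` workaround removes, so a user following that path ends up with bindings that reference profiles that do not exist; a comment `# profile names assume the upstream- prefix produced by build_ds_container.py` above each `profiles:` list would make the dependency explicit. The bindings also reference `bsi-schedule` before the `ScanSetting` that defines it appears in the same file; `oc apply -f` copes with that, but placing the `ScanSetting` document first reads more naturally.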
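Review bot: `products/ocp4/profiles/test.profile` is marked `documentation_complete: true`, so the `build_product ... ocp4` step in `BSI/Containerfile` compiles it into `ssg-ocp4-ds.xml` and it ships to every consuming cluster as a selectable profile next to the real BSI profiles, titled as a test with a single rule; it also falls outside the `add docs` scope named in the commit subject. If it is only needed for local testing, setting `documentation_complete: false` (which, as far as I know, keeps a profile out of the built datastream) or leaving the file out of this commit avoids exposing a throwaway profile to users. Either way, `description: Test Profile` should state what the profile is for rather than repeating the title.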