forked from ComplianceAsCode/content
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add autoapplyremediation rule for APP.4.4.A13
- Loading branch information
Showing
3 changed files
with
54 additions
and
1 deletion.
There are no files selected for viewing
50 changes: 50 additions & 0 deletions
50
applications/openshift/risk-assessment/scansetting_has_autoapplyremediations/rule.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| documentation_complete: true | ||
|
|
||
| title: Enable AutoApplyRemediation for at least One ScanSetting | ||
|
|
||
| description: |- | ||
| {{{ weblink(link="https://docs.openshift.com/container-platform/latest/security/compliance_operator/compliance-operator-understanding.html#compliance-operator-understanding", | ||
| text="The Compliance Operator") }}} | ||
| scans the hosts and the platform (OCP) | ||
| configurations for software flaws and improper configurations according | ||
| to different compliance benchmarks. Compliance Operator allows its | ||
| scans to automatically apply remediations for failed rules, if such remediations exist. | ||
| Applying remediations automatically should only be done with careful consideration. | ||
| The Compliance Operator does not automatically resolve dependency issues that can occur between remediations. Users should perform a rescan after remediations are applied to ensure accurate results. | ||
| rationale: |- | ||
| With enabled AutoApplyRemediation compliance failures get automatically corrected. | ||
| ocil_clause: 'compliance operator is not automatically remediating the cluster' | ||
|
|
||
| ocil: |- | ||
| Run the following command to retrieve the scansettingbindings in the system: | ||
| <pre>oc get scansettings -ojson | jq '.items[].autoApplyRemediations'</pre> | ||
| If a scansetting is defined to set the autoApplyRemediation attribute, the above | ||
| filter will return at least one 'true'. Run the following jq query to identify the non-compliant scansettings objects: | ||
| <pre>oc get scansettings -ojson | jq -r '[.items[] | select(.autoApplyRemediation != "" or .autoApplyRemediation != null) | .metadata.name]'</pre> | ||
| references: | ||
| bsi: APP.4.4.A13 | ||
|
|
||
| severity: medium | ||
|
|
||
| warnings: | ||
| - general: |- | ||
| {{{ openshift_cluster_setting('/apis/compliance.openshift.io/v1alpha1/scansettings') | indent(4) }}} | ||
| template: | ||
| name: yamlfile_value | ||
| vars: | ||
| ocp_data: "true" | ||
| filepath: /apis/compliance.openshift.io/v1alpha1/scansettings | ||
| yamlpath: ".items[:].autoApplyRemediations" | ||
| check_existence: "at_least_one_exists" | ||
| entity_check: "at least one" | ||
| values: | ||
| - value: "true" | ||
| entity_check: "at least one" | ||
| operation: "pattern match" | ||
| check_existence: "at_least_one_exists" |
2 changes: 2 additions & 0 deletions
2
...ations/openshift/risk-assessment/scansetting_has_autoapplyremediations/tests/ocp4/e2e.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| --- | ||
| default_result: PASS |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters