Merge branch 'ComplianceAsCode:master' into demo-pst

applications/openshift/etcd/etcd_backup/rule.yml

@@ -0,0 +1,30 @@
+documentation_complete: true
+
+title: Configure Recurring Backups For etcd
+
+description: |-
+    <p>
+    Back up your clusters etcd data regularly and store in a secure location ideally outside the OpenShift Container Platform environment. Do not take an etcd backup before the first certificate rotation completes, which occurs 24 hours after installation, otherwise the backup will contain expired certificates. It is also recommended to take etcd backups during non-peak usage hours because the etcd snapshot has a high I/O cost.
+    </p>
+    <p>
+    For more information, follow
+    {{{ weblink(link="https://docs.openshift.com/container-platform/latest/backup_and_restore/control_plane_backup_and_restore/backing-up-etcd.html#backing-up-etcd-data_backup-etcd",
+                text="the relevant documentation") }}}.
+    </p>
+
+rationale: |-
+    While etcd automatically recovers from temporary failures, issues may arise if an etcd cluster loses more than (N-1)/2 or when an update goes wrong.
+    Recurring backups of etcd enable you to recover from a disastrous fail.
+
+identifiers:
+    cce@ocp4: CCE-88188-8
+
+references:
+    bsi: APP.4.4.A5
+
+severity: medium
+
+ocil_clause: 'etcd backup needs review'
+
+ocil: |-
+    Ensure, that you have a process in place, that ensures that you do recurring backups for etcd.

applications/openshift/etcd/etcd_backup/tests/ocp4/e2e.yml

@@ -0,0 +1,2 @@
+---
+default_result: MANUAL

applications/openshift/general/general_backup_solution_installed/rule.yml

@@ -0,0 +1,44 @@
+documentation_complete: true
+
+title: A Backup Solution Has To Be Installed
+
+description: |-
+    Backup and Restore are fundamental practices when it comes to disaster recovery. By utilizing a Backup Software you are able to backup (and restore) data, which is lost, if your cluster crashes beyong recoverability.
+    There are multiple Backup Solutions on the Market which diverge in Features. Thus some of them might only backup your cluster, others might also be able to backup VMs or PVCs running in your Cluster.
+
+rationale: |-
+    Backup and Recovery abilities are a necessity to recover from a disaster.
+
+identifiers:
+    cce@ocp4: CCE-90185-0
+
+references:
+    bsi: APP.4.4.A5
+
+severity: medium
+
+ocil_clause: 'No CRDs from a known backup solution installed'
+
+ocil: |-
+    Run the following command to retrieve the customresourcedefinitions objects in the system:
+    <pre>$ oc crds </pre>
+    Make sure there is a crd of a backup solution. Also make sure, that the backup solution is properly configured and that you are able to recover from the backups.
+    You can add your known CRD to the var_backup_solution_crds_regex, to allowlist your own backup solution.
+
+{{% set jqfilter = '[.items[] | if select(.metadata.name | test("{{.var_backup_solution_crds_regex}}"))!=null then true else false end]' %}}
+
+warnings:
+- general: |-
+    {{{ openshift_filtered_cluster_setting({'/apis/apiextensions.k8s.io/v1/customresourcedefinitions?limit=500': jqfilter}) | indent(4) }}}
+
+template:
+    name: yamlfile_value
+    vars:
+        ocp_data: 'true'
+        filepath: "{{{ openshift_filtered_path('/apis/apiextensions.k8s.io/v1/customresourcedefinitions?limit=500', jqfilter) }}}"
+        yamlpath: "[:]"
+        entity_check: "at least one"
+        values:
+        -   value: 'true'
+            type: "string"
+            entity_check: "at least one"

applications/openshift/general/general_backup_solution_installed/tests/ocp4/e2e.yml

@@ -0,0 +1,3 @@
+---
+default_result: FAIL
+

applications/openshift/general/var_backup_solution_crds_regex.var

@@ -0,0 +1,15 @@
+documentation_complete: true
+
+title: 'Known CRDs which are provided by backup solutions'
+
+description: |-
+   'A regular expression that lists all CRDs that are known to be part of a backup solution'
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+   default: '^DataProtectionApplication\\.oadp\\.openshift\\.io$|^backups\\.velero\\.io$|^policies\\.config\\.kio\\.kasten\\.io$'

controls/bsi_app_4_4.yml

@@ -143,19 +143,30 @@ controls:
     levels:
     - basic
     description: >-
-      A cluster MUST have a backup. The backup MUST include:
-        • Persistent volumes
-        • Configuration files for Kubernetes and the other programs of the control plane
-        • The current state of the Kubernetes cluster, including extensions
-        • Databases of the configuration (namely etcd in this case)
-        • All infrastructure applications required to operate the cluster and the services within it
-        • The data storage of the code and image registries
-        Snapshots for the operation of the applications SHOULD also be considered. Snapshots MUST
-        NOT be considered a substitute for backups.
+      (1) A cluster MUST have a backup. The backup MUST include:
+        (2) • Persistent volumes
+        (3) • Configuration files for Kubernetes and the other programs of the control plane
+        (4) • The current state of the Kubernetes cluster, including extensions
+        (5) • Databases of the configuration (namely etcd in this case)
+        (6) • All infrastructure applications required to operate the cluster and the services within it
+        (7) • The data storage of the code and image registries
+      (8) Snapshots for the operation of the applications SHOULD also be considered. Snapshots MUST NOT be considered a substitute for backups.
     notes: >-
-      TBD
-    status: pending
-    rules: []
+      The data backup of a cluster must be individually defined as part of the system architecture as part of the operating model. The areas of responsibility for the container platform (cluster administration), the infrastructure services (system administration) and the application management (technical administration) should be considered separately.
+
+      For data backup as part of cluster administration (Kubernetes configuration, current state of the Kubernetes cluster, configuration database) the integrated functions or methods of OpenShift must be used. System administration and specialist administration must be carried out in accordance with the respective specifications.
+
+      Snapshots for persistent volumes are supported when using OpenShift's Container Storage Interface (CSI) drivers. OpenShift offers an easily configurable backup system with the OpenShift API for Data Protection (OADP).
+
+      Additional third-party solutions for backup are also available in the OperatorHub.
+
+      The checks are not checking the requirement in detail. They only setup a foundation to implement the configurations as described. For Section 3,4 and 6 a GitOps approach might achieve the best results. for 2 and 7 a sufficient backup solution is needed. 5 can be achieved with onboard utilities. 8 is dependend on the CSI provider and the available features
+    status: partial
+    rules:
+      # Section 2,7
+      - general_backup_solution_installed
+      # Section 5
+      - etcd_backup
 
   - id: APP.4.4.A6
     title: Initialisation of Pods

shared/references/cce-redhat-avail.txt

@@ -1403,7 +1403,6 @@ CCE-88183-9
 CCE-88184-7
 CCE-88186-2
 CCE-88187-0
-CCE-88188-8
 CCE-88189-6
 CCE-88190-4
 CCE-88191-2
@@ -3183,7 +3182,6 @@ CCE-90181-9
 CCE-90182-7
 CCE-90183-5
 CCE-90184-3
-CCE-90185-0
 CCE-90186-8
 CCE-90188-4
 CCE-90189-2