Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove protect kernel default and sysctl rules from CIS #10931

Merged
merged 1 commit into from
Aug 1, 2023
Merged

Remove protect kernel default and sysctl rules from CIS #10931

merged 1 commit into from
Aug 1, 2023

Conversation

rhmdnd
Copy link
Collaborator

@rhmdnd rhmdnd commented Jul 31, 2023

Upstream guidance in the Kubernetes benchmarks for protecting kernel
defaults and sysctl rules was removed. This removal affected the CIS
benchmark since it is rebased to pickup general guidance from the
Kubernetes CIS community.

This commit updates those rules and removes the CIS references from them
so that they're consistent with CIS OpenShift 1.4.0. The following is
the relevant upstream CIS discussion about the removal.

https://workbench.cisecurity.org/benchmarks/11107/tickets/17377

@rhmdnd
Remove protect kernel default and sysctl rules from CIS
0f5ed45 
Upstream guidance in the Kubernetes benchmarks for protecting kernel
defaults and sysctl rules was removed. This removal affected the CIS
benchmark since it is rebased to pickup general guidance from the
Kubernetes CIS community.

This commit updates those rules and removes the CIS references from them
so that they're consistent with CIS OpenShift 1.4.0. The following is
the relevant upstream CIS discussion about the removal.

  https://workbench.cisecurity.org/benchmarks/11107/tickets/17377
@rhmdnd
Copy link
Collaborator Author

rhmdnd commented Jul 31, 2023

Technically - this also means those rules will no longer be included in the fedramp or PCI-DSS profiles.

We can either add them explicitly under another control, or omit them like CIS did.

@rhmdnd rhmdnd requested a review from yuumasato July 31, 2023 19:40
@github-actions
Copy link

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@codeclimate
Copy link

codeclimate bot commented Jul 31, 2023

Code Climate has analyzed commit 0f5ed45 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.2% (0.0% change).

View more on Code Climate.

@yuumasato yuumasato self-assigned this Aug 1, 2023
yuumasato
yuumasato approved these changes Aug 1, 2023
View reviewed changes
Copy link
Member

@yuumasato yuumasato left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, the rules are not used in the CIS profile.

@yuumasato yuumasato added this to the 0.1.70 milestone Aug 1, 2023
@yuumasato
Copy link
Member

Technically - this also means those rules will no longer be included in the fedramp or PCI-DSS profiles.

From what is described in https://workbench.cisecurity.org/benchmarks/11107/tickets/17377 the rules don't seem to bring any value, so I'd favor removing them.

We can either add them explicitly under another control, or omit them like CIS did.

Another option is to directly select the rules in profiles/pci-dss.profile.

@rhmdnd
Copy link
Collaborator Author

rhmdnd commented Aug 1, 2023

Another option is to directly select the rules in profiles/pci-dss.profile.

Correct. Since these rules were only pulled in as a side-effect of relying on CIS in the PCI-DSS benchmark, I'm curious if they "must" be included with PCI-DSS.

In other cases (like CIS 5.5.1), we pulled in additional rules (like the OCP allowed registry rules) and omit the general webhook rule, which would have affected the overall PCI-DSS rules, too.

If we apply that same principle here, we wouldn't be re-adding those rules to the PCI-DSS profile, which seems reasonable given the justification in the CIS Workbench discussion.

@rhmdnd rhmdnd merged commit e4a59de into ComplianceAsCode:master Aug 1, 2023
33 of 34 checks passed
@Mab879 Mab879 added Update Profile Issues or pull requests related to Profiles updates. OpenShift OpenShift product related. CIS CIS Benchmark related. labels Oct 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yuumasato yuumasato yuumasato approved these changes

Assignees

@yuumasato yuumasato

Labels
CIS CIS Benchmark related. OpenShift OpenShift product related. Update Profile Issues or pull requests related to Profiles updates.
Projects
None yet
Milestone
0.1.70
Development

Successfully merging this pull request may close these issues.
3 participants
@rhmdnd @yuumasato @Mab879