Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CMP 2417: Implement PCI-DSS v4.0 outline for OpenShift #11651

Merged
merged 14 commits into from
Mar 15, 2024

Conversation

rhmdnd
Copy link
Collaborator

@rhmdnd rhmdnd commented Mar 5, 2024

  • CMP-2417: Implement OpenShift PCI-DSS v4 outline for section 1
  • CMP-2417: Implement OpenShift PCI-DSS v4 outline for section 2
  • CMP-2417: Implement OpenShift PCI-DSS v4 outline for section 3
  • CMP-2417: Implement OpenShift PCI-DSS v4 outline for section 4
  • CMP-2417: Implement OpenShift PCI-DSS v4 outline for section 5
  • CMP-2417: Implement OpenShift PCI-DSS v4 outline for section 6
  • CMP-2417: Implement OpenShift PCI-DSS v4 outline for section 7
  • CMP-2417: Implement OpenShift PCI-DSS v4 outline for section 8
  • CMP-2417: Implement OpenShift PCI-DSS v4 outline for section 9
  • CMP-2417: Implement OpenShift PCI-DSS v4 outline for section 10
  • CMP-2417: Implement OpenShift PCI-DSS v4 outline for section 11
  • CMP-2417: Implement OpenShift PCI-DSS v4 outline for section 12
  • CMP-2417: Implement OpenShift PCI-DSS v4 outline for appendix
  • CMP-2417: Add new profiles for OpenShift PCI-DSS version 4.0.0

Note for reviewers

While this change is large, it's broken down into sections per commit. It may be easier to review on a per commit basis.

@rhmdnd rhmdnd added OpenShift OpenShift product related. pci-dss labels Mar 5, 2024
Copy link

github-actions bot commented Mar 5, 2024

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

Copy link

github-actions bot commented Mar 5, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11651
This image was built from commit: c2bc50e

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11651

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11651 make deploy-local

Copy link

codeclimate bot commented Mar 5, 2024

Code Climate has analyzed commit c2bc50e and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.8% (0.0% change).

View more on Code Climate.

@xiaojiey
Copy link
Collaborator

xiaojiey commented Mar 6, 2024

/hold for review

@openshift-ci openshift-ci bot added the do-not-merge/hold Used by openshift-ci-robot bot. label Mar 6, 2024
@rhmdnd
Copy link
Collaborator Author

rhmdnd commented Mar 6, 2024

Additional note for reviews is that this should generate an empty profile, where we can come through later and fill in the rules.

@rhmdnd rhmdnd changed the title CMP 2417 CMP 2417: Implement PCI-DSS v4.0 outline for OpenShift Mar 6, 2024
@BhargaviGudi
Copy link
Collaborator

Verification passed with 4.16.0-0.nightly-2024-03-06-174829 + compliance-operator code

  1. Install CO
  2. ./utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11651
    Scenario 1: upstream-ocp4-pci-dss-4-0
$ oc compliance bind -N test -S default-auto-apply profile/upstream-ocp4-pci-dss-4-0
Creating ScanSettingBinding test
$ oc get suite -w
NAME   PHASE     RESULT
test   RUNNING   NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   DONE          NON-COMPLIANT
test   DONE          NON-COMPLIANT
^C$ oc get scan
NAME                        PHASE   RESULT
upstream-ocp4-pci-dss-4-0   DONE    NON-COMPLIANT
$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL 
No resources found in openshift-compliance namespace.
$ oc get ccr | grep FAIL
upstream-ocp4-pci-dss-4-0-api-server-api-priority-gate-enabled                     FAIL     medium
upstream-ocp4-pci-dss-4-0-audit-log-forwarding-enabled                             FAIL     medium
upstream-ocp4-pci-dss-4-0-configure-network-policies-namespaces                    FAIL     high
upstream-ocp4-pci-dss-4-0-kubeadmin-removed                                        FAIL     medium
upstream-ocp4-pci-dss-4-0-ocp-allowed-registries                                   FAIL     medium
upstream-ocp4-pci-dss-4-0-ocp-allowed-registries-for-import                        FAIL     medium

Scenario 2: upstream-ocp4-pci-dss-node-4-0

bgudi@bgudi-thinkpadt14sgen2i content]$  oc get profiles.compliance.openshift.io upstream-ocp4-pci-dss-node-4-0 -oyaml | grep 4.0.0
description: Ensures PCI-DSS v4.0.0 security configuration settings are applied.
title: PCI-DSS v4.0.0 Control Baseline for Red Hat OpenShift Container Platform 4
version: 4.0.0
$ oc get suite
NAME   PHASE   RESULT
test   DONE    NON-COMPLIANT
$ oc get ccr | grep FAIL
upstream-ocp4-pci-dss-4-0-api-server-api-priority-gate-enabled                     FAIL     medium
upstream-ocp4-pci-dss-4-0-audit-log-forwarding-enabled                             FAIL     medium
upstream-ocp4-pci-dss-4-0-configure-network-policies-namespaces                    FAIL     high
upstream-ocp4-pci-dss-4-0-kubeadmin-removed                                        FAIL     medium
upstream-ocp4-pci-dss-4-0-ocp-allowed-registries                                   FAIL     medium
upstream-ocp4-pci-dss-4-0-ocp-allowed-registries-for-import                        FAIL     medium
$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL 
No resources found in openshift-compliance namespace.

Scenario 3: upstream-ocp4-pci-dss-4-0 and upstream-ocp4-pci-dss-node-4-0

$ oc compliance bind -N test -S default-auto-apply profile/upstream-ocp4-pci-dss-4-0 profile/upstream-ocp4-pci-dss-node-4-0
Creating ScanSettingBinding test
$ oc get suite -w
NAME   PHASE       RESULT
test   LAUNCHING   NOT-AVAILABLE
test   LAUNCHING   NOT-AVAILABLE
test   LAUNCHING   NOT-AVAILABLE
test   RUNNING     NOT-AVAILABLE
test   RUNNING     NOT-AVAILABLE
test   RUNNING     NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   DONE          NON-COMPLIANT
test   DONE          NON-COMPLIANT
$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL 
No resources found in openshift-compliance namespace.
$ oc get ccr -l compliance.openshift.io/inconsistent-check
No resources found in openshift-compliance namespace.

Scenario 4: Verify version

$  oc get profiles.compliance.openshift.io upstream-ocp4-pci-dss-4-0 -o=jsonpath={.version}
4.0.0
$  oc get profiles.compliance.openshift.io upstream-ocp4-pci-dss-node-4-0 -o=jsonpath={.version}
4.0.0

@BhargaviGudi
Copy link
Collaborator

/unhold

@openshift-ci openshift-ci bot removed the do-not-merge/hold Used by openshift-ci-robot bot. label Mar 7, 2024
@rhmdnd
Copy link
Collaborator Author

rhmdnd commented Mar 11, 2024

@Vincent056 should be ready for another look.

Copy link
Member

@yuumasato yuumasato left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The content in the controls look fine.
I just have a few remarks on the control ID and levels.

It seems to me that the policy doesn't clearly define levels, and they were not used in the 3.2.1 profiles.

controls/pcidss_4_ocp4.yml Show resolved Hide resolved
controls/pcidss_4_ocp4.yml Show resolved Hide resolved
controls/pcidss_4_ocp4.yml Show resolved Hide resolved
@yuumasato yuumasato added this to the 0.1.73 milestone Mar 15, 2024
@yuumasato yuumasato merged commit 844bd35 into ComplianceAsCode:master Mar 15, 2024
44 checks passed
@Mab879 Mab879 added New Profile Issues or pull requests related to new Profiles. Highlight This PR/Issue should make it to the featured changelog. labels May 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Highlight This PR/Issue should make it to the featured changelog. New Profile Issues or pull requests related to new Profiles. OpenShift OpenShift product related. pci-dss
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants