Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CMP-2456: PCI-DSS v4 Requirement 4 #12002

Merged
merged 4 commits into from
Jun 20, 2024
Merged

CMP-2456: PCI-DSS v4 Requirement 4 #12002

merged 4 commits into from
Jun 20, 2024

Conversation

yuumasato
Copy link
Member

Description:

  • 4.1 is not applicable
    Documentation and processes are not be created and maintained at in OpenShift.
  • 4.2 is partially applicable
    While OCP uses and can provide support for secure cryptography and protocols, the application / workload needs correctly to leverage them.

@yuumasato yuumasato added the OpenShift OpenShift product related. label May 16, 2024
@github-actions GitHub Actions
Copy link

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@github-actions GitHub Actions
Copy link

github-actions bot commented May 16, 2024
edited
Loading

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12002
This image was built from commit: 00cfb09

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12002

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12002 make deploy-local

yuumasato
yuumasato commented May 21, 2024
View reviewed changes
controls/pcidss_4_ocp4.yml Outdated Show resolved Hide resolved
@rhmdnd
Copy link
Collaborator

rhmdnd commented May 23, 2024

/test

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented May 23, 2024

@rhmdnd: The /test command needs one or more targets.
The following commands are available to trigger required jobs:

  • /test 4.13-e2e-aws-ocp4-bsi
  • /test 4.13-e2e-aws-ocp4-bsi-node
  • /test 4.13-e2e-aws-ocp4-cis
  • /test 4.13-e2e-aws-ocp4-cis-node
  • /test 4.13-e2e-aws-ocp4-e8
  • /test 4.13-e2e-aws-ocp4-high
  • /test 4.13-e2e-aws-ocp4-high-node
  • /test 4.13-e2e-aws-ocp4-moderate
  • /test 4.13-e2e-aws-ocp4-moderate-node
  • /test 4.13-e2e-aws-ocp4-pci-dss
  • /test 4.13-e2e-aws-ocp4-pci-dss-node
  • /test 4.13-e2e-aws-ocp4-stig
  • /test 4.13-e2e-aws-ocp4-stig-node
  • /test 4.13-e2e-aws-rhcos4-bsi
  • /test 4.13-e2e-aws-rhcos4-e8
  • /test 4.13-e2e-aws-rhcos4-high
  • /test 4.13-e2e-aws-rhcos4-moderate
  • /test 4.13-e2e-aws-rhcos4-stig
  • /test 4.13-images
  • /test 4.14-e2e-aws-ocp4-bsi
  • /test 4.14-e2e-aws-ocp4-bsi-node
  • /test 4.14-e2e-aws-rhcos4-bsi
  • /test 4.14-images
  • /test 4.15-e2e-aws-ocp4-bsi
  • /test 4.15-e2e-aws-ocp4-bsi-node
  • /test 4.15-e2e-aws-ocp4-cis
  • /test 4.15-e2e-aws-ocp4-cis-node
  • /test 4.15-e2e-aws-ocp4-e8
  • /test 4.15-e2e-aws-ocp4-high
  • /test 4.15-e2e-aws-ocp4-high-node
  • /test 4.15-e2e-aws-ocp4-moderate
  • /test 4.15-e2e-aws-ocp4-moderate-node
  • /test 4.15-e2e-aws-ocp4-pci-dss
  • /test 4.15-e2e-aws-ocp4-pci-dss-node
  • /test 4.15-e2e-aws-ocp4-stig
  • /test 4.15-e2e-aws-ocp4-stig-node
  • /test 4.15-e2e-aws-rhcos4-bsi
  • /test 4.15-e2e-aws-rhcos4-e8
  • /test 4.15-e2e-aws-rhcos4-high
  • /test 4.15-e2e-aws-rhcos4-moderate
  • /test 4.15-e2e-aws-rhcos4-stig
  • /test 4.15-e2e-rosa-ocp4-cis-node
  • /test 4.15-e2e-rosa-ocp4-pci-dss-node
  • /test 4.15-images
  • /test 4.16-e2e-aws-ocp4-bsi
  • /test 4.16-e2e-aws-ocp4-bsi-node
  • /test 4.16-e2e-aws-ocp4-cis
  • /test 4.16-e2e-aws-ocp4-cis-node
  • /test 4.16-e2e-aws-ocp4-e8
  • /test 4.16-e2e-aws-ocp4-high
  • /test 4.16-e2e-aws-ocp4-high-node
  • /test 4.16-e2e-aws-ocp4-moderate
  • /test 4.16-e2e-aws-ocp4-moderate-node
  • /test 4.16-e2e-aws-ocp4-pci-dss
  • /test 4.16-e2e-aws-ocp4-pci-dss-node
  • /test 4.16-e2e-aws-ocp4-stig
  • /test 4.16-e2e-aws-ocp4-stig-node
  • /test 4.16-e2e-aws-rhcos4-bsi
  • /test 4.16-e2e-aws-rhcos4-e8
  • /test 4.16-e2e-aws-rhcos4-high
  • /test 4.16-e2e-aws-rhcos4-moderate
  • /test 4.16-e2e-aws-rhcos4-stig
  • /test 4.16-images
  • /test e2e-aws-ocp4-bsi
  • /test e2e-aws-ocp4-bsi-node
  • /test e2e-aws-ocp4-cis
  • /test e2e-aws-ocp4-cis-node
  • /test e2e-aws-ocp4-e8
  • /test e2e-aws-ocp4-high
  • /test e2e-aws-ocp4-high-node
  • /test e2e-aws-ocp4-moderate
  • /test e2e-aws-ocp4-moderate-node
  • /test e2e-aws-ocp4-pci-dss
  • /test e2e-aws-ocp4-pci-dss-node
  • /test e2e-aws-ocp4-stig
  • /test e2e-aws-ocp4-stig-node
  • /test e2e-aws-rhcos4-bsi
  • /test e2e-aws-rhcos4-e8
  • /test e2e-aws-rhcos4-high
  • /test e2e-aws-rhcos4-moderate
  • /test e2e-aws-rhcos4-stig
  • /test images

Use /test all to run the following jobs that were automatically triggered:

  • pull-ci-ComplianceAsCode-content-master-4.13-images
  • pull-ci-ComplianceAsCode-content-master-4.14-images
  • pull-ci-ComplianceAsCode-content-master-4.15-images
  • pull-ci-ComplianceAsCode-content-master-4.16-images
  • pull-ci-ComplianceAsCode-content-master-images

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@rhmdnd
Copy link
Collaborator

rhmdnd commented May 23, 2024

Kicking the tires on some new CI we have for ROSA:

/test 4.15-e2e-rosa-ocp4-cis-node
/test 4.15-e2e-rosa-ocp4-pci-dss-node

@xiaojiey
Copy link
Collaborator

/hold for test

@openshift-ci openshift-ci bot added the do-not-merge/hold Used by openshift-ci-robot bot. label May 27, 2024
@xiaojiey
Copy link
Collaborator

/unhold

@openshift-ci openshift-ci bot removed the do-not-merge/hold Used by openshift-ci-robot bot. label May 30, 2024
rhmdnd
rhmdnd reviewed Jun 3, 2024
View reviewed changes
Copy link
Collaborator

@rhmdnd rhmdnd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall looks good to me. Just one question on if we need to include a couple additional rules for encrypting network traffic.

@rhmdnd rhmdnd added the pci-dss label Jun 5, 2024
@yuumasato yuumasato requested a review from rhmdnd June 6, 2024 16:56
rhmdnd
rhmdnd reviewed Jun 7, 2024
View reviewed changes
Copy link
Collaborator

@rhmdnd rhmdnd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. I'll keep my comment open since @xiaojiey has a valid question there, too.

@yuumasato
Copy link
Member Author

Following my comment on #12002 (comment) I have removed the etcd_check_cipher_suite.

@xiaojiey
Copy link
Collaborator

/retest

@xiaojiey
Copy link
Collaborator

/lgtm

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Jun 11, 2024
edited
Loading

@yuumasato: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/4.15-e2e-rosa-ocp4-cis-node 997b24c link true /test 4.15-e2e-rosa-ocp4-cis-node
ci/prow/4.15-e2e-rosa-ocp4-pci-dss-node 997b24c link true /test 4.15-e2e-rosa-ocp4-pci-dss-node

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@xiaojiey
Copy link
Collaborator

Following my comment on #12002 (comment) I have removed the etcd_check_cipher_suite.

@yuumasato I noticed this error in the ci jobs. Do we need to drop this rule?
ValueError: Control pcidss_4_ocp4:4.2.1 contains nonexisting rule(s) api_server_tls_cipher_suite

@yuumasato
Copy link
Member Author

api_server_tls_cipher_suite

@xiaojiey There was a typo in the rule. Should be fixed now.

@xiaojiey
Copy link
Collaborator

/lgtm

@yuumasato
Copy link
Member Author

Rebased on top of latest master.

@yuumasato
CMP-2456: Requirement 4.1 is not applicable
b214f11 
This req is defining processes and creating documentation.
@yuumasato
CMP-2456: Requirement 4.2 is partial
0f707bf 
OpenShift uses and provides strong cryptography and secure protocols,
but it is still up to the applications to leverage them.
@yuumasato
Adjust PCI-DSS 4.2.1
f22b4c0 
- Add api_server_tls_cert rule
- Tweak note on requirement 4.2.1
@yuumasato
Add tls_cipher_suite, drop etcd cihper rule
00cfb09 
The rule api_server_tls_security_profile sets up a custom security
profile, without specifying ciphers. So we also need to select
api_server_tls_security_profile.

Removing etcd cipher rule, it is not related to transission on public
networks.
@codeclimate CodeClimate
Copy link

codeclimate bot commented Jun 19, 2024

Code Climate has analyzed commit 00cfb09 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

@yuumasato
Copy link
Member Author

@rhmdnd @Vincent056 CI is happy now, :)

rhmdnd
rhmdnd approved these changes Jun 20, 2024
View reviewed changes
Copy link
Collaborator

@rhmdnd rhmdnd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@rhmdnd rhmdnd merged commit 8ff6232 into ComplianceAsCode:master Jun 20, 2024
92 of 93 checks passed
@Mab879 Mab879 added this to the 0.1.74 milestone Jun 20, 2024
@Mab879 Mab879 added the Update Profile Issues or pull requests related to Profiles updates. label Jun 20, 2024
@yuumasato yuumasato deleted the pcidss_4_req_4 branch June 21, 2024 13:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@xiaojiey xiaojiey xiaojiey left review comments

@rhmdnd rhmdnd rhmdnd approved these changes

@Vincent056 Vincent056 Awaiting requested review from Vincent056

Assignees

@rhmdnd rhmdnd

Labels
OpenShift OpenShift product related. pci-dss Update Profile Issues or pull requests related to Profiles updates.
Projects
None yet
Milestone
0.1.74
Development

Successfully merging this pull request may close these issues.
4 participants
@yuumasato @rhmdnd @xiaojiey @Mab879