Merge pull request #10142 from jhrozek/SRG-APP-000038-CTR-000105

OCP4 STIG: Fix up rules that dealt with network policy

applications/openshift/networking/configure_network_policies/policy/stig/shared.yml

@@ -0,0 +1,21 @@
+checktext: |-
+  Verify that the CNI supports NetworkPolicies:
+  > oc get network cluster -oyaml -ojsonpath='{.spec.networkType}'
+
+  The result should list a CNI plugin that supports NetworkPolicies,
+  currently the plugins that do support NetworkPolicies are OpenShiftSDN,
+  OVN and Calico.
+
+  If the cluster does not return a CNI that supports NetworkPolicies,
+  this is a finding.
+
+fixtext: |-
+  Migration to a supported CNI plugin is not automated.
+
+  For additional information regarding network policies, see
+  https://docs.openshift.com/container-platform/latest/networking/network_policy/about-network-policy.html
+
+srg_requirement: |-
+  Red Hat OpenShift Container Platform 4 must enforce approved authorizations
+  for controlling the flow of information within Red Hat OpenShift Container
+  Platform 4 based on organization-defined information flow control policies.

applications/openshift/networking/configure_network_policies/rule.yml

@@ -34,7 +34,7 @@ references:
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)
     pcidss: Req-1.1.4,Req-1.2,Req-2.2
-    srg: SRG-APP-000516-CTR-001325,SRG-APP-000516-CTR-001330,SRG-APP-000516-CTR-001335,SRG-APP-000038-CTR-000105,SRG-APP-000039-CTR-000110
+    srg: SRG-APP-000038-CTR-000105
 
 warnings:
 - general: |-

applications/openshift/networking/configure_network_policies_namespaces/policy/stig/shared.yml

@@ -0,0 +1,61 @@
+checktext: |-
+  Verify that each user namespace has a Network Policy
+
+  1. Get a list of existing projects(namespaces), exclude default, kube-*, openshift-*
+
+  > oc get namespaces -ojson | jq -r '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name]'
+
+  2. Get a list of namespaces, excluding default, kube-* and openshift-* that contain
+  a NetworkPolicy object.
+
+  > oc get NetworkPolicy -A -ojson | jq -r '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default") | .metadata.namespace] | unique'
+
+  If the two lists do not match, in other words, if a project does not
+  have any NetworkPolicy definitions, this is a finding.
+fixtext: |-
+  Configure a default network policy as necessary to protect the flow of
+  information by performing the following steps.
+
+  1. Create a networkpolicy.yaml file with the NetworkPolicy object
+  definitions desired. For example, the following section defines two
+  policies one to allow requests from the same namespace, the other to
+  allow from the openshift ingress routing service.
+
+  apiVersion: v1
+  kind: List
+  items:
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-from-same-namespace
+    spec:
+      podSelector:
+      ingress:
+      - from:
+        - podSelector: {}
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: allow-from-openshift-ingress
+    spec:
+      ingress:
+      - from:
+        - namespaceSelector:
+            matchLabels:
+              network.openshift.io/policy-group: ingress
+      podSelector: {}
+      policyTypes:
+      - Ingress
+
+  3. Apply the NetworkPolicy object to the appropriate namespaces by
+  running the following command:
+
+  > oc apply -f networkpolicy.yaml -n <PROJECT>
+
+  For additional information regarding network policies, see
+  https://docs.openshift.com/container-platform/latest/networking/network_policy/about-network-policy.html
+
+srg_requirement: |-
+  Red Hat OpenShift Container Platform 4 must enforce approved authorizations
+  for controlling the flow of information within Red Hat OpenShift Container
+  Platform 4 based on organization-defined information flow control policies.

applications/openshift/networking/configure_network_policies_namespaces/rule.yml

@@ -23,7 +23,7 @@ references:
     nerc-cip: CIP-003-8 R4,CIP-003-8 R4.2,CIP-003-8 R5,CIP-003-8 R6,CIP-004-6 R2.2.4,CIP-004-6 R3,CIP-007-3 R2,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R6.1
     nist: AC-4,AC-4(21),CA-3(5),CM-6,CM-6(1),CM-7,CM-7(1),SC-7,SC-7(3),SC-7(5),SC-7(8),SC-7(12),SC-7(13),SC-7(18),SC-7(10),SI-4(22)
     pcidss: Req-1.1.4,Req-1.2,Req-1.2.1,Req-1.3.1,Req-1.3.2,Req-2.2
-    srg: SRG-APP-000038-CTR-000105,SRG-APP-000039-CTR-000110,SRG-APP-000141-CTR-000315,SRG-APP-000141-CTR-000320,SRG-APP-000142-CTR-000325,SRG-APP-000142-CTR-000330,SRG-APP-000516-CTR-001325,SRG-APP-000516-CTR-001330,SRG-APP-000516-CTR-001335,SRG-APP-000645-CTR-001410
+    srg: SRG-APP-000038-CTR-000105
 
 {{% set networkpolicies_api_path = '/apis/networking.k8s.io/v1/networkpolicies' %}}
 {{% set namespaces_api_path = '/api/v1/namespaces' %}}

applications/openshift/networking/routes_protected_by_tls/rule.yml

@@ -26,7 +26,7 @@ references:
   nerc-cip: CIP-003-8 R4,CIP-003-8 R4.2,CIP-003-8 R5,CIP-004-6 R3,CIP-007-3 R5.1,CIP-007-3 R7.1
   nist: AC-4,AC-4(21),AC-17(3),SC-8,SC-8(1),SC-8(2),SI-4,SI-4(22)
   pcidss: Req-6.5.4
-  srg: SRG-APP-000038-CTR-000105,SRG-APP-000039-CTR-000110,SRG-APP-000441-CTR-001090,SRG-APP-000442-CTR-001095
+  srg: SRG-APP-000441-CTR-001090,SRG-APP-000442-CTR-001095
 
 ocil_clause: 'The proper insecureEdgeTerminationPolicy is not set'
 

controls/srg_ctr/SRG-APP-000038-CTR-000105.yml

@@ -7,62 +7,7 @@ controls:
     information flow control policies.
   rules:
   - configure_network_policies_namespaces
-  - routes_protected_by_tls
-  related_rules:
   - configure_network_policies
+  related_rules:
+  - routes_protected_by_tls
   status: automated
-  check: |-
-    Verify that each user namespace has a Network Policy
-
-    1. Get a list of existing projects(namespaces)
-
-    > oc get projects
-
-    2. For each user namespace (exclude default, kube-*, openshift-*) verify
-    that one or more Network Policy objects exist.
-
-    > oc get NetworkPolicy -n <PROJECT>
-
-    If a project does not have any NetworkPolicy definitions, this is a finding.
-  fixtext: |-
-    Configure a default network policy as necessary to protect the flow of
-    information by performing the following steps.
-
-    1. Create a networkpolicy.yaml file with the NetworkPolicy object
-    definitions desired. For example, the following section defines two
-    policies one to allow requests from the same namespace, the other to
-    allow from the openshift ingress routing service.
-
-    apiVersion: v1
-    kind: List
-    items:
-    - apiVersion: networking.k8s.io/v1
-      kind: NetworkPolicy
-      metadata:
-        name: allow-from-same-namespace
-      spec:
-        podSelector:
-        ingress:
-        - from:
-          - podSelector: {}
-    - apiVersion: networking.k8s.io/v1
-      kind: NetworkPolicy
-      metadata:
-        name: allow-from-openshift-ingress
-      spec:
-        ingress:
-        - from:
-          - namespaceSelector:
-              matchLabels:
-                network.openshift.io/policy-group: ingress
-        podSelector: {}
-        policyTypes:
-        - Ingress
-
-    3. Apply the NetworkPolicy object to the appropriate namespaces by
-    running the following command:
-
-    > oc apply -f networkpolicy.yaml -n <PROJECT>
-
-    For additional information regarding network policies, see
-    https://docs.openshift.com/container-platform/latest/networking/network_policy/about-network-policy.html

controls/srg_ctr/SRG-APP-000039-CTR-000110.yml

@@ -5,11 +5,10 @@ controls:
   title: {{{ full_name }}} must enforce approved authorizations for controlling
     the flow of information between interconnected systems and services based on organization-defined
     information flow control policies.
-  rules:
-  - configure_network_policies_namespaces
-  - routes_protected_by_tls
   related_rules:
   - configure_network_policies
+  - configure_network_policies_namespaces
+  - routes_protected_by_tls
   status: automated
   check: |-
     Verify that a default project template is defined

controls/srg_ctr/SRG-APP-000141-CTR-000315.yml

@@ -3,6 +3,12 @@ controls:
   levels:
   - medium
   title: {{{ full_name }}} must be configured with only essential configurations.
-  rules:
-  - configure_network_policies_namespaces
   status: inherently met
+  artifact_description: |-
+    Supporting evidence is in the following documentation
+
+    https://docs.openshift.com/container-platform/latest/architecture/architecture-rhcos.html
+  status_justification: |-
+    RHCOS itself is built with the sole intention of running OpenShift,
+    therefore it doesn't have extra packages that are not necessary to run the main
+    workload (OCP). There is, for instance, no extra interpreters, e.g. python.

controls/srg_ctr/SRG-APP-000141-CTR-000320.yml

@@ -4,6 +4,20 @@ controls:
   - medium
   title: {{{ full_name }}} registry must contain only container images for those
     capabilities being offered by the container platform.
-  rules:
-  - configure_network_policies_namespaces
-  status: automated
+  related_rules:
+  - reject_unsigned_images_by_default
+  - ocp_allowed_registries_for_import
+  - ocp_allowed_registries
+  - ocp_insecure_registries
+  - ocp_insecure_allowed_registries_for_import
+  status: manual
+  checktext: |-
+    To review the container images within the container platform registry, run the following command:
+    > oc get images
+    Review the container platform container images to validate that only
+    necessary container images for the functionality of the information
+    system are present.
+  fixtext: |-
+    Remove all container images from the container platform registry that
+    are not being used or contain features and functions not supported by
+    the platform.

controls/srg_ctr/SRG-APP-000142-CTR-000325.yml

@@ -4,6 +4,34 @@ controls:
   - medium
   title: {{{ full_name }}} runtime must enforce ports, protocols, and services
     that adhere to the PPSM CAL.
-  rules:
-  - configure_network_policies_namespaces
   status: does not meet
+  mitigation: |-
+    Review the OpenShift Documentation regarding network infrastructure requirements
+    https://docs.openshift.com/container-platform/latest/installing/installing_bare_metal/installing-bare-metal-network-customizations.html#installation-network-connectivity-user-infra_installing-bare-metal-network-customizations
+
+    In addition, verify the network port configuration for the following services:
+
+    kube-apiserver
+    > oc get configmap kube-apiserver-pod -n openshift-kube-apiserver -o "jsonpath={ .data['pod\.yaml'] }" | jq '..|.containerPort?' | grep -v "null"
+    > oc get configmap kube-apiserver-pod -n openshift-kube-apiserver -o "jsonpath={ .data['pod\.yaml'] }" | jq '..|.hostPort?' | grep -v "null"
+    > oc get services -A --show-labels | grep apiserver | awk '{print $6,$8}' | grep apiserver
+
+    kube-scheduler
+    > oc get configmap kube-scheduler-pod -n openshift-kube-scheduler -o "jsonpath={ .data['pod\.yaml'] }" | jq '..|.containerPort?' | grep -v "null"
+    > oc get services -A --show-labels | grep scheduler | awk '{print $6,$8}' | grep scheduler
+
+    kube-controller-manager
+    > oc get configmap kube-controller-manager-pod -n openshift-kube-controller-manager -o "jsonpath={ .data['pod\.yaml'] }" | jq '..|.containerPort?' | grep -v "null"
+    > oc get services -A --show-labels | grep kube-controller
+
+    etcd
+    > oc get configmap etcd-pod -n openshift-etcd -o "jsonpath={ .data['pod\.yaml'] }" | grep -Po '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}:[0-9]+' | sort -u
+
+    If any of the ports used in these services are prohibited by the
+    PPSM CAL, document the additional ports. Update any network firewall
+    policies to limit access to those services in accordance with the RH
+    documentation in the above link.
+  status_justification: |-
+    OpenShift Container Platform uses a number of IPV4 and IPV6 ports and
+    protocols to facilitate cluster communication and coordination. Not
+    all of these ports are identified and approved by the PPSM CAL.

controls/srg_ctr/SRG-APP-000142-CTR-000330.yml

@@ -3,6 +3,4 @@ controls:
   levels:
   - medium
   title: {{{ full_name }}} runtime must enforce the use of ports that are non-privileged.
-  rules:
-  - configure_network_policies_namespaces
-  status: automated
+  status: manual

controls/srg_ctr/SRG-APP-000516-CTR-001325.yml

@@ -155,8 +155,6 @@ controls:
   - file_permissions_scheduler
   - file_permissions_scheduler_kubeconfig
   - file_perms_openshift_sdn_cniserver_config
-  - configure_network_policies
-  - configure_network_policies_namespaces
   - openshift_api_server_audit_log_path
   - rbac_debug_role_protects_pprof
   - rbac_limit_cluster_admin

controls/srg_ctr/SRG-APP-000516-CTR-001330.yml

@@ -154,8 +154,6 @@ controls:
   - file_permissions_scheduler
   - file_permissions_scheduler_kubeconfig
   - file_perms_openshift_sdn_cniserver_config
-  - configure_network_policies
-  - configure_network_policies_namespaces
   - openshift_api_server_audit_log_path
   - rbac_debug_role_protects_pprof
   - rbac_limit_cluster_admin

controls/srg_ctr/SRG-APP-000516-CTR-001335.yml

@@ -154,8 +154,6 @@ controls:
   - file_permissions_scheduler
   - file_permissions_scheduler_kubeconfig
   - file_perms_openshift_sdn_cniserver_config
-  - configure_network_policies
-  - configure_network_policies_namespaces
   - openshift_api_server_audit_log_path
   - rbac_debug_role_protects_pprof
   - rbac_limit_cluster_admin

controls/srg_ctr/SRG-APP-000645-CTR-001410.yml

@@ -5,6 +5,14 @@ controls:
   title: {{{ full_name }}} must prohibit or restrict the use of protocols that
     transmit unencrypted authentication information or use flawed cryptographic algorithms
     for transmission.
-  rules:
+  related_rules:
   - configure_network_policies_namespaces
   status: inherently met
+  artifact_description: |-
+    Supporting evidence is in the following documentation
+    https://docs.openshift.com/container-platform/latest/post_installation_configuration/network-configuration.html
+  status_justification: |-
+    The ports and protocols configured with OpenShift are required for the
+    proper functioning of the clusters and associated network.  Details on
+    configuration options are located in the following document:
+    https://docs.openshift.com/container-platform/latest/post_installation_configuration/network-configuration.html