Implement rules for CIS OCP Section 1.2 #10774
/test e2e-aws-ocp4-cis-node
/test e2e-aws-ocp4-cis
the control references need to be fixed
67b55d4 to 27647bc
/test e2e-aws-ocp4-cis
This datastream diff is auto generated by the check.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_alwaysadmit'.
--- xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_alwaysadmit
+++ xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_alwaysadmit
@@ -39,7 +39,7 @@
SRG-APP-000516-CTR-001325
[reference]:
-1.2.11
+1.2.10
[rationale]:
Enabling the admission control plugin AlwaysAdmit allows all
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_alwayspullimages'.
--- xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_alwayspullimages
+++ xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_alwayspullimages
@@ -39,7 +39,7 @@
SRG-APP-000516-CTR-001325
[reference]:
-1.2.12
+1.2.11
[rationale]:
Setting admission control policy to AlwaysPullImages forces every new pod
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_namespacelifecycle'.
--- xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_namespacelifecycle
+++ xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_namespacelifecycle
@@ -37,7 +37,7 @@
SRG-APP-000516-CTR-001325
[reference]:
-1.2.15
+1.2.13
[rationale]:
Setting admission control policy to NamespaceLifecycle ensures that
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_noderestriction'.
--- xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_noderestriction
+++ xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_noderestriction
@@ -40,7 +40,7 @@
SRG-APP-000516-CTR-001325
[reference]:
-1.2.17
+1.2.15
[rationale]:
Using the NodeRestriction plugin ensures that the kubelet is
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_scc'.
--- xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_scc
+++ xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_scc
@@ -38,7 +38,7 @@
SRG-APP-000516-CTR-001325
[reference]:
-1.2.16
+1.2.14
[rationale]:
A Security Context Constraint is a cluster-level resource that controls the actions
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_service_account'.
--- xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_service_account
+++ xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_service_account
@@ -41,7 +41,7 @@
SRG-APP-000516-CTR-001325
[reference]:
-1.2.14
+1.2.12
[rationale]:
When a pod is created, if a service account is not specified, the pod
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_api_priority_gate_enabled'.
--- xccdf_org.ssgproject.content_rule_api_server_api_priority_gate_enabled
+++ xccdf_org.ssgproject.content_rule_api_server_api_priority_gate_enabled
@@ -41,7 +41,7 @@
SRG-APP-000516-CTR-001325
[reference]:
-1.2.10
+1.2.9
[rationale]:
The APIPriorityAndFairness feature gate enables the use of the
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_audit_log_maxbackup'.
--- xccdf_org.ssgproject.content_rule_api_server_audit_log_maxbackup
+++ xccdf_org.ssgproject.content_rule_api_server_audit_log_maxbackup
@@ -45,7 +45,7 @@
SRG-APP-000516-CTR-001325
[reference]:
-1.2.24
+1.2.22
[rationale]:
OpenShift automatically rotates the log files. Retaining old log files ensures
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_audit_log_maxsize'.
--- xccdf_org.ssgproject.content_rule_api_server_audit_log_maxsize
+++ xccdf_org.ssgproject.content_rule_api_server_audit_log_maxsize
@@ -45,7 +45,7 @@
SRG-APP-000516-CTR-001325
[reference]:
-1.2.25
+1.2.23
[rationale]:
OpenShift automatically rotates log files. Retaining old log files ensures that
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_audit_log_path'.
--- xccdf_org.ssgproject.content_rule_api_server_audit_log_path
+++ xccdf_org.ssgproject.content_rule_api_server_audit_log_path
@@ -45,7 +45,7 @@
SRG-APP-000516-CTR-001325
[reference]:
-1.2.22
+1.2.20
[rationale]:
Auditing of the Kubernetes API Server is not enabled by default. Auditing the API Server
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_auth_mode_rbac'.
--- xccdf_org.ssgproject.content_rule_api_server_auth_mode_rbac
+++ xccdf_org.ssgproject.content_rule_api_server_auth_mode_rbac
@@ -39,7 +39,7 @@
SRG-APP-000516-CTR-001325
[reference]:
-1.2.9
+1.2.8
[rationale]:
Role Based Access Control (RBAC) allows fine-grained control over the
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_bind_address'.
--- xccdf_org.ssgproject.content_rule_api_server_bind_address
+++ xccdf_org.ssgproject.content_rule_api_server_bind_address
@@ -43,7 +43,7 @@
SRG-APP-000516-CTR-001325
[reference]:
-1.2.20
+1.2.18
[rationale]:
The OpenShift API server is served over HTTPS with authentication and authorization;
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_client_ca'.
--- xccdf_org.ssgproject.content_rule_api_server_client_ca
+++ xccdf_org.ssgproject.content_rule_api_server_client_ca
@@ -58,7 +58,7 @@
SRG-APP-000442-CTR-001095
[reference]:
-1.2.31
+1.2.29
[rationale]:
API Server communication contains sensitive parameters that should remain
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_encryption_provider_cipher'.
--- xccdf_org.ssgproject.content_rule_api_server_encryption_provider_cipher
+++ xccdf_org.ssgproject.content_rule_api_server_encryption_provider_cipher
@@ -51,10 +51,7 @@
SRG-APP-000429-CTR-001060
[reference]:
-1.2.33
-
-[reference]:
-1.2.34
+1.2.31
[reference]:
2.8
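Review bot: this hunk collapses two references, 1.2.33 and 1.2.34, into the single reference 1.2.31, whereas every other hunk in this diff renumbers one reference to exactly one. If the 1.4.0 benchmark merged the two controls into one, that is the right outcome, but it is worth confirming against the 1.4.0 control file before merging: a mapping dropped here would silently remove a control from the profile, and the datastream check only reports it as changed text, not as an error.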
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_etcd_ca'.
--- xccdf_org.ssgproject.content_rule_api_server_etcd_ca
+++ xccdf_org.ssgproject.content_rule_api_server_etcd_ca
@@ -58,7 +58,7 @@
SRG-APP-000442-CTR-001095
[reference]:
-1.2.32
+1.2.30
[rationale]:
etcd is a highly-available key-value store used by OpenShift deployments
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_etcd_cert'.
--- xccdf_org.ssgproject.content_rule_api_server_etcd_cert
+++ xccdf_org.ssgproject.content_rule_api_server_etcd_cert
@@ -65,7 +65,7 @@
SRG-APP-000516-CTR-001325
[reference]:
-1.2.29
+1.2.27
[rationale]:
etcd is a highly-available key-value store used by OpenShift deployments
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_etcd_key'.
--- xccdf_org.ssgproject.content_rule_api_server_etcd_key
+++ xccdf_org.ssgproject.content_rule_api_server_etcd_key
@@ -65,7 +65,7 @@
SRG-APP-000516-CTR-001325
[reference]:
-1.2.29
+1.2.27
[rationale]:
etcd is a highly-available key-value store used by OpenShift deployments
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_insecure_bind_address'.
--- xccdf_org.ssgproject.content_rule_api_server_insecure_bind_address
+++ xccdf_org.ssgproject.content_rule_api_server_insecure_bind_address
@@ -46,7 +46,7 @@
SRG-APP-000516-CTR-001325
[reference]:
-1.2.18
+1.2.16
[rationale]:
If the API Server is bound to an insecure address the installation would
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_insecure_port'.
--- xccdf_org.ssgproject.content_rule_api_server_insecure_port
+++ xccdf_org.ssgproject.content_rule_api_server_insecure_port
@@ -52,7 +52,7 @@
SRG-APP-000516-CTR-001325
[reference]:
-1.2.19
+1.2.17
[rationale]:
Configuring the API Server on an insecure port would allow unauthenticated
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_request_timeout'.
--- xccdf_org.ssgproject.content_rule_api_server_request_timeout
+++ xccdf_org.ssgproject.content_rule_api_server_request_timeout
@@ -47,7 +47,7 @@
SRG-APP-000516-CTR-001325
[reference]:
-1.2.26
+1.2.24
[rationale]:
Setting global request timeout allows extending the API Server request
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_service_account_lookup'.
--- xccdf_org.ssgproject.content_rule_api_server_service_account_lookup
+++ xccdf_org.ssgproject.content_rule_api_server_service_account_lookup
@@ -37,7 +37,7 @@
SRG-APP-000516-CTR-001325
[reference]:
-1.2.27
+1.2.25
[rationale]:
If service-account-lookup is not enabled, the apiserver
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_service_account_public_key'.
--- xccdf_org.ssgproject.content_rule_api_server_service_account_public_key
+++ xccdf_org.ssgproject.content_rule_api_server_service_account_public_key
@@ -52,7 +52,7 @@
SRG-APP-000516-CTR-001325
[reference]:
-1.2.28
+1.2.26
[rationale]:
By default if no service-account-key-file is specified
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_tls_cert'.
--- xccdf_org.ssgproject.content_rule_api_server_tls_cert
+++ xccdf_org.ssgproject.content_rule_api_server_tls_cert
@@ -58,7 +58,7 @@
SRG-APP-000442-CTR-001095
[reference]:
-1.2.30
+1.2.28
[rationale]:
API Server communication contains sensitive parameters that should remain
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_tls_cipher_suites'.
--- xccdf_org.ssgproject.content_rule_api_server_tls_cipher_suites
+++ xccdf_org.ssgproject.content_rule_api_server_tls_cipher_suites
@@ -50,7 +50,7 @@
SRG-APP-000516-CTR-001325
[reference]:
-1.2.35
+1.2.32
[rationale]:
TLS ciphers have had a number of known vulnerabilities and weaknesses,
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_tls_private_key'.
--- xccdf_org.ssgproject.content_rule_api_server_tls_private_key
+++ xccdf_org.ssgproject.content_rule_api_server_tls_private_key
@@ -58,7 +58,7 @@
SRG-APP-000442-CTR-001095
[reference]:
-1.2.30
+1.2.28
[rationale]:
API Server communication contains sensitive parameters that should remain
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_log_forwarding_enabled'.
--- xccdf_org.ssgproject.content_rule_audit_log_forwarding_enabled
+++ xccdf_org.ssgproject.content_rule_audit_log_forwarding_enabled
@@ -109,7 +109,7 @@
SRG-APP-000358-CTR-000805
[reference]:
-1.2.23
+1.2.21
[rationale]:
Retaining logs ensures the ability to go back in time to investigate or correlate any events.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_log_forwarding_webhook'.
--- xccdf_org.ssgproject.content_rule_audit_log_forwarding_webhook
+++ xccdf_org.ssgproject.content_rule_audit_log_forwarding_webhook
@@ -30,7 +30,7 @@
Req-10.5.4
[reference]:
-1.2.23
+1.2.21
[rationale]:
Retaining logs ensures the ability to go back in time to investigate or correlate any events.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_ocp_api_server_audit_log_maxbackup'.
--- xccdf_org.ssgproject.content_rule_ocp_api_server_audit_log_maxbackup
+++ xccdf_org.ssgproject.content_rule_ocp_api_server_audit_log_maxbackup
@@ -45,7 +45,7 @@
SRG-APP-000516-CTR-001325
[reference]:
-1.2.24
+1.2.22
[rationale]:
OpenShift automatically rotates the log files. Retaining old log files ensures
New content has different text for rule 'xccdf_org.ssgproject.content_rule_ocp_api_server_audit_log_maxsize'.
--- xccdf_org.ssgproject.content_rule_ocp_api_server_audit_log_maxsize
+++ xccdf_org.ssgproject.content_rule_ocp_api_server_audit_log_maxsize
@@ -45,7 +45,7 @@
SRG-APP-000516-CTR-001325
[reference]:
-1.2.25
+1.2.23
[rationale]:
OpenShift automatically rotates log files. Retaining old log files ensures that
New content has different text for rule 'xccdf_org.ssgproject.content_rule_openshift_api_server_audit_log_path'.
--- xccdf_org.ssgproject.content_rule_openshift_api_server_audit_log_path
+++ xccdf_org.ssgproject.content_rule_openshift_api_server_audit_log_path
@@ -39,7 +39,7 @@
SRG-APP-000516-CTR-001325
[reference]:
-1.2.22
+1.2.20
[rationale]:
Auditing of the API Server is not enabled by default. Auditing the API Server
just a couple more references to fix
27647bc to 3fdb405
Code Climate has analyzed commit 3fdb405 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 53.4% (0.0% change).
LGTM, just needs the conflict to be fixed
Now that we have a profile and control files for CIS 1.4.0, we can start wiring up the existing rules. This commit ports all the existing rules we were using for the CIS OpenShift profile into the CIS 1.4.0 version.
3fdb405 to 61ae795
Rebased and cleaned up the merge conflicts.