Update OpenShift logging rules to handle CLO 6.0

applications/openshift/api-server/audit_log_forwarding_enabled/oval/shared.xml

@@ -0,0 +1,11 @@
+<def-group oval_version="5.11">
+  <definition class="compliance" id="{{{ rule_id }}}" version="1"> {{{
+    oval_metadata("A ClusterlogForwarder should be configured to forward logs, doesn't matter from which API") }}} <criteria
+      operator="OR">
+      <extend_definition comment="ClusterlogForwarder from observability.openshift.io (6.0)"
+        definition_ref="audit_log_forwarding_enabled_observability_api" />
+      <extend_definition comment="ClusterlogForwarder from logging.openshift.io"
+        definition_ref="audit_log_forwarding_enabled_logging_api" />
+    </criteria>
+  </definition>
+</def-group>

applications/openshift/api-server/audit_log_forwarding_enabled/rule.yml

@@ -7,7 +7,7 @@ description: |-
   The cluster-logging-operator is able to do this with the <pre>ClusterLogForwarders</pre> resource.
   The forementioned resource can be configured to logs to different third party systems.
   For more information on this, please reference the official documentation:
-  {{{ weblink(link="https://docs.openshift.com/container-platform/4.6/logging/cluster-logging-external.html") }}}
+  {{{ weblink(link="https://docs.openshift.com/container-platform/latest/observability/logging/logging-6.0/log6x-clf.html") }}}
 
 rationale: |-
   Retaining logs ensures the ability to go back in time to investigate or correlate any events.
@@ -33,20 +33,9 @@ ocil_clause: 'Logs are not forwarded outside the cluster'
 
 ocil: |-
     Run the following command:
-    <pre>oc get clusterlogforwarders instance -n openshift-logging -ojson | jq -r '.spec.pipelines[].inputRefs | contains(["audit"])'</pre>
+    <pre>oc get clusterlogforwarders -n openshift-logging -ojson | jq -r '.items[].spec.pipelines[].inputRefs | contains(["audit"])'</pre>
     The output should return <pre>true</pre>.
 
 warnings:
 - general: |-
-    {{{ openshift_cluster_setting("/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance", true) | indent(4) }}}
-
-template:
-  name: yamlfile_value
-  vars:
-    ocp_data: "true"
-    filepath: /apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance
-    yamlpath: "spec.pipelines[:].inputRefs[:]"
-    entity_check: "at least one"
-    values:
-    - value: "audit"
-      entity_check: "at least one"
+    {{{ openshift_cluster_setting(["/apis/observability.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders", "/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance"], true) | indent(4) }}}

applications/openshift/api-server/audit_log_forwarding_enabled/tests/ocp4/e2e-remediation.sh

@@ -1,8 +1,21 @@
 #!/bin/bash
 set -xe
 
-echo "installing cluster-logging-operator"
-oc apply -f ${ROOT_DIR}/ocp-resources/e2e/cluster-logging-install.yaml
+ocp_version=$(oc version -ojson | jq -r '.openshiftVersion')
+clo_v6_available_from="4.14.0"
+
+if [ "$(printf '%s\n' "$ocp_version" "$clo_v6_available_from" | sort -V | head -n1)" = "$clo_v6_available_from" ]; then
+    echo "OCP ${ocp_version} has CLO 6.0 is available for install";
+    install_v6=true
+fi
+
+if [ "$install_v6" = true ] ; then
+    echo "installing cluster-logging-operator V6.0"
+    oc apply -f ${ROOT_DIR}/ocp-resources/e2e/cluster-logging-install-observability.yaml
+else
+    echo "installing cluster-logging-operator"
+    oc apply -f ${ROOT_DIR}/ocp-resources/e2e/cluster-logging-install.yaml
+fi
 
 sleep 30
 
@@ -15,8 +28,13 @@ echo "waiting for cluster-logging-operator deployment to be ready"
 oc wait -n openshift-logging --for=condition=Available  --timeout=120s \
     deployment/cluster-logging-operator
 
-echo "installing clusterlogging instance"
-oc apply -f ${ROOT_DIR}/ocp-resources/e2e/cluster-logging-instance.yaml
+if [ "$install_v6" = true ] ; then
+    echo "installing clusterlogforwarder 6.0"
+    oc apply -f ${ROOT_DIR}/ocp-resources/e2e/forward-logs-observability.yaml
+else
+    echo "installing clusterlogging instance"
+    oc apply -f ${ROOT_DIR}/ocp-resources/e2e/cluster-logging-instance.yaml
 
-echo "installing clusterlogforwarder instance"
-oc apply -f ${ROOT_DIR}/ocp-resources/e2e/forward-logs.yaml
+    echo "installing clusterlogforwarder instance"
+    oc apply -f ${ROOT_DIR}/ocp-resources/e2e/forward-logs.yaml
+fi

applications/openshift/api-server/audit_log_forwarding_enabled_logging_api/rule.yml

@@ -0,0 +1,52 @@
+
+title: Ensure that Audit Log Forwarding Is Enabled
+
+description: |-
+  OpenShift audit works at the API server level, logging all requests coming to the server.
+  Audit is on by default and the best practice is to ship audit logs off the cluster for retention.
+  The cluster-logging-operator is able to do this with the <pre>ClusterLogForwarders</pre> resource.
+  The forementioned resource can be configured to log to different third party systems.
+  For more information on this, please reference the official documentation:
+  {{{ weblink(link="https://docs.openshift.com/container-platform/4.16/observability/logging/log_collection_forwarding/configuring-log-forwarding.html") }}}
+
+rationale: |-
+  Retaining logs ensures the ability to go back in time to investigate or correlate any events.
+  Offloading audit logs from the cluster ensures that an attacker that has access to the cluster will not be able to
+  tamper with the logs because of the logs being stored off-site.
+
+severity: medium
+
+identifiers:
+  cce@ocp4: CCE-86258-1
+
+references:
+  cis@ocp4: 1.2.21
+  nerc-cip: CIP-003-8 R5.2,CIP-004-6 R2.2.2,CIP-004-6 R2.2.3,CIP-004-6 R3.3,CIP-007-3 R.1.3,CIP-007-3 R5,CIP-007-3 R5.1.1,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3,CIP-007-3 R6.5
+  nist: AC-2(12),AU-3(2),AU-5(1),AU-6,AU-6(1),AU-6(3),AU-9(2),SI-4(16),AU-4(1),AU-11,AU-7,AU-7(1),SI-4(20)
+  pcidss: Req-2.2,Req-10.5.3,Req-10.5.4
+  srg: SRG-APP-000092-CTR-000165,SRG-APP-000111-CTR-000220,SRG-APP-000358-CTR-000805
+
+platform: not ocp4-on-hypershift and not ocp4-on-hypershift-hosted
+
+
+ocil_clause: 'Logs are not forwarded outside the cluster'
+
+ocil: |-
+    Run the following command:
+    <pre>oc get clusterlogforwarders -n openshift-logging -ojson | jq -r '.items[].spec.pipelines[].inputRefs | contains(["audit"])'</pre>
+    The output should return <pre>true</pre>.
+
+warnings:
+- general: |-
+    {{{ openshift_cluster_setting("/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance", true) | indent(4) }}}
+
+template:
+  name: yamlfile_value
+  vars:
+    ocp_data: "true"
+    filepath: /apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance
+    yamlpath: ".spec.pipelines[:].inputRefs[:]"
+    entity_check: "at least one"
+    values:
+    - value: "audit"
+      entity_check: "at least one"

applications/openshift/api-server/audit_log_forwarding_enabled_logging_api/tests/ocp4/e2e-remediation.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+set -xe
+
+echo "installing cluster-logging-operator"
+oc apply -f ${ROOT_DIR}/ocp-resources/e2e/cluster-logging-install.yaml
+
+sleep 30
+
+echo "waiting for cluster-logging-operator deployment to exist"
+while [ -z "$(oc get -n openshift-logging --ignore-not-found deployment/cluster-logging-operator)" ]; do
+    sleep 3
+done
+
+echo "waiting for cluster-logging-operator deployment to be ready"
+oc wait -n openshift-logging --for=condition=Available  --timeout=120s \
+    deployment/cluster-logging-operator
+
+echo "installing clusterlogging instance"
+oc apply -f ${ROOT_DIR}/ocp-resources/e2e/cluster-logging-instance.yaml
+
+echo "installing clusterlogforwarder instance"
+oc apply -f ${ROOT_DIR}/ocp-resources/e2e/forward-logs.yaml

applications/openshift/api-server/audit_log_forwarding_enabled_logging_api/tests/ocp4/e2e.yml

@@ -0,0 +1,3 @@
+---
+default_result: FAIL
+result_after_remediation: PASS

applications/openshift/api-server/audit_log_forwarding_enabled_observability_api/rule.yml

@@ -0,0 +1,52 @@
+
+title: Ensure that Audit Log Forwarding Is Enabled
+
+description: |-
+  OpenShift audit works at the API server level, logging all requests coming to the server.
+  Audit is on by default and the best practice is to ship audit logs off the cluster for retention.
+  The cluster-logging-operator is able to do this with the <pre>ClusterLogForwarders</pre> resource.
+  The forementioned resource can be configured to log to different third party systems.
+  For more information on this, please reference the official documentation:
+  {{{ weblink(link="https://docs.openshift.com/container-platform/latest/observability/logging/logging-6.0/log6x-clf.html") }}}
+
+rationale: |-
+  Retaining logs ensures the ability to go back in time to investigate or correlate any events.
+  Offloading audit logs from the cluster ensures that an attacker that has access to the cluster will not be able to
+  tamper with the logs because of the logs being stored off-site.
+
+severity: medium
+
+identifiers:
+  cce@ocp4: CCE-86265-6
+
+references:
+  cis@ocp4: 1.2.21
+  nerc-cip: CIP-003-8 R5.2,CIP-004-6 R2.2.2,CIP-004-6 R2.2.3,CIP-004-6 R3.3,CIP-007-3 R.1.3,CIP-007-3 R5,CIP-007-3 R5.1.1,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3,CIP-007-3 R6.5
+  nist: AC-2(12),AU-3(2),AU-5(1),AU-6,AU-6(1),AU-6(3),AU-9(2),SI-4(16),AU-4(1),AU-11,AU-7,AU-7(1),SI-4(20)
+  pcidss: Req-2.2,Req-10.5.3,Req-10.5.4
+  srg: SRG-APP-000092-CTR-000165,SRG-APP-000111-CTR-000220,SRG-APP-000358-CTR-000805
+
+platform: not ocp4-on-hypershift and not ocp4-on-hypershift-hosted
+
+
+ocil_clause: 'Logs are not forwarded outside the cluster'
+
+ocil: |-
+    Run the following command:
+    <pre>oc get clusterlogforwarders -n openshift-logging -ojson | jq -r '.items[].spec.pipelines[].inputRefs | contains(["audit"])'</pre>
+    The output should return <pre>true</pre>.
+
+warnings:
+- general: |-
+    {{{ openshift_cluster_setting("/apis/observability.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders", true) | indent(4) }}}
+
+template:
+  name: yamlfile_value
+  vars:
+    ocp_data: "true"
+    filepath: /apis/observability.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders
+    yamlpath: ".items[].spec.pipelines[:].inputRefs[:]"
+    entity_check: "at least one"
+    values:
+    - value: "audit"
+      entity_check: "at least one"

applications/openshift/api-server/audit_log_forwarding_enabled_observability_api/tests/ocp4/e2e.yml

@@ -0,0 +1,3 @@
+---
+default_result: FAIL
+result_after_remediation: PASS

applications/openshift/api-server/audit_log_forwarding_webhook/oval/shared.xml

@@ -0,0 +1,11 @@
+<def-group oval_version="5.11">
+  <definition class="compliance" id="{{{ rule_id }}}" version="1"> {{{
+    oval_metadata("Audit webhook should be configure, regardless of which API") }}} <criteria
+      operator="OR">
+      <extend_definition comment="ClusterlogForwarder from observability.openshift.io (6.0)"
+        definition_ref="audit_log_forwarding_webhook_observability_api" />
+      <extend_definition comment="ClusterlogForwarder from logging.openshift.io"
+        definition_ref="audit_log_forwarding_webhook_logging_api" />
+    </criteria>
+  </definition>
+</def-group>

applications/openshift/api-server/audit_log_forwarding_webhook/rule.yml

@@ -3,8 +3,14 @@ title: Ensure that Audit Log Webhook Is Configured
 
 {{% set default_jqfilter = '.spec' %}}
 {{% set default_api_path = '/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance' %}}
+
+{{% set v6_default_jqfilter = '.items[].spec' %}}
+{{% set v6_default_api_path = '/apis/observability.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders' %}}
+
 {{% set hypershift_path = '/apis/hypershift.openshift.io/v1beta1/namespaces/{{.hypershift_namespace_prefix}}/hostedclusters/{{.hypershift_cluster}}' %}}
+
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ default_jqfilter %}}
+{{% set v6_dump_path = v6_default_api_path ~ ',' ~ v6_default_jqfilter ~ ',' ~ v6_default_jqfilter %}}
 
 description: |-
   Audit is on by default and the best practice is to ship audit logs off an cluster for retention.
@@ -33,20 +39,9 @@ ocil_clause: 'Audit Webhook not configured'
 
 ocil: |-
     Run the following command to verify that the audit webhook is configured:
-    <pre>oc get hostedclusters {{.hypershift_cluster}} -n clusters -ojson | jq -r '.spec.auditWebhook'</pre>
+    <pre>oc get hostedclusters {{.hypershift_cluster}} -n clusters -ojson | jq -r '.items[].spec.auditWebhook'</pre>
     The output should contain a properly configured webhook.
 
 warnings:
 - general: |-
-    {{{ openshift_filtered_cluster_setting_suppressed({hypershift_path: dump_path}) | indent(4) }}}
-
-template:
-  name: yamlfile_value
-  vars:
-    ocp_data: 'true'
-    filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
-    yamlpath: ".auditWebhook"
-    entity_check: "at least one"
-    values:
-    - value: ".*"
-      operation: "pattern match"
+    {{{ openshift_filtered_cluster_setting_suppressed({hypershift_path: dump_path, hypershift_path: v6_dump_path}) | indent(4) }}}

applications/openshift/api-server/audit_log_forwarding_webhook_logging_api/ocp4/e2e.yml

@@ -0,0 +1,2 @@
+---
+default_result: NOT-APPLICABLE

applications/openshift/api-server/audit_log_forwarding_webhook_logging_api/rule.yml

@@ -0,0 +1,52 @@
+
+title: Ensure that Audit Log Webhook Is Configured
+
+{{% set default_jqfilter = '.spec' %}}
+{{% set default_api_path = '/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance' %}}
+{{% set hypershift_path = '/apis/hypershift.openshift.io/v1beta1/namespaces/{{.hypershift_namespace_prefix}}/hostedclusters/{{.hypershift_cluster}}' %}}
+{{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ default_jqfilter %}}
+
+description: |-
+  Audit is on by default and the best practice is to ship audit logs off an cluster for retention.
+  HyperShift is able to do this with the a audit webhook, which is configured in the HostedCluster
+  custom resource. The forementioned resource can be configured to log to different third party systems.
+  For more information on this, please reference the official documentation:
+  {{{ weblink(link="https://hypershift-docs.netlify.app/reference/api/") }}}
+
+rationale: |-
+  Retaining logs ensures the ability to go back in time to investigate or correlate any events.
+  Offloading audit logs from the cluster ensures that an attacker that has access to the cluster will not be able to
+  tamper with the logs because of the logs being stored off-site.
+
+severity: medium
+
+identifiers:
+  cce@ocp4: CCE-86658-2
+
+references:
+  cis@ocp4: 1.2.21
+  pcidss: Req-2.2,Req-10.5.3,Req-10.5.4
+
+platform: ocp4-on-hypershift
+
+ocil_clause: 'Audit Webhook not configured'
+
+ocil: |-
+    Run the following command to verify that the audit webhook is configured:
+    <pre>oc get hostedclusters {{.hypershift_cluster}} -n clusters -ojson | jq -r '.spec.auditWebhook'</pre>
+    The output should contain a properly configured webhook.
+
+warnings:
+- general: |-
+    {{{ openshift_filtered_cluster_setting_suppressed({hypershift_path: dump_path}) | indent(4) }}}
+
+template:
+  name: yamlfile_value
+  vars:
+    ocp_data: 'true'
+    filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
+    yamlpath: ".auditWebhook"
+    entity_check: "at least one"
+    values:
+    - value: ".*"
+      operation: "pattern match"

applications/openshift/api-server/audit_log_forwarding_webhook_observability_api/ocp4/e2e.yml

@@ -0,0 +1,2 @@
+---
+default_result: NOT-APPLICABLE

applications/openshift/api-server/audit_log_forwarding_webhook_observability_api/rule.yml

@@ -0,0 +1,52 @@
+
+title: Ensure that Audit Log Webhook Is Configured
+
+{{% set default_jqfilter = '.items[].spec' %}}
+{{% set default_api_path = '/apis/observability.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders' %}}
+{{% set hypershift_path = '/apis/hypershift.openshift.io/v1beta1/namespaces/{{.hypershift_namespace_prefix}}/hostedclusters/{{.hypershift_cluster}}' %}}
+{{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ default_jqfilter %}}
+
+description: |-
+  Audit is on by default and the best practice is to ship audit logs off an cluster for retention.
+  HyperShift is able to do this with the a audit webhook, which is configured in the HostedCluster
+  custom resource. The forementioned resource can be configured to log to different third party systems.
+  For more information on this, please reference the official documentation:
+  {{{ weblink(link="https://hypershift-docs.netlify.app/reference/api/") }}}
+
+rationale: |-
+  Retaining logs ensures the ability to go back in time to investigate or correlate any events.
+  Offloading audit logs from the cluster ensures that an attacker that has access to the cluster will not be able to
+  tamper with the logs because of the logs being stored off-site.
+
+severity: medium
+
+identifiers:
+  cce@ocp4: CCE-86660-8
+
+references:
+  cis@ocp4: 1.2.21
+  pcidss: Req-2.2,Req-10.5.3,Req-10.5.4
+
+platform: ocp4-on-hypershift
+
+ocil_clause: 'Audit Webhook not configured'
+
+ocil: |-
+    Run the following command to verify that the audit webhook is configured:
+    <pre>oc get hostedclusters {{.hypershift_cluster}} -n clusters -ojson | jq -r '.items[].spec.auditWebhook'</pre>
+    The output should contain a properly configured webhook.
+
+warnings:
+- general: |-
+    {{{ openshift_filtered_cluster_setting_suppressed({hypershift_path: dump_path}) | indent(4) }}}
+
+template:
+  name: yamlfile_value
+  vars:
+    ocp_data: 'true'
+    filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
+    yamlpath: ".auditWebhook"
+    entity_check: "at least one"
+    values:
+    - value: ".*"
+      operation: "pattern match"

applications/openshift/logging/audit_log_forwarding_uses_tls/oval/shared.xml

@@ -0,0 +1,11 @@
+<def-group oval_version="5.11">
+  <definition class="compliance" id="{{{ rule_id }}}" version="1"> {{{
+    oval_metadata("A ClusterlogForwarder should be configured to use tls, doesn't matter from which API") }}} <criteria
+      operator="OR">
+      <extend_definition comment="ClusterlogForwarder from observability.openshift.io (6.0)"
+        definition_ref="audit_log_forwarding_uses_tls_observability_api" />
+      <extend_definition comment="ClusterlogForwarder from logging.openshift.io"
+        definition_ref="audit_log_forwarding_uses_tls_logging_api" />
+    </criteria>
+  </definition>
+</def-group>