Update OpenShift logging rules to handle CLO 6.0

applications/openshift/api-server/audit_log_forwarding_enabled/oval/shared.xml

@@ -0,0 +1,11 @@
+<def-group oval_version="5.11">
+  <definition class="compliance" id="{{{ rule_id }}}" version="1"> {{{
+    oval_metadata("A ClusterlogForwarder should be configured to forward logs, doesn't matter from which API") }}} <criteria
+      operator="OR">
+      <extend_definition comment="ClusterlogForwarder from observability.openshift.io (6.0)"
+        definition_ref="audit_log_forwarding_enabled_observability_api" />
+      <extend_definition comment="ClusterlogForwarder from logging.openshift.io"
+        definition_ref="audit_log_forwarding_enabled_logging_api" />
+    </criteria>
+  </definition>
+</def-group>

applications/openshift/api-server/audit_log_forwarding_enabled/rule.yml

@@ -7,7 +7,7 @@ description: |-
   The cluster-logging-operator is able to do this with the <pre>ClusterLogForwarders</pre> resource.
   The forementioned resource can be configured to logs to different third party systems.
   For more information on this, please reference the official documentation:
-  {{{ weblink(link="https://docs.openshift.com/container-platform/4.6/logging/cluster-logging-external.html") }}}
+  {{{ weblink(link="https://docs.openshift.com/container-platform/4.16/observability/logging/log_collection_forwarding/configuring-log-forwarding.html") }}}
 
 rationale: |-
   Retaining logs ensures the ability to go back in time to investigate or correlate any events.
@@ -33,20 +33,9 @@ ocil_clause: 'Logs are not forwarded outside the cluster'
 
 ocil: |-
     Run the following command:
-    <pre>oc get clusterlogforwarders instance -n openshift-logging -ojson | jq -r '.spec.pipelines[].inputRefs | contains(["audit"])'</pre>
+    <pre>oc get clusterlogforwarders -n openshift-logging -ojson | jq -r '.items[].spec.pipelines[].inputRefs | contains(["audit"])'</pre>
     The output should return <pre>true</pre>.
 
 warnings:
 - general: |-
-    {{{ openshift_cluster_setting("/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance", true) | indent(4) }}}
-
-template:
-  name: yamlfile_value
-  vars:
-    ocp_data: "true"
-    filepath: /apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance
-    yamlpath: "spec.pipelines[:].inputRefs[:]"
-    entity_check: "at least one"
-    values:
-    - value: "audit"
-      entity_check: "at least one"
+    {{{ openshift_cluster_setting(["/apis/observability.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders", "/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance"], true) | indent(4) }}}

applications/openshift/api-server/audit_log_forwarding_enabled/tests/ocp4/e2e-remediation.sh

@@ -1,8 +1,21 @@
 #!/bin/bash
 set -xe
 
-echo "installing cluster-logging-operator"
-oc apply -f ${ROOT_DIR}/ocp-resources/e2e/cluster-logging-install.yaml
+ocp_version=$(oc version -ojson | jq '.openshiftVersion')
+clo_v6_available_from="4.14.0"
+
+if [ "$(printf '%s\n' "$ocp_version" "$clo_v6_available_from" | sort -V | head -n1)" = "$clo_v6_available_from" ]; then
+    echo "OCP ${ocp_version} has CLO 6.0 is available for install";
+    install_v6=true
+fi
+
+if [ "$install_v6" = true ] ; then
+    echo "installing cluster-logging-operator V6.0"
+    oc apply -f ${ROOT_DIR}/ocp-resources/e2e/cluster-logging-install-observability.yaml
+else
+    echo "installing cluster-logging-operator"
+    oc apply -f ${ROOT_DIR}/ocp-resources/e2e/cluster-logging-install.yaml
+fi
 
 sleep 30
 
@@ -15,8 +28,13 @@ echo "waiting for cluster-logging-operator deployment to be ready"
 oc wait -n openshift-logging --for=condition=Available  --timeout=120s \
     deployment/cluster-logging-operator
 
-echo "installing clusterlogging instance"
-oc apply -f ${ROOT_DIR}/ocp-resources/e2e/cluster-logging-instance.yaml
+if [ "$install_v6" = true ] ; then
+    echo "installing clusterlogforwarder 6.0"
+    oc apply -f ${ROOT_DIR}/ocp-resources/e2e/forward-logs-observability.yaml
+else
+    echo "installing clusterlogging instance"
+    oc apply -f ${ROOT_DIR}/ocp-resources/e2e/cluster-logging-instance.yaml
 
-echo "installing clusterlogforwarder instance"
-oc apply -f ${ROOT_DIR}/ocp-resources/e2e/forward-logs.yaml
+    echo "installing clusterlogforwarder instance"
+    oc apply -f ${ROOT_DIR}/ocp-resources/e2e/forward-logs.yaml
+fi

applications/openshift/api-server/audit_log_forwarding_enabled_logging_api/rule.yml

@@ -0,0 +1,52 @@
+
+title: Ensure that Audit Log Forwarding Is Enabled
+
+description: |-
+  OpenShift audit works at the API server level, logging all requests coming to the server.
+  Audit is on by default and the best practice is to ship audit logs off the cluster for retention.
+  The cluster-logging-operator is able to do this with the <pre>ClusterLogForwarders</pre> resource.
+  The forementioned resource can be configured to logs to different third party systems.
+  For more information on this, please reference the official documentation:
+  {{{ weblink(link="https://docs.openshift.com/container-platform/4.16/observability/logging/log_collection_forwarding/configuring-log-forwarding.html") }}}
+
+rationale: |-
+  Retaining logs ensures the ability to go back in time to investigate or correlate any events.
+  Offloading audit logs from the cluster ensures that an attacker that has access to the cluster will not be able to
+  tamper with the logs because of the logs being stored off-site.
+
+severity: medium
+
+identifiers:
+  cce@ocp4: CCE-86258-1
+
+references:
+  cis@ocp4: 1.2.21
+  nerc-cip: CIP-003-8 R5.2,CIP-004-6 R2.2.2,CIP-004-6 R2.2.3,CIP-004-6 R3.3,CIP-007-3 R.1.3,CIP-007-3 R5,CIP-007-3 R5.1.1,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3,CIP-007-3 R6.5
+  nist: AC-2(12),AU-3(2),AU-5(1),AU-6,AU-6(1),AU-6(3),AU-9(2),SI-4(16),AU-4(1),AU-11,AU-7,AU-7(1),SI-4(20)
+  pcidss: Req-2.2,Req-10.5.3,Req-10.5.4
+  srg: SRG-APP-000092-CTR-000165,SRG-APP-000111-CTR-000220,SRG-APP-000358-CTR-000805
+
+platform: not ocp4-on-hypershift and not ocp4-on-hypershift-hosted
+
+
+ocil_clause: 'Logs are not forwarded outside the cluster'
+
+ocil: |-
+    Run the following command:
+    <pre>oc get clusterlogforwarders -n openshift-logging -ojson | jq -r '.items[].spec.pipelines[].inputRefs | contains(["audit"])'</pre>
+    The output should return <pre>true</pre>.
+
+warnings:
+- general: |-
+    {{{ openshift_cluster_setting("/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance", true) | indent(4) }}}
+
+template:
+  name: yamlfile_value
+  vars:
+    ocp_data: "true"
+    filepath: /apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance
+    yamlpath: ".spec.pipelines[:].inputRefs[:]"
+    entity_check: "at least one"
+    values:
+    - value: "audit"
+      entity_check: "at least one"

applications/openshift/api-server/audit_log_forwarding_enabled_logging_api/tests/ocp4/e2e-remediation.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+set -xe
+
+echo "installing cluster-logging-operator"
+oc apply -f ${ROOT_DIR}/ocp-resources/e2e/cluster-logging-install.yaml
+
+sleep 30
+
+echo "waiting for cluster-logging-operator deployment to exist"
+while [ -z "$(oc get -n openshift-logging --ignore-not-found deployment/cluster-logging-operator)" ]; do
+    sleep 3
+done
+
+echo "waiting for cluster-logging-operator deployment to be ready"
+oc wait -n openshift-logging --for=condition=Available  --timeout=120s \
+    deployment/cluster-logging-operator
+
+echo "installing clusterlogging instance"
+oc apply -f ${ROOT_DIR}/ocp-resources/e2e/cluster-logging-instance.yaml
+
+echo "installing clusterlogforwarder instance"
+oc apply -f ${ROOT_DIR}/ocp-resources/e2e/forward-logs.yaml

applications/openshift/api-server/audit_log_forwarding_enabled_logging_api/tests/ocp4/e2e.yml

@@ -0,0 +1,3 @@
+---
+default_result: FAIL
+result_after_remediation: PASS

applications/openshift/api-server/audit_log_forwarding_enabled_observability_api/rule.yml

@@ -0,0 +1,52 @@
+
+title: Ensure that Audit Log Forwarding Is Enabled
+
+description: |-
+  OpenShift audit works at the API server level, logging all requests coming to the server.
+  Audit is on by default and the best practice is to ship audit logs off the cluster for retention.
+  The cluster-logging-operator is able to do this with the <pre>ClusterLogForwarders</pre> resource.
+  The forementioned resource can be configured to logs to different third party systems.
+  For more information on this, please reference the official documentation:
+  {{{ weblink(link="https://docs.openshift.com/container-platform/4.16/observability/logging/log_collection_forwarding/configuring-log-forwarding.html") }}}
+
+rationale: |-
+  Retaining logs ensures the ability to go back in time to investigate or correlate any events.
+  Offloading audit logs from the cluster ensures that an attacker that has access to the cluster will not be able to
+  tamper with the logs because of the logs being stored off-site.
+
+severity: medium
+
+identifiers:
+  cce@ocp4: CCE-86265-6
+
+references:
+  cis@ocp4: 1.2.21
+  nerc-cip: CIP-003-8 R5.2,CIP-004-6 R2.2.2,CIP-004-6 R2.2.3,CIP-004-6 R3.3,CIP-007-3 R.1.3,CIP-007-3 R5,CIP-007-3 R5.1.1,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3,CIP-007-3 R6.5
+  nist: AC-2(12),AU-3(2),AU-5(1),AU-6,AU-6(1),AU-6(3),AU-9(2),SI-4(16),AU-4(1),AU-11,AU-7,AU-7(1),SI-4(20)
+  pcidss: Req-2.2,Req-10.5.3,Req-10.5.4
+  srg: SRG-APP-000092-CTR-000165,SRG-APP-000111-CTR-000220,SRG-APP-000358-CTR-000805
+
+platform: not ocp4-on-hypershift and not ocp4-on-hypershift-hosted
+
+
+ocil_clause: 'Logs are not forwarded outside the cluster'
+
+ocil: |-
+    Run the following command:
+    <pre>oc get clusterlogforwarders -n openshift-logging -ojson | jq -r '.items[].spec.pipelines[].inputRefs | contains(["audit"])'</pre>
+    The output should return <pre>true</pre>.
+
+warnings:
+- general: |-
+    {{{ openshift_cluster_setting("/apis/observability.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders", true) | indent(4) }}}
+
+template:
+  name: yamlfile_value
+  vars:
+    ocp_data: "true"
+    filepath: /apis/observability.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders
+    yamlpath: ".items[].spec.pipelines[:].inputRefs[:]"
+    entity_check: "at least one"
+    values:
+    - value: "audit"
+      entity_check: "at least one"

applications/openshift/api-server/audit_log_forwarding_enabled_observability_api/tests/ocp4/e2e.yml

@@ -0,0 +1,3 @@
+---
+default_result: FAIL
+result_after_remediation: PASS

ocp-resources/e2e/cluster-logging-install-observability.yaml

@@ -0,0 +1,75 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openshift-operators-redhat
+  annotations:
+    openshift.io/node-selector: ""
+  labels:
+    openshift.io/cluster-monitoring: "true"
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openshift-logging
+  annotations:
+    openshift.io/node-selector: ""
+  labels:
+    openshift.io/cluster-monitoring: "true"
+---
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: openshift-operators-redhat
+  namespace: openshift-operators-redhat
+spec: {}
+---
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: "elasticsearch-operator"
+  namespace: "openshift-operators-redhat"
+spec:
+  installPlanApproval: "Automatic"
+  source: "redhat-operators"
+  sourceNamespace: "openshift-marketplace"
+  name: "elasticsearch-operator"
+---
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: cluster-logging
+  namespace: openshift-logging
+spec:
+  targetNamespaces:
+    - openshift-logging
+---
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: cluster-logging
+  namespace: openshift-logging
+spec:
+  channel: stable-6.0
+  name: cluster-logging
+  source: redhat-operators
+  sourceNamespace: openshift-marketplace
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cluster-logging-operator
+  namespace: openshift-logging
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-logging-operator
+subjects:
+  - kind: ServiceAccount
+    name: cluster-logging-operator
+    namespace: openshift-logging

ocp-resources/e2e/cluster-logging-install.yaml

@@ -50,6 +50,7 @@ metadata:
   name: cluster-logging
   namespace: openshift-logging
 spec:
+  channel: stable
   name: cluster-logging
   source: redhat-operators
   sourceNamespace: openshift-marketplace

ocp-resources/e2e/forward-logs-observability.yaml

@@ -0,0 +1,29 @@
+apiVersion: "observability.openshift.io/v1"
+kind: ClusterLogForwarder
+metadata:
+  name: log-forwarder
+  namespace: openshift-logging
+spec:
+  outputs:
+    # This output is fake... but it's used for a probe to work
+    - elasticsearch:
+        index: most-logs
+        url: 'https://elasticsearch:9200'
+        version: 6
+      name: default-elasticsearch
+      type: elasticsearch
+  pipelines:
+   - name: most-logs
+     inputRefs:
+       - application
+       - audit
+       - infrastructure
+     outputRefs:
+      - default
+   - name: audit-logs
+     inputRefs:
+       - audit
+     outputRefs:
+      - default
+  serviceAccount:
+    name: cluster-loggin-operator

shared/references/cce-redhat-avail.txt

@@ -30,8 +30,6 @@ CCE-86247-4
 CCE-86250-8
 CCE-86253-2
 CCE-86254-0
-CCE-86258-1
-CCE-86265-6
 CCE-86268-0
 CCE-86442-1
 CCE-86444-7