Add OCP4 STIG control file and auto-add references
Description:
- Based on the Manual OCP4 STIG Benchmark and the SRG_CTR, add an OCP4 STIG specific control file.
- With the OCP4 STIG control file we can leverage the build system to add the STIG ID references for us (CNTR-OS-XXXX).
- This also extends the control file with the capability to have multiple products. Builds of other control files need to be tested/fixed.
- Disable SRG-APP-000516-CTR-001325 and unselect its rules. This SRG is not part of the published STIG.
- Remove global Apache STIG IDs from rules (WAXXX and WGXXX). The project doesn't ship an Apache product or profile, plus, they should not be added into every product's rules. (I definitely can move this to a separate PR).
Rationale:
- Add STIG ID references for easier rule-to-policy mapping and reporting.
- Use of a specific OCP4 STIG control file should ease maintenance and updates of the profile.
Review Hints:
- Build the content and check that the STIG IDs for ocp4 and rhcos4 are there.
- Check that the rule selection is sane.
I was reviewing the built rule in build/ocp4/rules/api_server_tls_security_profile.yml and noticed this below. I would prefer that we didn't have these duplicated IDs.
stigid:
- CNTR-OS-000020
- CNTR-OS-000020
- CNTR-OS-000020
Thank you for the review @Mab879
I have added two commits regarding duplicate references.
- The first commit raises an error when the build system tries to assign a reference that already exists in the rule. This should help content writers see that a control has duplicate rules.
- The second prevents build_stig_control.py from adding duplicate rules to a control.
Example traceback
FAILED: ocp4/ssg_build_compile_all-ocp4 /home/wsato/git/content/build/ocp4/ssg_build_compile_all-ocp4
cd /home/wsato/git/content/build/ocp4 && /usr/bin/cmake -E make_directory /home/wsato/git/content/build/ocp4/profiles && env PYTHONPATH=/home/wsato/git/content:/home/wsato/git/content:/home/wsato/git/content /usr/bin/python3 /home/wsato/git/content/build-scripts/compile_all.py --resolved-base /home/wsato/git/content/build/ocp4 --project-root /home/wsato/git/content --build-config-yaml /home/wsato/git/content/build/build_config.yml --product-yaml /home/wsato/git/content/build/ocp4/product.yml --sce-metadata /home/wsato/git/content/build/ocp4/checks/sce/metadata.json --stig-references /home/wsato/git/content/shared/references/disa-stig-ocp4-v1r1-xccdf-manual.xml && /usr/bin/cmake -E touch /home/wsato/git/content/build/ocp4/ssg_build_compile_all-ocp4
Encountered file '.var_apiserver_bind_address.var.swp' while recursing, extension '.swp' is unknown. Skipping..
Traceback (most recent call last):
File "/home/wsato/git/content/ssg/controls.py", line 187, in add_references
rule.add_extra_reference(reference_type, self.id)
File "/home/wsato/git/content/ssg/build_yaml.py", line 1016, in add_extra_reference
raise ValueError(msg)
ValueError: Rule api_server_tls_security_profile already contains a 'stigid' reference with value 'CNTR-OS-000020'.
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/home/wsato/git/content/build-scripts/compile_all.py", line 169, in <module>
main()
File "/home/wsato/git/content/build-scripts/compile_all.py", line 159, in main
controls_manager.add_references(loader.all_rules)
File "/home/wsato/git/content/ssg/controls.py", line 524, in add_references
policy.add_references(rules)
File "/home/wsato/git/content/ssg/controls.py", line 420, in add_references
control.add_references(self.reference_type, rules)
File "/home/wsato/git/content/ssg/controls.py", line 193, in add_references
raise ValueError(msg) from exc
ValueError: Please remove any duplicate listing of rule 'api_server_tls_security_profile' in control 'CNTR-OS-000020'.
[10/52] [rhcos4-content] compiling everything
I plan to post more details on the profile changes and address the code climate findings.
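The two fixes described in the comment above (a rule refusing a reference it already carries, and the control generator dropping duplicate rule listings before they reach the build) can be modelled in a few lines. This is an added illustration, not ComplianceAsCode's own ssg/controls.py or ssg/build_yaml.py; the Rule, Control, dedupe_rules and build_control names, and the simplified reference map, are assumptions made for the example.

```python
"""Added example (not ComplianceAsCode code): duplicate STIG ID reference
detection, and de-duplication of a control's rule list before references are
assigned.  All class/function names here are assumptions for illustration."""

from collections import OrderedDict


class Rule:
    """Minimal stand-in for a built rule carrying a reference map,
    e.g. {"stigid": ["CNTR-OS-000020"]}."""

    def __init__(self, rule_id, references=None):
        self.id = rule_id
        self.references = {k: list(v) for k, v in (references or {}).items()}

    def add_extra_reference(self, ref_type, value):
        """Append a reference value, refusing one that is already present.

        This is the behaviour of the first commit: instead of silently ending
        up with three copies of the same stigid, the build fails loudly."""
        values = self.references.setdefault(ref_type, [])
        if value in values:
            raise ValueError(
                "Rule %s already contains a '%s' reference with value '%s'."
                % (self.id, ref_type, value))
        values.append(value)


class Control:
    """A control (here a STIG ID) that selects a list of rule ids."""

    def __init__(self, control_id, rules):
        self.id = control_id
        self.rules = list(rules)

    def add_references(self, ref_type, rules_by_id):
        """Stamp this control's id as a reference on every selected rule,
        re-raising with a message that points the content writer at the
        control that lists the rule more than once."""
        for rule_id in self.rules:
            rule = rules_by_id.get(rule_id)
            if rule is None:
                continue  # rule is not part of this product; nothing to tag
            try:
                rule.add_extra_reference(ref_type, self.id)
            except ValueError as exc:
                msg = ("Please remove any duplicate listing of rule '%s' in "
                       "control '%s'." % (rule_id, self.id))
                raise ValueError(msg) from exc


def dedupe_rules(rule_ids):
    """Drop repeated rule ids, keeping the first occurrence and the order
    (what the second commit makes the control generator guarantee)."""
    return list(OrderedDict.fromkeys(rule_ids))


def build_control(control_id, rule_ids):
    """Generator-side fix: never emit a control with a rule listed twice."""
    return Control(control_id, dedupe_rules(rule_ids))


def demo_duplicate_detected():
    """A control listing the same rule three times trips the build check."""
    rules = {"api_server_tls_security_profile":
             Rule("api_server_tls_security_profile")}
    control = Control("CNTR-OS-000020",
                      ["api_server_tls_security_profile"] * 3)
    try:
        control.add_references("stigid", rules)
    except ValueError as exc:
        return str(exc)
    return None


def demo_deduped():
    """The same input run through the de-duplicating generator yields a
    single stigid reference on the rule."""
    rules = {"api_server_tls_security_profile":
             Rule("api_server_tls_security_profile")}
    control = build_control("CNTR-OS-000020",
                            ["api_server_tls_security_profile"] * 3)
    control.add_references("stigid", rules)
    return rules["api_server_tls_security_profile"].references["stigid"]


if __name__ == "__main__":
    print(demo_duplicate_detected())
    print(demo_deduped())
```

The two layers are deliberately independent: the generator fix stops duplicates from being written, and the rule-side check catches any that are hand-edited into a control file later, which is the case the traceback above shows.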
:robot: A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11593
This image was built from commit: 4d7e9a21381b4109b27e39cfed45a76ba2f0d00d
Click here to see how to deploy it
If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11593
Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11593 make deploy-local
/hold for test
Verification failed with 4.15.0-rc.5 + compliance-operator.v1.4.0 + PR #11593 code
- Install CO
- Create ssb
$ oc compliance bind -N test profile/upstream-ocp4-stig profile/upstream-ocp4-stig-node
Creating ScanSettingBinding test
$ oc get scan
NAME PHASE RESULT
upstream-ocp4-stig DONE NON-COMPLIANT
upstream-ocp4-stig-node-master DONE NON-COMPLIANT
upstream-ocp4-stig-node-worker DONE NON-COMPLIANT
- Check that the rules listed here are not present in the above profile
- I could see that only the 20 rules below are not listed in the profile, out of the 191 rules listed in the above link. Other rules are still present in the stig profile:
api-server-insecure-port
api-server-kubelet-client-cert
api-server-kubelet-client-cert-pre-4-9
api-server-kubelet-client-key
api-server-kubelet-client-key-pre-4-9
file-groupowner-ip-allocations
file-groupowner-openshift-sdn-cniserver-config
file-owner-ip-allocations
file-owner-openshift-sdn-cniserver-config
file-permissions-ip-allocations
file-perms-openshift-sdn-cniserver-config
file-groupowner-proxy-kubeconfig
file-owner-proxy-kubeconfig
file-permissions-proxy-kubeconfig
file-permissions-ovn-cni-server-sock
file-groupowner-ovn-cni-server-sock
file-owner-ovn-cni-server-sock
file-groupowner-ovn-db-files
file-owner-ovn-db-files
file-permissions-ovn-db-files
@yuumasato Could you please help me check this issue. Thanks
@BhargaviGudi the mentioned rules are in the profile:
oc get profiles upstream-ocp4-stig upstream-ocp4-stig-node -oyaml
But for various reasons they result in notapplicable, therefore ccrs are not created for them.
Sometimes the rule has platform ovn (file-permissions-ovn-db-files), in other cases the rule has platform sdn (file-groupowner-proxy-kubeconfig).
But the most curious ones are the api-server-* rules, which are not applicable on OCP 4.15, :thinking:. @Vincent056 @rhmdnd Do you have an insight on this one?
https://github.com/ComplianceAsCode/content/blob/011089d5b5e10799740ad6b07efaa88a4eafef61/applications/openshift/api-server/api_server_insecure_port/rule.yml#L41
https://github.com/ComplianceAsCode/content/blob/011089d5b5e10799740ad6b07efaa88a4eafef61/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml#L37
api_server_insecure_port was only needed before 4.11, so they were disabled on 4.11 and above https://github.com/ComplianceAsCode/content/commit/9d2e1ab2a0f796764f465aa83e282e14b3564943
Thanks @Vincent056.
So the rules' notapplicable results seem correct to me.
Verification pass with 4.16.0-0.nightly-2024-02-26-013420
$ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.16.0-0.nightly-2024-02-26-013420 True False 4h52m Cluster version is 4.16.0-0.nightly-2024-02-26-013420
$ oc get pb
NAME CONTENTIMAGE CONTENTFILE STATUS
ocp4 ghcr.io/complianceascode/k8scontent:latest ssg-ocp4-ds.xml VALID
rhcos4 ghcr.io/complianceascode/k8scontent:latest ssg-rhcos4-ds.xml VALID
upstream-ocp4 ghcr.io/complianceascode/k8scontent:11593 ssg-ocp4-ds.xml VALID
upstream-rhcos4 ghcr.io/complianceascode/k8scontent:11593 ssg-rhcos4-ds.xml VALID
$ oc get profile.compliance ocp4-stig -o=jsonpath={.rules} | jq -r | grep ocp4 | wc -l
125
$ oc get profile.compliance ocp4-stig-node -o=jsonpath={.rules} | jq -r | grep ocp4 | wc -l
113
$ oc get profile.compliance rhcos4-stig -o=jsonpath={.rules} | jq -r | grep rhcos | wc -l
120
$ oc get profile.compliance upstream-ocp4-stig -o=jsonpath={.rules} | jq -r | grep ocp4 | wc -l
125
$ oc get profile.compliance upstream-ocp4-stig-node -o=jsonpath={.rules} | jq -r | grep ocp4 | wc -l
113
$ oc get profile.compliance upstream-rhcos4-stig -o=jsonpath={.rules} | jq -r | grep rhcos | wc -l
120
$ oc compliance bind -N test-ocp4-stig profile/upstream-ocp4-stig profile/upstream-ocp4-stig-node
Creating ScanSettingBinding test-ocp4-stig
$ oc compliance bind -N test-rhcos4-stig profile/upstream-rhcos4-stig
Creating ScanSettingBinding test-rhcos4-stig
$ oc get suite
NAME PHASE RESULT
test-ocp4-stig DONE NON-COMPLIANT
test-rhcos4-stig DONE NON-COMPLIANT
$ oc get scan
NAME PHASE RESULT
upstream-ocp4-stig DONE NON-COMPLIANT
upstream-ocp4-stig-node-master DONE NON-COMPLIANT
upstream-ocp4-stig-node-worker DONE NON-COMPLIANT
upstream-rhcos4-stig-master DONE NON-COMPLIANT
upstream-rhcos4-stig-worker DONE NON-COMPLIANT
/unhold
@rhmdnd @Vincent056 I'll move the rules from SRG-APP-000516-CTR-001325 out of the needed_rules control to the profile file.
Actually, it will be laborious to move the rules from the control file to the profile file. As we have both ocp4 and rhcos4 rules they need to each go into their respective product/profile.
So it'll be simpler to keep them in the control file.
@rhmdnd @Vincent056 Turns out all the rules are ocp4, I moved them to products/ocp4/profiles/stig-v1r1.profile
The data stream doesn't have extraneous needed_rules references anymore.
Should be good to go, :)
All rules listed in the SRG are in the applications dir, so they pertain to ocp4.
rule_paths.txt
The list of rules still need to be split into node and non-node profile. :(
The rules from SRG-APP-000516-CTR-001325 were split into the stig-v1r1.profile and stig-node-v1r1.profile.
I used ./utils/profile_tool.py to help me list the missing rules in each profile. :stuck_out_tongue:.
The profiles before and after the split are the same, :).
(This fix is needed to run the tool https://github.com/ComplianceAsCode/content/pull/11637)
@Vincent056 @rhmdnd Should be good for another review.
/test e2e-aws-ocp4-stig /test e2e-aws-ocp4-stig-node /test e2e-aws-rhcos4-stig
/retest
I have updated some of the controls' pending status and rebased to latest master. @rhmdnd @Vincent056
/test e2e-aws-ocp4-stig /test e2e-aws-ocp4-stig-node /test e2e-aws-rhcos4-stig
/test e2e-aws-ocp4-stig /test e2e-aws-ocp4-stig-node /test e2e-aws-rhcos4-stig
ping @dodys @teacup-on-rockingchair @Mab879 regarding product stability data
Code Climate has analyzed commit 4d7e9a21 and detected 1 issue on this pull request.
Here's the issue category breakdown:
| Category | Count |
|---|---|
| Style | 1 |
The test coverage on the diff in this pull request is 36.3% (50% is the threshold).
This pull request will bring the total coverage in the repository to 59.8% (0.0% change).
View more on Code Climate.
/hold for test
Verification passed with 4.16.0-0.nightly-2024-03-11-195522 + compliance-operator
1. Install CO
2. ./utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11593
$ oc get clusterversions.config.openshift.io
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.16.0-0.nightly-2024-03-11-195522 True False 31m Cluster version is 4.16.0-0.nightly-2024-03-11-195522
$ oc get pb
NAME CONTENTIMAGE CONTENTFILE STATUS
ocp4 ghcr.io/complianceascode/k8scontent:latest ssg-ocp4-ds.xml VALID
rhcos4 ghcr.io/complianceascode/k8scontent:latest ssg-rhcos4-ds.xml VALID
upstream-ocp4 ghcr.io/complianceascode/k8scontent:11593 ssg-ocp4-ds.xml VALID
upstream-rhcos4 ghcr.io/complianceascode/k8scontent:11593 ssg-rhcos4-ds.xml VALID
$ oc get profile.compliance ocp4-stig -o=jsonpath={.rules} | jq -r | grep ocp4 | wc -l
125
$ oc get profile.compliance ocp4-stig-node -o=jsonpath={.rules} | jq -r | grep ocp4 | wc -l
113
$ oc get profile.compliance rhcos4-stig -o=jsonpath={.rules} | jq -r | grep rhcos | wc -l
120
$ oc get profile.compliance upstream-ocp4-stig -o=jsonpath={.rules} | jq -r | grep ocp4 | wc -l
125
$ oc get profile.compliance upstream-ocp4-stig-node -o=jsonpath={.rules} | jq -r | grep ocp4 | wc -l
113
$ oc get profile.compliance upstream-rhcos4-stig -o=jsonpath={.rules} | jq -r | grep rhcos | wc -l
120
$ oc compliance bind -N test-ocp4-stig profile/upstream-ocp4-stig profile/upstream-ocp4-stig-node
Creating ScanSettingBinding test-ocp4-stig
$ oc compliance bind -N test-rhcos4-stig profile/upstream-rhcos4-stig
Creating ScanSettingBinding test-rhcos4-stig
$ oc get ssb
NAME STATUS
test-ocp4-stig READY
test-rhcos4-stig READY
$ oc get suite
NAME PHASE RESULT
test-ocp4-stig DONE NON-COMPLIANT
test-rhcos4-stig DONE NON-COMPLIANT
$ oc get scan
NAME PHASE RESULT
upstream-ocp4-stig DONE NON-COMPLIANT
upstream-ocp4-stig-node-master DONE NON-COMPLIANT
upstream-ocp4-stig-node-worker DONE NON-COMPLIANT
upstream-rhcos4-stig-master DONE NON-COMPLIANT
upstream-rhcos4-stig-worker DONE NON-COMPLIANT
/unhold