diff --git a/applications/openshift/logging/cluster_logging_operator_exist/oval/shared.xml b/applications/openshift/logging/cluster_logging_operator_exist/oval/shared.xml
new file mode 100644
index 000000000000..09e3e8718322
--- /dev/null
+++ b/applications/openshift/logging/cluster_logging_operator_exist/oval/shared.xml
@@ -0,0 +1,11 @@
+
+ {{{
+ oval_metadata("Cluster Logging operator is installed and scanning") }}}
+
+
+
+
+
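Review bot: As rendered, the new OVAL definition contains only the `oval_metadata(...)` call followed by blank lines, while the hunk header counts 11 added lines, so the XML elements (definition, criteria, tests) may have been dropped by the page extraction. If the file genuinely is this sparse, the rule has no check at all once the `yamlfile_value` template is removed from rule.yml below, and an AU-3(2) audit-logging control would be reported without ever being evaluated. Confirm the definition's `<criteria>` covers both API paths the rule's warning now lists, and have the metadata description say the check accepts either API, for example `oval_metadata("Cluster Logging operator is installed and scanning (ClusterLogging in logging.openshift.io/v1 or ClusterLogForwarder in observability.openshift.io/v1)")`.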
diff --git a/applications/openshift/logging/cluster_logging_operator_exist/rule.yml b/applications/openshift/logging/cluster_logging_operator_exist/rule.yml
index 79d5414d37e7..131c98c4b61b 100644
--- a/applications/openshift/logging/cluster_logging_operator_exist/rule.yml
+++ b/applications/openshift/logging/cluster_logging_operator_exist/rule.yml
@@ -22,26 +22,17 @@ references:
ocil_clause: 'OpenShift Logging Operator is not installed'
ocil: |-
- Run the following command to retrieve the clusterlogging objects in the system:
-
$ oc get clusterloggings --all-namespaces
+ Run the following command to retrieve the clusterlogforwarder objects in the system:
+ $ oc get clusterlogforwarder --all-namespaces
Make sure the OpenShift Logging Operator is installed and there exists
- at least one active clusterlogging object in the cluster.
+ at least one active clusterlogforwarder object in the cluster.
severity: medium
warnings:
- general: |-
- {{{ openshift_cluster_setting("/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterloggings/instance") | indent(4) }}}
-
-template:
- name: yamlfile_value
- vars:
- ocp_data: "true"
- filepath: /apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterloggings/instance
- yamlpath: "metadata.name"
- entity_check: "at least one"
- values:
- - value: ".*"
- operation: "pattern match"
-
+ {{{ openshift_cluster_setting([
+ "/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterloggings/instance",
+ "/apis/observability.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders",
+ ]) | indent(4) }}}
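Review bot: Deleting the lead-in sentence above `$ oc get clusterloggings --all-namespaces` leaves that command orphaned at the top of the `ocil` block, and the closing sentence now asks only for a clusterlogforwarder object even though the warning below still fetches both `clusterloggings/instance` and `clusterlogforwarders`. Either drop the clusterloggings command or restore its sentence, and make the last sentence match what is checked: `at least one active clusterlogging (logging.openshift.io/v1) or clusterlogforwarder (observability.openshift.io/v1) object in the cluster.` Removing the `template:` block means the evaluation now lives entirely in the new oval/shared.xml, which nothing in this file says; a comment above the warning such as `# check is implemented in oval/shared.xml; both API paths below must be fetched by the scan` would spare the next maintainer the search.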
diff --git a/applications/openshift/logging/cluster_logging_operator_exist/tests/does_not_have_logging_instance.fail.sh b/applications/openshift/logging/cluster_logging_operator_exist/tests/does_not_have_logging_instance.fail.sh
index 0b4c6760a3c6..8dd29d4abfd4 100644
--- a/applications/openshift/logging/cluster_logging_operator_exist/tests/does_not_have_logging_instance.fail.sh
+++ b/applications/openshift/logging/cluster_logging_operator_exist/tests/does_not_have_logging_instance.fail.sh
@@ -5,9 +5,9 @@ yum install -y jq
kube_apipath="/kubernetes-api-resources"
-mkdir -p "$kube_apipath/apis/logging.openshift.io/v1/namespaces/openshift-logging/"
+mkdir -p "$kube_apipath/apis/observability.openshift.io/v1/namespaces/openshift-logging/"
-routes_apipath="/apis/logging.openshift.io/v1/namespaces/openshift-logging/instance"
+routes_apipath="/apis/observability.openshift.io/v1/namespaces/openshift-logging/instance"
cat < "$kube_apipath$routes_apipath"
{
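Review bot: The fixture is written to `$kube_apipath/apis/observability.openshift.io/v1/namespaces/openshift-logging/instance`, but the path the rule's warning declares is `/apis/observability.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders`; unless the harness resolves fixtures some other way, the scanner never reads this file, the fail case is not exercised, and a regression in this audit-logging check would go unnoticed. Rename and correct the variable, `clf_apipath="/apis/observability.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders"`, and point the `mkdir -p` and the redirection at it (`routes_apipath` reads as a leftover from another rule). The same mismatch is in this rule's pass script and in the new fail/pass scripts of both `cluster_logging_operator_exists_logging_api` (whose rule reads `.../clusterloggings/instance`) and `cluster_logging_operator_exists_observability_api`, each against its own rule's filepath. `cat < "$kube_apipath$routes_apipath"` reads here as an input redirection rather than a heredoc that writes the file; if the heredoc operator was lost in rendering ignore this, otherwise the script fails before creating the fixture. The heredoc body continues past the end of this hunk.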
diff --git a/applications/openshift/logging/cluster_logging_operator_exist/tests/have_cluster_logging_instance.pass.sh b/applications/openshift/logging/cluster_logging_operator_exist/tests/have_cluster_logging_instance.pass.sh
index dabd5f9a4038..391ab0611a5d 100644
--- a/applications/openshift/logging/cluster_logging_operator_exist/tests/have_cluster_logging_instance.pass.sh
+++ b/applications/openshift/logging/cluster_logging_operator_exist/tests/have_cluster_logging_instance.pass.sh
@@ -5,76 +5,72 @@ yum install -y jq
kube_apipath="/kubernetes-api-resources"
-mkdir -p "$kube_apipath/apis/logging.openshift.io/v1/namespaces/openshift-logging/"
+mkdir -p "$kube_apipath/apis/observability.openshift.io/v1/namespaces/openshift-logging/"
-routes_apipath="/apis/logging.openshift.io/v1/namespaces/openshift-logging/instance"
+routes_apipath="/apis/observability.openshift.io/v1/namespaces/openshift-logging/instance"
cat < "$kube_apipath$routes_apipath"
{
"apiVersion": "v1",
"items": [
{
- "apiVersion": "logging.openshift.io/v1",
- "kind": "ClusterLogging",
+ "apiVersion": "observability.openshift.io/v1",
+ "kind": "ClusterLogForwarder",
"metadata": {
- "creationTimestamp": "2022-04-07T22:31:00Z",
+ "annotations": {
+ "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"observability.openshift.io/v1\",\"kind\":\"ClusterLogForwarder\",\"metadata\":{\"annotations\":{},\"name\":\"instance\",\"namespace\":\"openshift-logging\"},\"spec\":{\"outputs\":[{\"elasticsearch\":{\"index\":\"most-logs\",\"url\":\"https://elasticsearch:9200\",\"version\":6},\"name\":\"default-elasticsearch\",\"type\":\"elasticsearch\"}],\"pipelines\":[{\"inputRefs\":[\"application\",\"audit\",\"infrastructure\"],\"name\":\"most-logs\",\"outputRefs\":[\"default\"]},{\"inputRefs\":[\"audit\"],\"name\":\"audit-logs\",\"outputRefs\":[\"default\"]}],\"serviceAccount\":{\"name\":\"cluster-loggin-operator\"}}}\n"
+ },
+ "creationTimestamp": "2024-09-30T15:34:24Z",
"generation": 1,
"name": "instance",
"namespace": "openshift-logging",
- "resourceVersion": "16375545",
- "uid": "dcc9e26d-934d-4dca-9e88-dcbc6b85c669"
+ "resourceVersion": "95318",
+ "uid": "7804fab5-b945-4024-acb7-e89652b5d4f7"
},
"spec": {
- "collection": {
- "logs": {
- "fluentd": {},
- "type": "fluentd"
- }
- },
- "curation": {
- "curator": {
- "schedule": "30 3,9,15,21 * * *"
- },
- "type": "curator"
- },
- "logStore": {
- "elasticsearch": {
- "nodeCount": 1,
- "redundancyPolicy": "ZeroRedundancy",
- "resources": {
- "limits": {
- "cpu": "500m",
- "memory": "4Gi"
- }
- },
- "storage": {}
- },
- "type": "elasticsearch"
- },
"managementState": "Managed",
- "visualization": {
- "kibana": {
- "replicas": 1
+ "outputs": [
+ {
+ "elasticsearch": {
+ "index": "most-logs",
+ "url": "https://elasticsearch:9200",
+ "version": 6
+ },
+ "name": "default-elasticsearch",
+ "type": "elasticsearch"
+ }
+ ],
+ "pipelines": [
+ {
+ "inputRefs": [
+ "application",
+ "audit",
+ "infrastructure"
+ ],
+ "name": "most-logs",
+ "outputRefs": [
+ "default"
+ ]
},
- "type": "kibana"
- }
- },
- "status": {
- "collection": {
- "logs": {
- "fluentdStatus": {}
+ {
+ "inputRefs": [
+ "audit"
+ ],
+ "name": "audit-logs",
+ "outputRefs": [
+ "default"
+ ]
}
- },
- "curation": {},
- "logStore": {},
- "visualization": {}
+ ],
+ "serviceAccount": {
+ "name": "cluster-loggin-operator"
+ }
}
}
],
"kind": "List",
"metadata": {
- "resourceVersion": "",
- "selfLink": ""
+ "resourceVersion": ""
}
}
EOF
diff --git a/applications/openshift/logging/cluster_logging_operator_exists_logging_api/rule.yml b/applications/openshift/logging/cluster_logging_operator_exists_logging_api/rule.yml
new file mode 100644
index 000000000000..4644f3afd5c0
--- /dev/null
+++ b/applications/openshift/logging/cluster_logging_operator_exists_logging_api/rule.yml
@@ -0,0 +1,47 @@
+
+title: Ensure that OpenShift Logging Operator is scanning the cluster
+
+description: |-
+ OpenShift Logging Operator provides ability to aggregate all the logs from the
+ OpenShift Container Platform cluster, such as node system audit logs, application
+ container logs, and infrastructure logs. OpenShift Logging aggregates these logs
+ from throughout OpenShift cluster and stores them in a default log store. [1]
+
+ [1]https://docs.openshift.com/container-platform/4.10/logging/cluster-logging.html
+
+rationale: |-
+ OpenShift Logging Operator is able to collect, aggregate, and manage logs.
+
+identifiers:
+ cce@ocp4: CCE-86638-4
+
+references:
+ nist: AU-3(2)
+ srg: SRG-APP-000092-CTR-000165,SRG-APP-000111-CTR-000220,SRG-APP-000358-CTR-000805
+
+ocil_clause: 'OpenShift Logging Operator is not installed'
+
+ocil: |-
+ Run the following command to retrieve the clusterlogging objects in the system:
+ $ oc get clusterlogging --all-namespaces
+ Make sure the OpenShift Logging Operator is installed and there exists
+ at least one active clusterlogging in the cluster.
+
+severity: medium
+
+
+warnings:
+- general: |-
+ {{{ openshift_cluster_setting("/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterloggings/instance") | indent(4) }}}
+
+template:
+ name: yamlfile_value
+ vars:
+ ocp_data: "true"
+ filepath: /apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterloggings/instance
+ yamlpath: ".metadata.name"
+ entity_check: "at least one"
+ values:
+ - value: ".*"
+ operation: "pattern match"
+
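Review bot: This rule carries the same `title`, `description` and `ocil_clause` as the sibling `cluster_logging_operator_exists_observability_api` rule, so a compliance report listing both shows two identically named checks with no indication of which API each evaluates. Put the API in the title, e.g. `title: Ensure that OpenShift Logging Operator is scanning the cluster (logging.openshift.io/v1 ClusterLogging)`, and add a sentence to `description` saying this variant applies to clusters still using the ClusterLogging API while the sibling covers ClusterLogForwarder in observability.openshift.io/v1. The `[1]` link pins the 4.10 documentation, which may be intended for the older API, but it is worth confirming it still resolves before shipping a new rule with it.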
diff --git a/applications/openshift/logging/cluster_logging_operator_exists_logging_api/tests/does_not_have_logging_instance.fail.sh b/applications/openshift/logging/cluster_logging_operator_exists_logging_api/tests/does_not_have_logging_instance.fail.sh
new file mode 100644
index 000000000000..0b4c6760a3c6
--- /dev/null
+++ b/applications/openshift/logging/cluster_logging_operator_exists_logging_api/tests/does_not_have_logging_instance.fail.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+# remediation = none
+
+yum install -y jq
+
+kube_apipath="/kubernetes-api-resources"
+
+mkdir -p "$kube_apipath/apis/logging.openshift.io/v1/namespaces/openshift-logging/"
+
+routes_apipath="/apis/logging.openshift.io/v1/namespaces/openshift-logging/instance"
+
+cat < "$kube_apipath$routes_apipath"
+{
+ "apiVersion": "v1",
+ "items": [],
+ "kind": "List",
+ "metadata": {
+ "resourceVersion": "",
+ "selfLink": ""
+ }
+}
+EOF
diff --git a/applications/openshift/logging/cluster_logging_operator_exists_logging_api/tests/have_cluster_logging_instance.pass.sh b/applications/openshift/logging/cluster_logging_operator_exists_logging_api/tests/have_cluster_logging_instance.pass.sh
new file mode 100644
index 000000000000..0004bf2da49d
--- /dev/null
+++ b/applications/openshift/logging/cluster_logging_operator_exists_logging_api/tests/have_cluster_logging_instance.pass.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+# remediation = none
+
+yum install -y jq
+
+kube_apipath="/kubernetes-api-resources"
+
+mkdir -p "$kube_apipath/apis/logging.openshift.io/v1/namespaces/openshift-logging/"
+
+routes_apipath="/apis/logging.openshift.io/v1/namespaces/openshift-logging/instance"
+
+cat < "$kube_apipath$routes_apipath"
+{
+ "apiVersion": "v1",
+ "items": [
+ {
+ "apiVersion": "observability.openshift.io/v1",
+ "kind": "ClusterLogForwarder",
+ "metadata": {
+ "annotations": {
+ "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"observability.openshift.io/v1\",\"kind\":\"ClusterLogForwarder\",\"metadata\":{\"annotations\":{},\"name\":\"instance\",\"namespace\":\"openshift-logging\"},\"spec\":{\"outputs\":[{\"elasticsearch\":{\"index\":\"most-logs\",\"url\":\"https://elasticsearch:9200\",\"version\":6},\"name\":\"default-elasticsearch\",\"type\":\"elasticsearch\"}],\"pipelines\":[{\"inputRefs\":[\"application\",\"audit\",\"infrastructure\"],\"name\":\"most-logs\",\"outputRefs\":[\"default\"]},{\"inputRefs\":[\"audit\"],\"name\":\"audit-logs\",\"outputRefs\":[\"default\"]}],\"serviceAccount\":{\"name\":\"cluster-loggin-operator\"}}}\n"
+ },
+ "creationTimestamp": "2024-09-30T15:34:24Z",
+ "generation": 1,
+ "name": "instance",
+ "namespace": "openshift-logging",
+ "resourceVersion": "95318",
+ "uid": "7804fab5-b945-4024-acb7-e89652b5d4f7"
+ },
+ "spec": {
+ "managementState": "Managed",
+ "outputs": [
+ {
+ "elasticsearch": {
+ "index": "most-logs",
+ "url": "https://elasticsearch:9200",
+ "version": 6
+ },
+ "name": "default-elasticsearch",
+ "type": "elasticsearch"
+ }
+ ],
+ "pipelines": [
+ {
+ "inputRefs": [
+ "application",
+ "audit",
+ "infrastructure"
+ ],
+ "name": "most-logs",
+ "outputRefs": [
+ "default"
+ ]
+ },
+ {
+ "inputRefs": [
+ "audit"
+ ],
+ "name": "audit-logs",
+ "outputRefs": [
+ "default"
+ ]
+ }
+ ],
+ "serviceAccount": {
+ "name": "cluster-loggin-operator"
+ }
+ }
+ }
+ ],
+ "kind": "List",
+ "metadata": {
+ "resourceVersion": ""
+ }
+}
+EOF
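Review bot: The pass fixture holds a `ClusterLogForwarder` with `apiVersion: observability.openshift.io/v1`, yet this rule's template reads `/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterloggings/instance` with `yamlpath: ".metadata.name"`, i.e. a single ClusterLogging object; the body looks copied from the observability fixture. The fixture is also a `List`, whose top-level `metadata` has only `resourceVersion`, so `.metadata.name` matches nothing and the pass case cannot pass against this data, which means the "logging API" variant is never shown to pass at all. Replace the body with one ClusterLogging object shaped like a single-resource GET (`"apiVersion": "logging.openshift.io/v1"`, `"kind": "ClusterLogging"`, `"metadata": {"name": "instance", "namespace": "openshift-logging"}`) and write it to the path the rule declares.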
diff --git a/applications/openshift/logging/cluster_logging_operator_exists_logging_api/tests/ocp4/e2e.yml b/applications/openshift/logging/cluster_logging_operator_exists_logging_api/tests/ocp4/e2e.yml
new file mode 100644
index 000000000000..fd9b313e87b4
--- /dev/null
+++ b/applications/openshift/logging/cluster_logging_operator_exists_logging_api/tests/ocp4/e2e.yml
@@ -0,0 +1,3 @@
+---
+default_result: FAIL
+result_after_remediation: PASS
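Review bot: `result_after_remediation: PASS` asserts a remediated outcome for a rule whose test scripts declare `# remediation = none` and whose rule.yml ships no fix, so unless the e2e harness treats this key as informational it may be checking a state nothing can produce. Confirm against how other template-only ocp4 rules set this key in their e2e.yml and apply the same value to the identical file added under `cluster_logging_operator_exists_observability_api`.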
diff --git a/applications/openshift/logging/cluster_logging_operator_exists_observability_api/rule.yml b/applications/openshift/logging/cluster_logging_operator_exists_observability_api/rule.yml
new file mode 100644
index 000000000000..dd2dc336f7c2
--- /dev/null
+++ b/applications/openshift/logging/cluster_logging_operator_exists_observability_api/rule.yml
@@ -0,0 +1,47 @@
+
+title: Ensure that OpenShift Logging Operator is scanning the cluster
+
+description: |-
+ OpenShift Logging Operator provides ability to aggregate all the logs from the
+ OpenShift Container Platform cluster, such as node system audit logs, application
+ container logs, and infrastructure logs. OpenShift Logging aggregates these logs
+ from throughout OpenShift cluster and stores them in a default log store. [1]
+
+ [1]https://docs.openshift.com/container-platform/4.10/logging/cluster-logging.html
+
+rationale: |-
+ OpenShift Logging Operator is able to collect, aggregate, and manage logs.
+
+identifiers:
+ cce@ocp4: CCE-86639-2
+
+references:
+ nist: AU-3(2)
+ srg: SRG-APP-000092-CTR-000165,SRG-APP-000111-CTR-000220,SRG-APP-000358-CTR-000805
+
+ocil_clause: 'OpenShift Logging Operator is not installed'
+
+ocil: |-
+ Run the following command to retrieve the clusterlogforwarder objects in the system:
+ $ oc get clusterlogforwarder --all-namespaces
+ Make sure the OpenShift Logging Operator is installed and there exists
+ at least one active clusterlogforwarderobject in the cluster.
+
+severity: medium
+
+
+warnings:
+- general: |-
+ {{{ openshift_cluster_setting("/apis/observability.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders") | indent(4) }}}
+
+template:
+ name: yamlfile_value
+ vars:
+ ocp_data: "true"
+ filepath: /apis/observability.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders
+ yamlpath: ".items[].metadata.name"
+ entity_check: "at least one"
+ values:
+ - value: ".*"
+ operation: "pattern match"
+
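Review bot: `at least one active clusterlogforwarderobject in the cluster.` in the `ocil` block is missing a space and should read `at least one active clusterlogforwarder object in the cluster.` As with its sibling, the `title` is identical to `cluster_logging_operator_exists_logging_api`, so name the API in it, e.g. `title: Ensure that OpenShift Logging Operator is scanning the cluster (observability.openshift.io/v1 ClusterLogForwarder)`, and say in `description` which API this variant evaluates. The `yamlpath: ".items[].metadata.name"` against the `clusterlogforwarders` collection is consistent with a list response, but the test scripts for this rule write their fixture to `.../openshift-logging/instance` rather than this collection path, so they need to be aligned to the `filepath` here for the pass and fail cases to mean anything.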
diff --git a/applications/openshift/logging/cluster_logging_operator_exists_observability_api/tests/does_not_have_logging_instance.fail.sh b/applications/openshift/logging/cluster_logging_operator_exists_observability_api/tests/does_not_have_logging_instance.fail.sh
new file mode 100644
index 000000000000..8dd29d4abfd4
--- /dev/null
+++ b/applications/openshift/logging/cluster_logging_operator_exists_observability_api/tests/does_not_have_logging_instance.fail.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+# remediation = none
+
+yum install -y jq
+
+kube_apipath="/kubernetes-api-resources"
+
+mkdir -p "$kube_apipath/apis/observability.openshift.io/v1/namespaces/openshift-logging/"
+
+routes_apipath="/apis/observability.openshift.io/v1/namespaces/openshift-logging/instance"
+
+cat < "$kube_apipath$routes_apipath"
+{
+ "apiVersion": "v1",
+ "items": [],
+ "kind": "List",
+ "metadata": {
+ "resourceVersion": "",
+ "selfLink": ""
+ }
+}
+EOF
diff --git a/applications/openshift/logging/cluster_logging_operator_exists_observability_api/tests/have_cluster_logging_instance.pass.sh b/applications/openshift/logging/cluster_logging_operator_exists_observability_api/tests/have_cluster_logging_instance.pass.sh
new file mode 100644
index 000000000000..391ab0611a5d
--- /dev/null
+++ b/applications/openshift/logging/cluster_logging_operator_exists_observability_api/tests/have_cluster_logging_instance.pass.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+# remediation = none
+
+yum install -y jq
+
+kube_apipath="/kubernetes-api-resources"
+
+mkdir -p "$kube_apipath/apis/observability.openshift.io/v1/namespaces/openshift-logging/"
+
+routes_apipath="/apis/observability.openshift.io/v1/namespaces/openshift-logging/instance"
+
+cat < "$kube_apipath$routes_apipath"
+{
+ "apiVersion": "v1",
+ "items": [
+ {
+ "apiVersion": "observability.openshift.io/v1",
+ "kind": "ClusterLogForwarder",
+ "metadata": {
+ "annotations": {
+ "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"observability.openshift.io/v1\",\"kind\":\"ClusterLogForwarder\",\"metadata\":{\"annotations\":{},\"name\":\"instance\",\"namespace\":\"openshift-logging\"},\"spec\":{\"outputs\":[{\"elasticsearch\":{\"index\":\"most-logs\",\"url\":\"https://elasticsearch:9200\",\"version\":6},\"name\":\"default-elasticsearch\",\"type\":\"elasticsearch\"}],\"pipelines\":[{\"inputRefs\":[\"application\",\"audit\",\"infrastructure\"],\"name\":\"most-logs\",\"outputRefs\":[\"default\"]},{\"inputRefs\":[\"audit\"],\"name\":\"audit-logs\",\"outputRefs\":[\"default\"]}],\"serviceAccount\":{\"name\":\"cluster-loggin-operator\"}}}\n"
+ },
+ "creationTimestamp": "2024-09-30T15:34:24Z",
+ "generation": 1,
+ "name": "instance",
+ "namespace": "openshift-logging",
+ "resourceVersion": "95318",
+ "uid": "7804fab5-b945-4024-acb7-e89652b5d4f7"
+ },
+ "spec": {
+ "managementState": "Managed",
+ "outputs": [
+ {
+ "elasticsearch": {
+ "index": "most-logs",
+ "url": "https://elasticsearch:9200",
+ "version": 6
+ },
+ "name": "default-elasticsearch",
+ "type": "elasticsearch"
+ }
+ ],
+ "pipelines": [
+ {
+ "inputRefs": [
+ "application",
+ "audit",
+ "infrastructure"
+ ],
+ "name": "most-logs",
+ "outputRefs": [
+ "default"
+ ]
+ },
+ {
+ "inputRefs": [
+ "audit"
+ ],
+ "name": "audit-logs",
+ "outputRefs": [
+ "default"
+ ]
+ }
+ ],
+ "serviceAccount": {
+ "name": "cluster-loggin-operator"
+ }
+ }
+ }
+ ],
+ "kind": "List",
+ "metadata": {
+ "resourceVersion": ""
+ }
+}
+EOF
diff --git a/applications/openshift/logging/cluster_logging_operator_exists_observability_api/tests/ocp4/e2e.yml b/applications/openshift/logging/cluster_logging_operator_exists_observability_api/tests/ocp4/e2e.yml
new file mode 100644
index 000000000000..fd9b313e87b4
--- /dev/null
+++ b/applications/openshift/logging/cluster_logging_operator_exists_observability_api/tests/ocp4/e2e.yml
@@ -0,0 +1,3 @@
+---
+default_result: FAIL
+result_after_remediation: PASS
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 13ba05881e54..773b3da55f2f 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -110,8 +110,6 @@ CCE-86633-5
CCE-86635-0
CCE-86636-8
CCE-86637-6
-CCE-86638-4
-CCE-86639-2
CCE-86641-8
CCE-86643-4
CCE-86647-5