From 1fa8af9d7ad4ce7489afb9ecfff8be5bc50e98ac Mon Sep 17 00:00:00 2001 
From: Watson Sato Date: Thu, 3 Oct 2024 09:23:04 +0200 Subject: [PATCH] cluster_logging_operator_exists now handles two APIs Rework rule cluster_logging_operator_exist to check for the existence of a logging instance from either the logging or the observability API. Adds two rules, one per API, each checking for a log forwarding object. --- .../oval/shared.xml | 11 +++ .../cluster_logging_operator_exist/rule.yml | 23 ++--- .../does_not_have_logging_instance.fail.sh | 4 +- .../have_cluster_logging_instance.pass.sh | 94 +++++++++---------- .../rule.yml | 47 ++++++++++ .../does_not_have_logging_instance.fail.sh | 22 +++++ .../have_cluster_logging_instance.pass.sh | 76 +++++++++++++++ .../tests/ocp4/e2e.yml | 3 + .../rule.yml | 47 ++++++++++ .../does_not_have_logging_instance.fail.sh | 22 +++++ .../have_cluster_logging_instance.pass.sh | 76 +++++++++++++++ .../tests/ocp4/e2e.yml | 3 + shared/references/cce-redhat-avail.txt | 2 - 13 files changed, 361 insertions(+), 69 deletions(-) create mode 100644 applications/openshift/logging/cluster_logging_operator_exist/oval/shared.xml create mode 100644 applications/openshift/logging/cluster_logging_operator_exists_logging_api/rule.yml create mode 100644 applications/openshift/logging/cluster_logging_operator_exists_logging_api/tests/does_not_have_logging_instance.fail.sh create mode 100644 applications/openshift/logging/cluster_logging_operator_exists_logging_api/tests/have_cluster_logging_instance.pass.sh create mode 100644 applications/openshift/logging/cluster_logging_operator_exists_logging_api/tests/ocp4/e2e.yml create mode 100644 applications/openshift/logging/cluster_logging_operator_exists_observability_api/rule.yml create mode 100644 applications/openshift/logging/cluster_logging_operator_exists_observability_api/tests/does_not_have_logging_instance.fail.sh create mode 100644 applications/openshift/logging/cluster_logging_operator_exists_observability_api/tests/have_cluster_logging_instance.pass.sh create mode 100644 
applications/openshift/logging/cluster_logging_operator_exists_observability_api/tests/ocp4/e2e.yml diff --git a/applications/openshift/logging/cluster_logging_operator_exist/oval/shared.xml b/applications/openshift/logging/cluster_logging_operator_exist/oval/shared.xml new file mode 100644 index 000000000000..09e3e8718322 --- /dev/null +++ b/applications/openshift/logging/cluster_logging_operator_exist/oval/shared.xml @@ -0,0 +1,11 @@ + + {{{ + oval_metadata("Cluster Logging operator is installed and scanning") }}} + + + + + diff --git a/applications/openshift/logging/cluster_logging_operator_exist/rule.yml b/applications/openshift/logging/cluster_logging_operator_exist/rule.yml index 79d5414d37e7..131c98c4b61b 100644 --- a/applications/openshift/logging/cluster_logging_operator_exist/rule.yml +++ b/applications/openshift/logging/cluster_logging_operator_exist/rule.yml @@ -22,26 +22,17 @@ references: ocil_clause: 'OpenShift Logging Operator is not installed' ocil: |- - Run the following command to retrieve the clusterlogging objects in the system: -
$ oc get clusterloggings --all-namespaces
+ Run the following command to retrieve the clusterlogforwarder objects in the system: +
$ oc get clusterlogforwarder --all-namespaces
Make sure the OpenShift Logging Operator is installed and there exists - at least one active clusterlogging object in the cluster. + at least one active clusterlogforwarder object in the cluster. severity: medium warnings: - general: |- - {{{ openshift_cluster_setting("/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterloggings/instance") | indent(4) }}} - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: /apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterloggings/instance - yamlpath: "metadata.name" - entity_check: "at least one" - values: - - value: ".*" - operation: "pattern match" - + {{{ openshift_cluster_setting([ + "/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterloggings/instance", + "/apis/observability.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders", + ]) | indent(4) }}} diff --git a/applications/openshift/logging/cluster_logging_operator_exist/tests/does_not_have_logging_instance.fail.sh b/applications/openshift/logging/cluster_logging_operator_exist/tests/does_not_have_logging_instance.fail.sh index 0b4c6760a3c6..8dd29d4abfd4 100644 --- a/applications/openshift/logging/cluster_logging_operator_exist/tests/does_not_have_logging_instance.fail.sh +++ b/applications/openshift/logging/cluster_logging_operator_exist/tests/does_not_have_logging_instance.fail.sh @@ -5,9 +5,9 @@ yum install -y jq kube_apipath="/kubernetes-api-resources" -mkdir -p "$kube_apipath/apis/logging.openshift.io/v1/namespaces/openshift-logging/" +mkdir -p "$kube_apipath/apis/observability.openshift.io/v1/namespaces/openshift-logging/" -routes_apipath="/apis/logging.openshift.io/v1/namespaces/openshift-logging/instance" +routes_apipath="/apis/observability.openshift.io/v1/namespaces/openshift-logging/instance" cat < "$kube_apipath$routes_apipath" { 
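Review bot: The manual check in `ocil` now only has the auditor run `oc get clusterlogforwarder --all-namespaces`, while the `warnings` block lists both `/apis/logging.openshift.io/v1/.../clusterloggings/instance` and `/apis/observability.openshift.io/v1/.../clusterlogforwarders` as what the automated check reads, so an auditor following the OCIL would fail a cluster that only has a `ClusterLogging` instance and that the scanner passes. `oc get clusterlogforwarder` is also ambiguous, because that resource name exists in both API groups and `oc` will resolve it to one of them without saying which. I would spell out both resources, `$ oc get clusterloggings.logging.openshift.io --all-namespaces` and `$ oc get clusterlogforwarders.observability.openshift.io --all-namespaces`, and state that at least one object from either API must exist. The `yamlfile_value` template was removed in favour of the new `oval/shared.xml`, whose definition body is not legible in this patch, so I cannot confirm the OVAL actually ORs the two paths the warning names.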
diff --git a/applications/openshift/logging/cluster_logging_operator_exist/tests/have_cluster_logging_instance.pass.sh b/applications/openshift/logging/cluster_logging_operator_exist/tests/have_cluster_logging_instance.pass.sh index dabd5f9a4038..391ab0611a5d 100644 --- a/applications/openshift/logging/cluster_logging_operator_exist/tests/have_cluster_logging_instance.pass.sh +++ b/applications/openshift/logging/cluster_logging_operator_exist/tests/have_cluster_logging_instance.pass.sh 
@@ -5,76 +5,72 @@ yum install -y jq kube_apipath="/kubernetes-api-resources" -mkdir -p "$kube_apipath/apis/logging.openshift.io/v1/namespaces/openshift-logging/" +mkdir -p "$kube_apipath/apis/observability.openshift.io/v1/namespaces/openshift-logging/" -routes_apipath="/apis/logging.openshift.io/v1/namespaces/openshift-logging/instance" +routes_apipath="/apis/observability.openshift.io/v1/namespaces/openshift-logging/instance" cat < "$kube_apipath$routes_apipath" { "apiVersion": "v1", "items": [ { - "apiVersion": "logging.openshift.io/v1", - "kind": "ClusterLogging", + "apiVersion": "observability.openshift.io/v1", + "kind": "ClusterLogForwarder", "metadata": { - "creationTimestamp": "2022-04-07T22:31:00Z", + "annotations": { + "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"observability.openshift.io/v1\",\"kind\":\"ClusterLogForwarder\",\"metadata\":{\"annotations\":{},\"name\":\"instance\",\"namespace\":\"openshift-logging\"},\"spec\":{\"outputs\":[{\"elasticsearch\":{\"index\":\"most-logs\",\"url\":\"https://elasticsearch:9200\",\"version\":6},\"name\":\"default-elasticsearch\",\"type\":\"elasticsearch\"}],\"pipelines\":[{\"inputRefs\":[\"application\",\"audit\",\"infrastructure\"],\"name\":\"most-logs\",\"outputRefs\":[\"default\"]},{\"inputRefs\":[\"audit\"],\"name\":\"audit-logs\",\"outputRefs\":[\"default\"]}],\"serviceAccount\":{\"name\":\"cluster-loggin-operator\"}}}\n" + }, + "creationTimestamp": "2024-09-30T15:34:24Z", "generation": 1, "name": "instance", "namespace": "openshift-logging", - "resourceVersion": "16375545", - "uid": "dcc9e26d-934d-4dca-9e88-dcbc6b85c669" + "resourceVersion": "95318", + "uid": "7804fab5-b945-4024-acb7-e89652b5d4f7" }, "spec": { - "collection": { - "logs": { - "fluentd": {}, - "type": "fluentd" - } - }, - "curation": { - "curator": { - "schedule": "30 3,9,15,21 * * *" - }, - "type": "curator" - }, - "logStore": { - "elasticsearch": { - "nodeCount": 1, - "redundancyPolicy": "ZeroRedundancy", - 
"resources": { - "limits": { - "cpu": "500m", - "memory": "4Gi" - } - }, - "storage": {} - }, - "type": "elasticsearch" - }, "managementState": "Managed", - "visualization": { - "kibana": { - "replicas": 1 + "outputs": [ + { + "elasticsearch": { + "index": "most-logs", + "url": "https://elasticsearch:9200", + "version": 6 + }, + "name": "default-elasticsearch", + "type": "elasticsearch" + } + ], + "pipelines": [ + { + "inputRefs": [ + "application", + "audit", + "infrastructure" + ], + "name": "most-logs", + "outputRefs": [ + "default" + ] }, - "type": "kibana" - } - }, - "status": { - "collection": { - "logs": { - "fluentdStatus": {} + { + "inputRefs": [ + "audit" + ], + "name": "audit-logs", + "outputRefs": [ + "default" + ] } - }, - "curation": {}, - "logStore": {}, - "visualization": {} + ], + "serviceAccount": { + "name": "cluster-loggin-operator" + } } } ], "kind": "List", "metadata": { - "resourceVersion": "", - "selfLink": "" + "resourceVersion": "" } } EOF diff --git a/applications/openshift/logging/cluster_logging_operator_exists_logging_api/rule.yml b/applications/openshift/logging/cluster_logging_operator_exists_logging_api/rule.yml new file mode 100644 index 000000000000..4644f3afd5c0 --- /dev/null +++ b/applications/openshift/logging/cluster_logging_operator_exists_logging_api/rule.yml 
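Review bot: The pass fixture is written to `/apis/observability.openshift.io/v1/namespaces/openshift-logging/instance`, but the path the rule's warning names for the observability API is `.../openshift-logging/clusterlogforwarders`, a list endpoint; if the harness maps fixtures to the exact API path the check reads, this file is never consulted and a PASS would not come from the `ClusterLogForwarder` it contains. The same offset existed before this change (`.../instance` versus `.../clusterloggings/instance`), so it may be a harness convention I cannot see from here, but it is worth confirming rather than assuming. Switching the only pass fixture to the observability API also leaves the `logging.openshift.io` path, which the rule still accepts, without any positive test. I would point this script at `routes_apipath="/apis/observability.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders"` and add a second pass script that restores the removed `logging.openshift.io/v1` `ClusterLogging` object under `.../clusterloggings/instance`.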
@@ -0,0 +1,47 @@
+
+title: Ensure that OpenShift Logging Operator is scanning the cluster
+
+description: |-
+ OpenShift Logging Operator provides ability to aggregate all the logs from the
+ OpenShift Container Platform cluster, such as node system audit logs, application
+ container logs, and infrastructure logs. OpenShift Logging aggregates these logs
+ from throughout OpenShift cluster and stores them in a default log store. [1]
+
+ [1]https://docs.openshift.com/container-platform/4.10/logging/cluster-logging.html
+
+rationale: |-
+ OpenShift Logging Operator is able to collect, aggregate, and manage logs.
+
+identifiers:
+ cce@ocp4: CCE-86638-4
+
+references:
+ nist: AU-3(2)
+ srg: SRG-APP-000092-CTR-000165,SRG-APP-000111-CTR-000220,SRG-APP-000358-CTR-000805
+
+ocil_clause: 'OpenShift Logging Operator is not installed'
+
+ocil: |-
+ Run the following command to retrieve the clusterlogging objects in the system:
+
$ oc get clusterlogging --all-namespaces
+ Make sure the OpenShift Logging Operator is installed and there exists
+ at least one active clusterlogging in the cluster.
+
+severity: medium
+
+
+warnings:
+- general: |-
+ {{{ openshift_cluster_setting("/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterloggings/instance") | indent(4) }}}
+
+template:
+ name: yamlfile_value
+ vars:
+ ocp_data: "true"
+ filepath: /apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterloggings/instance
+ yamlpath: ".metadata.name"
+ entity_check: "at least one"
+ values:
+ - value: ".*"
+ operation: "pattern match"
+
diff --git a/applications/openshift/logging/cluster_logging_operator_exists_logging_api/tests/does_not_have_logging_instance.fail.sh b/applications/openshift/logging/cluster_logging_operator_exists_logging_api/tests/does_not_have_logging_instance.fail.sh
new file mode 100644
index 000000000000..0b4c6760a3c6
--- /dev/null
+++ b/applications/openshift/logging/cluster_logging_operator_exists_logging_api/tests/does_not_have_logging_instance.fail.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+# remediation = none
+
+yum install -y jq
+
+kube_apipath="/kubernetes-api-resources"
+
+mkdir -p "$kube_apipath/apis/logging.openshift.io/v1/namespaces/openshift-logging/"
+
+routes_apipath="/apis/logging.openshift.io/v1/namespaces/openshift-logging/instance"
+
+cat < "$kube_apipath$routes_apipath"
+{
+ "apiVersion": "v1",
+ "items": [],
+ "kind": "List",
+ "metadata": {
+ "resourceVersion": "",
+ "selfLink": ""
+ }
+}
+EOF
diff --git a/applications/openshift/logging/cluster_logging_operator_exists_logging_api/tests/have_cluster_logging_instance.pass.sh b/applications/openshift/logging/cluster_logging_operator_exists_logging_api/tests/have_cluster_logging_instance.pass.sh
new file mode 100644
index 000000000000..0004bf2da49d
--- /dev/null
+++ b/applications/openshift/logging/cluster_logging_operator_exists_logging_api/tests/have_cluster_logging_instance.pass.sh
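Review bot: The check only asserts that `.metadata.name` of `clusterloggings/instance` matches `.*`, so the title's claim that the operator "is scanning the cluster" is stronger than what is verified: an instance whose `spec.managementState` is `Unmanaged` (the field is visible in the fixtures) passes exactly like a managed one. If existence is all that is intended, I would soften the title; otherwise add a second check on `.spec.managementState` against `Managed`. This rule and its observability sibling also carry an identical title and description, so they cannot be told apart in a profile or report; I would name the API in each, e.g. `title: Ensure that OpenShift Logging Operator is scanning the cluster (logging.openshift.io API)`. The description still links the 4.10 logging docs, which predate the observability API this commit adds support for; a link that covers both APIs would help the reader.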
@@ -0,0 +1,76 @@ +#!/bin/bash +# remediation = none + +yum install -y jq + +kube_apipath="/kubernetes-api-resources" + +mkdir -p "$kube_apipath/apis/logging.openshift.io/v1/namespaces/openshift-logging/" + +routes_apipath="/apis/logging.openshift.io/v1/namespaces/openshift-logging/instance" + +cat < "$kube_apipath$routes_apipath" +{ + "apiVersion": "v1", + "items": [ + { + "apiVersion": "observability.openshift.io/v1", + "kind": "ClusterLogForwarder", + "metadata": { + "annotations": { + "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"observability.openshift.io/v1\",\"kind\":\"ClusterLogForwarder\",\"metadata\":{\"annotations\":{},\"name\":\"instance\",\"namespace\":\"openshift-logging\"},\"spec\":{\"outputs\":[{\"elasticsearch\":{\"index\":\"most-logs\",\"url\":\"https://elasticsearch:9200\",\"version\":6},\"name\":\"default-elasticsearch\",\"type\":\"elasticsearch\"}],\"pipelines\":[{\"inputRefs\":[\"application\",\"audit\",\"infrastructure\"],\"name\":\"most-logs\",\"outputRefs\":[\"default\"]},{\"inputRefs\":[\"audit\"],\"name\":\"audit-logs\",\"outputRefs\":[\"default\"]}],\"serviceAccount\":{\"name\":\"cluster-loggin-operator\"}}}\n" + }, + "creationTimestamp": "2024-09-30T15:34:24Z", + "generation": 1, + "name": "instance", + "namespace": "openshift-logging", + "resourceVersion": "95318", + "uid": "7804fab5-b945-4024-acb7-e89652b5d4f7" + }, + "spec": { + "managementState": "Managed", + "outputs": [ + { + "elasticsearch": { + "index": "most-logs", + "url": "https://elasticsearch:9200", + "version": 6 + }, + "name": "default-elasticsearch", + "type": "elasticsearch" + } + ], + "pipelines": [ + { + "inputRefs": [ + "application", + "audit", + "infrastructure" + ], + "name": "most-logs", + "outputRefs": [ + "default" + ] + }, + { + "inputRefs": [ + "audit" + ], + "name": "audit-logs", + "outputRefs": [ + "default" + ] + } + ], + "serviceAccount": { + "name": "cluster-loggin-operator" + } + } + } + ], + "kind": "List", + "metadata": { + 
"resourceVersion": ""
+ }
+}
+EOF
diff --git a/applications/openshift/logging/cluster_logging_operator_exists_logging_api/tests/ocp4/e2e.yml b/applications/openshift/logging/cluster_logging_operator_exists_logging_api/tests/ocp4/e2e.yml
new file mode 100644
index 000000000000..fd9b313e87b4
--- /dev/null
+++ b/applications/openshift/logging/cluster_logging_operator_exists_logging_api/tests/ocp4/e2e.yml
@@ -0,0 +1,3 @@
+---
+default_result: FAIL
+result_after_remediation: PASS
diff --git a/applications/openshift/logging/cluster_logging_operator_exists_observability_api/rule.yml b/applications/openshift/logging/cluster_logging_operator_exists_observability_api/rule.yml
new file mode 100644
index 000000000000..dd2dc336f7c2
--- /dev/null
+++ b/applications/openshift/logging/cluster_logging_operator_exists_observability_api/rule.yml
@@ -0,0 +1,47 @@
+
+title: Ensure that OpenShift Logging Operator is scanning the cluster
+
+description: |-
+ OpenShift Logging Operator provides ability to aggregate all the logs from the
+ OpenShift Container Platform cluster, such as node system audit logs, application
+ container logs, and infrastructure logs. OpenShift Logging aggregates these logs
+ from throughout OpenShift cluster and stores them in a default log store. [1]
+
+ [1]https://docs.openshift.com/container-platform/4.10/logging/cluster-logging.html
+
+rationale: |-
+ OpenShift Logging Operator is able to collect, aggregate, and manage logs.
+
+identifiers:
+ cce@ocp4: CCE-86639-2
+
+references:
+ nist: AU-3(2)
+ srg: SRG-APP-000092-CTR-000165,SRG-APP-000111-CTR-000220,SRG-APP-000358-CTR-000805
+
+ocil_clause: 'OpenShift Logging Operator is not installed'
+
+ocil: |-
+ Run the following command to retrieve the clusterlogforwarder objects in the system:
+
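Review bot: This pass fixture for the `logging.openshift.io` rule contains an `observability.openshift.io/v1` `ClusterLogForwarder` wrapped in a `List`, while the rule reads `/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterloggings/instance` with `yamlpath: ".metadata.name"`, i.e. a single `ClusterLogging` object. The file is also written to `.../openshift-logging/instance` rather than the `.../clusterloggings/instance` path the rule names, so if the harness feeds fixtures by exact path the check never sees it, and if it did, the top-level `metadata` of a `List` has no `name` for the pattern to match. Either way the test does not demonstrate that the rule passes on a real `ClusterLogging` instance. I would restore the `logging.openshift.io/v1` `ClusterLogging` object the parent rule's test used to carry, as a single object rather than a `List`, at `routes_apipath="/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterloggings/instance"`.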
$ oc get clusterlogforwarder --all-namespaces
+ Make sure the OpenShift Logging Operator is installed and there exists
+ at least one active clusterlogforwarderobject in the cluster.
+
+severity: medium
+
+
+warnings:
+- general: |-
+ {{{ openshift_cluster_setting("/apis/observability.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders") | indent(4) }}}
+
+template:
+ name: yamlfile_value
+ vars:
+ ocp_data: "true"
+ filepath: /apis/observability.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders
+ yamlpath: ".items[].metadata.name"
+ entity_check: "at least one"
+ values:
+ - value: ".*"
+ operation: "pattern match"
+
diff --git a/applications/openshift/logging/cluster_logging_operator_exists_observability_api/tests/does_not_have_logging_instance.fail.sh b/applications/openshift/logging/cluster_logging_operator_exists_observability_api/tests/does_not_have_logging_instance.fail.sh
new file mode 100644
index 000000000000..8dd29d4abfd4
--- /dev/null
+++ b/applications/openshift/logging/cluster_logging_operator_exists_observability_api/tests/does_not_have_logging_instance.fail.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+# remediation = none
+
+yum install -y jq
+
+kube_apipath="/kubernetes-api-resources"
+
+mkdir -p "$kube_apipath/apis/observability.openshift.io/v1/namespaces/openshift-logging/"
+
+routes_apipath="/apis/observability.openshift.io/v1/namespaces/openshift-logging/instance"
+
+cat < "$kube_apipath$routes_apipath"
+{
+ "apiVersion": "v1",
+ "items": [],
+ "kind": "List",
+ "metadata": {
+ "resourceVersion": "",
+ "selfLink": ""
+ }
+}
+EOF
diff --git a/applications/openshift/logging/cluster_logging_operator_exists_observability_api/tests/have_cluster_logging_instance.pass.sh b/applications/openshift/logging/cluster_logging_operator_exists_observability_api/tests/have_cluster_logging_instance.pass.sh
new file mode 100644
index 000000000000..391ab0611a5d
--- /dev/null
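Review bot: `oc get clusterlogforwarder --all-namespaces` in the `ocil` is ambiguous, because the same resource name exists in both the `logging.openshift.io` and `observability.openshift.io` groups and `oc` will silently resolve it to one of them; the auditor should be told to run `$ oc get clusterlogforwarders.observability.openshift.io --all-namespaces`. The next sentence, "at least one active clusterlogforwarderobject", is missing a space. The `filepath` only lists forwarders in `openshift-logging`, whereas the OCIL looks across all namespaces; if this API permits a `ClusterLogForwarder` outside `openshift-logging` (not something this patch shows), such a cluster would fail the automated check while passing the manual one, so the two should agree on scope. As with the sibling rule, the check accepts any `.metadata.name` and never looks at `spec.managementState`, so "scanning the cluster" in the title overstates what is verified.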
+++ b/applications/openshift/logging/cluster_logging_operator_exists_observability_api/tests/have_cluster_logging_instance.pass.sh 
@@ -0,0 +1,76 @@ +#!/bin/bash +# remediation = none + +yum install -y jq + +kube_apipath="/kubernetes-api-resources" + +mkdir -p "$kube_apipath/apis/observability.openshift.io/v1/namespaces/openshift-logging/" + +routes_apipath="/apis/observability.openshift.io/v1/namespaces/openshift-logging/instance" + +cat < "$kube_apipath$routes_apipath" +{ + "apiVersion": "v1", + "items": [ + { + "apiVersion": "observability.openshift.io/v1", + "kind": "ClusterLogForwarder", + "metadata": { + "annotations": { + "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"observability.openshift.io/v1\",\"kind\":\"ClusterLogForwarder\",\"metadata\":{\"annotations\":{},\"name\":\"instance\",\"namespace\":\"openshift-logging\"},\"spec\":{\"outputs\":[{\"elasticsearch\":{\"index\":\"most-logs\",\"url\":\"https://elasticsearch:9200\",\"version\":6},\"name\":\"default-elasticsearch\",\"type\":\"elasticsearch\"}],\"pipelines\":[{\"inputRefs\":[\"application\",\"audit\",\"infrastructure\"],\"name\":\"most-logs\",\"outputRefs\":[\"default\"]},{\"inputRefs\":[\"audit\"],\"name\":\"audit-logs\",\"outputRefs\":[\"default\"]}],\"serviceAccount\":{\"name\":\"cluster-loggin-operator\"}}}\n" + }, + "creationTimestamp": "2024-09-30T15:34:24Z", + "generation": 1, + "name": "instance", + "namespace": "openshift-logging", + "resourceVersion": "95318", + "uid": "7804fab5-b945-4024-acb7-e89652b5d4f7" + }, + "spec": { + "managementState": "Managed", + "outputs": [ + { + "elasticsearch": { + "index": "most-logs", + "url": "https://elasticsearch:9200", + "version": 6 + }, + "name": "default-elasticsearch", + "type": "elasticsearch" + } + ], + "pipelines": [ + { + "inputRefs": [ + "application", + "audit", + "infrastructure" + ], + "name": "most-logs", + "outputRefs": [ + "default" + ] + }, + { + "inputRefs": [ + "audit" + ], + "name": "audit-logs", + "outputRefs": [ + "default" + ] + } + ], + "serviceAccount": { + "name": "cluster-loggin-operator" + } + } + } + ], + "kind": "List", + 
"metadata": {
+ "resourceVersion": ""
+ }
+}
+EOF
diff --git a/applications/openshift/logging/cluster_logging_operator_exists_observability_api/tests/ocp4/e2e.yml b/applications/openshift/logging/cluster_logging_operator_exists_observability_api/tests/ocp4/e2e.yml
new file mode 100644
index 000000000000..fd9b313e87b4
--- /dev/null
+++ b/applications/openshift/logging/cluster_logging_operator_exists_observability_api/tests/ocp4/e2e.yml
@@ -0,0 +1,3 @@
+---
+default_result: FAIL
+result_after_remediation: PASS
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 13ba05881e54..773b3da55f2f 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -110,8 +110,6 @@ CCE-86633-5
 CCE-86635-0
 CCE-86636-8
 CCE-86637-6
-CCE-86638-4
-CCE-86639-2
 CCE-86641-8
 CCE-86643-4
 CCE-86647-5
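Review bot: The fixture is written to `/apis/observability.openshift.io/v1/namespaces/openshift-logging/instance`, but the rule's `filepath` is `.../openshift-logging/clusterlogforwarders`; unless the harness rewrites fixture paths, the check never reads this file and a PASS would not come from the `ClusterLogForwarder` it contains. The `List` shape with `items[]` does match the rule's `yamlpath: ".items[].metadata.name"`, so only the path needs to change: `routes_apipath="/apis/observability.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders"`. The sibling fail fixture writes its empty `List` to the same `.../instance` path and should move with it, otherwise it fails for the wrong reason (missing file rather than empty list). Minor: the `serviceAccount` name `cluster-loggin-operator` looks like a typo; harmless, since the name is not checked.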