-
Notifications
You must be signed in to change notification settings - Fork 715
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add profile aliases for OpenShift versioned profiles
We've implement profile versioning for some of the OpenShift and RHCOS profiles. However, users that have ScanSettingBindings that reference profiles like `ocp4-cis` can still be affected by rolling updates to that profile. For example, when we implement support for CIS OpenShift 1.5.0, the `ocp4-cis` profile will automatically update to the rules for that profile. This is how we've historically maintained profiles. Now that we have a versioning mechanism and we're using it, we can give users the ability to pin to a specific version of a profile. This commit extends the profiles and names them according to their version. When a user wants to pin to a specific version of a profile, they can use `ocp4-cis-1.4` to run only the CIS OpenShift 1.4.0 rules, and they won't be affected by changes that implement the 1.5.0 profile when that is supported. This change doesn't change the functionality of the operator or the profiles, but gives users more flexibility for pinning to specific profile versions.
- Loading branch information
Showing
26 changed files
with
495 additions
and
90 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| documentation_complete: true | ||
|
|
||
| title: 'CIS Red Hat OpenShift Container Platform 4 Benchmark' | ||
|
|
||
| platform: ocp4 | ||
|
|
||
| metadata: | ||
| SMEs: | ||
| - JAORMX | ||
| - mrogers950 | ||
| - jhrozek | ||
| - rhmdnd | ||
| - Vincent056 | ||
| version: 1.4.0 | ||
|
|
||
| description: |- | ||
| This profile defines a baseline that aligns to the Center for Internet Security® | ||
| Red Hat OpenShift Container Platform 4 Benchmark™, V1.4. | ||
|
|
||
| This profile includes Center for Internet Security® | ||
| Red Hat OpenShift Container Platform 4 CIS Benchmarks™ content. | ||
|
|
||
| Note that this part of the profile is meant to run on the Platform that | ||
| Red Hat OpenShift Container Platform 4 runs on top of. | ||
|
|
||
| This profile is applicable to OpenShift versions 4.10 and greater. | ||
|
|
||
| filter_rules: '"ocp4-node" not in platforms and "ocp4-master-node" not in platforms and "ocp4-node-on-sdn" not in platforms and "ocp4-node-on-ovn" not in platforms' | ||
|
|
||
| selections: | ||
| - cis_ocp_1_4_0:all | ||
| ### Variables | ||
| - var_openshift_audit_profile=WriteRequestBodies | ||
| - var_event_record_qps=50 | ||
| ### Helper Rules | ||
| ### This is a helper rule to fetch the required api resource for detecting OCP version | ||
| - version_detect_in_ocp | ||
| - version_detect_in_hypershift |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| documentation_complete: true | ||
|
|
||
| title: 'CIS Red Hat OpenShift Container Platform 4 Benchmark' | ||
|
|
||
| platform: ocp4-node | ||
|
|
||
| metadata: | ||
| SMEs: | ||
| - JAORMX | ||
| - mrogers950 | ||
| - jhrozek | ||
| - rhmdnd | ||
| - Vincent056 | ||
| version: 1.4.0 | ||
|
|
||
| description: |- | ||
| This profile defines a baseline that aligns to the Center for Internet Security® | ||
| Red Hat OpenShift Container Platform 4 Benchmark™, V1.4. | ||
|
|
||
| This profile includes Center for Internet Security® | ||
| Red Hat OpenShift Container Platform 4 CIS Benchmarks™ content. | ||
|
|
||
| Note that this part of the profile is meant to run on the Operating System that | ||
| Red Hat OpenShift Container Platform 4 runs on top of. | ||
|
|
||
| This profile is applicable to OpenShift versions 4.10 and greater. | ||
|
|
||
| filter_rules: '"ocp4-node" in platforms or "ocp4-master-node" in platforms or "ocp4-node-on-sdn" in platforms or "ocp4-node-on-ovn" in platforms' | ||
|
|
||
| selections: | ||
| - cis_ocp_1_4_0:all |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| documentation_complete: true | ||
|
|
||
| reference: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/controls?version=5.1&security_baseline=High | ||
|
|
||
| title: 'NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Node level' | ||
|
|
||
| platform: ocp4-node | ||
|
|
||
| metadata: | ||
| version: Revision 4 | ||
| SMEs: | ||
| - JAORMX | ||
| - mrogers950 | ||
| - jhrozek | ||
|
|
||
| description: |- | ||
| This compliance profile reflects the core set of High-Impact Baseline | ||
| configuration settings for deployment of Red Hat OpenShift Container | ||
| Platform into U.S. Defense, Intelligence, and Civilian agencies. | ||
| Development partners and sponsors include the U.S. National Institute | ||
| of Standards and Technology (NIST), U.S. Department of Defense, | ||
| the National Security Agency, and Red Hat. | ||
|
|
||
| This baseline implements configuration requirements from the following | ||
| sources: | ||
|
|
||
| - NIST 800-53 control selections for High-Impact systems (NIST 800-53) | ||
|
|
||
| For any differing configuration requirements, e.g. password lengths, the stricter | ||
| security setting was chosen. Security Requirement Traceability Guides (RTMs) and | ||
| sample System Security Configuration Guides are provided via the | ||
| scap-security-guide-docs package. | ||
|
|
||
| This profile reflects U.S. Government consensus content and is developed through | ||
| the ComplianceAsCode initiative, championed by the National | ||
| Security Agency. Except for differences in formatting to accommodate | ||
| publishing processes, this profile mirrors ComplianceAsCode | ||
| content as minor divergences, such as bugfixes, work through the | ||
| consensus and release processes. | ||
|
|
||
| # CM-6 CONFIGURATION SETTINGS | ||
| # CM-6(1) CONFIGURATION SETTINGS | AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION | ||
| extends: cis-node | ||
|
|
||
| filter_rules: '"ocp4-node" in platforms or "ocp4-master-node" in platforms or "ocp4-node-on-sdn" in platforms or "ocp4-node-on-ovn" in platforms' | ||
|
|
||
| selections: | ||
| - nist_ocp4:all:high |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| documentation_complete: true | ||
|
|
||
| metadata: | ||
| version: Revision 4 | ||
| SMEs: | ||
| - JAORMX | ||
| - mrogers950 | ||
| - jhrozek | ||
|
|
||
| reference: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/controls?version=5.1&security_baseline=High | ||
|
|
||
| title: 'NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level' | ||
|
|
||
| platform: ocp4 | ||
|
|
||
| description: |- | ||
| This compliance profile reflects the core set of High-Impact Baseline | ||
| configuration settings for deployment of Red Hat OpenShift Container | ||
| Platform into U.S. Defense, Intelligence, and Civilian agencies. | ||
| Development partners and sponsors include the U.S. National Institute | ||
| of Standards and Technology (NIST), U.S. Department of Defense, | ||
| the National Security Agency, and Red Hat. | ||
|
|
||
| This baseline implements configuration requirements from the following | ||
| sources: | ||
|
|
||
| - NIST 800-53 control selections for High-Impact systems (NIST 800-53) | ||
|
|
||
| For any differing configuration requirements, e.g. password lengths, the stricter | ||
| security setting was chosen. Security Requirement Traceability Guides (RTMs) and | ||
| sample System Security Configuration Guides are provided via the | ||
| scap-security-guide-docs package. | ||
|
|
||
| This profile reflects U.S. Government consensus content and is developed through | ||
| the ComplianceAsCode initiative, championed by the National | ||
| Security Agency. Except for differences in formatting to accommodate | ||
| publishing processes, this profile mirrors ComplianceAsCode | ||
| content as minor divergences, such as bugfixes, work through the | ||
| consensus and release processes. | ||
|
|
||
| filter_rules: '"ocp4-node" not in platforms and "ocp4-master-node" not in platforms and "ocp4-node-on-sdn" not in platforms and "ocp4-node-on-ovn" not in platforms' | ||
|
|
||
| # CM-6 CONFIGURATION SETTINGS | ||
| # CM-6(1) CONFIGURATION SETTINGS | AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION | ||
| extends: cis | ||
|
|
||
| selections: | ||
| - nist_ocp4:all:high | ||
| ### Helper Rules | ||
| ### This is a helper rule to fetch the required api resource for detecting OCP version | ||
| - version_detect_in_ocp | ||
| - version_detect_in_hypershift |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| documentation_complete: true | ||
|
|
||
| title: 'NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level' | ||
|
|
||
| platform: ocp4-node | ||
|
|
||
| metadata: | ||
| version: Revision 4 | ||
| SMEs: | ||
| - JAORMX | ||
| - mrogers950 | ||
| - jhrozek | ||
|
|
||
| description: |- | ||
| This compliance profile reflects the core set of Moderate-Impact Baseline | ||
| configuration settings for deployment of Red Hat OpenShift Container | ||
| Platform into U.S. Defense, Intelligence, and Civilian agencies. | ||
| Development partners and sponsors include the U.S. National Institute | ||
| of Standards and Technology (NIST), U.S. Department of Defense, | ||
| the National Security Agency, and Red Hat. | ||
|
|
||
| This baseline implements configuration requirements from the following | ||
| sources: | ||
|
|
||
| - NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53) | ||
|
|
||
| For any differing configuration requirements, e.g. password lengths, the stricter | ||
| security setting was chosen. Security Requirement Traceability Guides (RTMs) and | ||
| sample System Security Configuration Guides are provided via the | ||
| scap-security-guide-docs package. | ||
|
|
||
| This profile reflects U.S. Government consensus content and is developed through | ||
| the ComplianceAsCode initiative, championed by the National | ||
| Security Agency. Except for differences in formatting to accommodate | ||
| publishing processes, this profile mirrors ComplianceAsCode | ||
| content as minor divergences, such as bugfixes, work through the | ||
| consensus and release processes. | ||
|
|
||
| # CM-6 CONFIGURATION SETTINGS | ||
| # CM-6(1) CONFIGURATION SETTINGS | AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION | ||
| extends: cis-node | ||
|
|
||
| filter_rules: '"ocp4-node" in platforms or "ocp4-master-node" in platforms or "ocp4-node-on-sdn" in platforms or "ocp4-node-on-ovn" in platforms' | ||
|
|
||
| selections: | ||
| - nist_ocp4:all:moderate |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| documentation_complete: true | ||
|
|
||
| metadata: | ||
| version: Revision 4 | ||
| SMEs: | ||
| - JAORMX | ||
| - mrogers950 | ||
|
|
||
| reference: https://nvd.nist.gov/800-53/Rev4/impact/moderate | ||
|
|
||
| title: 'NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform level' | ||
|
|
||
| platform: ocp4 | ||
|
|
||
| description: |- | ||
| This compliance profile reflects the core set of Moderate-Impact Baseline | ||
| configuration settings for deployment of Red Hat OpenShift Container | ||
| Platform into U.S. Defense, Intelligence, and Civilian agencies. | ||
| Development partners and sponsors include the U.S. National Institute | ||
| of Standards and Technology (NIST), U.S. Department of Defense, | ||
| the National Security Agency, and Red Hat. | ||
|
|
||
| This baseline implements configuration requirements from the following | ||
| sources: | ||
|
|
||
| - NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53) | ||
|
|
||
| For any differing configuration requirements, e.g. password lengths, the stricter | ||
| security setting was chosen. Security Requirement Traceability Guides (RTMs) and | ||
| sample System Security Configuration Guides are provided via the | ||
| scap-security-guide-docs package. | ||
|
|
||
| This profile reflects U.S. Government consensus content and is developed through | ||
| the ComplianceAsCode initiative, championed by the National | ||
| Security Agency. Except for differences in formatting to accommodate | ||
| publishing processes, this profile mirrors ComplianceAsCode | ||
| content as minor divergences, such as bugfixes, work through the | ||
| consensus and release processes. | ||
|
|
||
| filter_rules: '"ocp4-node" not in platforms and "ocp4-master-node" not in platforms and "ocp4-node-on-sdn" not in platforms and "ocp4-node-on-ovn" not in platforms' | ||
|
|
||
| # CM-6 CONFIGURATION SETTINGS | ||
| # CM-6(1) CONFIGURATION SETTINGS | AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION | ||
| extends: cis | ||
|
|
||
| selections: | ||
| - nist_ocp4:all:moderate | ||
| ### Helper Rules | ||
| ### This is a helper rule to fetch the required api resource for detecting OCP version | ||
| - version_detect_in_ocp | ||
| - version_detect_in_hypershift |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| documentation_complete: true | ||
|
|
||
| platform: ocp4 | ||
|
|
||
| metadata: | ||
| version: 3.2.1 | ||
| SMEs: | ||
| - JAORMX | ||
| - jhrozek | ||
| - mrogers950 | ||
|
|
||
| reference: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf | ||
|
|
||
| title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4' | ||
|
|
||
| description: |- | ||
| Ensures PCI-DSS v3.2.1 security configuration settings are applied. | ||
|
|
||
| filter_rules: '"ocp4-node" not in platforms and "ocp4-master-node" not in platforms' | ||
|
|
||
| # Req-2.2 | ||
| extends: cis | ||
|
|
||
| selections: | ||
| - pcidss_ocp4:all:base | ||
| ### Helper Rules | ||
| ### This is a helper rule to fetch the required api resource for detecting OCP version | ||
| - version_detect_in_ocp | ||
| - version_detect_in_hypershift |
Oops, something went wrong.