From 95b59c6b843cdb2785733a242b5984d1625f41fa Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Tue, 3 Sep 2024 11:40:52 -0500
Subject: [PATCH] Update assertions for PCI-DSS profile

We recently updated the PCI-DSS profile to use 4.0 by default, but didn't update the default assertions. This commit updates the assertions so that the versionless profile name includes assertions for rules in the v4.0 profile.
---
tests/assertions/ocp4/ocp4-pci-dss-4.13.yml | 33 +++++++++++++++++++
tests/assertions/ocp4/ocp4-pci-dss-4.14.yml | 33 +++++++++++++++++++
tests/assertions/ocp4/ocp4-pci-dss-4.15.yml | 33 +++++++++++++++++++
tests/assertions/ocp4/ocp4-pci-dss-4.16.yml | 33 +++++++++++++++++++
tests/assertions/ocp4/ocp4-pci-dss-4.17.yml | 33 +++++++++++++++++++
.../ocp4/ocp4-pci-dss-node-4.13.yml | 24 ++++++++++++++
.../ocp4/ocp4-pci-dss-node-4.14.yml | 24 ++++++++++++++
.../ocp4/ocp4-pci-dss-node-4.15.yml | 24 ++++++++++++++
.../ocp4/ocp4-pci-dss-node-4.16.yml | 24 ++++++++++++++
.../ocp4/ocp4-pci-dss-node-4.17.yml | 24 ++++++++++++++
10 files changed, 285 insertions(+)

diff --git a/tests/assertions/ocp4/ocp4-pci-dss-4.13.yml b/tests/assertions/ocp4/ocp4-pci-dss-4.13.yml
index 3347b808548..fa90d5b2f79 100644
--- a/tests/assertions/ocp4/ocp4-pci-dss-4.13.yml
+++ b/tests/assertions/ocp4/ocp4-pci-dss-4.13.yml
@@ -334,3 +334,36 @@ rule_results:
 e2e-pci-dss-tls-version-check-router:
 default_result: PASS
 result_after_remediation: PASS
+ e2e-pci-dss-acs-sensor-exists:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-alert-receiver-configured:
+ default_result: MANUAL
+ result_after_remediation: MANUAL
+ e2e-pci-dss-api-server-tls-security-profile:
+ default_result: PASS
+ result_after_remediation: PASS
+ e2e-pci-dss-audit-error-alert-exists:
+ default_result: PASS
+ result_after_remediation: PASS
+ e2e-pci-dss-container-security-operator-exists:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-ingress-controller-certificate:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-ingress-controller-tls-security-profile:
+ default_result: PASS
+ result_after_remediation: PASS
+ e2e-pci-dss-kubelet-configure-tls-cipher-suites-ingresscontroller:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-oauth-or-oauthclient-inactivity-timeout:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-ocp-idp-no-htpasswd:
+ default_result: PASS
+ result_after_remediation: PASS
+ e2e-pci-dss-security-profiles-operator-exists:
+ default_result: FAIL
+ result_after_remediation: PASS
diff --git a/tests/assertions/ocp4/ocp4-pci-dss-4.14.yml b/tests/assertions/ocp4/ocp4-pci-dss-4.14.yml
index 3347b808548..fa90d5b2f79 100644
--- a/tests/assertions/ocp4/ocp4-pci-dss-4.14.yml
+++ b/tests/assertions/ocp4/ocp4-pci-dss-4.14.yml
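Review bot: The eleven new rule entries are appended after `e2e-pci-dss-tls-version-check-router` rather than slotted into the existing key order (only that last existing key is visible here, so whether the file is kept alphabetical is an inference), and the identical block is pasted verbatim into the 4.14, 4.15, 4.16 and 4.17 hunks — the `index` lines for 4.13–4.16 even show the same blob ids — so any future change to a v4.0 expectation must be replicated five times. If the harness requires one assertion file per OCP version, a comment above the block, `# Rules added when the versionless pci-dss profile moved to v4.0; keep in sync across ocp4-pci-dss-4.1x.yml`, would tell the next editor where the duplication lives. The `acs-sensor-exists`, `container-security-operator-exists` and `security-profiles-operator-exists` entries assert FAIL before and PASS after remediation, which presumes the e2e remediation can install those operators in the CI environment; if that depends on external registries the assertions may be environment-sensitive, so it is worth confirming. The enclosing `rule_results` mapping starts outside the hunk.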
@@ -334,3 +334,36 @@ rule_results:
 e2e-pci-dss-tls-version-check-router:
 default_result: PASS
 result_after_remediation: PASS
+ e2e-pci-dss-acs-sensor-exists:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-alert-receiver-configured:
+ default_result: MANUAL
+ result_after_remediation: MANUAL
+ e2e-pci-dss-api-server-tls-security-profile:
+ default_result: PASS
+ result_after_remediation: PASS
+ e2e-pci-dss-audit-error-alert-exists:
+ default_result: PASS
+ result_after_remediation: PASS
+ e2e-pci-dss-container-security-operator-exists:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-ingress-controller-certificate:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-ingress-controller-tls-security-profile:
+ default_result: PASS
+ result_after_remediation: PASS
+ e2e-pci-dss-kubelet-configure-tls-cipher-suites-ingresscontroller:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-oauth-or-oauthclient-inactivity-timeout:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-ocp-idp-no-htpasswd:
+ default_result: PASS
+ result_after_remediation: PASS
+ e2e-pci-dss-security-profiles-operator-exists:
+ default_result: FAIL
+ result_after_remediation: PASS
diff --git a/tests/assertions/ocp4/ocp4-pci-dss-4.15.yml b/tests/assertions/ocp4/ocp4-pci-dss-4.15.yml
index 3347b808548..fa90d5b2f79 100644
--- a/tests/assertions/ocp4/ocp4-pci-dss-4.15.yml
+++ b/tests/assertions/ocp4/ocp4-pci-dss-4.15.yml
@@ -334,3 +334,36 @@ rule_results:
 e2e-pci-dss-tls-version-check-router:
 default_result: PASS
 result_after_remediation: PASS
+ e2e-pci-dss-acs-sensor-exists:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-alert-receiver-configured:
+ default_result: MANUAL
+ result_after_remediation: MANUAL
+ e2e-pci-dss-api-server-tls-security-profile:
+ default_result: PASS
+ result_after_remediation: PASS
+ e2e-pci-dss-audit-error-alert-exists:
+ default_result: PASS
+ result_after_remediation: PASS
+ e2e-pci-dss-container-security-operator-exists:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-ingress-controller-certificate:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-ingress-controller-tls-security-profile:
+ default_result: PASS
+ result_after_remediation: PASS
+ e2e-pci-dss-kubelet-configure-tls-cipher-suites-ingresscontroller:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-oauth-or-oauthclient-inactivity-timeout:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-ocp-idp-no-htpasswd:
+ default_result: PASS
+ result_after_remediation: PASS
+ e2e-pci-dss-security-profiles-operator-exists:
+ default_result: FAIL
+ result_after_remediation: PASS
diff --git a/tests/assertions/ocp4/ocp4-pci-dss-4.16.yml b/tests/assertions/ocp4/ocp4-pci-dss-4.16.yml
index 3347b808548..fa90d5b2f79 100644
--- a/tests/assertions/ocp4/ocp4-pci-dss-4.16.yml
+++ b/tests/assertions/ocp4/ocp4-pci-dss-4.16.yml
@@ -334,3 +334,36 @@ rule_results:
 e2e-pci-dss-tls-version-check-router:
 default_result: PASS
 result_after_remediation: PASS
+ e2e-pci-dss-acs-sensor-exists:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-alert-receiver-configured:
+ default_result: MANUAL
+ result_after_remediation: MANUAL
+ e2e-pci-dss-api-server-tls-security-profile:
+ default_result: PASS
+ result_after_remediation: PASS
+ e2e-pci-dss-audit-error-alert-exists:
+ default_result: PASS
+ result_after_remediation: PASS
+ e2e-pci-dss-container-security-operator-exists:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-ingress-controller-certificate:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-ingress-controller-tls-security-profile:
+ default_result: PASS
+ result_after_remediation: PASS
+ e2e-pci-dss-kubelet-configure-tls-cipher-suites-ingresscontroller:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-oauth-or-oauthclient-inactivity-timeout:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-ocp-idp-no-htpasswd:
+ default_result: PASS
+ result_after_remediation: PASS
+ e2e-pci-dss-security-profiles-operator-exists:
+ default_result: FAIL
+ result_after_remediation: PASS
diff --git a/tests/assertions/ocp4/ocp4-pci-dss-4.17.yml b/tests/assertions/ocp4/ocp4-pci-dss-4.17.yml
index 4dec8e5be02..23f29db6bc3 100644
--- a/tests/assertions/ocp4/ocp4-pci-dss-4.17.yml
+++ b/tests/assertions/ocp4/ocp4-pci-dss-4.17.yml
@@ -335,3 +335,36 @@ rule_results:
 e2e-pci-dss-tls-version-check-router:
 default_result: PASS
 result_after_remediation: PASS
+ e2e-pci-dss-acs-sensor-exists:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-alert-receiver-configured:
+ default_result: MANUAL
+ result_after_remediation: MANUAL
+ e2e-pci-dss-api-server-tls-security-profile:
+ default_result: PASS
+ result_after_remediation: PASS
+ e2e-pci-dss-audit-error-alert-exists:
+ default_result: PASS
+ result_after_remediation: PASS
+ e2e-pci-dss-container-security-operator-exists:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-ingress-controller-certificate:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-ingress-controller-tls-security-profile:
+ default_result: PASS
+ result_after_remediation: PASS
+ e2e-pci-dss-kubelet-configure-tls-cipher-suites-ingresscontroller:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-oauth-or-oauthclient-inactivity-timeout:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-ocp-idp-no-htpasswd:
+ default_result: PASS
+ result_after_remediation: PASS
+ e2e-pci-dss-security-profiles-operator-exists:
+ default_result: FAIL
+ result_after_remediation: PASS
diff --git a/tests/assertions/ocp4/ocp4-pci-dss-node-4.13.yml b/tests/assertions/ocp4/ocp4-pci-dss-node-4.13.yml
index d2005ba195a..4b62196d73e 100644
--- a/tests/assertions/ocp4/ocp4-pci-dss-node-4.13.yml
+++ b/tests/assertions/ocp4/ocp4-pci-dss-node-4.13.yml
@@ -452,3 +452,27 @@ rule_results:
 default_result: MANUAL
 e2e-pci-dss-node-worker-tls-version-check-masters-workers:
 default_result: PASS
+ e2e-pci-dss-node-master-directory-access-var-log-kube-audit:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-node-master-directory-access-var-log-oauth-audit:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-node-master-directory-access-var-log-ocp-audit:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-node-master-kubelet-configure-tls-min-version:
+ default_result: PASS
+ result_after_remediation: PASS
+ e2e-pci-dss-node-worker-directory-access-var-log-kube-audit:
+ default_result: NOT-APPLICABLE
+ result_after_remediation: NOT-APPLICABLE
+ e2e-pci-dss-node-worker-directory-access-var-log-oauth-audit:
+ default_result: NOT-APPLICABLE
+ result_after_remediation: NOT-APPLICABLE
+ e2e-pci-dss-node-worker-directory-access-var-log-ocp-audit:
+ default_result: NOT-APPLICABLE
+ result_after_remediation: NOT-APPLICABLE
+ e2e-pci-dss-node-worker-kubelet-configure-tls-min-version:
+ default_result: PASS
+ result_after_remediation: PASS
diff --git a/tests/assertions/ocp4/ocp4-pci-dss-node-4.14.yml b/tests/assertions/ocp4/ocp4-pci-dss-node-4.14.yml
index d2005ba195a..4b62196d73e 100644
--- a/tests/assertions/ocp4/ocp4-pci-dss-node-4.14.yml
+++ b/tests/assertions/ocp4/ocp4-pci-dss-node-4.14.yml
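Review bot: The three worker `directory-access-var-log-*-audit` entries are asserted NOT-APPLICABLE both before and after remediation with nothing saying why, while their master counterparts are asserted FAIL then PASS, so a reader auditing these expectations has to guess at the reason. A hedged comment above the worker block, `# worker variants are NOT-APPLICABLE — presumably the API-server/OAuth audit log directories exist only on control-plane nodes; confirm against the rule's platform applicability`, would make the intent reviewable. The same block is repeated verbatim in the node 4.14, 4.15, 4.16 and 4.17 hunks, so the comment (or a keep-in-sync note) belongs in each of them. The enclosing `rule_results` mapping starts outside the hunk.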
@@ -452,3 +452,27 @@ rule_results:
 default_result: MANUAL
 e2e-pci-dss-node-worker-tls-version-check-masters-workers:
 default_result: PASS
+ e2e-pci-dss-node-master-directory-access-var-log-kube-audit:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-node-master-directory-access-var-log-oauth-audit:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-node-master-directory-access-var-log-ocp-audit:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-node-master-kubelet-configure-tls-min-version:
+ default_result: PASS
+ result_after_remediation: PASS
+ e2e-pci-dss-node-worker-directory-access-var-log-kube-audit:
+ default_result: NOT-APPLICABLE
+ result_after_remediation: NOT-APPLICABLE
+ e2e-pci-dss-node-worker-directory-access-var-log-oauth-audit:
+ default_result: NOT-APPLICABLE
+ result_after_remediation: NOT-APPLICABLE
+ e2e-pci-dss-node-worker-directory-access-var-log-ocp-audit:
+ default_result: NOT-APPLICABLE
+ result_after_remediation: NOT-APPLICABLE
+ e2e-pci-dss-node-worker-kubelet-configure-tls-min-version:
+ default_result: PASS
+ result_after_remediation: PASS
diff --git a/tests/assertions/ocp4/ocp4-pci-dss-node-4.15.yml b/tests/assertions/ocp4/ocp4-pci-dss-node-4.15.yml
index d2005ba195a..4b62196d73e 100644
--- a/tests/assertions/ocp4/ocp4-pci-dss-node-4.15.yml
+++ b/tests/assertions/ocp4/ocp4-pci-dss-node-4.15.yml
@@ -452,3 +452,27 @@ rule_results:
 default_result: MANUAL
 e2e-pci-dss-node-worker-tls-version-check-masters-workers:
 default_result: PASS
+ e2e-pci-dss-node-master-directory-access-var-log-kube-audit:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-node-master-directory-access-var-log-oauth-audit:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-node-master-directory-access-var-log-ocp-audit:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-node-master-kubelet-configure-tls-min-version:
+ default_result: PASS
+ result_after_remediation: PASS
+ e2e-pci-dss-node-worker-directory-access-var-log-kube-audit:
+ default_result: NOT-APPLICABLE
+ result_after_remediation: NOT-APPLICABLE
+ e2e-pci-dss-node-worker-directory-access-var-log-oauth-audit:
+ default_result: NOT-APPLICABLE
+ result_after_remediation: NOT-APPLICABLE
+ e2e-pci-dss-node-worker-directory-access-var-log-ocp-audit:
+ default_result: NOT-APPLICABLE
+ result_after_remediation: NOT-APPLICABLE
+ e2e-pci-dss-node-worker-kubelet-configure-tls-min-version:
+ default_result: PASS
+ result_after_remediation: PASS
diff --git a/tests/assertions/ocp4/ocp4-pci-dss-node-4.16.yml b/tests/assertions/ocp4/ocp4-pci-dss-node-4.16.yml
index 830992b38d4..0870e9f36bf 100644
--- a/tests/assertions/ocp4/ocp4-pci-dss-node-4.16.yml
+++ b/tests/assertions/ocp4/ocp4-pci-dss-node-4.16.yml
@@ -452,3 +452,27 @@ rule_results:
 default_result: MANUAL
 e2e-pci-dss-node-worker-tls-version-check-masters-workers:
 default_result: PASS
+ e2e-pci-dss-node-master-directory-access-var-log-kube-audit:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-node-master-directory-access-var-log-oauth-audit:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-node-master-directory-access-var-log-ocp-audit:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-node-master-kubelet-configure-tls-min-version:
+ default_result: PASS
+ result_after_remediation: PASS
+ e2e-pci-dss-node-worker-directory-access-var-log-kube-audit:
+ default_result: NOT-APPLICABLE
+ result_after_remediation: NOT-APPLICABLE
+ e2e-pci-dss-node-worker-directory-access-var-log-oauth-audit:
+ default_result: NOT-APPLICABLE
+ result_after_remediation: NOT-APPLICABLE
+ e2e-pci-dss-node-worker-directory-access-var-log-ocp-audit:
+ default_result: NOT-APPLICABLE
+ result_after_remediation: NOT-APPLICABLE
+ e2e-pci-dss-node-worker-kubelet-configure-tls-min-version:
+ default_result: PASS
+ result_after_remediation: PASS
diff --git a/tests/assertions/ocp4/ocp4-pci-dss-node-4.17.yml b/tests/assertions/ocp4/ocp4-pci-dss-node-4.17.yml
index 25bd0c6ea2f..2df8e260014 100644
--- a/tests/assertions/ocp4/ocp4-pci-dss-node-4.17.yml
+++ b/tests/assertions/ocp4/ocp4-pci-dss-node-4.17.yml
@@ -451,3 +451,27 @@ rule_results:
 default_result: MANUAL
 e2e-pci-dss-node-worker-tls-version-check-masters-workers:
 default_result: PASS
+ e2e-pci-dss-node-master-directory-access-var-log-kube-audit:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-node-master-directory-access-var-log-oauth-audit:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-node-master-directory-access-var-log-ocp-audit:
+ default_result: FAIL
+ result_after_remediation: PASS
+ e2e-pci-dss-node-master-kubelet-configure-tls-min-version:
+ default_result: PASS
+ result_after_remediation: PASS
+ e2e-pci-dss-node-worker-directory-access-var-log-kube-audit:
+ default_result: NOT-APPLICABLE
+ result_after_remediation: NOT-APPLICABLE
+ e2e-pci-dss-node-worker-directory-access-var-log-oauth-audit:
+ default_result: NOT-APPLICABLE
+ result_after_remediation: NOT-APPLICABLE
+ e2e-pci-dss-node-worker-directory-access-var-log-ocp-audit:
+ default_result: NOT-APPLICABLE
+ result_after_remediation: NOT-APPLICABLE
+ e2e-pci-dss-node-worker-kubelet-configure-tls-min-version:
+ default_result: PASS
+ result_after_remediation: PASS