
OCPBUGS-17828 Improve scc-limit-container-allowed-capabilities OCIL #12071

Merged
merged 1 commit into from
Jun 25, 2024

Conversation

Vincent056
Contributor

Update the OCIL so the instruction for rule ocp4-cis-scc-limit-container-allowed-capabilities is correctly rendered, and can be used without error.


github-actions bot commented Jun 17, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12071
This image was built from commit: 24624e6

If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12071

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12071 make deploy-local

@xiaojiey
Collaborator

/hold for test

@openshift-ci openshift-ci bot added the do-not-merge/hold Used by openshift-ci-robot bot. label Jun 18, 2024
@Vincent056 Vincent056 changed the title OCPBUGS-17828 Improve scc-limit-container-allowed-capabilities OCIL WIP OCPBUGS-17828 Improve scc-limit-container-allowed-capabilities OCIL Jun 18, 2024
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Jun 18, 2024
@Vincent056 Vincent056 changed the title WIP OCPBUGS-17828 Improve scc-limit-container-allowed-capabilities OCIL OCPBUGS-17828 Improve scc-limit-container-allowed-capabilities OCIL Jun 18, 2024
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Jun 18, 2024
@Vincent056
Contributor Author

[vincent@node cac-content-fork]$ oc get rule upstream-ocp4-scc-limit-container-allowed-capabilities -o json
{
    "apiVersion": "compliance.openshift.io/v1alpha1",
    "checkType": "Platform",
    "description": "Containers should not enable more capabilites than needed as this opens the door for malicious use. To enable only the required capabilities, the appropriate Security Context Constraints (SCCs) should set capabilities as a list in allowedCapabilities.\n\nIn case an SCC outside the default allow list in the variable var-sccs-with-allowed-capabilities-regex is being flagged, create a TailoredProfile and add the additional SCC to the regular expression in the variable var-sccs-with-allowed-capabilities-regex. An example allowing an SCC named additional follows:\n\napiVersion: compliance.openshift.io/v1alpha1\nkind: TailoredProfile\nmetadata:\n name: cis-additional-scc\nspec:\n description: Allows an additional scc\n setValues:\n - name: ocp4-var-sccs-with-allowed-capabilities-regex\n   rationale: Allow our own custom SCC\n   value: ^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$|^additional$\n extends: ocp4-cis\n title: Modified CIS allowing one more SCC\n\nFinally, reference this TailoredProfile in a ScanSettingBinding For more information on Tailoring the Compliance Operator, please consult the OpenShift documentation: https://docs.openshift.com/container-platform/4.12/security/compliance_operator/compliance-operator-tailor.html",
    "id": "xccdf_org.ssgproject.content_rule_scc_limit_container_allowed_capabilities",
    "instructions": "This rule checks the SCCs with allowedCapabilities set to non-null\nand fails if there are more such SCCs than those allowed in the variable\nnamed ocp4-var-sccs-with-allowed-capabilities-regex. To debug the rule,\ncheck the variable value, e.g:\n$ oc get variable ocp4-var-sccs-with-allowed-capabilities-regex  -ojsonpath='{.value}' \nThen use following command to list the SCCs that would fail the test:\noc get  scc -o json | jq '[.items[] | select(.metadata.name | test(\"^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$\"; \"\") | not) | select(.allowedCapabilities != null) | .metadata.name]'\nPlease replace the regular expression in the test command with the value read from the variable\nocp4-var-sccs-with-allowed-capabilities-regex. You can read the variable\nvalue with:\n$ oc get variable ocp4-var-sccs-with-allowed-capabilities-regex -ojsonpath='{.value}' -n openshift-compliance",
    "kind": "Rule",
    "metadata": {
        "annotations": {
            "compliance.openshift.io/image-digest": "pb-upstream-ocp4p2dkh",
            "compliance.openshift.io/profiles": "upstream-ocp4-high,upstream-ocp4-cis-1-4,upstream-ocp4-cis-1-5,upstream-ocp4-pci-dss-3-2,upstream-ocp4-moderate,upstream-ocp4-cis,upstream-ocp4-pci-dss,upstream-ocp4-stig-v1r1,upstream-ocp4-high-rev-4,upstream-ocp4-stig,upstream-ocp4-pci-dss-4-0,upstream-ocp4-moderate-rev-4,upstream-ocp4-e8,upstream-ocp4-nerc-cip",
            "compliance.openshift.io/rule": "scc-limit-container-allowed-capabilities",
            "compliance.openshift.io/rule-variable": "var-sccs-with-allowed-capabilities-regex",
            "control.compliance.openshift.io/CIS-OCP": "5.2.8",
            "control.compliance.openshift.io/NERC-CIP": "CIP-003-8 R6;CIP-004-6 R3;CIP-007-3 R6.1",
            "control.compliance.openshift.io/NIST-800-53": "CM-6;CM-6(1)",
            "control.compliance.openshift.io/PCI-DSS": "Req-2.2",
            "control.compliance.openshift.io/STIG": "SRG-APP-000516-CTR-001325",
            "policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),Req-2.2,SRG-APP-000516-CTR-001325,5.2.8",
            "policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP"
        },
        "creationTimestamp": "2024-06-18T10:09:11Z",
        "generation": 1,
        "labels": {
            "compliance.openshift.io/profile-bundle": "upstream-ocp4"
        },
        "name": "upstream-ocp4-scc-limit-container-allowed-capabilities",
        "namespace": "openshift-compliance",
        "ownerReferences": [
            {
                "apiVersion": "compliance.openshift.io/v1alpha1",
                "blockOwnerDeletion": true,
                "controller": true,
                "kind": "ProfileBundle",
                "name": "upstream-ocp4",
                "uid": "c4deea2c-65ce-48fe-af37-f65ab947bb23"
            }
        ],
        "resourceVersion": "48748909",
        "uid": "b6742fad-56bd-48bd-bcbd-0fcf9a685567"
    },
    "rationale": "By default, containers run with a default set of capabilities as assigned by the Container Runtime which can include dangerous or highly privileged capabilities. Capabilities should be dropped unless absolutely critical for the container to run software as added capabilities that are not required allow for malicious containers or attackers.",
    "severity": "medium",
    "title": "Limit Container Capabilities"
}
[vincent@node cac-content-fork]$ oc get  scc -o json | jq '[.items[] | select(.metadata.name | test("^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$"; "") | not) | select(.allowedCapabilities != null) | .metadata.name]'
[
  "ceph-csi-rbd-provisioner",
  "container-build",

@xiaojiey
Collaborator

There are some minor issues:

  1. The command in the instructions does not work. Need to strip the `\"` escapes first instead of using the command directly.
% oc get  scc -o json | jq '[.items[] | select(.metadata.name | test(\"^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$\"; \"\") | not) | select(.allowedCapabilities != null) | .metadata.name]'
jq: error: syntax error, unexpected INVALID_CHARACTER (Unix shell quoting issues?) at <top-level>, line 1:
[.items[] | select(.metadata.name | test(\"^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$\"; \"\") | not) | select(.allowedCapabilities != null) | .metadata.name]                                         
jq: 1 compile error
% oc get  scc -o json | jq '[.items[] | select(.metadata.name | test("^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$"; "") | not) | select(.allowedCapabilities != null) | .metadata.name]'
[]
  2. The document link here is not valid. It will return a 404 error.
    https://github.com/ComplianceAsCode/content/pull/12071/files#diff-373d0f63b3aa279ac284e7bd2866ee4f15a40c9b81af8c1d8e17efd47d14829dR38
    It should be updated to https://docs.openshift.com/container-platform/latest/security/compliance_operator/co-scans/compliance-operator-tailor.html

@Vincent056
Contributor Author

ComplianceAsCode/compliance-operator#537 is needed to fix the quote issue @xiaojiey

…es instructions

Update the ocil so the instruction for rule ocp4-cis-scc-limit-container-allowed-capabilities is correctly rendered

codeclimate bot commented Jun 21, 2024

Code Climate has analyzed commit 24624e6 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

@yuumasato yuumasato self-assigned this Jun 21, 2024
Member

@yuumasato yuumasato left a comment


/lgtm

With ComplianceAsCode/compliance-operator#537, the rule instructions render as:

instructions: |-
  This rule checks the SCCs with allowedCapabilities set to non-null
  and fails if there are more such SCCs than those allowed in the variable
  named ocp4-var-sccs-with-allowed-capabilities-regex. To debug the rule,
  check the variable value, e.g:
  $ oc get variable ocp4-var-sccs-with-allowed-capabilities-regex  -ojsonpath='{.value}'
  Then use following command to list the SCCs that would fail the test:
  $ oc get  scc -o json | jq '[.items[] | select(.metadata.name | test("^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$"; "") | not) | select(.allowedCapabilities != null) | .metadata.name]'
  Please replace the regular expression in the test command with the value read from the variable
  ocp4-var-sccs-with-allowed-capabilities-regex. You can read the variable
  value with:
  $ oc get variable ocp4-var-sccs-with-allowed-capabilities-regex -ojsonpath='{.value}' -n openshift-compliance
  Is it the case that allowed capabilities listings in SCCs needs review?

@xiaojiey
Collaborator

/lgtm
Verification pass with ComplianceAsCode/compliance-operator#537 + #12071:


## instructions
% oc get rule upstream-ocp4-scc-limit-container-allowed-capabilities -o=jsonpath={.instructions}
This rule checks the SCCs with allowedCapabilities set to non-null
and fails if there are more such SCCs than those allowed in the variable
named ocp4-var-sccs-with-allowed-capabilities-regex. To debug the rule,
check the variable value, e.g:
$ oc get variable ocp4-var-sccs-with-allowed-capabilities-regex  -ojsonpath='{.value}'
Then use following command to list the SCCs that would fail the test:
$ oc get  scc -o json | jq '[.items[] | select(.metadata.name | test("^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$"; "") | not) | select(.allowedCapabilities != null) | .metadata.name]'
Please replace the regular expression in the test command with the value read from the variable
ocp4-var-sccs-with-allowed-capabilities-regex. You can read the variable
value with:
$ oc get variable ocp4-var-sccs-with-allowed-capabilities-regex -ojsonpath='{.value}' -n openshift-compliance
Is it the case that allowed capabilities listings in SCCs needs review?%

### default output for commands in the instruction
% oc get  scc -o json | jq '[.items[] | select(.metadata.name | test("^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$"; "") | not) | select(.allowedCapabilities != null) | .metadata.name]'
[]
% oc get variable ocp4-var-sccs-with-allowed-capabilities-regex -ojsonpath='{.value}' -n openshift-compliance
^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$%
### output with a custom scc:
% cat scc_test.yaml
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: true
allowHostPID: true
allowHostPorts: true
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities:
- NET_BIND_SERVICE
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: test-scc scc is used for test purpose
  name: test-scc
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities: null
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
seccompProfiles:
- runtime/default
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- '*'
% oc apply -f scc_test.yaml
securitycontextconstraints.security.openshift.io/test-scc created
% oc get  scc -o json | jq '[.items[] | select(.metadata.name | test("^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$"; "") | not) | select(.allowedCapabilities != null) | .metadata.name]'
[
  "test-scc"
]
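The check the rule instructions describe (SCCs whose name is outside the allow-list regex and whose allowedCapabilities is non-null) reimplemented in Python as an added example; this is not code from the PR, the content project or the Compliance Operator. The SCC list is a constructed, trimmed stand-in for `oc get scc -o json` output, and `extend_allow_list` mirrors the TailoredProfile approach from the rule description of appending `|^<name>$` to the variable value.

```python
import json
import re

# Value of ocp4-var-sccs-with-allowed-capabilities-regex as read in the thread.
ALLOWED_SCC_REGEX = r"^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$"

# Constructed sample of `oc get scc -o json`, reduced to the fields the check
# reads: the four allow-listed SCCs, one SCC with no allowedCapabilities, and
# the test-scc from the verification comment above.
SAMPLE_SCC_LIST = json.dumps({
    "items": [
        {"metadata": {"name": "privileged"}, "allowedCapabilities": ["*"]},
        {"metadata": {"name": "restricted-v2"}, "allowedCapabilities": ["NET_BIND_SERVICE"]},
        {"metadata": {"name": "nonroot-v2"}, "allowedCapabilities": ["NET_BIND_SERVICE"]},
        {"metadata": {"name": "hostnetwork-v2"}, "allowedCapabilities": ["NET_BIND_SERVICE"]},
        {"metadata": {"name": "restricted"}, "allowedCapabilities": None},
        {"metadata": {"name": "test-scc"}, "allowedCapabilities": ["NET_BIND_SERVICE"]},
    ]
})


def failing_sccs(scc_list_json: str, allowed_regex: str) -> list:
    """Equivalent of the jq filter in the instructions: keep items whose
    metadata.name does not match allowed_regex (jq's test() is an unanchored
    search, hence re.search) and whose allowedCapabilities is not null, and
    return their names in list order."""
    allowed = re.compile(allowed_regex)
    items = json.loads(scc_list_json)["items"]
    return [
        item["metadata"]["name"]
        for item in items
        if not allowed.search(item["metadata"]["name"])
        and item.get("allowedCapabilities") is not None
    ]


def extend_allow_list(allowed_regex: str, scc_name: str) -> str:
    """Build the tailored variable value that allow-lists one more SCC,
    anchoring the name so that e.g. 'test-scc' does not also match 'test-scc-2'."""
    return f"{allowed_regex}|^{re.escape(scc_name)}$"


if __name__ == "__main__":
    print("failing:", failing_sccs(SAMPLE_SCC_LIST, ALLOWED_SCC_REGEX))
    tailored = extend_allow_list(ALLOWED_SCC_REGEX, "test-scc")
    print("failing after tailoring:", failing_sccs(SAMPLE_SCC_LIST, tailored))
```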

@xiaojiey
Collaborator

/unhold

@openshift-ci openshift-ci bot removed the do-not-merge/hold Used by openshift-ci-robot bot. label Jun 24, 2024
@yuumasato
Member

Skipping ansible hardening tests.

@yuumasato yuumasato merged commit a3d0799 into ComplianceAsCode:master Jun 25, 2024
42 of 47 checks passed
@yuumasato yuumasato added this to the 0.1.74 milestone Jun 25, 2024
@yuumasato yuumasato added the OpenShift OpenShift product related. label Jun 25, 2024