ComplianceAsCode / compliance-operator

Operator providing Kubernetes cluster compliance checks
Apache License 2.0

CMP-2401: Add STIG reference parser #494

Closed yuumasato closed 6 months ago

yuumasato commented 8 months ago

This ensures that rules that are part of the STIG profile contain annotations with the STIG ID.

One can see the STIG references as annotation on the rule when deployed together with content from https://github.com/ComplianceAsCode/content/pull/11593

$ CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11593 make deploy-local
$ oc get rule  ocp4-api-server-tls-security-profile -oyaml
...
metadata:
  annotations:
    compliance.openshift.io/image-digest: pb-ocp4vkwnn
    compliance.openshift.io/profiles: ocp4-moderate-rev-4,ocp4-stig,ocp4-high-rev-4,ocp4-stig-v1r1,ocp4-moderate,ocp4-high,ocp4-nerc-cip
    compliance.openshift.io/rule: api-server-tls-security-profile
    control.compliance.openshift.io/NIST-800-53: SC-8;SC-8(1)
    control.compliance.openshift.io/STIG: CNTR-OS-000020
    policies.open-cluster-management.io/controls: SC-8,SC-8(1),CNTR-OS-000020
    policies.open-cluster-management.io/standards: NIST-800-53,STIG
...
xiaojiey commented 8 months ago

/hold for test

xiaojiey commented 8 months ago

@yuumasato It is weird. I noticed there is a stig annotation for stig in the master branch without the PR:

$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.16.0-0.nightly-2024-02-26-013420   True        False         11h     Cluster version is 4.16.0-0.nightly-2024-02-26-013420

$ oc get rule  ocp4-api-server-tls-security-profile -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-ocp4qrc9k",
  "compliance.openshift.io/profiles": "ocp4-nerc-cip,ocp4-high-rev-4,ocp4-stig-v1r1,ocp4-moderate,ocp4-stig,ocp4-moderate-rev-4,ocp4-high",
  "compliance.openshift.io/rule": "api-server-tls-security-profile",
  "control.compliance.openshift.io/NIST-800-53": "SC-8;SC-8(1)",
  "policies.open-cluster-management.io/controls": "SC-8,SC-8(1)",
  "policies.open-cluster-management.io/standards": "NIST-800-53"
}
yuumasato commented 8 months ago

> "compliance.openshift.io/profiles": "ocp4-nerc-cip,ocp4-high-rev-4,ocp4-stig-v1r1,ocp4-moderate,ocp4-stig,ocp4-moderate-rev-4,ocp4-high",

@xiaojiey The compliance.openshift.io/profiles annotation was added in #398, and it lists the profiles in which a rule is selected.

This PR adds the following annotation, listing more specific information about the STIG requirement implemented:

    control.compliance.openshift.io/STIG: CNTR-OS-000020

And extends the policies.open-cluster-management.io/controls and policies.open-cluster-management.io/standards with STIG specific data:

    policies.open-cluster-management.io/controls: SC-8,SC-8(1),CNTR-OS-000020
    policies.open-cluster-management.io/standards: NIST-800-53,STIG

vs

  "policies.open-cluster-management.io/controls": "SC-8,SC-8(1)",
  "policies.open-cluster-management.io/standards": "NIST-800-53"
xiaojiey commented 8 months ago

Verification passed with 4.16.0-0.nightly-2024-02-29-062601:

$ utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11593
2024-03-01 15:36:10,750:INFO: Created profile bundles for ocp4, rhcos4

$ oc get rule  ocp4-api-server-tls-security-profile -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-ocp44m6tp",
  "compliance.openshift.io/profiles": "ocp4-high,ocp4-stig,ocp4-moderate,ocp4-high-rev-4,ocp4-moderate-rev-4,ocp4-stig-v1r1,ocp4-nerc-cip",
  "compliance.openshift.io/rule": "api-server-tls-security-profile",
  "control.compliance.openshift.io/NIST-800-53": "SC-8;SC-8(1)",
  "policies.open-cluster-management.io/controls": "SC-8,SC-8(1)",
  "policies.open-cluster-management.io/standards": "NIST-800-53"
}
$ oc get rule  upstream-ocp4-api-server-tls-security-profile -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-upstream-ocp46k8b6",
  "compliance.openshift.io/profiles": "upstream-ocp4-high,upstream-ocp4-stig-v1r1,upstream-ocp4-stig,upstream-ocp4-moderate-rev-4,upstream-ocp4-moderate,upstream-ocp4-nerc-cip,upstream-ocp4-high-rev-4",
  "compliance.openshift.io/rule": "api-server-tls-security-profile",
  "control.compliance.openshift.io/NIST-800-53": "SC-8;SC-8(1)",
  "control.compliance.openshift.io/STIG": "CNTR-OS-000020",
  "policies.open-cluster-management.io/controls": "SC-8,SC-8(1),CNTR-OS-000020",
  "policies.open-cluster-management.io/standards": "NIST-800-53,STIG"
}
xiaojiey commented 8 months ago

/unhold

openshift-ci-robot commented 8 months ago

@yuumasato: This pull request references CMP-2401 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.16.0" version, but no target version was set.

In response to [this](https://github.com/ComplianceAsCode/compliance-operator/pull/494):

> This ensures that rules part of STIG profile contain annotations with the STIGID.
>
> One can see the STIG references as annotation on the rule when deployed together with content from https://github.com/ComplianceAsCode/content/pull/11593
>
> ```
> $ CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11593 make deploy-local
> $ oc get rule ocp4-api-server-tls-security-profile -oyaml
> ...
> metadata:
>   annotations:
>     compliance.openshift.io/image-digest: pb-ocp4vkwnn
>     compliance.openshift.io/profiles: ocp4-moderate-rev-4,ocp4-stig,ocp4-high-rev-4,ocp4-stig-v1r1,ocp4-moderate,ocp4-high,ocp4-nerc-cip
>     compliance.openshift.io/rule: api-server-tls-security-profile
>     control.compliance.openshift.io/NIST-800-53: SC-8;SC-8(1)
>     control.compliance.openshift.io/STIG: CNTR-OS-000020
>     policies.open-cluster-management.io/controls: SC-8,SC-8(1),CNTR-OS-000020
>     policies.open-cluster-management.io/standards: NIST-800-53,STIG
> ...
> ```

Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=ComplianceAsCode%2Fcompliance-operator). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
yuumasato commented 7 months ago

@Vincent056 @rhmdnd This should be ready for review

yuumasato commented 7 months ago

@rhmdnd @Vincent056 I have added a parser for SRGs.

When content from https://github.com/ComplianceAsCode/content/pull/11647 is deployed, we can see the following annotations:

$ oc get rule  ocp4-api-server-tls-security-profile -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-ocp4j6dgh",
  "compliance.openshift.io/profiles": "ocp4-moderate-rev-4,ocp4-stig-v1r1,ocp4-high-rev-4,ocp4-high,ocp4-nerc-cip,ocp4-moderate,ocp4-stig",
  "compliance.openshift.io/rule": "api-server-tls-security-profile",
  "control.compliance.openshift.io/NIST-800-53": "SC-8;SC-8(1)",
  "control.compliance.openshift.io/SRG-APP-CTR": "SRG-APP-000014-CTR-000040;SRG-APP-000560-CTR-001340",
  "policies.open-cluster-management.io/controls": "SC-8,SC-8(1),SRG-APP-000014-CTR-000040,SRG-APP-000560-CTR-001340",
  "policies.open-cluster-management.io/standards": "NIST-800-53,SRG-APP-CTR"
}

Do you have any opinion on the control name SRG-APP-CTR?
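
The two yuumasato comments above show the annotation shapes the parser produces (the per-standard control.compliance.openshift.io/STIG and control.compliance.openshift.io/SRG-APP-CTR values joined with ";", and the policies.open-cluster-management.io/controls and /standards lists joined with ","). The Go program below is an added illustration, not code from compliance-operator: it rebuilds those annotations from already-parsed (standard, id) pairs and adds the check a reviewer would actually want, namely that every rule selected in a STIG profile carries a STIG ID. The Reference type, the function names, the sample rules, and the "-stig in the profile name" heuristic are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Annotation keys as they appear on the Rule objects quoted in this thread.
const (
	controlPrefix = "control.compliance.openshift.io/"
	profilesKey   = "compliance.openshift.io/profiles"
	ocmControls   = "policies.open-cluster-management.io/controls"
	ocmStandards  = "policies.open-cluster-management.io/standards"
)

// Reference is one external identifier attached to a rule, e.g. the NIST
// 800-53 control "SC-8(1)" or the STIG ID "CNTR-OS-000020". Standard uses the
// names seen in the thread: NIST-800-53, STIG, SRG-APP-CTR. (Example type.)
type Reference struct {
	Standard string
	ID       string
}

// BuildAnnotations derives annotations from a rule's parsed references in the
// shapes quoted above: one control.compliance.openshift.io/<STD> per standard
// with IDs ";"-joined, plus the OCM controls list (all IDs, ","-joined) and the
// OCM standards list (","-joined, first-seen order). Duplicates are dropped.
func BuildAnnotations(refs []Reference) map[string]string {
	byStandard := map[string][]string{}
	var order []string
	seen := map[Reference]bool{}
	for _, r := range refs {
		if seen[r] {
			continue
		}
		seen[r] = true
		if _, ok := byStandard[r.Standard]; !ok {
			order = append(order, r.Standard)
		}
		byStandard[r.Standard] = append(byStandard[r.Standard], r.ID)
	}
	ann := map[string]string{}
	var allIDs []string
	for _, std := range order {
		ann[controlPrefix+std] = strings.Join(byStandard[std], ";")
		allIDs = append(allIDs, byStandard[std]...)
	}
	if len(order) > 0 {
		ann[ocmControls] = strings.Join(allIDs, ",")
		ann[ocmStandards] = strings.Join(order, ",")
	}
	return ann
}

// MissingSTIGAnnotation returns (sorted) the rules that are selected in a STIG
// profile but carry no control.compliance.openshift.io/STIG annotation, i.e.
// the property the PR description claims. Assumption: a profile is in the STIG
// family if its name contains "-stig" (ocp4-stig, ocp4-stig-v1r1 above).
func MissingSTIGAnnotation(rules map[string]map[string]string) []string {
	var missing []string
	for name, ann := range rules {
		inSTIG := false
		for _, p := range strings.Split(ann[profilesKey], ",") {
			if strings.Contains(p, "-stig") {
				inSTIG = true
				break
			}
		}
		if inSTIG && ann[controlPrefix+"STIG"] == "" {
			missing = append(missing, name)
		}
	}
	sort.Strings(missing)
	return missing
}

// SampleRules is constructed input modelled on the two dumps in the thread:
// the pre-PR rule (NIST references only) and the post-PR rule with a STIG ID.
func SampleRules() map[string]map[string]string {
	profiles := "ocp4-nerc-cip,ocp4-high-rev-4,ocp4-stig-v1r1,ocp4-moderate,ocp4-stig,ocp4-moderate-rev-4,ocp4-high"
	nist := []Reference{{"NIST-800-53", "SC-8"}, {"NIST-800-53", "SC-8(1)"}}
	before := BuildAnnotations(nist)
	before[profilesKey] = profiles
	after := BuildAnnotations(append(nist, Reference{"STIG", "CNTR-OS-000020"}))
	after[profilesKey] = profiles
	return map[string]map[string]string{
		"rule-without-stig-ref": before,
		"rule-with-stig-ref":    after,
	}
}

func main() {
	for name, ann := range SampleRules() {
		fmt.Printf("%s:\n", name)
		for k, v := range ann {
			fmt.Printf("  %s: %s\n", k, v)
		}
	}
	fmt.Println("STIG-profile rules missing a STIG ID:", MissingSTIGAnnotation(SampleRules()))
}
```

Against a live cluster the same check is what the `oc get rule ... -o=jsonpath={.metadata.annotations} | jq` calls in this thread do by hand for one rule; the function form lets it run over every rule in the profile, which is where a missing reference would otherwise go unnoticed.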

xiaojiey commented 7 months ago

/hold for test

xiaojiey commented 7 months ago

Got the same result as in comment https://github.com/ComplianceAsCode/compliance-operator/pull/494#issuecomment-1977010549 when content from https://github.com/ComplianceAsCode/content/pull/11647 was deployed.

xiaojiey commented 7 months ago

/unhold

xiaojiey commented 7 months ago

/label qe-approved

rhmdnd commented 7 months ago

> Do you have any opinion on the control name SRG-APP-CTR?

This should align with the cells in the STIG spreadsheets, right?

yuumasato commented 7 months ago

> > Do you have any opinion on the control name SRG-APP-CTR?
>
> This should align with the cells in the STIG spreadsheets, right?

Yes, but not necessarily. The SRGs in each rule should match the ones in the spreadsheet, unless there were changes or bugs during generation of the spreadsheet, and/or changes that DISA made from the spreadsheet to the published XML.

yuumasato commented 7 months ago

@Vincent056 should be ready for review

openshift-ci[bot] commented 6 months ago

@GroceryBoyJr: changing LGTM is restricted to collaborators

In response to [this](https://github.com/ComplianceAsCode/compliance-operator/pull/494#pullrequestreview-1987012087):

> lgtm

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.
openshift-ci[bot] commented 6 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: GroceryBoyJr, rhmdnd, yuumasato

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/ComplianceAsCode/compliance-operator/blob/master/OWNERS)~~ [rhmdnd]

Approvers can indicate their approval by writing `/approve` in a comment
Approvers can cancel approval by writing `/approve cancel` in a comment