Closed yuumasato closed 6 months ago
/hold for test
@yuumasato It is weird. I noticed there is a stig annotation for stig in the master branch without the PR:
$ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.16.0-0.nightly-2024-02-26-013420 True False 11h Cluster version is 4.16.0-0.nightly-2024-02-26-013420
$ oc get rule ocp4-api-server-tls-security-profile -o=jsonpath={.metadata.annotations} | jq -r
{
"compliance.openshift.io/image-digest": "pb-ocp4qrc9k",
"compliance.openshift.io/profiles": "ocp4-nerc-cip,ocp4-high-rev-4,ocp4-stig-v1r1,ocp4-moderate,ocp4-stig,ocp4-moderate-rev-4,ocp4-high",
"compliance.openshift.io/rule": "api-server-tls-security-profile",
"control.compliance.openshift.io/NIST-800-53": "SC-8;SC-8(1)",
"policies.open-cluster-management.io/controls": "SC-8,SC-8(1)",
"policies.open-cluster-management.io/standards": "NIST-800-53"
}
"compliance.openshift.io/profiles": "ocp4-nerc-cip,ocp4-high-rev-4,ocp4-stig-v1r1,ocp4-moderate,ocp4-stig,ocp4-moderate-rev-4,ocp4-high",
@xiaojiey The compliance.openshift.io/profiles
annotation was added in #398, and it lists the profiles in which a rule is selected.
This PR adds the following annotations listing more specific information about the STIG requirement implemented:
control.compliance.openshift.io/STIG: CNTR-OS-000020
And extends the policies.open-cluster-management.io/controls
and policies.open-cluster-management.io/standards
with STIG specific data:
policies.open-cluster-management.io/controls: SC-8,SC-8(1),CNTR-OS-000020
policies.open-cluster-management.io/standards: NIST-800-53,STIG
vs
"policies.open-cluster-management.io/controls": "SC-8,SC-8(1)",
"policies.open-cluster-management.io/standards": "NIST-800-53"
Verification passed with 4.16.0-0.nightly-2024-02-29-062601:
$ utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11593
2024-03-01 15:36:10,750:INFO: Created profile bundles for ocp4, rhcos4
$ oc get rule ocp4-api-server-tls-security-profile -o=jsonpath={.metadata.annotations} | jq -r
{
"compliance.openshift.io/image-digest": "pb-ocp44m6tp",
"compliance.openshift.io/profiles": "ocp4-high,ocp4-stig,ocp4-moderate,ocp4-high-rev-4,ocp4-moderate-rev-4,ocp4-stig-v1r1,ocp4-nerc-cip",
"compliance.openshift.io/rule": "api-server-tls-security-profile",
"control.compliance.openshift.io/NIST-800-53": "SC-8;SC-8(1)",
"policies.open-cluster-management.io/controls": "SC-8,SC-8(1)",
"policies.open-cluster-management.io/standards": "NIST-800-53"
}
$ oc get rule upstream-ocp4-api-server-tls-security-profile -o=jsonpath={.metadata.annotations} | jq -r
{
"compliance.openshift.io/image-digest": "pb-upstream-ocp46k8b6",
"compliance.openshift.io/profiles": "upstream-ocp4-high,upstream-ocp4-stig-v1r1,upstream-ocp4-stig,upstream-ocp4-moderate-rev-4,upstream-ocp4-moderate,upstream-ocp4-nerc-cip,upstream-ocp4-high-rev-4",
"compliance.openshift.io/rule": "api-server-tls-security-profile",
"control.compliance.openshift.io/NIST-800-53": "SC-8;SC-8(1)",
"control.compliance.openshift.io/STIG": "CNTR-OS-000020",
"policies.open-cluster-management.io/controls": "SC-8,SC-8(1),CNTR-OS-000020",
"policies.open-cluster-management.io/standards": "NIST-800-53,STIG"
}
/unhold
@yuumasato: This pull request references CMP-2401 which is a valid jira issue.
Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.16.0" version, but no target version was set.
@Vincent056 @rhmdnd This should be ready for review
@rhmdnd @Vincent056 I have added a parser for SRGs.
When content from https://github.com/ComplianceAsCode/content/pull/11647 is deployed, we can see the following annotations:
oc get rule ocp4-api-server-tls-security-profile -o=jsonpath={.metadata.annotations} | jq -r
{
"compliance.openshift.io/image-digest": "pb-ocp4j6dgh",
"compliance.openshift.io/profiles": "ocp4-moderate-rev-4,ocp4-stig-v1r1,ocp4-high-rev-4,ocp4-high,ocp4-nerc-cip,ocp4-moderate,ocp4-stig",
"compliance.openshift.io/rule": "api-server-tls-security-profile",
"control.compliance.openshift.io/NIST-800-53": "SC-8;SC-8(1)",
"control.compliance.openshift.io/SRG-APP-CTR": "SRG-APP-000014-CTR-000040;SRG-APP-000560-CTR-001340",
"policies.open-cluster-management.io/controls": "SC-8,SC-8(1),SRG-APP-000014-CTR-000040,SRG-APP-000560-CTR-001340",
"policies.open-cluster-management.io/standards": "NIST-800-53,SRG-APP-CTR"
}
Do you have any opinion on the control name SRG-APP-CTR?
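The two comments above describe the same annotation layout twice, once for the STIG ID (control.compliance.openshift.io/STIG with CNTR-OS-000020) and once for the SRGs (control.compliance.openshift.io/SRG-APP-CTR): a per-standard annotation whose controls are joined with ";", plus the aggregated policies.open-cluster-management.io/controls and policies.open-cluster-management.io/standards annotations joined with ",". A small consistency check over that layout is a useful way to verify a deployed rule the way the test comments in this thread do. The following is an added example, not code from the compliance-operator project or the content repository; the sample annotation dict is constructed from the output shown in the thread with a placeholder image digest, and the function names are my own.

```python
"""Consistency check for control annotations on a compliance-operator Rule.

Added example, not code from the compliance-operator project. It assumes the
annotation layout visible in this thread:
  control.compliance.openshift.io/<STANDARD>   -> controls joined with ';'
  policies.open-cluster-management.io/controls  -> all controls joined with ','
  policies.open-cluster-management.io/standards -> all standards joined with ','
"""
import json

CONTROL_PREFIX = "control.compliance.openshift.io/"
POLICY_CONTROLS = "policies.open-cluster-management.io/controls"
POLICY_STANDARDS = "policies.open-cluster-management.io/standards"

# Constructed sample modelled on the
#   oc get rule <name> -o=jsonpath={.metadata.annotations}
# output shown in this thread (the image digest is a placeholder).
SAMPLE_ANNOTATIONS = {
    "compliance.openshift.io/image-digest": "pb-placeholder",
    "compliance.openshift.io/profiles": "ocp4-moderate,ocp4-stig",
    "compliance.openshift.io/rule": "api-server-tls-security-profile",
    "control.compliance.openshift.io/NIST-800-53": "SC-8;SC-8(1)",
    "control.compliance.openshift.io/SRG-APP-CTR":
        "SRG-APP-000014-CTR-000040;SRG-APP-000560-CTR-001340",
    "policies.open-cluster-management.io/controls":
        "SC-8,SC-8(1),SRG-APP-000014-CTR-000040,SRG-APP-000560-CTR-001340",
    "policies.open-cluster-management.io/standards": "NIST-800-53,SRG-APP-CTR",
}


def split_list(value, sep):
    """Split an annotation value, dropping empty items and surrounding whitespace."""
    return [item.strip() for item in value.split(sep) if item.strip()]


def per_standard_controls(annotations):
    """Map each standard to the controls under control.compliance.openshift.io/<STANDARD>."""
    result = {}
    for key, value in annotations.items():
        if key.startswith(CONTROL_PREFIX):
            standard = key[len(CONTROL_PREFIX):]
            result[standard] = split_list(value, ";")
    return result


def controls_for_standard(annotations, standard):
    """Convenience lookup, e.g. controls_for_standard(a, "SRG-APP-CTR")."""
    return per_standard_controls(annotations).get(standard, [])


def check_annotations(annotations):
    """Return a list of human-readable problems; an empty list means consistent.

    The aggregated policies.* annotations must be exactly the union of the
    per-standard control.* annotations, in both directions: nothing missing
    and nothing that has no per-standard source.
    """
    problems = []
    by_standard = per_standard_controls(annotations)
    expected_controls = {c for controls in by_standard.values() for c in controls}
    expected_standards = set(by_standard)

    actual_controls = set(split_list(annotations.get(POLICY_CONTROLS, ""), ","))
    actual_standards = set(split_list(annotations.get(POLICY_STANDARDS, ""), ","))

    for missing in sorted(expected_controls - actual_controls):
        problems.append(f"{POLICY_CONTROLS} lacks {missing}")
    for extra in sorted(actual_controls - expected_controls):
        problems.append(f"{POLICY_CONTROLS} lists {extra} with no control.compliance.openshift.io/* source")
    for missing in sorted(expected_standards - actual_standards):
        problems.append(f"{POLICY_STANDARDS} lacks {missing}")
    for extra in sorted(actual_standards - expected_standards):
        problems.append(f"{POLICY_STANDARDS} lists {extra} with no control.compliance.openshift.io/* key")
    return problems


if __name__ == "__main__":
    import sys
    # Pipe the JSON object from
    #   oc get rule <name> -o=jsonpath={.metadata.annotations}
    # into this script; with no stdin it falls back to the constructed sample.
    data = SAMPLE_ANNOTATIONS if sys.stdin.isatty() else json.load(sys.stdin)
    issues = check_annotations(data)
    print("\n".join(issues) if issues else "annotations consistent")
    sys.exit(1 if issues else 0)
```

Run it as `oc get rule ocp4-api-server-tls-security-profile -o=jsonpath={.metadata.annotations} | python3 check_rule_annotations.py` (file name is my own choice). The check deliberately treats the two separators differently, because the per-standard annotations use ";" while the aggregated policy annotations use ",", and a script that split both on the same character would silently pass a rule whose aggregated list was never updated.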
/hold for test
Got the same result as in comment https://github.com/ComplianceAsCode/compliance-operator/pull/494#issuecomment-1977010549 when content from https://github.com/ComplianceAsCode/content/pull/11647 is deployed
/unhold
/label qe-approved
Do you have any opinion on the control name SRG-APP-CTR?
This should align with the cells in the STIG spreadsheets, right?
Do you have any opinion on the control name SRG-APP-CTR?
This should align with the cells in the STIG spreadsheets, right?
Yes, but not necessarily. The SRGs in each rule should match the ones in the spreadsheet, unless there were changes or bugs during generation of the spreadsheet, and/or changes that DISA did from the spreadsheet to the published xml.
@Vincent056 should be ready for review
@GroceryBoyJr: changing LGTM is restricted to collaborators
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: GroceryBoyJr, rhmdnd, yuumasato
The full list of commands accepted by this bot can be found here.
The pull request process is described here
This ensures that rules that are part of the STIG profile contain annotations with the STIGID.
One can see the STIG references as annotation on the rule when deployed together with content from https://github.com/ComplianceAsCode/content/pull/11593