[SCCD] New SCCD evaluation using the results of the Base AMI SCCD scans

[hgbarreto]

Description

Once the Base AMI SCCD score is reported, we can generate new reports on rule failures for the image. With this information we can then split the rules between "rules we can fix" and "rules we can submit remediation requests for"

Resources

• CIS AL2 Controls Checklist

Acceptance Criteria

• [x] Generate new report from SCCD score of dsva-vagov-sccd-compliance-prod
• [ ] Determine false positives (these will be for remediation request submission)
• [ ] Determine those that can be investigated/corrected. Create a plan for addressing these items.

Refinement Guidance - Check the following before working on this issue:

• [x] Team label assigned ("platform-tech-team-2")
• [x] Epic assigned (if needed)
• [x] Estimated (points assigned)
• [ ] Sprint assigned (once planned)
• [x] Team member(s) assigned
• [x] Understands how this work aligns with the overall platform

[hgbarreto]

Sitting at 91.7 SCCD Score after the following events:

• Pushed new changes and tweaks via AMI build
• Approximately 20 rules are scanned as non applicable
• Made a few manual/live changes to observe results

Next steps: Find permanent fix for SELinux context being lost in the AMI build. This should resolve multiple issues like, audit service failing on startup + BESclient becoming unconfined daemon.

[jhouse-solvd]

@hgbarreto - I quickly checked the BigFix console, and it looks like one of the EKS cluster nodes is reporting at 89%! This is super exciting. 🎉

Screenshot from BigFix console this morning:

Screenshot from AWS console for the host from BigFix above:

As you mentioned in your comment above, do you expect those changes to be deployed to other hosts in production soon? I don't want to rush your progress, but I'm just curious. :)

[hgbarreto]

Currently have the Base AMI sitting at a true 90.4% Score.

[hgbarreto]

Closing this effort to begin optimization and eks node ami hardening.