turbot / steampipe-mod-oci-compliance

Run individual configuration, compliance and security controls or full compliance benchmarks for CIS across all of your Oracle Cloud Infrastructure accounts using Powerpipe and Steampipe.
https://hub.powerpipe.io/mods/turbot/oci_compliance
Apache License 2.0

Please add CIS Benchmark checks for OCI OKE #50

Closed hrishikeshkalita closed 1 year ago

hrishikeshkalita commented 2 years ago

Is your feature request related to a problem? Please describe.
I can see no compliance checks for OKE in this mod.

Describe the solution you'd like
It would be nice to have good volumes of checks for OKE.

Additional context
I can see EKS compliance check for AWS. Would be really helpful if we can get OKE included in this mod.

cbruno10 commented 2 years ago

Hey @hrishikeshkalita , are there any specific OKE checks in CIS benchmarks that you're aware of that we're missing? We usually add controls based on what the compliance framework defines, and checking in CIS v1.1.0 for OCI, I don't see anything related to OKE.

And if not within CIS, are there other established compliance frameworks that include OKE that you use today?

cbruno10 commented 2 years ago

Also, I see you've opened a few other issues similar to this one:

So to avoid losing comments across multiple issues, is it ok if we talk about all of those requests in this issue (we can update those issues afterward)?

hrishikeshkalita commented 2 years ago

> Hey @hrishikeshkalita , are there any specific OKE checks in CIS benchmarks that you're aware of that we're missing? We usually add controls based on what the compliance framework defines, and checking in CIS v1.1.0 for OCI, I don't see anything related to OKE.
>
> And if not within CIS, are there other established compliance frameworks that include OKE that you use today?

Hi @cbruno10 Regarding OKE CIS benchmarks, I found a document from CIS site. CIS Oracle Cloud Infrastructure Container Engine for Kubernetes (OKE) Benchmark v1.0 - 11-12-2020

I am attaching the pdf document for it in this reply. Hope it helps to bring up some compliance checks for OKE.

CIS_Oracle_Cloud_Infrastructure_Container_Engine_for_Kubernetes(OKE)_Benchmark_v1.0 PDF.pdf

cbruno10 commented 2 years ago

Thanks @hrishikeshkalita ! I'm not familiar with that particular benchmark, but I'll have a look next week and see if it's something we can implement with the current set of tables.

For the other services you created issues for, e.g., MySQL, Autonomous DB, did you have a particular CIS benchmark in mind for those as well?

hrishikeshkalita commented 2 years ago

> Thanks @hrishikeshkalita ! I'm not familiar with that particular benchmark, but I'll have a look next week and see if it's something we can implement with the current set of tables.
>
> For the other services you created issues for, e.g., MySQL, Autonomous DB, did you have a particular CIS benchmark in mind for those as well?

@cbruno10 So far, I was able to find these:
CIS_Oracle_Database_19c_Benchmark_v1.0.0.pdf
CIS_Oracle_MySQL_Enterprise_Edition_8.0_Benchmark_v1.1.0.pdf

cbruno10 commented 2 years ago

@hrishikeshkalita Thanks for the links! I took a look through some of the CIS benchmarks you've included, and it seems like some of the controls in the benchmarks are related to the infrastructure, which we could implement, while others deal with SSHing into servers and connecting to databases to run commands, which isn't supported by the OCI plugin at the moment.

So, if we were to implement the benchmarks you've linked above, our plan would be to create a new benchmark for each of the CIS benchmarks, and within those benchmarks we'd include the relevant sections primarily related to the infrastructure and things we can query through the OCI API, similar to what we've done in the CIS Kubernetes v1.20 benchmark.

Adding these benchmarks is not on our current roadmap, but if you're interested in adding some of these, we always appreciate any PRs!
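As an illustration of the structure described above (a per-framework benchmark that only carries the infrastructure-level items queryable through the OCI API), here is an added example of what one such OKE benchmark and control could look like in Powerpipe/Steampipe mod HCL. This is not code from the steampipe-mod-oci-compliance repository or from the CIS OKE benchmark; the benchmark and control names, the tag values, the `cis_item_id` placeholder, and the `oci_containerengine_cluster` / `oci_identity_compartment` table and column names (in particular `endpoint_config ->> 'is_public_ip_enabled'`) are assumptions about the OCI plugin schema that should be checked against the plugin's table docs before use.

```hcl
# Added example, not part of the mod. Table and column names are assumed
# from the Steampipe OCI plugin and must be verified against its docs.

locals {
  # Hypothetical common tags, following the per-framework tagging pattern
  # used for other benchmarks in this mod.
  cis_oke_v100_common_tags = {
    cis         = "true"
    cis_version = "v1.0.0"
    service     = "OCI/ContainerEngine"
  }
}

benchmark "cis_oke_v100" {
  title       = "CIS OKE Benchmark v1.0.0 (infrastructure checks only)"
  description = "Recommendations from the CIS OKE benchmark that can be evaluated through the OCI API. Items requiring node or cluster-level command execution are intentionally omitted."
  children = [
    control.cis_oke_v100_api_endpoint_not_public
  ]
  tags = local.cis_oke_v100_common_tags
}

control "cis_oke_v100_api_endpoint_not_public" {
  title       = "Ensure OKE cluster Kubernetes API endpoints are not assigned a public IP"
  description = "A publicly reachable control-plane endpoint widens the cluster's exposure; the endpoint should be private and reached through the VCN. The section number below is a placeholder, not taken from the benchmark."
  sql = <<-EOQ
    select
      -- Required Steampipe control columns: resource, status, reason
      c.id as resource,
      case
        when (c.endpoint_config ->> 'is_public_ip_enabled')::boolean then 'alarm'
        else 'ok'
      end as status,
      case
        when (c.endpoint_config ->> 'is_public_ip_enabled')::boolean
          then c.name || ' Kubernetes API endpoint has a public IP.'
        else c.name || ' Kubernetes API endpoint is private.'
      end as reason,
      -- Additional dimensions for grouping in reports
      c.region,
      coalesce(comp.name, 'root') as compartment
    from
      oci_containerengine_cluster as c
      left join oci_identity_compartment as comp on comp.id = c.compartment_id
    where
      c.lifecycle_state <> 'DELETED';
  EOQ
  tags = merge(local.cis_oke_v100_common_tags, {
    cis_item_id = "x.y.z" # placeholder: real item id comes from the benchmark
  })
}
```

The control follows the standard Steampipe contract (one row per resource with `resource`, `status` and `reason` columns, plus optional dimensions such as `region` and `compartment`), which is what lets a new framework slot in beside the existing CIS OCI benchmark and be run with `powerpipe benchmark run cis_oke_v100`. Any item in the CIS OKE PDF that depends on running commands inside the cluster or on nodes, rather than on API-visible configuration, would be left out of `children`, which is the split the maintainers describe for the CIS Kubernetes v1.20 benchmark.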

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

github-actions[bot] commented 1 year ago

This issue was closed because it has been stalled for 90 days with no activity.