
Add OCP4 STIG control file and auto-add references #11593

Merged
merged 29 commits into from
Mar 14, 2024

Conversation

yuumasato
Member

@yuumasato yuumasato commented Feb 15, 2024

Description:

  • Based on the Manual OCP4 STIG Benchmark and the SRG_CTR, add an OCP4 STIG specific control file.
  • With the OCP4 STIG control file we can leverage the build system to add the STIGID references for us (CNTR-OS-XXXX).
    • This also extends the control file with the capability to have multiple products. Builds of other control files need to be tested/fixed.
  • Disable SRG-APP-000516-CTR-001325 and unselect its rules. This SRG is not part of the published STIG.
    • But for now the rules from the SRG are added directly to the profile file.
  • Add a more specific URI for SRG-APP-XXXXXX-CTR-XXXXXX references: container-platform, and fix STIG ID URIs.
  • Update product stability data to include the new app-srg-ctr reference URI and the updated stigid URI for ocp4 and rhcos4.
    • test_product_stability.py --update-reference-data

Rationale:

  • Add STIG ID references for easier rule - policy mapping and reporting.
  • Use of a specific OCP4 STIG control file should ease maintenance and update of the profile.
  • The container-platform URI more accurately points to the source of SRG CTR and STIG ID.
  • These SRGs are not yet parsed by CO, so this change should not have any impact there.
  • Build ocp4 and rhcos4 and check that references SRG-APP-XXXXXX-CTR-XXXXX and CNTR-OS-XXXXX have href pointing to https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=container-platform

Review Hints:

  • Build the content and check that the STIGID for ocp4 and rhcos4 are there.
  • Check that the rule selection is sane.

@yuumasato yuumasato added the OpenShift OpenShift product related. label Feb 15, 2024

@Mab879
Member

Mab879 commented Feb 15, 2024

I was reviewing the built rule in build/ocp4/rules/api_server_tls_security_profile.yml and noticed this below. I would prefer that we didn't have these duplicated IDs.

    stigid:
    - CNTR-OS-000020
    - CNTR-OS-000020
    - CNTR-OS-000020

@yuumasato
Member Author

yuumasato commented Feb 16, 2024

I was reviewing the built rule in build/ocp4/rules/api_server_tls_security_profile.yml and noticed this below. I would prefer that we didn't have these duplicated IDs.

    stigid:
    - CNTR-OS-000020
    - CNTR-OS-000020
    - CNTR-OS-000020

Thank you for the review @Mab879

I have added two commits regarding duplicate references.

  • The first commit raises an error when the build system tries to assign a reference that already exists in the rule. This should help content writers see that a control has duplicate rules.
  • The second prevents the build_stig_control.py from adding duplicate rules to a control.

Example traceback

FAILED: ocp4/ssg_build_compile_all-ocp4 /home/wsato/git/content/build/ocp4/ssg_build_compile_all-ocp4 
cd /home/wsato/git/content/build/ocp4 && /usr/bin/cmake -E make_directory /home/wsato/git/content/build/ocp4/profiles && env PYTHONPATH=/home/wsato/git/content:/home/wsato/git/content:/home/wsato/git/content /usr/bin/python3 /home/wsato/git/content/build-scripts/compile_all.py --resolved-base /home/wsato/git/content/build/ocp4 --project-root /home/wsato/git/content --build-config-yaml /home/wsato/git/content/build/build_config.yml --product-yaml /home/wsato/git/content/build/ocp4/product.yml --sce-metadata /home/wsato/git/content/build/ocp4/checks/sce/metadata.json --stig-references /home/wsato/git/content/shared/references/disa-stig-ocp4-v1r1-xccdf-manual.xml && /usr/bin/cmake -E touch /home/wsato/git/content/build/ocp4/ssg_build_compile_all-ocp4
Encountered file '.var_apiserver_bind_address.var.swp' while recursing, extension '.swp' is unknown. Skipping..
Traceback (most recent call last):
  File "/home/wsato/git/content/ssg/controls.py", line 187, in add_references
    rule.add_extra_reference(reference_type, self.id)
  File "/home/wsato/git/content/ssg/build_yaml.py", line 1016, in add_extra_reference
    raise ValueError(msg)
ValueError: Rule api_server_tls_security_profile already contains a 'stigid' reference with value 'CNTR-OS-000020'.

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/home/wsato/git/content/build-scripts/compile_all.py", line 169, in <module>
    main()
  File "/home/wsato/git/content/build-scripts/compile_all.py", line 159, in main
    controls_manager.add_references(loader.all_rules)
  File "/home/wsato/git/content/ssg/controls.py", line 524, in add_references
    policy.add_references(rules)
  File "/home/wsato/git/content/ssg/controls.py", line 420, in add_references
    control.add_references(self.reference_type, rules)
  File "/home/wsato/git/content/ssg/controls.py", line 193, in add_references
    raise ValueError(msg) from exc
ValueError: Please remove any duplicate listing of rule 'api_server_tls_security_profile' in control 'CNTR-OS-000020'.
[10/52] [rhcos4-content] compiling everything
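The two guards described in this comment, as an added illustration (simplified stand-ins for the build system's Rule and Control objects, not ComplianceAsCode's own code; the two error messages are the ones in the traceback, and the rule and control ids used are taken from it):

```python
from collections import defaultdict


class Rule:
    """Stand-in for a built rule: an id plus references grouped by type."""

    def __init__(self, rule_id):
        self.id = rule_id
        self.references = defaultdict(list)

    def add_extra_reference(self, ref_type, ref_value):
        # Refuse to attach the same reference twice: a repeated stigid almost
        # always means the rule is listed twice under one control.
        if ref_value in self.references[ref_type]:
            raise ValueError(
                "Rule %s already contains a '%s' reference with value '%s'."
                % (self.id, ref_type, ref_value))
        self.references[ref_type].append(ref_value)


class Control:
    """Stand-in for one control (e.g. CNTR-OS-000020) and its selected rules."""

    def __init__(self, control_id, rules):
        self.id = control_id
        self.rules = list(rules)

    def add_references(self, ref_type, rules_by_id):
        # Each selected rule receives the control id as a reference of type
        # ref_type; the wrapping error points the content author at the control.
        for rule_id in self.rules:
            rule = rules_by_id.get(rule_id)
            if rule is None:
                continue
            try:
                rule.add_extra_reference(ref_type, self.id)
            except ValueError as exc:
                raise ValueError(
                    "Please remove any duplicate listing of rule '%s' in "
                    "control '%s'." % (rule_id, self.id)) from exc


def dedup_rules(rule_ids):
    """Keep the first occurrence of each rule id, preserving order (the second
    fix: a control generator must never emit the same rule twice)."""
    seen = set()
    return [r for r in rule_ids if not (r in seen or seen.add(r))]


def build_stigid_refs(controls, rule_ids):
    """Assign stigid references for all controls; return {rule_id: [stigids]}."""
    rules = {rid: Rule(rid) for rid in rule_ids}
    for control in controls:
        control.add_references("stigid", rules)
    return {rid: rules[rid].references["stigid"] for rid in rule_ids}
```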

@yuumasato
Member Author

I plan to post more details on the profile changes and address the code climate findings.

@yuumasato yuumasato force-pushed the add_ocp4_stig_control_file branch from 1c968a5 to e0f27fa Compare February 20, 2024 16:30
@openshift-merge-robot openshift-merge-robot added the needs-rebase Used by openshift-ci bot. label Feb 20, 2024
@yuumasato yuumasato force-pushed the add_ocp4_stig_control_file branch from e0f27fa to a9cb965 Compare February 20, 2024 16:38
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Used by openshift-ci bot. label Feb 20, 2024

github-actions bot commented Feb 20, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11593
This image was built from commit: 4d7e9a2

Click here to see how to deploy it

If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11593

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11593 make deploy-local

Review thread on products/rhcos4/profiles/stig-v1r1.profile (resolved)
Review thread on controls/stig_ocp4.yml (outdated, resolved)
@yuumasato yuumasato force-pushed the add_ocp4_stig_control_file branch 2 times, most recently from bcff6c1 to 27ff094 Compare February 20, 2024 18:16
@xiaojiey
Collaborator

/hold for test

@openshift-ci openshift-ci bot added the do-not-merge/hold Used by openshift-ci-robot bot. label Feb 21, 2024
@BhargaviGudi
Collaborator

Verification failed with 4.15.0-rc.5 + compliance-operator.v1.4.0 + PR #11593 code

  1. Install CO
  2. Create ssb
    $ oc compliance bind -N test profile/upstream-ocp4-stig profile/upstream-ocp4-stig-node
    Creating ScanSettingBinding test
    $ oc get scan
    NAME PHASE RESULT
    upstream-ocp4-stig DONE NON-COMPLIANT
    upstream-ocp4-stig-node-master DONE NON-COMPLIANT
    upstream-ocp4-stig-node-worker DONE NON-COMPLIANT
  3. Check that the rules listed here are not present in the above profile
  4. I could see that only the 20 rules below are not listed in the profile, out of the 191 rules listed in the above link. The other rules are still present in the STIG profile.
api-server-insecure-port
api-server-kubelet-client-cert
api-server-kubelet-client-cert-pre-4-9
api-server-kubelet-client-key
api-server-kubelet-client-key-pre-4-9
file-groupowner-ip-allocations
file-groupowner-openshift-sdn-cniserver-config
file-owner-ip-allocations
file-owner-openshift-sdn-cniserver-config
file-permissions-ip-allocations
file-perms-openshift-sdn-cniserver-config
file-groupowner-proxy-kubeconfig
file-owner-proxy-kubeconfig
file-permissions-proxy-kubeconfig
file-permissions-ovn-cni-server-sock
file-groupowner-ovn-cni-server-sock
file-owner-ovn-cni-server-sock
file-groupowner-ovn-db-files
file-owner-ovn-db-files
file-permissions-ovn-db-files

@yuumasato Could you please help me check this issue? Thanks

@yuumasato
Member Author

@BhargaviGudi the mentioned rules are in the profile:
oc get profiles upstream-ocp4-stig upstream-ocp4-stig-node -oyaml

But for various reasons they result in notapplicable, therefore CCRs are not created for them.
Sometimes the rule has platform ovn (file-permissions-ovn-db-files), in other cases the rule has platform sdn (file-groupowner-proxy-kubeconfig).

But the most curious ones are the api-server-* rules, which are not applicable on OCP 4.15, 🤔. @Vincent056 @rhmdnd Do you have an insight on this one?

- (ocp4.6 or ocp4.7 or ocp4.8 or ocp4.9 or ocp4.10) and not ocp4-on-hypershift-hosted

- (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16) and not ocp4-on-hypershift-hosted

@Vincent056
Contributor

@BhargaviGudi the mentioned rules are in the profile: oc get profiles upstream-ocp4-stig upstream-ocp4-stig-node -oyaml

But for various reasons they result in notapplicable, therefore CCRs are not created for them. Sometimes the rule has platform ovn (file-permissions-ovn-db-files), in other cases the rule has platform sdn (file-groupowner-proxy-kubeconfig).

But the most curious ones are the api-server-* rules, which are not applicable on OCP 4.15, 🤔. @Vincent056 @rhmdnd Do you have an insight on this one?

- (ocp4.6 or ocp4.7 or ocp4.8 or ocp4.9 or ocp4.10) and not ocp4-on-hypershift-hosted

- (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16) and not ocp4-on-hypershift-hosted

api_server_insecure_port was only needed before 4.11, so they were disabled on 4.11 and above: 9d2e1ab
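An added illustration, not the project's own platform/CPE code: a small evaluator for platform expressions of the form quoted above, showing why api-server-insecure-port comes out notapplicable on an OCP 4.15 cluster (so no ComplianceCheckResult is created) while an ovn rule still applies. Only the two expressions are from the discussion; the rule-to-platform pairings other than api-server-insecure-port, and the cluster facts, are constructed.

```python
import re

# The two platform expressions quoted above. Only the api-server-insecure-port
# pairing is stated in the discussion; the other pairings are constructed.
OLD_API = "(ocp4.6 or ocp4.7 or ocp4.8 or ocp4.9 or ocp4.10) and not ocp4-on-hypershift-hosted"
NEW_API = ("(ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15"
           " or ocp4.16) and not ocp4-on-hypershift-hosted")
RULES = {"api-server-insecure-port": OLD_API, "hypothetical-api-server-rule": NEW_API,
         "file-permissions-ovn-db-files": "ovn", "file-groupowner-proxy-kubeconfig": "sdn"}
_TOKEN = r"\(|\)|[A-Za-z0-9_.\-]+"   # parens, keywords and ids such as ocp4.15


def applicable(expr, platforms):
    """True when a rule whose platform is `expr` applies to a cluster exposing `platforms`."""
    toks, pos, platforms = re.findall(_TOKEN, expr), [0], set(platforms)
    if "".join(toks) != re.sub(r"\s+", "", expr):
        raise ValueError("bad characters in platform expression %r" % expr)
    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None
    def take():
        tok = peek()
        pos[0] += 1
        return tok
    def parse_or():   # or-expr := and-expr ('or' and-expr)*
        val = parse_and()
        while peek() == "or":
            take()
            val = parse_and() or val   # parse first, then combine: no short-circuit
        return val
    def parse_and():  # and-expr := unary ('and' unary)*
        val = parse_not()
        while peek() == "and":
            take()
            val = parse_not() and val
        return val
    def parse_not():  # unary := 'not' unary | '(' or-expr ')' | platform-id
        tok = take()
        if tok == "not":
            return not parse_not()
        if tok == "(":
            val = parse_or()
            if take() != ")":
                raise ValueError("missing ')' in %r" % expr)
            return val
        if tok in (None, "and", "or", ")"):
            raise ValueError("unexpected token %r in %r" % (tok, expr))
        return tok in platforms   # bare id: true when the cluster exposes it
    result = parse_or()
    if peek() is not None:
        raise ValueError("trailing tokens in %r" % expr)
    return result


def not_applicable(platforms, rules=RULES):
    """Rule ids a scan would report notapplicable, so no ComplianceCheckResult is created."""
    return sorted(r for r, expr in rules.items() if not applicable(expr, platforms))
```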

@yuumasato
Member Author

Thanks @Vincent056.

So the rules' notapplicable results seem correct to me.

@xiaojiey
Collaborator

Verification pass with 4.16.0-0.nightly-2024-02-26-013420

$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.16.0-0.nightly-2024-02-26-013420   True        False         4h52m   Cluster version is 4.16.0-0.nightly-2024-02-26-013420
$ oc get pb
NAME              CONTENTIMAGE                                 CONTENTFILE         STATUS
ocp4              ghcr.io/complianceascode/k8scontent:latest   ssg-ocp4-ds.xml     VALID
rhcos4            ghcr.io/complianceascode/k8scontent:latest   ssg-rhcos4-ds.xml   VALID
upstream-ocp4     ghcr.io/complianceascode/k8scontent:11593    ssg-ocp4-ds.xml     VALID
upstream-rhcos4   ghcr.io/complianceascode/k8scontent:11593    ssg-rhcos4-ds.xml   VALID
$ oc get profile.compliance ocp4-stig -o=jsonpath={.rules} | jq -r | grep ocp4 | wc -l
125
$ oc get profile.compliance ocp4-stig-node -o=jsonpath={.rules} | jq -r | grep ocp4 | wc -l
113
$ oc get profile.compliance rhcos4-stig -o=jsonpath={.rules} | jq -r | grep rhcos | wc -l
120
$ oc get profile.compliance upstream-ocp4-stig -o=jsonpath={.rules} | jq -r | grep ocp4 | wc -l
125
$ oc get profile.compliance upstream-ocp4-stig-node -o=jsonpath={.rules} | jq -r | grep ocp4 | wc -l
113
$ oc get profile.compliance upstream-rhcos4-stig -o=jsonpath={.rules} | jq -r | grep rhcos | wc -l
120
$ oc compliance bind -N test-ocp4-stig profile/upstream-ocp4-stig profile/upstream-ocp4-stig-node
Creating ScanSettingBinding test-ocp4-stig
$ oc compliance bind -N test-rhcos4-stig profile/upstream-rhcos4-stig
Creating ScanSettingBinding test-rhcos4-stig
$ oc get suite 
NAME               PHASE   RESULT
test-ocp4-stig     DONE    NON-COMPLIANT
test-rhcos4-stig   DONE    NON-COMPLIANT
$ oc get scan
NAME                             PHASE   RESULT
upstream-ocp4-stig               DONE    NON-COMPLIANT
upstream-ocp4-stig-node-master   DONE    NON-COMPLIANT
upstream-ocp4-stig-node-worker   DONE    NON-COMPLIANT
upstream-rhcos4-stig-master      DONE    NON-COMPLIANT
upstream-rhcos4-stig-worker      DONE    NON-COMPLIANT

@xiaojiey
Collaborator

/unhold

@yuumasato
Member Author

@rhmdnd @Vincent056 I'll move the rules from SRG-APP-000516-CTR-001325 out of the needed_rules control to the profile file.

@yuumasato
Member Author

@rhmdnd @Vincent056 I'll move the rules from SRG-APP-000516-CTR-001325 out of the needed_rules control to the profile file.

Actually, it will be laborious to move the rules from the control file to the profile file. As we have both ocp4 and rhcos4 rules, they each need to go into their respective product/profile.
So it'll be simpler to keep them in the control file.

@yuumasato
Member Author

@rhmdnd @Vincent056 Turns out all the rules are ocp4, I moved them to products/ocp4/profiles/stig-v1r1.profile

The data stream doesn't have extraneous needed_rules references anymore.
Should be good to go, :)

@yuumasato yuumasato force-pushed the add_ocp4_stig_control_file branch from ed9e06d to 8fcad8b Compare March 6, 2024 11:30
@yuumasato
Member Author

I have updated some of the controls' pending status and rebased to latest master.
@rhmdnd @Vincent056

@yuumasato
Member Author

/test e2e-aws-ocp4-stig
/test e2e-aws-ocp4-stig-node
/test e2e-aws-rhcos4-stig

ocp4 and rhcos4 products should have a different URI than the unix-linux
products.

The OpenShift Container Platform STIG can be found at
https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=container-platform
Update SRG CTR reference to a more specific URI.
The application-servers is about Apache, JBoss and other server
applications.
Run test_product_stability.py --update-reference-data to update 'stigid'
and 'srg-app-ctr' for ocp4 and rhcos4.
Run test_product_stability.py --update-reference-data to update all
products' stability data.
@yuumasato yuumasato requested review from a team as code owners March 7, 2024 14:57
@yuumasato
Member Author

/test e2e-aws-ocp4-stig
/test e2e-aws-ocp4-stig-node
/test e2e-aws-rhcos4-stig

@yuumasato
Member Author

ping @dodys @teacup-on-rockingchair @Mab879 regarding product stability data


codeclimate bot commented Mar 7, 2024

Code Climate has analyzed commit 4d7e9a2 and detected 1 issue on this pull request.

Here's the issue category breakdown:

Category Count
Style 1

The test coverage on the diff in this pull request is 36.3% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.8% (0.0% change).

View more on Code Climate.

@xiaojiey
Collaborator

/hold for test

@openshift-ci openshift-ci bot added the do-not-merge/hold Used by openshift-ci-robot bot. label Mar 11, 2024
Contributor

@dodys dodys left a comment


lgtm, thanks!

Member

@Mab879 Mab879 left a comment


LGTM.

@BhargaviGudi
Collaborator

Verification passed with 4.16.0-0.nightly-2024-03-11-195522 + compliance-operator

1. Install CO
2. ./utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11593
$ oc get clusterversions.config.openshift.io 
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.16.0-0.nightly-2024-03-11-195522   True        False         31m     Cluster version is 4.16.0-0.nightly-2024-03-11-195522
$ oc get pb
NAME              CONTENTIMAGE                                 CONTENTFILE         STATUS
ocp4              ghcr.io/complianceascode/k8scontent:latest   ssg-ocp4-ds.xml     VALID
rhcos4            ghcr.io/complianceascode/k8scontent:latest   ssg-rhcos4-ds.xml   VALID
upstream-ocp4     ghcr.io/complianceascode/k8scontent:11593    ssg-ocp4-ds.xml     VALID
upstream-rhcos4   ghcr.io/complianceascode/k8scontent:11593    ssg-rhcos4-ds.xml   VALID
$ oc get profile.compliance ocp4-stig -o=jsonpath={.rules} | jq -r | grep ocp4 | wc -l
125
$ oc get profile.compliance ocp4-stig-node -o=jsonpath={.rules} | jq -r | grep ocp4 | wc -l
113
$ oc get profile.compliance rhcos4-stig -o=jsonpath={.rules} | jq -r | grep rhcos | wc -l
120
$ oc get profile.compliance upstream-ocp4-stig -o=jsonpath={.rules} | jq -r | grep ocp4 | wc -l
125
$ oc get profile.compliance upstream-ocp4-stig-node -o=jsonpath={.rules} | jq -r | grep ocp4 | wc -l
113
$ oc get profile.compliance upstream-rhcos4-stig -o=jsonpath={.rules} | jq -r | grep rhcos | wc -l
120
$ oc compliance bind -N test-ocp4-stig profile/upstream-ocp4-stig profile/upstream-ocp4-stig-node
Creating ScanSettingBinding test-ocp4-stig
$ oc compliance bind -N test-rhcos4-stig profile/upstream-rhcos4-stig
Creating ScanSettingBinding test-rhcos4-stig
$ oc get ssb
NAME               STATUS
test-ocp4-stig     READY
test-rhcos4-stig   READY
$ oc get suite
NAME               PHASE   RESULT
test-ocp4-stig     DONE    NON-COMPLIANT
test-rhcos4-stig   DONE    NON-COMPLIANT
$ oc get scan
NAME                             PHASE   RESULT
upstream-ocp4-stig               DONE    NON-COMPLIANT
upstream-ocp4-stig-node-master   DONE    NON-COMPLIANT
upstream-ocp4-stig-node-worker   DONE    NON-COMPLIANT
upstream-rhcos4-stig-master      DONE    NON-COMPLIANT
upstream-rhcos4-stig-worker      DONE    NON-COMPLIANT

@BhargaviGudi
Collaborator

/unhold

@openshift-ci openshift-ci bot removed the do-not-merge/hold Used by openshift-ci-robot bot. label Mar 12, 2024
Contributor

@teacup-on-rockingchair teacup-on-rockingchair left a comment


lgtm 🙇

@rhmdnd rhmdnd merged commit c18326c into ComplianceAsCode:master Mar 14, 2024
45 of 47 checks passed
rhmdnd added a commit to rhmdnd/content that referenced this pull request Mar 14, 2024
@yuumasato yuumasato deleted the add_ocp4_stig_control_file branch March 15, 2024 09:24