SYS.1.6.A24 #24

Open
sluetze opened this issue Nov 7, 2023 · 5 comments
Comments


sluetze commented Nov 7, 2023

No description provided.


sluetze commented Jul 17, 2024

The behavior of the containers and the applications or services operating within them SHOULD be monitored.

ACS offers policies that monitor behavior. Baselining enables the definition of the desired behavior, and policies enable the reaction to undesirable behavior (i.e. behavior that does not exist in the baseline).

Deviations from normal behavior SHOULD be noticed and reported.

The policies provided by ACS alert via OpenShift Monitoring. Furthermore, ACS maintains a history of all violations.

Reports SHOULD be handled appropriately in the central security incident handling process.

This requirement must be implemented organizationally.

Note: The alerts from OpenShift Monitoring must be forwarded to the system used by the central process for handling security incidents. The usual Alertmanager methods are available for this. OpenShift provides email and Slack integration. The community offers further integrations, such as for Teams. If necessary, an integration can be developed that receives the Alertmanager webhook and forwards it appropriately to the external system.

The behavior to be monitored SHOULD include at least:

- network connections,
- created processes,
- file system accesses and
- kernel requests (syscalls).

At the host level, Red Hat CoreOS supports auditd, which is enabled by default. Policies for auditd can include network connections, created processes, file accesses and syscalls. Red Hat CoreOS provides many sample policies that cover all of the areas described.

ACS offers alerting on network connections, created processes and kernel requests. File access is not covered by ACS policies.

In addition, the files on the RHCOS nodes can be checked cryptographically with the Advanced Intrusion Detection Environment (AIDE) via the File Integrity Operator provided by Red Hat, so that changes to files can be detected [FileIntegrity].
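As an added example for the Alertmanager-to-incident-system bridge mentioned in the note above (hypothetical code, not from the issue, from either commenter or from the ComplianceAsCode project): the routine below parses a payload in Alertmanager's documented webhook format (version 4) and turns every firing alert at or above a severity threshold into an incident record that a ticketing system can ingest. The receiver name, label values and annotation text in the sample payload are constructed for this example.

```python
import json
from datetime import datetime

# Severity order used for filtering and sorting (Prometheus convention).
SEVERITY_RANK = {"info": 0, "warning": 1, "critical": 2}

# Constructed sample payload in Alertmanager's webhook format (version 4);
# receiver name, labels and annotation text are invented for this example.
SAMPLE_PAYLOAD = json.dumps({
    "version": "4", "status": "firing", "receiver": "central-incident-handling",
    "alerts": [
        {"status": "firing",
         "labels": {"alertname": "ContainerPolicyViolation",
                    "severity": "critical", "namespace": "payments"},
         "annotations": {"summary": "Unexpected process spawned in container"},
         "startsAt": "2024-10-08T09:15:00Z", "endsAt": "0001-01-01T00:00:00Z",
         "fingerprint": "3f9c0d1e7a2b4c5d"},
        {"status": "resolved",
         "labels": {"alertname": "NodeAuditdStopped", "severity": "warning"},
         "annotations": {"summary": "auditd not running on node"},
         "startsAt": "2024-10-08T08:00:00Z", "endsAt": "2024-10-08T08:30:00Z",
         "fingerprint": "9a8b7c6d5e4f3a2b"},
    ],
})


def to_incidents(payload: str, min_severity: str = "warning") -> list[dict]:
    """Turn firing alerts at or above min_severity into incident records;
    reject anything that is not a webhook v4 payload so a malformed or
    spoofed POST fails loudly instead of being silently dropped."""
    data = json.loads(payload)
    if data.get("version") != "4" or not isinstance(data.get("alerts"), list):
        raise ValueError("not an Alertmanager webhook v4 payload")
    threshold = SEVERITY_RANK[min_severity]
    incidents = []
    for alert in data["alerts"]:
        labels = alert.get("labels", {})
        sev = labels.get("severity", "info")
        # Resolved alerts and low-severity noise are not opened as incidents.
        if alert.get("status") != "firing" or SEVERITY_RANK.get(sev, 0) < threshold:
            continue
        incidents.append({
            "id": alert["fingerprint"],  # stable key, lets the ticket system deduplicate
            "title": labels.get("alertname", "unnamed alert"),
            "severity": sev,
            "opened_at": datetime.fromisoformat(alert["startsAt"].replace("Z", "+00:00")),
            "description": alert.get("annotations", {}).get("summary", ""),
        })
    # Most severe first so the incident queue is triaged in the right order.
    return sorted(incidents, key=lambda i: -SEVERITY_RANK[i["severity"]])
```

A real receiver would wrap `to_incidents` in an HTTP handler, authenticate the Alertmanager POST, and forward each record to the incident system's API.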

@benruland benruland self-assigned this Sep 6, 2024
@benruland

I would argue for does not meet, because the requirement is not met by OpenShift by itself. We need a solution such as ACS.

Do you agree @sluetze or would you prefer partial due to capabilities such as auditd? But how to configure auditd for that?

@benruland

Created PR: ComplianceAsCode#12471

@sluetze

sluetze commented Oct 5, 2024

I would at least add the auditd rules from the Linux guides, and the check for the File Integrity Operator.

And then set partial met.

I am not sure if we mapped the auditd rules elsewhere. But a well configured auditing helps with behavioral monitoring as requested.

@benruland

benruland commented Oct 8, 2024

Per discussion with @sluetze and @lichtblaugue, we will include the File Integrity Operator, appropriate auditd rules (see CIS for the "basic audit set"; these are necessary even when using ACS) and an additional manual rule for a security solution.
