CMP-2462: PCI-DSS v4 Requirement 10 #12272
Conversation
OpenShift provides sufficient protection for its audit log events. However, long term audit storing requires a third party storage that needs to be configured manually.
Reviewing audit logs requires a third party software, for example a SIEM.
By default OpenShift is configured to retain logs for a short period of time. To handle long term storage of audit logs a third party application is required.
NTP configuration is done at the node level, and support for an RHCOS4 PCI-DSS v4 profile will come at a later time.
Handling and responding to system component failures is a manual activity. Reporting can be somehow automated, and that is why this control is partial.
rules: [] | ||
status: partial | ||
rules: | ||
# TODO: Add FIO config to allow /var/log/... to extend in size but monitor perms. |
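Review bot: the second `rules:` key is followed only by the `# TODO: Add FIO config ...` comment, so it parses as null rather than an empty list, unlike `rules: []` on the first line; keep `rules: []` for consistency and move the TODO above the key, ideally with a tracking issue number so the `status: partial` entry can be revisited once the FIO configuration lands.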
Good idea. We could track this as an issue or bug against FIO directly.
This was actually extracted from the 3.2.1 version, 😬
Looks good, I only have minor nits and questions.
My nits can be addressed in a follow up, or in a subsequent update to this PR only if you need to respin for something else.
rules: [] | ||
related_rules: |
Not sure if the rules below are related. They are rhcos rules.
- service_chronyd_enabled
- service_chronyd_or_ntpd_enable
By the way, chronyd_specify_remote_server is also an rhcos rule.
I have added service_chronyd_enabled. service_chronyd_or_ntpd_enable is very similar and chronyd_specify_remote_server was already there.
Previously, we didn't have an rhcos4 profile for PCI DSS: https://docs.openshift.com/container-platform/4.16/security/compliance_operator/co-scans/compliance-operator-supported-profiles.html#compliance-supported-profiles_compliance-operator-supported-profiles. Does it mean we will have an rhcos4-pci-dss profile? Thanks.
Potentially, but we've broken the work up into pieces with the profiles so we can deliver some value with the OpenShift profiles initially.
Code Climate has analyzed commit 311e329 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.4% (0.0% change). View more on Code Climate.
/lgtm
related_rules: | ||
- service_chronyd_enabled | ||
- var_multiple_time_servers=generic | ||
- chronyd_specify_remote_server |
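Review bot: `var_multiple_time_servers=generic` is a variable assignment sitting in `related_rules` next to plain rule names; since `related_rules` entries are not built into the datastream, the `=generic` value is never applied, so either drop the suffix and keep it as a reference entry, or move it under `rules` if setting the variable is intended.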
I think we need to remove service_chronyd_enabled, chronyd_specify_remote_server and var_multiple_time_servers, since they are in the linux folder.
These are under the related_rules key so they shouldn't get generated in the final datastream:
The build system adds all XCCDF rules listed under rules key in the control to the built profile. The rules listed under related_rules key are not added. Therefore, the related_rules don’t affect the generated source data stream. Also, the selections from selection key in profile file are included.
These will make it easier though if/when we build out an RHCOS4 profile.
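The rules-versus-related_rules behaviour quoted above, modelled as an added example (not the ComplianceAsCode build code); the control ids, the `audit_profile_set` rule and the `var_example_setting` placeholder are assumptions, the other rule names are the ones quoted in this thread:

```python
from typing import Dict, List, Tuple

# Constructed sample shaped like the controls under discussion.  Rule names are
# the ones quoted in this thread; the control ids, `audit_profile_set` and the
# `var_example_setting` placeholder are assumptions, not the PR's control file.
CONTROLS = [
    {"id": "10.6.1", "status": "partial", "rules": [],
     "related_rules": ["service_chronyd_enabled",
                       "var_multiple_time_servers=generic",
                       "chronyd_specify_remote_server"]},
    {"id": "10.6.2", "status": "partial", "rules": [],
     "related_rules": ["audit_rules_time_clock_settime",
                       "audit_rules_time_stime",
                       "audit_rules_time_adjtimex",
                       "chronyd_run_as_chrony_user"]},
    {"id": "10.2.1", "status": "automated",
     "rules": ["audit_profile_set", "var_example_setting=enabled"]},
]


def resolve_selections(controls) -> Tuple[List[str], Dict[str, str], List[str]]:
    """Model the documented build behaviour for a list of controls.

    Returns (selected_rules, variable_settings, reference_only):
    - entries under `rules` are selected; a `name=value` entry there is a
      variable setting rather than a rule, as in profile selections;
    - entries under `related_rules` are collected for reference only and
      never reach the built profile.
    A `rules:` key with nothing under it (YAML null) is treated as empty.
    """
    selected: List[str] = []
    variables: Dict[str, str] = {}
    reference_only: List[str] = []
    for ctl in controls:
        for entry in ctl.get("rules") or []:
            if "=" in entry:
                name, value = entry.split("=", 1)
                variables[name] = value
            elif entry not in selected:
                selected.append(entry)
        reference_only.extend(ctl.get("related_rules") or [])
    return selected, variables, reference_only


def partial_controls(controls) -> List[str]:
    """Ids of controls still marked `status: partial`, i.e. needing manual work."""
    return [ctl["id"] for ctl in controls if ctl.get("status") == "partial"]
```

Running `resolve_selections(CONTROLS)` shows only `audit_profile_set` and the variable setting being built, while every chrony and audit rule listed under `related_rules` stays reference-only.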
Thanks a lot for the clarification.
I missed that part, thanks for pointing it out!
- audit_rules_time_clock_settime | ||
- audit_rules_time_stime | ||
- audit_rules_time_adjtimex | ||
- chronyd_run_as_chrony_user |
Those rules are also from the Linux group. https://github.com/ComplianceAsCode/content/pull/12272/files#diff-67844ce694c84c54b76dac7610bc6443a329477c4a685417d3aaa1eae7b6e29cR3088-R3093
Similar comment as above. I think Yuuma is just putting these here so that we can bootstrap them in an RHCOS4 profile eventually, without affecting the actual OpenShift profiles.
Yes, 😀
As I went through the 3.2.1 profile and searched through the rules, I added notable rules that can be useful for the RHCOS 4 profile.
/hold
/lgtm
Long term audit storing requires a third party storage that needs to be configured manually.
Reviewing audit logs requires a third party software, for example a SIEM.
To handle long term storage of audit logs a third party application is required.
NTP configuration is done at the node level.
Handling system component failures is a manual activity, but reporting can be automated.