From 5b41f7b60173179a2b1146f1fca60880c7f3b515 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 6 Aug 2024 18:01:52 +0200 Subject: [PATCH 01/11] CMP-2462: Requirement 10.1 is not applicable --- controls/pcidss_4_ocp4.yml | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index 3e0a6d72cba..0a5300f2fbd 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml @@ -2726,29 +2726,21 @@ controls: cardholder data are defined and documented. levels: - base - status: pending + status: not applicable controls: - id: 10.1.1 title: All security policies and operational procedures that are identified in Requirement 10 are Documented, Kept up to date, In use and Known to all affected parties. levels: - base - status: pending - notes: |- - Examine documentation and interview personnel to verify that security policies and - operational procedures identified in Requirement 10 are managed in accordance with all - elements specified in this requirement. + status: not applicable - id: 10.1.2 title: Roles and responsibilities for performing activities in Requirement 10 are documented, assigned, and understood. levels: - base - status: pending - notes: |- - Examine documentation and interview personnel to verify that day-to-day responsibilities - for performing all the activities in Requirement 10 are documented, assigned and - understood by the assigned personnel. + status: not applicable - id: '10.2' title: Audit logs are implemented to support the detection of anomalies and suspicious From 42814d990b851a1d00d8594184cc6f483d326b68 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 6 Aug 2024 18:02:18 +0200 Subject: [PATCH 02/11] CMP-2462: Requirement 10.2 is inherently met --- controls/pcidss_4_ocp4.yml | 74 +++++++++++++++++++++----------------- 1 file changed, 42 insertions(+), 32 deletions(-) 
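Review bot: The three `not applicable` statuses on 10.1, 10.1.1 and 10.1.2 drop the existing `notes:` blocks and add nothing in their place, so the control file no longer records why these requirements do not apply to the platform, and the commit title gives no reason either. A short note, at least on the parent 10.1, would keep the rationale next to the status, for example `notes: >-` followed by `Documenting and assigning the policies and roles for Requirement 10 is an organizational process; there is no platform setting to assess.` (wording as an example). The same absence of a justification recurs on the `not applicable` statuses set for 10.4.x and 10.7.1 later in this series. The 10.1 control opens outside the hunk.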
diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index 0a5300f2fbd..ed940350834 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml @@ -2747,7 +2747,7 @@ controls: activity, and the forensic analysis of events. levels: - base - status: pending + status: inherently met controls: - id: 10.2.1 title: Audit logs are enabled and active for all system components and cardholder data. @@ -2755,7 +2755,7 @@ controls: Records of all activities affecting system components and cardholder data are captured. levels: - base - status: pending + status: inherently met rules: [] controls: - id: 10.2.1.1 @@ -2764,12 +2764,11 @@ controls: Records of all individual user access to cardholder data are captured. levels: - base - status: planned - notes: |- - Differently than 10.2.1.4, this requirement is about logginh successful access to - cardholder data. This kind of events can easily hit performance issues and are usually - not necessary if a good access policy is in place. More clarification is needed about - this requirement. + status: inherently met + notes: >- + All user and/or service account accesses to OpenShift components are logged. + However, the payment entity still is responsible for logging events for access to + applications within workloads hosted in containers in OpenShift. - id: 10.2.1.2 title: Audit logs capture all actions taken by any individual with administrative access, 
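Review bot: The `notes:` blocks added in the 10.2.1.1 hunk use the folded `>-` style, while every other note visible on this page (the removed ones here and the kept ones on 10.2.1.4, 10.2.1.6 and 10.3.3) uses the literal `|-` style, so the patch mixes two block-scalar styles in one file; the same mix recurs in the 10.2.1.2, 10.2.1.3, 10.2.1.7 and 10.2.2 hunks. Folding also joins `...are logged.` and `However, ...` into one line, which hides the sentence break the author wrote. A related inconsistency: the 10.2.1 hunk keeps `rules: []` under `status: inherently met` while the 10.2.1.2 hunk removes `rules: []` for the same status, so one convention should be picked. The 10.2.1.1 note's caveat that the payment entity remains responsible for application-level access logging applies to the parent 10.2.1 as well, which is set to `inherently met` with no note; all three controls open outside their hunks.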
@@ -2778,11 +2777,12 @@ controls: Records of all actions performed by individuals with elevated privileges are captured. levels: - base - status: pending - notes: |- - Not all privileged commands have suid or sgid enabled. We probably want to include more - rules for this requirement. - rules: [] + status: inherently met + notes: >- + All actions taken by individual with root or administrative privileges to OpenShift and + Red Hat CoreOS are logged. + However, the payment entity still is responsible for logging events for access to + applications within workloads hosted in containers in OpenShift. - id: 10.2.1.3 title: Audit logs capture all access to audit logs. @@ -2790,8 +2790,16 @@ controls: Records of all access to audit logs are captured. levels: - base - status: pending - rules: [] + status: inherently met + notes: >- + Access to audit trails relative to OpenShift are made available at the OS level with + administrator accounts. + Red Hat CoreOS can be configured to log access to the journal or log file. For better + protection of audit trails, including improved access controls, it is recommended to + direct logs to an external log server or Security Information Event Management (SIEM) + solution. + rules: + - audit_logging_enabled - id: 10.2.1.4 title: Audit logs capture all invalid logical access attempts. 
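Review bot: `status: inherently met` on 10.2.1.3 conflicts with the `audit_logging_enabled` rule attached in the same hunk: the last patch of this series resolves the same combination on 10.2.2 by switching to `status: automated` once a rule is present, so one of the two is inconsistent, and `automated` looks like the intended value whenever a rule checks the control. The note's own wording, `Red Hat CoreOS can be configured to log access to the journal or log file`, describes something that needs configuration rather than an inherent property, which also argues for `automated` or `partial`. Minor wording: `Security Information Event Management (SIEM)` is conventionally `Security Information and Event Management (SIEM)`. The 10.2.1.3 control opens outside the hunk.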
@@ -2799,25 +2807,30 @@ controls: Records of all invalid access attempts are captured. levels: - base - status: pending - rules: [] + status: inherently met + notes: |- + Unauthorized attempts to access system components or run unauthorized commands against + OpenShift are logged. - id: 10.2.1.5 title: Audit logs capture all changes to identification and authentication credentials. levels: - base - status: pending - rules: [] + status: inherently met - id: 10.2.1.6 title: Audit logs capture the initialization of new audit logs, and starting, stopping, or pausing of the existing audit logs. levels: - base - status: planned + status: inherently met notes: |- - Ideally should exist rules specifically logging when audit configuration files are - modified and audit service state is changed. + Stopping the mechanisms for log creation in OpenShift requires stopping the OpenShift + Control Plane itself, which would have the effect of preventing any further access for + any users to the API, CLI, or Web UI. + Auditing within OpenShift cannot be reconfigured or stopped without reconfiguring + OpenShift. + Any attempt to reconfigure OpenShift will be logged. - id: 10.2.1.7 title: Audit logs capture all creation and deletion of system-level objects. @@ -2826,12 +2839,10 @@ controls: functionality are captured. levels: - base - status: pending - notes: |- - There are enough rules to capture deletion events but not for creation events. - This requirement needs to be better investigated to confirm which additional rules would - satistfy the requirement. - rules: [] + status: inherently met + notes: >- + Creation and deletion of system levels objects is logged by OpenShift and by + Red Hat CoreOS. - id: 10.2.2 title: Audit logs record sufficient details for each auditable event. 
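Review bot: The new 10.2.1.7 note carries a typo that the later "Fix issues and typos" patch does not catch: `Creation and deletion of system levels objects is logged by OpenShift and by` should read `Creation and deletion of system-level objects is logged by OpenShift and by`, matching the requirement title. In the 10.2.1.4 hunk, 10.2.1.5 (changes to identification and authentication credentials) is set to `inherently met` with no `notes:` while every neighbouring `inherently met` control gets one, so a one-line note naming the component that logs credential changes would keep it reviewable. The 10.2.1.4 note uses `|-` while the other notes added in this patch use `>-`. Both 10.2.1.4 and 10.2.1.7 open outside their hunks.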
@@ -2845,10 +2856,9 @@ controls: name and protocol). levels: - base - status: pending - notes: |- - Standard settings for audit should be enough. - rules: [] + status: inherently met + notes: >- + The logs generated by OpenShift and Red Hat CoreOS include all the data required. - id: '10.3' title: Audit logs are protected from destruction and unauthorized modifications. From 8c3ba2e634fe7b8a4ade0c4fbe5b5c39f3260ebf Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 6 Aug 2024 18:03:11 +0200 Subject: [PATCH 03/11] CMP-2462: Requirement 10.3 is partially met OpenShift provides sufficient protection for its audit log events. However, long term audit storing requires a third party storage that needs to be configured manually. --- controls/pcidss_4_ocp4.yml | 40 ++++++++++++++++++++++++++++++-------- 1 file changed, 32 insertions(+), 8 deletions(-) diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index ed940350834..df2e018ca35 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml @@ -2864,7 +2864,7 @@ controls: title: Audit logs are protected from destruction and unauthorized modifications. levels: - base - status: pending + status: partial controls: - id: 10.3.1 title: Read access to audit logs files is limited to those with a job-related need. @@ -2872,8 +2872,13 @@ controls: Stored activity records cannot be accessed by unauthorized personnel. levels: - base - status: pending - rules: [] + status: manual + notes: |- + Access to audit logs is limited to the cluster-admin role. Ensure that only those + user with a job-related need have the cluster-admin role. + rules: + # This rule doesn't have an automated check + - rbac_limit_cluster_admin - id: 10.3.2 title: Audit log files are protected to prevent modifications by individuals. 
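Review bot: Grammar in the new 10.3.1 note: `user with a job-related need` should be plural, i.e. `Access to audit logs is limited to the cluster-admin role. Ensure that only those` / `users with a job-related need have the cluster-admin role.`. The inline rule comment `# This rule doesn't have an automated check` is what explains the `manual` status, but YAML comments are dropped by any round-trip and are unlikely to reach whatever is rendered from the control file; stating it in the note (`The rbac_limit_cluster_admin rule has no automated check.`) keeps the explanation with the data. The 10.3.1 control opens outside the hunk.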
@@ -2881,8 +2886,25 @@ controls: Stored activity records cannot be modified by personnel. levels: - base - status: pending - rules: [] + status: planned + notes: >- + Limited access to the audit trails on OpenShift hosts provides minimal protection from + unauthorized modification. + Use of an external log collector or SIEM solution may provide improved protections against + unauthorized modifications by adding additional features such as file integrity monitoring, + digital signing, or Write Once, Read Many (WORM) storage. + levels: + - base + rules: + - directory_permissions_var_log_kube_audit + - directory_permissions_var_log_oauth_audit + - directory_permissions_var_log_ocp_audit + - file_ownership_var_log_kube_audit + - file_ownership_var_log_oauth_audit + - file_ownership_var_log_ocp_audit + - file_permissions_var_log_kube_audit + - file_permissions_var_log_oauth_audit + - file_permissions_var_log_ocp_audit - id: 10.3.3 title: Audit log files, including those for external-facing technologies, are promptly @@ -2893,7 +2915,7 @@ controls: unauthorized modification. levels: - base - status: pending + status: manual notes: |- Although the technologies in general allow to send logs to a centralized server, some parameters for this configuration are specific to each site policy and therefore the @@ -2907,8 +2929,10 @@ controls: Stored activity records cannot be modified without an alert being generated. levels: - base - status: pending - rules: [] + status: partial + rules: + # TODO: Add FIO config to allow /var/log/... to extend in size but monitor perms. + - file_integrity_exists - id: '10.4' title: Audit logs are reviewed to identify anomalies or suspicious activity. From 5ae7c60812fec35524e875a5acdff3fee458742b Mon Sep 17 00:00:00 2001 
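Review bot: The 10.3.2 hunk introduces a duplicate `levels:` key: the control already has `levels:` / `- base` above `status:` (kept as context), and the added lines insert a second `levels:` / `- base` between the note and `rules:`. Duplicate mapping keys are invalid in YAML 1.2 and most parsers silently keep the last occurrence, so the file loads only by accident; drop the second `levels:` and `- base` lines so `rules:` follows the note directly. The patch 09 hunk later in this series adds the `directory_access_*` rules under that same duplicated block, so it needs the same cleanup. Separately, the 10.3.4 hunk leaves `# TODO: Add FIO config to allow /var/log/... to extend in size but monitor perms.` as a comment inside `rules:`; a tracking reference or a `notes:` sentence would make the open item visible outside the raw file. Both controls open outside their hunks.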
From: Watson Sato Date: Tue, 6 Aug 2024 18:06:18 +0200 Subject: [PATCH 04/11] CMP-2462: Requirement 10.4 manual or not applicable Reviewing audit logs requires a third party software, for example an SIEM. --- controls/pcidss_4_ocp4.yml | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index df2e018ca35..a2e690910d3 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml @@ -2938,7 +2938,7 @@ controls: title: Audit logs are reviewed to identify anomalies or suspicious activity. levels: - base - status: pending + status: manual controls: - id: 10.4.1 title: The audit logs are reviewed at least once daily. @@ -2951,7 +2951,7 @@ controls: (IDS/IPS), authentication servers). levels: - base - status: pending + status: manual controls: - id: 10.4.1.1 title: Automated mechanisms are used to perform audit log reviews. @@ -2961,9 +2961,7 @@ controls: which it will be required and must be fully considered during a PCI DSS assessment. levels: - base - status: pending - notes: |- - Automation mechanisms, solutions and approaches vary for each organizarion. + status: not applicable - id: 10.4.2 title: Logs of all other system components (those not specified in Requirement 10.4.1) are @@ -2974,7 +2972,7 @@ controls: is applicable to all other in-scope system components not included in Requirement 10.4.1. levels: - base - status: pending + status: not applicable controls: - id: 10.4.2.1 title: The frequency of periodic log reviews for all other system components (not defined @@ -2986,7 +2984,7 @@ controls: it will be required and must be fully considered during a PCI DSS assessment. levels: - base - status: pending + status: not applicable - id: 10.4.3 title: Exceptions and anomalies identified during the review process are addressed. 
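Review bot: The `not applicable` statuses on 10.4.1.1, 10.4.2 and 10.4.2.1 (and 10.4.3 in the next hunk) carry no `notes:`, and the only justification, that log review needs third-party software such as a SIEM, lives in the commit message where a reader of the control file will not see it. Since 10.4 and 10.4.1 are set to `manual` in the same patch, the distinction between `manual` and `not applicable` for sibling review requirements is not self-evident either; a note such as `Review of audit logs is performed outside OpenShift, for example in a SIEM; see 10.4.1.` on each `not applicable` entry would record the reasoning. The 10.4.1.1 hunk also deletes the previous note without a replacement. Each of these controls opens outside its hunk.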
@@ -2994,7 +2992,7 @@ controls: Suspicious or anomalous activities are addressed. levels: - base - status: pending + status: not applicable - id: '10.5' title: Audit log history is retained and available for analysis. From aabdfbeb0fbf206b9171a207134da67cea5cf856 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 6 Aug 2024 18:09:13 +0200 Subject: [PATCH 05/11] CMP-2462: Requirement 10.5 is supported By defualt OpenShift is configured to retain logs for a short period of time. To handle long term storage of audit logs a third party application is required. --- controls/pcidss_4_ocp4.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index a2e690910d3..6aa3b02f131 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml @@ -2998,7 +2998,7 @@ controls: title: Audit log history is retained and available for analysis. levels: - base - status: pending + status: supported controls: - id: 10.5.1 title: Retain audit log history for at least 12 months, with at least the most recent three @@ -3008,10 +3008,13 @@ controls: are retained for at least 12 months. levels: - base - status: pending + status: supported notes: |- - It is not simple to ensure 12 months history is present in each system but the rules in - this requirement ensures the logs are not lost without administrators awareness. + Log retention in OpenShift is not time based, the default configuration rotates 10 log + files of 100 MB each, allowing up to 1GB of retention. + + To implement time based audit log retention configure log forwarding to a third party + storage, for example Elasticsearch or LokiStack. rules: [] - id: '10.6' From 74cf8f82e1a1bcafc46f7656de5ac69e7c5edd70 Mon Sep 17 00:00:00 2001 
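Review bot: The new 10.5.1 note has a comma splice and inconsistent unit spacing (`100 MB` vs `1GB`); suggested wording for the two lines: `Log retention in OpenShift is not time based; the default configuration rotates 10 log` / `files of 100 MB each, allowing up to 1 GB of retention.`. The `rules: []` kept under `status: supported` matches the commit's position that long-term storage needs a third-party application, but the note should say that directly, as the commit message does, so the gap is visible in the file. If the rotation figures come from a specific API server configuration, naming it in the note would let reviewers verify them. The 10.5.1 control opens outside the hunk.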
From: Watson Sato Date: Tue, 6 Aug 2024 18:11:18 +0200 Subject: [PATCH 06/11] CMP-2462: Requirement 10.6 is supported NTP configuration is done at the node level, and support for an RHCOS4 PCI-DSS v4 profile will come at a later time. --- controls/pcidss_4_ocp4.yml | 35 +++++++++++++++++++++++++++-------- 1 file changed, 27 insertions(+), 8 deletions(-) diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index 6aa3b02f131..e15715bf003 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml @@ -3021,7 +3021,7 @@ controls: title: Time-synchronization mechanisms support consistent time settings across all systems. levels: - base - status: pending + status: planned controls: - id: 10.6.1 title: System clocks and time are synchronized using time-synchronization technology. @@ -3031,10 +3031,11 @@ controls: Requirements 6.3.1 and 6.3.3. levels: - base - status: pending + status: inherently met notes: |- - Maybe it is possible to optmize some similar rules related to ntp. - rules: [] + By default OpenShift uses a public Network Time Protocol (NTP) server. + However, additional configuration is nedded to use a local enterprise NTP server, + or in disconnected environments. - id: 10.6.2 title: Systems are configured to the correct and consistent time. 
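Review bot: The commit title says Requirement 10.6 is supported, but the first hunk sets 10.6 to `status: planned` and the second sets 10.6.1 to `status: inherently met`, so the three labels disagree; the parent status should reflect its children (10.6.2 and 10.6.3 become `planned` in the following hunks) and the title should match. The 10.6.1 note itself says additional configuration is needed for a local enterprise NTP server or disconnected environments, which is a caveat on `inherently met` worth stating as such, for example `Disconnected environments must configure a reachable NTP server; see 10.6.2.`. The 10.6.1 control opens outside the hunk.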
@@ -3050,11 +3051,20 @@ controls: - Internal systems receive time information only from designated central time server(s). levels: - base - status: pending + status: planned notes: |- - The selected rules might need updates in order to restrict their platform applicability - to avoid conflicts. + OpenShift is configured to use a public pool.ntp..org which is good and reliable, but + ultimatlely is not enterprise grade. + The notion of central time server implies that an exclusive NTP server is deployed to + serve the cluster. + + NTP configuration is done at the node level, excpept when using Precison Time Procotol + (PTP), for which PTP Operator can be used. PTP can only be used on bare metal deployments. + https://docs.openshift.com/container-platform/latest/networking/ptp/about-ptp.html rules: [] + related_rules: + - var_multiple_time_servers=generic + - chronyd_specify_remote_server - id: 10.6.3 title: Time synchronization settings and data are protected. @@ -3063,8 +3073,17 @@ controls: - Any changes to time settings on critical systems are logged, monitored, and reviewed. levels: - base - status: pending + status: planned + notes: |- + As NTP is configured directly on the node the audit should also be configured there. rules: [] + related_rules: + - audit_rules_time_watch_localtime + - audit_rules_time_settimeofday + - audit_rules_time_clock_settime + - audit_rules_time_stime + - audit_rules_time_adjtimex + - chronyd_run_as_chrony_user - id: '10.7' title: Failures of critical security control systems are detected, reported, and responded to From 707f5684e5c86c7633d023c9d818c66d87613ffd Mon Sep 17 00:00:00 2001 
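Review bot: Both 10.6.2 and 10.6.3 keep `rules: []` and list the checks under `related_rules:` without saying in the file why they are related rather than applied; the commit message explains they are node-level RHCOS rules awaiting a separate RHCOS4 profile, and that belongs in the notes, e.g. `The related rules are RHCOS node-level checks; they will be applied once an RHCOS4 PCI-DSS v4 profile exists.`. The 10.6.3 note is a single sentence that does not mention `chronyd_run_as_chrony_user`, which protects the time service rather than the audit of time changes, so a word on why it is listed would help. The bare documentation URL on its own line inside the 10.6.2 `|-` block is valid but reads better prefixed with `See:`. Both controls open outside their hunks.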
From: Watson Sato Date: Tue, 6 Aug 2024 18:12:44 +0200 Subject: [PATCH 07/11] CMP-2462: Requirement 10.7 is partial Handling and answering to system component failures is a manual activity. Reporting can be somehow automated, and that is why this control is partial. --- controls/pcidss_4_ocp4.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index e15715bf003..5b6f3246446 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml @@ -3090,7 +3090,7 @@ controls: promptly. levels: - base - status: pending + status: partial controls: - id: 10.7.1 title: 'Additional requirement for service providers only: Failures of critical security @@ -3108,7 +3108,7 @@ controls: - Segmentation controls (if used). levels: - base - status: pending + status: not applicable - id: 10.7.2 title: Failures of critical security control systems are detected, alerted, and addressed @@ -3128,8 +3128,10 @@ controls: - Automated security testing tools (if used). levels: - base - status: pending - rules: [] + status: partial + rules: + - alert_receiver_configured + - audit_error_alert_exists - id: 10.7.3 title: Failures of any critical security controls systems are responded to restore security @@ -3147,7 +3149,7 @@ controls: - Resuming monitoring of security controls. levels: - base - status: pending + status: manual - id: '11.1' title: Processes and mechanisms for regularly testing security of systems and networks are From 35017802108f2477a4d29a6488549448fd00d9c1 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 7 Aug 2024 10:50:20 +0200 Subject: [PATCH 08/11] Fix issues and typos --- controls/pcidss_4_ocp4.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index 5b6f3246446..2589a311d7b 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml 
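Review bot: 10.7.1, the service-provider variant of the failure-detection requirement, is set to `not applicable` with no note, while 10.7.2 in the next hunk receives `alert_receiver_configured` and `audit_error_alert_exists`; the detection mechanisms are the same for both variants, so unless the profile is explicitly scoped to non-service-provider entities, the same rules, or at least a note stating that scope assumption, should apply to 10.7.1 too. The commit message's reasoning (response is manual, reporting can be partly automated) would also be useful as a note on 10.7, which gets `status: partial` without one, and on 10.7.3, which gets `manual` without one. The 10.7.1 and 10.7.2 controls open outside their hunks.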
@@ -3034,7 +3034,7 @@ controls: status: inherently met notes: |- By default OpenShift uses a public Network Time Protocol (NTP) server. - However, additional configuration is nedded to use a local enterprise NTP server, + However, additional configuration is needed to use a local enterprise NTP server, or in disconnected environments. - id: 10.6.2 @@ -3053,12 +3053,12 @@ controls: - base status: planned notes: |- - OpenShift is configured to use a public pool.ntp..org which is good and reliable, but - ultimatlely is not enterprise grade. + OpenShift is configured to use a public ntppool.org which is good and reliable, but + ultimately is not enterprise grade. The notion of central time server implies that an exclusive NTP server is deployed to serve the cluster. - NTP configuration is done at the node level, excpept when using Precison Time Procotol + NTP configuration is done at the node level, except when using Precision Time Protocol (PTP), for which PTP Operator can be used. PTP can only be used on bare metal deployments. https://docs.openshift.com/container-platform/latest/networking/ptp/about-ptp.html rules: [] From 865647dceb5c4d21c03a329f76f4a4de5f230e98 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 7 Aug 2024 11:24:48 +0200 Subject: [PATCH 09/11] Add rules to watch kube audit log directories --- controls/pcidss_4_ocp4.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index 2589a311d7b..a8cb9708dbd 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml @@ -2896,6 +2896,9 @@ controls: levels: - base rules: + - directory_access_var_log_kube_audit + - directory_access_var_log_oauth_audit + - directory_access_var_log_ocp_audit - directory_permissions_var_log_kube_audit - directory_permissions_var_log_oauth_audit - directory_permissions_var_log_ocp_audit From 7de25312c5213d467646eed2769a5621dd2ee3ed Mon Sep 17 00:00:00 2001 
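Review bot: `ntppool.org` in the corrected 10.6.2 note is the name of the NTP Pool project, not a pool hostname; the conventional server name is `pool.ntp.org`, so the line should probably read `OpenShift is configured to use a public pool.ntp.org which is good and reliable, but` — confirm against the actual default chrony configuration before changing it. This fix-up also misses the `system levels objects` typo introduced in the 10.2.1.7 note by patch 02. The 10.6.2 control opens outside the hunk.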
From: Watson Sato Date: Wed, 7 Aug 2024 11:27:54 +0200 Subject: [PATCH 10/11] Add RHCOS rule to ensure chronyd is running --- controls/pcidss_4_ocp4.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index a8cb9708dbd..56951725d89 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml @@ -3066,6 +3066,7 @@ controls: https://docs.openshift.com/container-platform/latest/networking/ptp/about-ptp.html rules: [] related_rules: + - service_chronyd_enabled - var_multiple_time_servers=generic - chronyd_specify_remote_server From 311e32986b3ba993f0de757c30f6dc9fabe7e0d5 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 7 Aug 2024 14:14:38 +0200 Subject: [PATCH 11/11] 10.2.2: Collect request bodies for audit --- controls/pcidss_4_ocp4.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index 56951725d89..b3b9612c4ec 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml @@ -2856,9 +2856,12 @@ controls: name and protocol). levels: - base - status: inherently met + status: automated notes: >- The logs generated by OpenShift and Red Hat CoreOS include all the data required. + rules: + - audit_profile_set + - var_openshift_audit_profile=WriteRequestBodies - id: '10.3' title: Audit logs are protected from destruction and unauthorized modifications.
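Review bot: The kept 10.2.2 note is stale once the status becomes `automated` with `var_openshift_audit_profile=WriteRequestBodies`: `The logs generated by OpenShift and Red Hat CoreOS include all the data required.` describes the previous `inherently met` state, and it should instead say the detail level depends on the audit profile, e.g. `Event detail depends on the API server audit profile; the WriteRequestBodies profile is required so write requests are logged with their bodies.`. Request-body logging also raises audit log volume, and the 10.5.1 note in this series states retention is size based (10 files of 100 MB), so the effective retention window shrinks under this profile; one of the two notes should say that forwarding logs externally matters more with it. Request bodies may also carry sensitive field values, so the note could cross-reference the 10.3 access protections on the audit log files. The 10.2.2 control opens outside the hunk.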