Import OCP4 CIS rather than extending it

When a profile extends another one, the rules on the extended profile are not auto referenced. This patch importa the CIS into PCI-DSS, allowing the CIS rules to have PCI-DSS added automatically.
ComplianceAsCode · Aug 26, 2024 · 2438f12 · 2438f12
1 parent 5231666
commit 2438f12
Show file tree

Hide file tree

Showing 6 changed files with 3 additions and 7 deletions.
diff --git a/controls/cis_ocp_1_4_0/section-4.yml b/controls/cis_ocp_1_4_0/section-4.yml
@@ -131,6 +131,7 @@ controls:
       status: automated
       rules:
         - kubelet_configure_event_creation
+        - var_event_record_qps=50
       levels: [ level_2, ]
     - id: 4.2.9
       title: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate

diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml
@@ -387,6 +387,8 @@ controls:
         This control is also addressed by applying the OpenShift CIS recommendations.
       rules:
         - scansettingbinding_exists
+      controls:
+        - cis_ocp_1_4_0:all:level_2
 
     - id: 2.2.2
       title: Vendor default accounts are managed

diff --git a/products/ocp4/profiles/cis-1-4.profile b/products/ocp4/profiles/cis-1-4.profile
@@ -31,7 +31,6 @@ selections:
     - cis_ocp_1_4_0:all
     ### Variables
     - var_openshift_audit_profile=WriteRequestBodies
-    - var_event_record_qps=50
     ### Helper Rules
     ### This is a helper rule to fetch the required api resource for detecting OCP version
     - version_detect_in_ocp

diff --git a/products/ocp4/profiles/cis-1-5.profile b/products/ocp4/profiles/cis-1-5.profile
@@ -32,7 +32,6 @@ selections:
     - cis_ocp_1_4_0:all
     ### Variables
     - var_openshift_audit_profile=WriteRequestBodies
-    - var_event_record_qps=50
     ### Helper Rules
     ### This is a helper rule to fetch the required api resource for detecting OCP version
     - version_detect_in_ocp

diff --git a/products/ocp4/profiles/pci-dss-4-0.profile b/products/ocp4/profiles/pci-dss-4-0.profile
@@ -18,8 +18,6 @@ description: |-
 
 filter_rules: '"ocp4-node" not in platforms and "ocp4-master-node" not in platforms and "ocp4-node-on-sdn" not in platforms and "ocp4-node-on-ovn" not in platforms'
 
-# Req-2.2
-extends: cis
 
 selections:
     - pcidss_4_ocp4:all:base

diff --git a/products/ocp4/profiles/pci-dss-node-4-0.profile b/products/ocp4/profiles/pci-dss-node-4-0.profile
@@ -18,8 +18,5 @@ description: |-
 
 filter_rules: '"ocp4-node" in platforms or "ocp4-master-node" in platforms or "ocp4-node-on-sdn" in platforms or "ocp4-node-on-ovn" in platforms'
 
-# Req-2.2
-extends: cis-node
-
 selections:
     - pcidss_4_ocp4:all:base