From 2c447bd81f39d558868573e65945583b2ab7fe56 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Mon, 26 Aug 2024 14:07:59 +0200
Subject: [PATCH] Import OCP4 CIS rather than extending it

When a profile extends another one, the rules on the extended profile are not auto referenced. This patch importa the CIS into PCI-DSS, allowing the CIS rules to have PCI-DSS added automatically.
---
 controls/cis_ocp_1_4_0/section-4.yml | 1 +
 controls/pcidss_4_ocp4.yml | 2 ++
 products/ocp4/profiles/cis-1-4.profile | 1 -
 products/ocp4/profiles/cis-1-5.profile | 1 -
 products/ocp4/profiles/pci-dss-4-0.profile | 2 --
 products/ocp4/profiles/pci-dss-node-4-0.profile | 3 ---
 6 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/controls/cis_ocp_1_4_0/section-4.yml b/controls/cis_ocp_1_4_0/section-4.yml
index 6ad340af6e58..0c53db629c57 100644
--- a/controls/cis_ocp_1_4_0/section-4.yml
+++ b/controls/cis_ocp_1_4_0/section-4.yml
@@ -131,6 +131,7 @@ controls:
 status: automated
 rules:
 - kubelet_configure_event_creation
+ - var_event_record_qps=50
 levels: [ level_2, ]
 - id: 4.2.9
 title: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate
diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml
index c5a6fcf5d607..696c8ce4682d 100644
--- a/controls/pcidss_4_ocp4.yml
+++ b/controls/pcidss_4_ocp4.yml
@@ -387,6 +387,8 @@ controls:
 This control is also addressed by applying the OpenShift CIS recommendations.
 rules:
 - scansettingbinding_exists
+ controls:
+ - cis_ocp_1_4_0:all:level_2
 - id: 2.2.2
 title: Vendor default accounts are managed
diff --git a/products/ocp4/profiles/cis-1-4.profile b/products/ocp4/profiles/cis-1-4.profile
index bf486978ebba..13bafef301d4 100644
--- a/products/ocp4/profiles/cis-1-4.profile
+++ b/products/ocp4/profiles/cis-1-4.profile
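Review bot: Replacing `extends: cis` with a control-level import of `cis_ocp_1_4_0:all:level_2` drops whatever the cis profiles select outside the control file; the cis-1-4.profile and cis-1-5.profile hunks show at least `var_openshift_audit_profile=WriteRequestBodies` and the helper rule `version_detect_in_ocp` under `### Helper Rules`, and the pci-dss-4-0 and pci-dss-node-4-0 hunks do not add them. Unless those two profiles already select them outside the shown hunks, the PCI-DSS profiles lose the audit-profile value and the OCP version detection the CIS rules presumably depend on. Only `var_event_record_qps=50` was moved into the control file (section-4.yml); the same treatment, or an explicit selection in the two pci-dss profiles, is needed for the rest. The `# Req-2.2` comment removed from the profiles should also follow the import, e.g. `controls:` / `# Req-2.2: import the whole CIS benchmark so its rules carry PCI-DSS references` / `- cis_ocp_1_4_0:all:level_2`. Control 2.2.1 starts before the hunk.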
@@ -31,7 +31,6 @@ selections:
 - cis_ocp_1_4_0:all
 ### Variables
 - var_openshift_audit_profile=WriteRequestBodies
- - var_event_record_qps=50
 ### Helper Rules
 ### This is a helper rule to fetch the required api resource for detecting OCP version
 - version_detect_in_ocp
diff --git a/products/ocp4/profiles/cis-1-5.profile b/products/ocp4/profiles/cis-1-5.profile
index 78f05edf5e99..89c143af0e0b 100644
--- a/products/ocp4/profiles/cis-1-5.profile
+++ b/products/ocp4/profiles/cis-1-5.profile
@@ -32,7 +32,6 @@ selections:
 - cis_ocp_1_4_0:all
 ### Variables
 - var_openshift_audit_profile=WriteRequestBodies
- - var_event_record_qps=50
 ### Helper Rules
 ### This is a helper rule to fetch the required api resource for detecting OCP version
 - version_detect_in_ocp
diff --git a/products/ocp4/profiles/pci-dss-4-0.profile b/products/ocp4/profiles/pci-dss-4-0.profile
index f59f899170f4..5fd3e4afb418 100644
--- a/products/ocp4/profiles/pci-dss-4-0.profile
+++ b/products/ocp4/profiles/pci-dss-4-0.profile
@@ -18,8 +18,6 @@ description: |-
 filter_rules: '"ocp4-node" not in platforms and "ocp4-master-node" not in platforms and "ocp4-node-on-sdn" not in platforms and "ocp4-node-on-ovn" not in platforms'
-# Req-2.2
-extends: cis
 selections:
 - pcidss_4_ocp4:all:base
diff --git a/products/ocp4/profiles/pci-dss-node-4-0.profile b/products/ocp4/profiles/pci-dss-node-4-0.profile
index 43c532013d9f..afee4784a22e 100644
--- a/products/ocp4/profiles/pci-dss-node-4-0.profile
+++ b/products/ocp4/profiles/pci-dss-node-4-0.profile
@@ -18,8 +18,5 @@ description: |-
 filter_rules: '"ocp4-node" in platforms or "ocp4-master-node" in platforms or "ocp4-node-on-sdn" in platforms or "ocp4-node-on-ovn" in platforms'
-# Req-2.2
-extends: cis-node
-
 selections:
 - pcidss_4_ocp4:all:base