From 6861cc687e90f33c4fb7ed850111978fb5df4208 Mon Sep 17 00:00:00 2001 
From: Vincent Shen Date: Thu, 9 Dec 2021 10:36:35 -0800 Subject: [PATCH] OCP4: Add additonal control response for SA-10(1) integrity check Added two rules, cluster_version_operator_exists to check if cluster version operator is available, and cluster_version_operator_verify_integrity to check if cluster image is verified Related link regarding how RHCOS integrity check https://github.com/openshift/machine-config-operator/blob/master/docs/OSUpgrades.md#questions-and-answers --- .../cluster_version_operator_exists/rule.yml | 49 ++++++ .../tests/available.pass.sh | 136 ++++++++++++++++ .../tests/ocp4/e2e.yml | 2 + .../tests/unavailable.fail.sh | 136 ++++++++++++++++ .../rule.yml | 46 ++++++ .../tests/allverfied_three_entries.pass.sh | 152 ++++++++++++++++++ .../tests/allverified.pass.sh | 136 ++++++++++++++++ .../tests/ocp4/e2e.yml | 2 + .../tests/someverified.fail.sh | 144 +++++++++++++++++ .../tests/someverified_three_entries.fail.sh | 144 +++++++++++++++++ controls/nist_ocp4.yml | 8 + controls/nist_rhcos4.yml | 9 +- shared/references/cce-redhat-avail.txt | 2 - 13 files changed, 960 insertions(+), 6 deletions(-) create mode 100644 applications/openshift/integrity/cluster_version_operator_exists/rule.yml create mode 100644 applications/openshift/integrity/cluster_version_operator_exists/tests/available.pass.sh create mode 100644 applications/openshift/integrity/cluster_version_operator_exists/tests/ocp4/e2e.yml create mode 100644 applications/openshift/integrity/cluster_version_operator_exists/tests/unavailable.fail.sh create mode 100644 applications/openshift/integrity/cluster_version_operator_verify_integrity/rule.yml create mode 100644 applications/openshift/integrity/cluster_version_operator_verify_integrity/tests/allverfied_three_entries.pass.sh create mode 100644 applications/openshift/integrity/cluster_version_operator_verify_integrity/tests/allverified.pass.sh create mode 100644 
applications/openshift/integrity/cluster_version_operator_verify_integrity/tests/ocp4/e2e.yml create mode 100644 applications/openshift/integrity/cluster_version_operator_verify_integrity/tests/someverified.fail.sh create mode 100644 applications/openshift/integrity/cluster_version_operator_verify_integrity/tests/someverified_three_entries.fail.sh diff --git a/applications/openshift/integrity/cluster_version_operator_exists/rule.yml b/applications/openshift/integrity/cluster_version_operator_exists/rule.yml new file mode 100644 index 000000000000..8b9bc13fd426 --- /dev/null +++ b/applications/openshift/integrity/cluster_version_operator_exists/rule.yml @@ -0,0 +1,49 @@ +prodtype: ocp4 + +title: Ensure that Cluster Version Operator is deployed + +description: |- + Integrity of the OpenShift platform is handled to start by the cluster version operator. + Cluster Version Operator will by default GPG verify the integrity of the release + image before applying it. [1] + This rule checks if Cluster Version Operator is deployed and available in the system. + + [1] https://github.com/openshift/machine-config-operator/blob/master/docs/OSUpgrades.md#questions-and-answers + +rationale: |- + Integrity check prevent a malicious actor from using a unauthorized system image, hence it will ensure the + image has not been tampered with, or corrupted. + +identifiers: + cce@ocp4: CCE-90670-1 + +references: + nist: SA-10(1) + +{{% set jqfilter = '[.items[].status.conditions[] | select(.type=="Available") | .status]' %}} +{{% set apipath = '/apis/config.openshift.io/v1/clusterversions?limit=500' %}} + +ocil_clause: 'Cluster Version Operator is not installed' + +ocil: |- + Run the following command to retrieve the Cluster Version objects in the system: +
$ oc get ClusterVersion
+ Make sure the Cluster Version Operator is installed and the AVAILABLE is True. + +severity: medium + +warnings: +- general: |- + {{{ openshift_filtered_cluster_setting({apipath: jqfilter}) | indent(4) }}} + +template: + name: yamlfile_value + vars: + ocp_data: "true" + filepath: |- + {{{ openshift_filtered_path(apipath, jqfilter) }}} + yamlpath: "[:]" + entity_check: "all" + values: + - value: "True" + operation: "equals" \ No newline at end of file diff --git a/applications/openshift/integrity/cluster_version_operator_exists/tests/available.pass.sh b/applications/openshift/integrity/cluster_version_operator_exists/tests/available.pass.sh new file mode 100644 index 000000000000..499e9a7ea179 --- /dev/null +++ b/applications/openshift/integrity/cluster_version_operator_exists/tests/available.pass.sh 
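Review bot: The template checks `yamlpath: "[:]"` with `entity_check: "all"` against `"True"`, but nothing in the rule says what happens when the jq filter yields an empty array — no ClusterVersion object at all, or a conditions list with no `Available` entry — which is exactly the situation a rule named `cluster_version_operator_exists` should flag; whether an empty list fails or passes depends on the existence semantics the yamlfile_value template generates, so please confirm it fails and pin it with a third test (e.g. `missing.fail.sh`) whose fixture carries `"items": []`. The two tests added here only cover `Available` being `True` or `False`. Wording in the description, ocil and rationale: `This rule checks whether the Cluster Version Operator is deployed and available.`, `Make sure the Cluster Version Operator is installed and its AVAILABLE column reads True.`, and `The integrity check prevents a malicious actor from using an unauthorized system image, ensuring the image has not been tampered with or corrupted.`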
@@ -0,0 +1,136 @@ +#!/bin/bash + + +yum install -y jq + +kube_apipath="/kubernetes-api-resources" + +mkdir -p "$kube_apipath/apis/config.openshift.io/v1" + +apipath="/apis/config.openshift.io/v1/clusterversions?limit=500" + +cat << EOF > $kube_apipath$apipath +{ + "apiVersion": "v1", + "items": [ + { + "apiVersion": "config.openshift.io/v1", + "kind": "ClusterVersion", + "metadata": { + "creationTimestamp": "2021-12-08T16:39:28Z", + "generation": 2, + "name": "version", + "resourceVersion": "183751", + "uid": "01adc5c2-10b4-4d6b-a082-5e5de1b918ba" + }, + "spec": { + "channel": "stable-4.9", + "clusterID": "7b351e21-3a8b-4365-afeb-768b9907ea08" + }, + "status": { + "availableUpdates": [ + { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:c9f58ccb8a9085df4eeb23e21ca201d4c7d39bc434786d58a55381e13215a199", + "url": "https://access.redhat.com/errata/RHBA-2021:4119", + "version": "4.9.6" + }, + { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:c91c0faf7ae3c480724a935b3dab7e5f49aae19d195b12f3a4ae38f8440ea96b", + "url": "https://access.redhat.com/errata/RHBA-2021:4712", + "version": "4.9.8" + }, + { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:dc6d4d8b2f9264c0037ed0222285f19512f112cc85a355b14a66bd6b910a4940", + "url": "https://access.redhat.com/errata/RHBA-2021:4834", + "version": "4.9.9" + }, + { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:5c55be02e32e688ec5a404858a08cf533ba15b50b6f0e028089635b47db5866e", + "url": "https://access.redhat.com/errata/RHBA-2021:4579", + "version": "4.9.7" + } + ], + "conditions": [ + { + "lastTransitionTime": "2021-12-08T17:02:45Z", + "message": "Done applying 4.9.5", + "status": "True", + "type": "Available" + }, 
+ { + "lastTransitionTime": "2021-12-08T17:02:45Z", + "status": "False", + "type": "Failing" + }, + { + "lastTransitionTime": "2021-12-08T17:02:45Z", + "message": "Cluster version is 4.9.5", + "status": "False", + "type": "Progressing" + }, + { + "lastTransitionTime": "2021-12-08T16:39:29Z", + "status": "True", + "type": "RetrievedUpdates" + } + ], + "desired": { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:386f4e08c48d01e0c73d294a88bb64fac3284d1d16a5b8938deb3b8699825a88", + "url": "https://access.redhat.com/errata/RHBA-2021:4005", + "version": "4.9.5" + }, + "history": [ + { + "completionTime": "2021-12-08T17:02:45Z", + "image": "quay.io/openshift-release-dev/ocp-release@sha256:386f4e08c48d01e0c73d294a88bb64fac3284d1d16a5b8938deb3b8699825a88", + "startedTime": "2021-12-08T16:39:28Z", + "state": "Completed", + "verified": true, + "version": "4.9.5" + } + ], + "observedGeneration": 2, + "versionHash": "chub99FL3K0=" + } + } + ], + "kind": "List", + "metadata": { + "resourceVersion": "", + "selfLink": "" + } +} +EOF + +jq_filter='[.items[].status.conditions[] | select(.type=="Available") | .status]' + +# Get file path. This will actually be read by the scan +filteredpath="$kube_apipath$apipath#$(echo -n "$apipath$jq_filter" | sha256sum | awk '{print $1}')" + +# populate filtered path with jq-filtered result +jq "$jq_filter" "$kube_apipath$apipath" > "$filteredpath" \ No newline at end of file diff --git a/applications/openshift/integrity/cluster_version_operator_exists/tests/ocp4/e2e.yml b/applications/openshift/integrity/cluster_version_operator_exists/tests/ocp4/e2e.yml new file mode 100644 index 000000000000..ed3f08d15e22 --- /dev/null +++ b/applications/openshift/integrity/cluster_version_operator_exists/tests/ocp4/e2e.yml @@ -0,0 +1,2 @@ +--- +default_result: PASS \ No newline at end of file 
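Review bot: The fixture is written with `cat << EOF > $kube_apipath$apipath` — the heredoc is unquoted, so any `$` or backtick that later lands in the JSON is expanded by the shell, and the redirect target is unquoted although `$apipath` contains `?`, which bash treats as a glob character; the two later lines already quote `"$kube_apipath$apipath"`, so do the same here: `cat << 'EOF' > "$kube_apipath$apipath"`. The same line appears in unavailable.fail.sh, allverfied_three_entries.pass.sh, allverified.pass.sh, someverified.fail.sh and someverified_three_entries.fail.sh. The five scripts differ only in the `conditions` or `history` values inside a roughly 100-line ClusterVersion fixture; keeping one fixture and adjusting the relevant field with jq in each test would make the intended difference visible at a glance. Note also that each test reaches for the network with `yum install -y jq` at run time; if the harness image already ships jq the call is unnecessary, and if it does not the tests silently depend on repository access.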
diff --git a/applications/openshift/integrity/cluster_version_operator_exists/tests/unavailable.fail.sh b/applications/openshift/integrity/cluster_version_operator_exists/tests/unavailable.fail.sh
new file mode 100644
index 000000000000..1f6f6f7fc597
--- /dev/null
+++ b/applications/openshift/integrity/cluster_version_operator_exists/tests/unavailable.fail.sh
@@ -0,0 +1,136 @@ +#!/bin/bash + + +yum install -y jq + +kube_apipath="/kubernetes-api-resources" + +mkdir -p "$kube_apipath/apis/config.openshift.io/v1" + +apipath="/apis/config.openshift.io/v1/clusterversions?limit=500" + +cat << EOF > $kube_apipath$apipath +{ + "apiVersion": "v1", + "items": [ + { + "apiVersion": "config.openshift.io/v1", + "kind": "ClusterVersion", + "metadata": { + "creationTimestamp": "2021-12-08T16:39:28Z", + "generation": 2, + "name": "version", + "resourceVersion": "183751", + "uid": "01adc5c2-10b4-4d6b-a082-5e5de1b918ba" + }, + "spec": { + "channel": "stable-4.9", + "clusterID": "7b351e21-3a8b-4365-afeb-768b9907ea08" + }, + "status": { + "availableUpdates": [ + { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:c9f58ccb8a9085df4eeb23e21ca201d4c7d39bc434786d58a55381e13215a199", + "url": "https://access.redhat.com/errata/RHBA-2021:4119", + "version": "4.9.6" + }, + { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:c91c0faf7ae3c480724a935b3dab7e5f49aae19d195b12f3a4ae38f8440ea96b", + "url": "https://access.redhat.com/errata/RHBA-2021:4712", + "version": "4.9.8" + }, + { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:dc6d4d8b2f9264c0037ed0222285f19512f112cc85a355b14a66bd6b910a4940", + "url": "https://access.redhat.com/errata/RHBA-2021:4834", + "version": "4.9.9" + }, + { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:5c55be02e32e688ec5a404858a08cf533ba15b50b6f0e028089635b47db5866e", + "url": "https://access.redhat.com/errata/RHBA-2021:4579", + "version": "4.9.7" + } + ], + "conditions": [ + { + "lastTransitionTime": "2021-12-08T17:02:45Z", + "message": "Done applying 4.9.5", + "status": "False", + "type": "Available" + 
}, + { + "lastTransitionTime": "2021-12-08T17:02:45Z", + "status": "False", + "type": "Failing" + }, + { + "lastTransitionTime": "2021-12-08T17:02:45Z", + "message": "Cluster version is 4.9.5", + "status": "True", + "type": "Progressing" + }, + { + "lastTransitionTime": "2021-12-08T16:39:29Z", + "status": "True", + "type": "RetrievedUpdates" + } + ], + "desired": { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:386f4e08c48d01e0c73d294a88bb64fac3284d1d16a5b8938deb3b8699825a88", + "url": "https://access.redhat.com/errata/RHBA-2021:4005", + "version": "4.9.5" + }, + "history": [ + { + "completionTime": "2021-12-08T17:02:45Z", + "image": "quay.io/openshift-release-dev/ocp-release@sha256:386f4e08c48d01e0c73d294a88bb64fac3284d1d16a5b8938deb3b8699825a88", + "startedTime": "2021-12-08T16:39:28Z", + "state": "Completed", + "verified": true, + "version": "4.9.5" + } + ], + "observedGeneration": 2, + "versionHash": "chub99FL3K0=" + } + } + ], + "kind": "List", + "metadata": { + "resourceVersion": "", + "selfLink": "" + } +} +EOF + +jq_filter='[.items[].status.conditions[] | select(.type=="Available") | .status]' + +# Get file path. This will actually be read by the scan +filteredpath="$kube_apipath$apipath#$(echo -n "$apipath$jq_filter" | sha256sum | awk '{print $1}')" + +# populate filtered path with jq-filtered result +jq "$jq_filter" "$kube_apipath$apipath" > "$filteredpath" \ No newline at end of file diff --git a/applications/openshift/integrity/cluster_version_operator_verify_integrity/rule.yml b/applications/openshift/integrity/cluster_version_operator_verify_integrity/rule.yml new file mode 100644 index 000000000000..e290a9789f0e --- /dev/null +++ b/applications/openshift/integrity/cluster_version_operator_verify_integrity/rule.yml 
@@ -0,0 +1,46 @@ +prodtype: ocp4 + +title: Ensure that Cluster Version Operator verifies integrity + +description: |- + Integrity of the OpenShift platform is handled to start by the cluster version operator. + Cluster Version Operator will by default GPG verify the integrity of the release + image before applying it. This rule check if there is an unverified cluster image. + +rationale: |- + Unverified cluster image will compromise the system integrity. + +identifiers: + cce@ocp4: CCE-90671-9 + +references: + nist: SA-10(1) + +{{% set jqfilter = '[.items[].status.history[] | .verified]' %}} +{{% set apipath = '/apis/config.openshift.io/v1/clusterversions?limit=500' %}} + +ocil_clause: 'Cluster image is not verified' + +ocil: |- + Run the following command to retrieve the Cluster Version objects in the system: +
$ oc get ClusterVersion -o yaml
+ Make sure verified is true under status history for each item. + +severity: medium + +warnings: +- general: |- + {{{ openshift_filtered_cluster_setting({apipath: jqfilter}) | indent(4) }}} + +template: + name: yamlfile_value + vars: + ocp_data: "true" + filepath: |- + {{{ openshift_filtered_path(apipath, jqfilter) }}} + yamlpath: "[:]" + entity_check: "all" + values: + - value: "true" + operation: "equals" + diff --git a/applications/openshift/integrity/cluster_version_operator_verify_integrity/tests/allverfied_three_entries.pass.sh b/applications/openshift/integrity/cluster_version_operator_verify_integrity/tests/allverfied_three_entries.pass.sh new file mode 100644 index 000000000000..fa179ea0b5d3 --- /dev/null +++ b/applications/openshift/integrity/cluster_version_operator_verify_integrity/tests/allverfied_three_entries.pass.sh 
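Review bot: `tests/ocp4/e2e.yml` for this rule sets `default_result: FAIL`, i.e. the rule is expected to fail on the e2e cluster, while the same commit adds it to SA-10(1) in `controls/nist_ocp4.yml` as evidence that the control is met. The filter `[.items[].status.history[] | .verified]` with `entity_check: "all"` demands that every history entry be verified; if — I believe this is the case but it should be confirmed on a fresh cluster — the install-time entry is recorded with `verified: false` because the initial payload is applied without the CVO's signature check, the rule can never pass, and either the filter needs to exclude that entry or the rule and the control notes must explain why a failure is expected. Missing keys fail closed (jq emits `null`, which does not equal `"true"`), which is the right direction, but deserves a comment next to the `{{% set jqfilter %}}` line. Description and ocil wording: `This rule checks whether any image in the cluster's update history was applied without verification.` and `Make sure verified is true under status.history for every entry.`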
@@ -0,0 +1,152 @@ +#!/bin/bash + + +yum install -y jq + +kube_apipath="/kubernetes-api-resources" + +mkdir -p "$kube_apipath/apis/config.openshift.io/v1" + +apipath="/apis/config.openshift.io/v1/clusterversions?limit=500" + +cat << EOF > $kube_apipath$apipath +{ + "apiVersion": "v1", + "items": [ + { + "apiVersion": "config.openshift.io/v1", + "kind": "ClusterVersion", + "metadata": { + "creationTimestamp": "2021-12-08T16:39:28Z", + "generation": 2, + "name": "version", + "resourceVersion": "183751", + "uid": "01adc5c2-10b4-4d6b-a082-5e5de1b918ba" + }, + "spec": { + "channel": "stable-4.9", + "clusterID": "7b351e21-3a8b-4365-afeb-768b9907ea08" + }, + "status": { + "availableUpdates": [ + { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:c9f58ccb8a9085df4eeb23e21ca201d4c7d39bc434786d58a55381e13215a199", + "url": "https://access.redhat.com/errata/RHBA-2021:4119", + "version": "4.9.6" + }, + { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:c91c0faf7ae3c480724a935b3dab7e5f49aae19d195b12f3a4ae38f8440ea96b", + "url": "https://access.redhat.com/errata/RHBA-2021:4712", + "version": "4.9.8" + }, + { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:dc6d4d8b2f9264c0037ed0222285f19512f112cc85a355b14a66bd6b910a4940", + "url": "https://access.redhat.com/errata/RHBA-2021:4834", + "version": "4.9.9" + }, + { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:5c55be02e32e688ec5a404858a08cf533ba15b50b6f0e028089635b47db5866e", + "url": "https://access.redhat.com/errata/RHBA-2021:4579", + "version": "4.9.7" + } + ], + "conditions": [ + { + "lastTransitionTime": "2021-12-08T17:02:45Z", + "message": "Done applying 4.9.5", + "status": "True", + "type": "Available" + }, 
+ { + "lastTransitionTime": "2021-12-08T17:02:45Z", + "status": "False", + "type": "Failing" + }, + { + "lastTransitionTime": "2021-12-08T17:02:45Z", + "message": "Cluster version is 4.9.5", + "status": "False", + "type": "Progressing" + }, + { + "lastTransitionTime": "2021-12-08T16:39:29Z", + "status": "True", + "type": "RetrievedUpdates" + } + ], + "desired": { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:386f4e08c48d01e0c73d294a88bb64fac3284d1d16a5b8938deb3b8699825a88", + "url": "https://access.redhat.com/errata/RHBA-2021:4005", + "version": "4.9.5" + }, + "history": [ + { + "completionTime": "2021-12-08T17:02:45Z", + "image": "quay.io/openshift-release-dev/ocp-release@sha256:386f4e08c48d01e0c73d294a88bb64fac3284d1d16a5b8938deb3b8699825a88", + "startedTime": "2021-12-08T16:39:28Z", + "state": "Completed", + "verified": true, + "version": "4.9.5" + }, + { + "completionTime": "2021-12-07T17:02:45Z", + "image": "quay.io/openshift-release-dev/ocp-release@sha256:386f4e08c48d01e0c73d294a88bb64fac3284d1d16a5b8938deb3b8699825a88", + "startedTime": "2021-12-07T16:39:28Z", + "state": "Completed", + "verified": true, + "version": "4.9.5" + }, + { + "completionTime": "2021-12-06T17:02:45Z", + "image": "quay.io/openshift-release-dev/ocp-release@sha256:386f4e08c48d01e0c73d294a88bb64fac3284d1d16a5b8938deb3b8699825a88", + "startedTime": "2021-12-06T16:39:28Z", + "state": "Completed", + "verified": true, + "version": "4.9.5" + } + ], + "observedGeneration": 2, + "versionHash": "chub99FL3K0=" + } + } + ], + "kind": "List", + "metadata": { + "resourceVersion": "", + "selfLink": "" + } +} +EOF + +jq_filter='[.items[].status.history[] | .verified]' + +# Get file path. 
This will actually be read by the scan +filteredpath="$kube_apipath$apipath#$(echo -n "$apipath$jq_filter" | sha256sum | awk '{print $1}')" + +# populate filtered path with jq-filtered result +jq "$jq_filter" "$kube_apipath$apipath" > "$filteredpath" \ No newline at end of file diff --git a/applications/openshift/integrity/cluster_version_operator_verify_integrity/tests/allverified.pass.sh b/applications/openshift/integrity/cluster_version_operator_verify_integrity/tests/allverified.pass.sh new file mode 100644 index 000000000000..7cbb161080e0 --- /dev/null +++ b/applications/openshift/integrity/cluster_version_operator_verify_integrity/tests/allverified.pass.sh 
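Review bot: The file name `allverfied_three_entries.pass.sh` is misspelled and will sit awkwardly next to `allverified.pass.sh`; rename it to `allverified_three_entries.pass.sh` before merge. The three `history` entries in this fixture share the same image digest and version and differ only by timestamps, which is fine for exercising `entity_check: "all"`, but a comment above the heredoc such as `# three completed, verified entries: the rule must accept every element of the list` would make that intent clear.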
@@ -0,0 +1,136 @@ +#!/bin/bash + + +yum install -y jq + +kube_apipath="/kubernetes-api-resources" + +mkdir -p "$kube_apipath/apis/config.openshift.io/v1" + +apipath="/apis/config.openshift.io/v1/clusterversions?limit=500" + +cat << EOF > $kube_apipath$apipath +{ + "apiVersion": "v1", + "items": [ + { + "apiVersion": "config.openshift.io/v1", + "kind": "ClusterVersion", + "metadata": { + "creationTimestamp": "2021-12-08T16:39:28Z", + "generation": 2, + "name": "version", + "resourceVersion": "183751", + "uid": "01adc5c2-10b4-4d6b-a082-5e5de1b918ba" + }, + "spec": { + "channel": "stable-4.9", + "clusterID": "7b351e21-3a8b-4365-afeb-768b9907ea08" + }, + "status": { + "availableUpdates": [ + { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:c9f58ccb8a9085df4eeb23e21ca201d4c7d39bc434786d58a55381e13215a199", + "url": "https://access.redhat.com/errata/RHBA-2021:4119", + "version": "4.9.6" + }, + { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:c91c0faf7ae3c480724a935b3dab7e5f49aae19d195b12f3a4ae38f8440ea96b", + "url": "https://access.redhat.com/errata/RHBA-2021:4712", + "version": "4.9.8" + }, + { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:dc6d4d8b2f9264c0037ed0222285f19512f112cc85a355b14a66bd6b910a4940", + "url": "https://access.redhat.com/errata/RHBA-2021:4834", + "version": "4.9.9" + }, + { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:5c55be02e32e688ec5a404858a08cf533ba15b50b6f0e028089635b47db5866e", + "url": "https://access.redhat.com/errata/RHBA-2021:4579", + "version": "4.9.7" + } + ], + "conditions": [ + { + "lastTransitionTime": "2021-12-08T17:02:45Z", + "message": "Done applying 4.9.5", + "status": "True", + "type": "Available" + }, 
+ { + "lastTransitionTime": "2021-12-08T17:02:45Z", + "status": "False", + "type": "Failing" + }, + { + "lastTransitionTime": "2021-12-08T17:02:45Z", + "message": "Cluster version is 4.9.5", + "status": "False", + "type": "Progressing" + }, + { + "lastTransitionTime": "2021-12-08T16:39:29Z", + "status": "True", + "type": "RetrievedUpdates" + } + ], + "desired": { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:386f4e08c48d01e0c73d294a88bb64fac3284d1d16a5b8938deb3b8699825a88", + "url": "https://access.redhat.com/errata/RHBA-2021:4005", + "version": "4.9.5" + }, + "history": [ + { + "completionTime": "2021-12-08T17:02:45Z", + "image": "quay.io/openshift-release-dev/ocp-release@sha256:386f4e08c48d01e0c73d294a88bb64fac3284d1d16a5b8938deb3b8699825a88", + "startedTime": "2021-12-08T16:39:28Z", + "state": "Completed", + "verified": true, + "version": "4.9.5" + } + ], + "observedGeneration": 2, + "versionHash": "chub99FL3K0=" + } + } + ], + "kind": "List", + "metadata": { + "resourceVersion": "", + "selfLink": "" + } +} +EOF + +jq_filter='[.items[].status.history[] | .verified]' + +# Get file path. This will actually be read by the scan +filteredpath="$kube_apipath$apipath#$(echo -n "$apipath$jq_filter" | sha256sum | awk '{print $1}')" + +# populate filtered path with jq-filtered result +jq "$jq_filter" "$kube_apipath$apipath" > "$filteredpath" \ No newline at end of file diff --git a/applications/openshift/integrity/cluster_version_operator_verify_integrity/tests/ocp4/e2e.yml b/applications/openshift/integrity/cluster_version_operator_verify_integrity/tests/ocp4/e2e.yml new file mode 100644 index 000000000000..f426dc3d7ea4 --- /dev/null +++ b/applications/openshift/integrity/cluster_version_operator_verify_integrity/tests/ocp4/e2e.yml @@ -0,0 +1,2 @@ +--- +default_result: FAIL 
diff --git a/applications/openshift/integrity/cluster_version_operator_verify_integrity/tests/someverified.fail.sh b/applications/openshift/integrity/cluster_version_operator_verify_integrity/tests/someverified.fail.sh
new file mode 100644
index 000000000000..1659e682bdab
--- /dev/null
+++ b/applications/openshift/integrity/cluster_version_operator_verify_integrity/tests/someverified.fail.sh
@@ -0,0 +1,144 @@ +#!/bin/bash + + +yum install -y jq + +kube_apipath="/kubernetes-api-resources" + +mkdir -p "$kube_apipath/apis/config.openshift.io/v1" + +apipath="/apis/config.openshift.io/v1/clusterversions?limit=500" + +cat << EOF > $kube_apipath$apipath +{ + "apiVersion": "v1", + "items": [ + { + "apiVersion": "config.openshift.io/v1", + "kind": "ClusterVersion", + "metadata": { + "creationTimestamp": "2021-12-08T16:39:28Z", + "generation": 2, + "name": "version", + "resourceVersion": "183751", + "uid": "01adc5c2-10b4-4d6b-a082-5e5de1b918ba" + }, + "spec": { + "channel": "stable-4.9", + "clusterID": "7b351e21-3a8b-4365-afeb-768b9907ea08" + }, + "status": { + "availableUpdates": [ + { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:c9f58ccb8a9085df4eeb23e21ca201d4c7d39bc434786d58a55381e13215a199", + "url": "https://access.redhat.com/errata/RHBA-2021:4119", + "version": "4.9.6" + }, + { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:c91c0faf7ae3c480724a935b3dab7e5f49aae19d195b12f3a4ae38f8440ea96b", + "url": "https://access.redhat.com/errata/RHBA-2021:4712", + "version": "4.9.8" + }, + { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:dc6d4d8b2f9264c0037ed0222285f19512f112cc85a355b14a66bd6b910a4940", + "url": "https://access.redhat.com/errata/RHBA-2021:4834", + "version": "4.9.9" + }, + { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:5c55be02e32e688ec5a404858a08cf533ba15b50b6f0e028089635b47db5866e", + "url": "https://access.redhat.com/errata/RHBA-2021:4579", + "version": "4.9.7" + } + ], + "conditions": [ + { + "lastTransitionTime": "2021-12-08T17:02:45Z", + "message": "Done applying 4.9.5", + "status": "True", + "type": "Available" + }, 
+ { + "lastTransitionTime": "2021-12-08T17:02:45Z", + "status": "False", + "type": "Failing" + }, + { + "lastTransitionTime": "2021-12-08T17:02:45Z", + "message": "Cluster version is 4.9.5", + "status": "False", + "type": "Progressing" + }, + { + "lastTransitionTime": "2021-12-08T16:39:29Z", + "status": "True", + "type": "RetrievedUpdates" + } + ], + "desired": { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:386f4e08c48d01e0c73d294a88bb64fac3284d1d16a5b8938deb3b8699825a88", + "url": "https://access.redhat.com/errata/RHBA-2021:4005", + "version": "4.9.5" + }, + "history": [ + { + "completionTime": "2021-12-08T17:02:45Z", + "image": "quay.io/openshift-release-dev/ocp-release@sha256:386f4e08c48d01e0c73d294a88bb64fac3284d1d16a5b8938deb3b8699825a88", + "startedTime": "2021-12-08T16:39:28Z", + "state": "Completed", + "verified": true, + "version": "4.9.5" + }, + { + "completionTime": "2021-12-07T17:02:45Z", + "image": "quay.io/openshift-release-dev/ocp-release@sha256:386f4e08c48d01e0c73d294a88bb64fac3284d1d16a5b8938deb3b8699825a88", + "startedTime": "2021-12-07T16:39:28Z", + "state": "Completed", + "verified": false, + "version": "4.9.5" + } + ], + "observedGeneration": 2, + "versionHash": "chub99FL3K0=" + } + } + ], + "kind": "List", + "metadata": { + "resourceVersion": "", + "selfLink": "" + } +} +EOF + +jq_filter='[.items[].status.history[] | .verified]' + +# Get file path. This will actually be read by the scan +filteredpath="$kube_apipath$apipath#$(echo -n "$apipath$jq_filter" | sha256sum | awk '{print $1}')" + +# populate filtered path with jq-filtered result +jq "$jq_filter" "$kube_apipath$apipath" > "$filteredpath" \ No newline at end of file 
diff --git a/applications/openshift/integrity/cluster_version_operator_verify_integrity/tests/someverified_three_entries.fail.sh b/applications/openshift/integrity/cluster_version_operator_verify_integrity/tests/someverified_three_entries.fail.sh
new file mode 100644
index 000000000000..1659e682bdab
--- /dev/null
+++ b/applications/openshift/integrity/cluster_version_operator_verify_integrity/tests/someverified_three_entries.fail.sh
@@ -0,0 +1,144 @@ +#!/bin/bash + + +yum install -y jq + +kube_apipath="/kubernetes-api-resources" + +mkdir -p "$kube_apipath/apis/config.openshift.io/v1" + +apipath="/apis/config.openshift.io/v1/clusterversions?limit=500" + +cat << EOF > $kube_apipath$apipath +{ + "apiVersion": "v1", + "items": [ + { + "apiVersion": "config.openshift.io/v1", + "kind": "ClusterVersion", + "metadata": { + "creationTimestamp": "2021-12-08T16:39:28Z", + "generation": 2, + "name": "version", + "resourceVersion": "183751", + "uid": "01adc5c2-10b4-4d6b-a082-5e5de1b918ba" + }, + "spec": { + "channel": "stable-4.9", + "clusterID": "7b351e21-3a8b-4365-afeb-768b9907ea08" + }, + "status": { + "availableUpdates": [ + { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:c9f58ccb8a9085df4eeb23e21ca201d4c7d39bc434786d58a55381e13215a199", + "url": "https://access.redhat.com/errata/RHBA-2021:4119", + "version": "4.9.6" + }, + { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:c91c0faf7ae3c480724a935b3dab7e5f49aae19d195b12f3a4ae38f8440ea96b", + "url": "https://access.redhat.com/errata/RHBA-2021:4712", + "version": "4.9.8" + }, + { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:dc6d4d8b2f9264c0037ed0222285f19512f112cc85a355b14a66bd6b910a4940", + "url": "https://access.redhat.com/errata/RHBA-2021:4834", + "version": "4.9.9" + }, + { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:5c55be02e32e688ec5a404858a08cf533ba15b50b6f0e028089635b47db5866e", + "url": "https://access.redhat.com/errata/RHBA-2021:4579", + "version": "4.9.7" + } + ], + "conditions": [ + { + "lastTransitionTime": "2021-12-08T17:02:45Z", + "message": "Done applying 4.9.5", + "status": "True", + "type": "Available" + }, 
+ { + "lastTransitionTime": "2021-12-08T17:02:45Z", + "status": "False", + "type": "Failing" + }, + { + "lastTransitionTime": "2021-12-08T17:02:45Z", + "message": "Cluster version is 4.9.5", + "status": "False", + "type": "Progressing" + }, + { + "lastTransitionTime": "2021-12-08T16:39:29Z", + "status": "True", + "type": "RetrievedUpdates" + } + ], + "desired": { + "channels": [ + "candidate-4.9", + "fast-4.9", + "stable-4.9" + ], + "image": "quay.io/openshift-release-dev/ocp-release@sha256:386f4e08c48d01e0c73d294a88bb64fac3284d1d16a5b8938deb3b8699825a88", + "url": "https://access.redhat.com/errata/RHBA-2021:4005", + "version": "4.9.5" + }, + "history": [ + { + "completionTime": "2021-12-08T17:02:45Z", + "image": "quay.io/openshift-release-dev/ocp-release@sha256:386f4e08c48d01e0c73d294a88bb64fac3284d1d16a5b8938deb3b8699825a88", + "startedTime": "2021-12-08T16:39:28Z", + "state": "Completed", + "verified": true, + "version": "4.9.5" + }, + { + "completionTime": "2021-12-07T17:02:45Z", + "image": "quay.io/openshift-release-dev/ocp-release@sha256:386f4e08c48d01e0c73d294a88bb64fac3284d1d16a5b8938deb3b8699825a88", + "startedTime": "2021-12-07T16:39:28Z", + "state": "Completed", + "verified": false, + "version": "4.9.5" + } + ], + "observedGeneration": 2, + "versionHash": "chub99FL3K0=" + } + } + ], + "kind": "List", + "metadata": { + "resourceVersion": "", + "selfLink": "" + } +} +EOF + +jq_filter='[.items[].status.history[] | .verified]' + +# Get file path. This will actually be read by the scan +filteredpath="$kube_apipath$apipath#$(echo -n "$apipath$jq_filter" | sha256sum | awk '{print $1}')" + +# populate filtered path with jq-filtered result +jq "$jq_filter" "$kube_apipath$apipath" > "$filteredpath" \ No newline at end of file diff --git a/controls/nist_ocp4.yml b/controls/nist_ocp4.yml index b62dbc805b44..036eae0c39dd 100644 --- a/controls/nist_ocp4.yml +++ b/controls/nist_ocp4.yml 
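Review bot: `someverified_three_entries.fail.sh` is byte-for-byte the same file as `someverified.fail.sh` — both blobs carry index `1659e682bdab`, both are 144 lines, and this fixture's `history` array has two entries, not three — so the case its name promises (three history entries with one unverified) is not exercised. Either add a third entry (e.g. a further `"verified": true` record with its own timestamps, mirroring the three-entry pass test) so that the unverified entry sits inside a longer list, or drop the duplicate file. The diffstat in the commit header also lists both files at 144 lines, consistent with the copy.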
@@ -12133,8 +12133,16 @@ controls: signed and from an authorized registry. Signature verification is done in the Container Runtime level before running the containers. Therefore, the OpenShift Platform inherently meets this control. + + Integrity of the OpenShift platform is handled to start by the cluster + version operator. Today the CVO will by default GPG verify the integrity + of the release image before applying it. [1] + + [1] https://github.com/openshift/machine-config-operator/blob/master/docs/OSUpgrades.md#questions-and-answers rules: - reject_unsigned_images_by_default + - cluster_version_operator_exists + - cluster_version_operator_verify_integrity description: |- The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components. diff --git a/controls/nist_rhcos4.yml b/controls/nist_rhcos4.yml index 25edb62cdfee..b90abf18a941 100644 --- a/controls/nist_rhcos4.yml +++ b/controls/nist_rhcos4.yml @@ -11675,12 +11675,13 @@ controls: - high - moderate - id: SA-10(1) - status: pending + status: inherently met notes: |- - A control response to SA-10(1) is planned. Progress - can be tracked at: + CoreOS updates are distributed as signed container images and verified as such, the cluster version operator from OpenShift + will by default GPG verify the integrity of the release image before applying it. The release image contains a sha256 digest + of machine-os-content which is used by the Machine Config Operator for updates. [1] - https://issues.redhat.com/browse/CMP-373 + [1] https://github.com/openshift/machine-config-operator/blob/master/docs/OSUpgrades.md#questions-and-answers rules: [] description: |- The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components. 
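Review bot: In the nist_rhcos4.yml hunk `status` moves from `pending` to `inherently met` while `rules` stays `[]`, so the rhcos4 response now rests on the notes alone; the behaviour the notes cite (the CVO GPG-verifying the release image and the MCO consuming the digest it carries) is what the two new ocp4 rules check, so the notes should say where the evidence lives, e.g. `Automated checks for this behaviour are provided in the ocp4 product (cluster_version_operator_exists, cluster_version_operator_verify_integrity).` Those notes also run two claims together with a comma; split at `...verified as such; the cluster version operator...`. In the nist_ocp4.yml hunk, `Today the CVO will by default` dates the statement — `The CVO by default GPG-verifies the integrity of the release image before applying it.` says the same without the time reference — and listing `cluster_version_operator_verify_integrity` as evidence while its `tests/ocp4/e2e.yml` expects `FAIL` deserves a sentence explaining the expected result.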
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 03e3ed34fc0d..73d082768d02 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -4545,8 +4545,6 @@ CCE-90666-9
 CCE-90667-7
 CCE-90668-5
 CCE-90669-3
-CCE-90670-1
-CCE-90671-9
 CCE-90672-7
 CCE-90673-5
 CCE-90674-3