Merge pull request #7973 from Vincent056/SA-10(1)

OCP4: Add additonal control response for SA-10(1) integrity check

applications/openshift/integrity/cluster_version_operator_exists/rule.yml

@@ -0,0 +1,49 @@
+prodtype: ocp4
+
+title: Ensure that Cluster Version Operator is deployed
+
+description: |-
+  Integrity of the OpenShift platform is handled to start by the cluster version operator.
+  Cluster Version Operator will by default GPG verify the integrity of the release 
+  image before applying it. [1]
+  This rule checks if Cluster Version Operator is deployed and available in the system.
+
+  [1] https://github.com/openshift/machine-config-operator/blob/master/docs/OSUpgrades.md#questions-and-answers
+
+rationale: |-
+  Integrity check prevent a malicious actor from using a unauthorized system image, hence it will ensure the
+  image has not been tampered with, or corrupted.
+
+identifiers:
+  cce@ocp4: CCE-90670-1
+
+references:
+  nist: SA-10(1)
+
+{{% set jqfilter = '[.status.conditions[] | select(.type=="Available") | .status]' %}}
+{{% set apipath = '/apis/config.openshift.io/v1/clusterversions/version' %}}
+
+ocil_clause: 'Cluster Version Operator is not installed'
+
+ocil: |-
+    Run the following command to retrieve the Cluster Version objects in the system:
+    <pre>$ oc get clusterversion version</pre>
+    Make sure the Cluster Version Operator is installed and the AVAILABLE is True.
+
+severity: medium
+
+warnings:
+- general: |-
+    {{{ openshift_filtered_cluster_setting({apipath: jqfilter}) | indent(4) }}}
+
+template:
+  name: yamlfile_value
+  vars:
+    ocp_data: "true"
+    filepath: |-
+      {{{ openshift_filtered_path(apipath, jqfilter) }}}
+    yamlpath: "[:]"
+    entity_check: "all"
+    values:
+      - value: "True"
+        operation: "equals"

applications/openshift/integrity/cluster_version_operator_exists/tests/available.pass.sh

@@ -0,0 +1,80 @@
+#!/bin/bash
+
+
+yum install -y jq
+
+kube_apipath="/kubernetes-api-resources"
+
+mkdir -p "$kube_apipath/apis/config.openshift.io/v1/clusterversions"
+
+apipath="/apis/config.openshift.io/v1/clusterversions/version"
+
+cat << EOF > $kube_apipath$apipath
+{
+    "apiVersion": "config.openshift.io/v1",
+    "kind": "ClusterVersion",
+    "metadata": {
+        "creationTimestamp": "2021-12-16T06:23:17Z",
+        "generation": 2,
+        "name": "version",
+        "resourceVersion": "26705",
+        "uid": "82964255-cdb8-43c7-b662-f5d4d32a6a1c"
+    },
+    "spec": {
+        "clusterID": "6476f301-185d-468f-ac2e-98144b9aa300"
+    },
+    "status": {
+        "availableUpdates": null,
+        "conditions": [
+            {
+                "lastTransitionTime": "2021-12-16T06:23:17Z",
+                "message": "The update channel has not been configured.",
+                "reason": "NoChannel",
+                "status": "False",
+                "type": "RetrievedUpdates"
+            },
+            {
+                "lastTransitionTime": "2021-12-16T06:44:42Z",
+                "message": "Done applying 4.10.0-0.ci-2021-12-15-195801",
+                "status": "True",
+                "type": "Available"
+            },
+            {
+                "lastTransitionTime": "2021-12-16T06:44:42Z",
+                "status": "False",
+                "type": "Failing"
+            },
+            {
+                "lastTransitionTime": "2021-12-16T06:44:42Z",
+                "message": "Cluster version is 4.10.0-0.ci-2021-12-15-195801",
+                "status": "False",
+                "type": "Progressing"
+            }
+        ],
+        "desired": {
+            "image": "registry.build01.ci.openshift.org/ci-ln-vhslt2k/release@sha256:cd38c2c90e01b6c3461afbc6f44743242b9e62fcb4a0c8b7593d7c459a164636",
+            "version": "4.10.0-0.ci-2021-12-15-195801"
+        },
+        "history": [
+            {
+                "completionTime": "2021-12-16T06:44:42Z",
+                "image": "registry.build01.ci.openshift.org/ci-ln-vhslt2k/release@sha256:cd38c2c90e01b6c3461afbc6f44743242b9e62fcb4a0c8b7593d7c459a164636",
+                "startedTime": "2021-12-16T06:23:17Z",
+                "state": "Completed",
+                "verified": false,
+                "version": "4.10.0-0.ci-2021-12-15-195801"
+            }
+        ],
+        "observedGeneration": 2,
+        "versionHash": "nKvpmlDXL0I="
+    }
+}
+EOF
+
+jq_filter='[.status.conditions[] | select(.type=="Available") | .status]'
+
+# Get file path. This will actually be read by the scan
+filteredpath="$kube_apipath$apipath#$(echo -n "$apipath$jq_filter" | sha256sum | awk '{print $1}')"
+
+# populate filtered path with jq-filtered result
+jq "$jq_filter" "$kube_apipath$apipath" > "$filteredpath"

applications/openshift/integrity/cluster_version_operator_exists/tests/ocp4/e2e.yml

@@ -0,0 +1,2 @@
+---
+default_result: PASS

applications/openshift/integrity/cluster_version_operator_exists/tests/unavailable.fail.sh

@@ -0,0 +1,80 @@
+#!/bin/bash
+
+
+yum install -y jq
+
+kube_apipath="/kubernetes-api-resources"
+
+mkdir -p "$kube_apipath/apis/config.openshift.io/v1/clusterversions"
+
+apipath="/apis/config.openshift.io/v1/clusterversions/version"
+
+cat << EOF > $kube_apipath$apipath
+{
+    "apiVersion": "config.openshift.io/v1",
+    "kind": "ClusterVersion",
+    "metadata": {
+        "creationTimestamp": "2021-12-16T06:23:17Z",
+        "generation": 2,
+        "name": "version",
+        "resourceVersion": "26705",
+        "uid": "82964255-cdb8-43c7-b662-f5d4d32a6a1c"
+    },
+    "spec": {
+        "clusterID": "6476f301-185d-468f-ac2e-98144b9aa300"
+    },
+    "status": {
+        "availableUpdates": null,
+        "conditions": [
+            {
+                "lastTransitionTime": "2021-12-16T06:23:17Z",
+                "message": "The update channel has not been configured.",
+                "reason": "NoChannel",
+                "status": "False",
+                "type": "RetrievedUpdates"
+            },
+            {
+                "lastTransitionTime": "2021-12-16T06:44:42Z",
+                "message": "Done applying 4.10.0-0.ci-2021-12-15-195801",
+                "status": "False",
+                "type": "Available"
+            },
+            {
+                "lastTransitionTime": "2021-12-16T06:44:42Z",
+                "status": "True",
+                "type": "Failing"
+            },
+            {
+                "lastTransitionTime": "2021-12-16T06:44:42Z",
+                "message": "Cluster version is 4.10.0-0.ci-2021-12-15-195801",
+                "status": "False",
+                "type": "Progressing"
+            }
+        ],
+        "desired": {
+            "image": "registry.build01.ci.openshift.org/ci-ln-vhslt2k/release@sha256:cd38c2c90e01b6c3461afbc6f44743242b9e62fcb4a0c8b7593d7c459a164636",
+            "version": "4.10.0-0.ci-2021-12-15-195801"
+        },
+        "history": [
+            {
+                "completionTime": "2021-12-16T06:44:42Z",
+                "image": "registry.build01.ci.openshift.org/ci-ln-vhslt2k/release@sha256:cd38c2c90e01b6c3461afbc6f44743242b9e62fcb4a0c8b7593d7c459a164636",
+                "startedTime": "2021-12-16T06:23:17Z",
+                "state": "Completed",
+                "verified": false,
+                "version": "4.10.0-0.ci-2021-12-15-195801"
+            }
+        ],
+        "observedGeneration": 2,
+        "versionHash": "nKvpmlDXL0I="
+    }
+}
+EOF
+
+jq_filter='[.status.conditions[] | select(.type=="Available") | .status]'
+
+# Get file path. This will actually be read by the scan
+filteredpath="$kube_apipath$apipath#$(echo -n "$apipath$jq_filter" | sha256sum | awk '{print $1}')"
+
+# populate filtered path with jq-filtered result
+jq "$jq_filter" "$kube_apipath$apipath" > "$filteredpath"

applications/openshift/integrity/cluster_version_operator_verify_integrity/rule.yml

@@ -0,0 +1,48 @@
+prodtype: ocp4
+
+title: Ensure that Cluster Version Operator verifies integrity
+
+description: |-
+  Integrity of the OpenShift platform is handled to start by the cluster version operator.
+  Cluster Version Operator will by default GPG verify the integrity of the release 
+  image before applying it. This rule check if there is an unverified cluster image.
+
+rationale: |-
+  Unverified cluster image will compromise the system integrity. Integrity check prevent 
+  a malicious actor from using a unauthorized system image, hence it will ensure the
+  image has not been tampered with, or corrupted.
+
+identifiers:
+  cce@ocp4: CCE-90671-9
+
+references:
+  nist: SA-10(1)
+
+{{% set jqfilter = '[.status.history[] | .verified]' %}}
+{{% set apipath = '/apis/config.openshift.io/v1/clusterversions/version' %}}
+
+ocil_clause: 'Cluster image is not verified'
+
+ocil: |-
+    Run the following command to retrieve the Cluster Version objects in the system:
+    <pre>$ oc get clusterversion version -o yaml</pre>
+    Make sure verified is true under status history for each item.
+
+severity: medium
+
+warnings:
+- general: |-
+    {{{ openshift_filtered_cluster_setting({apipath: jqfilter}) | indent(4) }}}
+
+template:
+  name: yamlfile_value
+  vars:
+    ocp_data: "true"
+    filepath: |-
+      {{{ openshift_filtered_path(apipath, jqfilter) }}}
+    yamlpath: "[:]"
+    entity_check: "all"
+    values:
+      - value: "true"
+        operation: "equals"
+

applications/openshift/integrity/cluster_version_operator_verify_integrity/tests/allverfied_three_entries.pass.sh

@@ -0,0 +1,96 @@
+#!/bin/bash
+
+
+yum install -y jq
+
+kube_apipath="/kubernetes-api-resources"
+
+mkdir -p "$kube_apipath/apis/config.openshift.io/v1/clusterversions"
+
+apipath="/apis/config.openshift.io/v1/clusterversions/version"
+
+cat << EOF > $kube_apipath$apipath
+{
+    "apiVersion": "config.openshift.io/v1",
+    "kind": "ClusterVersion",
+    "metadata": {
+        "creationTimestamp": "2021-12-16T06:23:17Z",
+        "generation": 2,
+        "name": "version",
+        "resourceVersion": "26705",
+        "uid": "82964255-cdb8-43c7-b662-f5d4d32a6a1c"
+    },
+    "spec": {
+        "clusterID": "6476f301-185d-468f-ac2e-98144b9aa300"
+    },
+    "status": {
+        "availableUpdates": null,
+        "conditions": [
+            {
+                "lastTransitionTime": "2021-12-16T06:23:17Z",
+                "message": "The update channel has not been configured.",
+                "reason": "NoChannel",
+                "status": "False",
+                "type": "RetrievedUpdates"
+            },
+            {
+                "lastTransitionTime": "2021-12-16T06:44:42Z",
+                "message": "Done applying 4.10.0-0.ci-2021-12-15-195801",
+                "status": "True",
+                "type": "Available"
+            },
+            {
+                "lastTransitionTime": "2021-12-16T06:44:42Z",
+                "status": "False",
+                "type": "Failing"
+            },
+            {
+                "lastTransitionTime": "2021-12-16T06:44:42Z",
+                "message": "Cluster version is 4.10.0-0.ci-2021-12-15-195801",
+                "status": "False",
+                "type": "Progressing"
+            }
+        ],
+        "desired": {
+            "image": "registry.build01.ci.openshift.org/ci-ln-vhslt2k/release@sha256:cd38c2c90e01b6c3461afbc6f44743242b9e62fcb4a0c8b7593d7c459a164636",
+            "version": "4.10.0-0.ci-2021-12-15-195801"
+        },
+        "history": [
+            {
+                "completionTime": "2021-12-16T06:44:42Z",
+                "image": "registry.build01.ci.openshift.org/ci-ln-vhslt2k/release@sha256:cd38c2c90e01b6c3461afbc6f44743242b9e62fcb4a0c8b7593d7c459a164636",
+                "startedTime": "2021-12-16T06:23:17Z",
+                "state": "Completed",
+                "verified": true,
+                "version": "4.10.0-0.ci-2021-12-15-195801"
+            },
+            {
+                "completionTime": "2021-12-15T06:44:42Z",
+                "image": "registry.build01.ci.openshift.org/ci-ln-vhslt2k/release@sha256:cd38c2c90e01b6c3461afbc6f44743242b9e62fcb4a0c8b7593d7c459a164636",
+                "startedTime": "2021-12-15T06:23:17Z",
+                "state": "Completed",
+                "verified": true,
+                "version": "4.10.0-0.ci-2021-12-15-195801"
+            },
+            {
+                "completionTime": "2021-12-15T03:44:42Z",
+                "image": "registry.build01.ci.openshift.org/ci-ln-vhslt2k/release@sha256:cd38c2c90e01b6c3461afbc6f44743242b9e62fcb4a0c8b7593d7c459a164636",
+                "startedTime": "2021-12-15T03:23:17Z",
+                "state": "Completed",
+                "verified": true,
+                "version": "4.10.0-0.ci-2021-12-15-195801"
+            }
+        ],
+        "observedGeneration": 2,
+        "versionHash": "nKvpmlDXL0I="
+    }
+}
+EOF
+
+jq_filter='[.status.history[] | .verified]'
+
+# Get file path. This will actually be read by the scan
+filteredpath="$kube_apipath$apipath#$(echo -n "$apipath$jq_filter" | sha256sum | awk '{print $1}')"
+
+# populate filtered path with jq-filtered result
+jq "$jq_filter" "$kube_apipath$apipath" > "$filteredpath"