OCP4: Add additional control response for SA-10(1) integrity check
Added two rules, cluster_version_operator_exists to check if cluster version operator is available, and cluster_version_operator_verify_integrity to check if cluster image is verified

Related link regarding how RHCOS integrity check https://github.com/openshift/machine-config-operator/blob/master/docs/OSUpgrades.md#questions-and-answers
Vincent056 committed Dec 9, 2021
1 parent cda9d9e commit d6ea049
Showing 13 changed files with 962 additions and 6 deletions.
@@ -0,0 +1,49 @@
prodtype: ocp4

title: Ensure that Cluster Version Operator is deployed

description: |-
Integrity of the OpenShift platform is handled to start by the cluster version operator.
Cluster Version Operator will by default GPG verify the integrity of the release
image before applying it. [1]
This rule checks if Cluster Version Operator is deployed and available in the system.
[1] https://github.com/openshift/machine-config-operator/blob/master/docs/OSUpgrades.md#questions-and-answers
rationale: |-
Integrity check prevent a malicious actor from using a unauthorized system image, hence it will ensure the
image has not been tampered with, or corrupted.
identifiers:
cce@ocp4: CCE-90670-1

references:
nist: SA-10(1)

{{% set jqfilter = '[.items[].status.conditions[] | select(.type=="Available") | .status]' %}}
{{% set apipath = '/apis/config.openshift.io/v1/clusterversions?limit=500' %}}

ocil_clause: 'Cluster Version Operator is not installed'

ocil: |-
Run the following command to retrieve the Cluster Version objects in the system:
<pre>$ oc get ClusterVersion</pre>
Make sure the Cluster Version Operator is installed and the AVAILABLE is True.
severity: medium

warnings:
- general: |-
{{{ openshift_filtered_cluster_setting({apipath: jqfilter}) | indent(4) }}}
template:
name: yamlfile_value
vars:
ocp_data: "true"
filepath: |-
{{{ openshift_filtered_path(apipath, jqfilter) }}}
yamlpath: "[:]"
entity_check: "all"
values:
- value: "True"
operation: "equals"
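Review bot: the interesting case for a rule titled "Ensure that Cluster Version Operator is deployed" is an empty `items` list (no ClusterVersion object at all), where the jq filter yields `[]` and `yamlpath: "[:]"` with `entity_check: "all"` has nothing to evaluate; please confirm the template reports that as a failure rather than a pass, and add a scenario with an empty list, since the two scenarios in this commit only toggle `Available` between True and False. The description and rationale also need a grammar pass before they land in rendered guides: "Integrity of the OpenShift platform is handled to start by" reads better as "Integrity of the OpenShift platform begins with", "Integrity check prevent a malicious actor from using a unauthorized system image, hence it will ensure the image" should be "Integrity checks prevent a malicious actor from using an unauthorized system image, which ensures the image".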
@@ -0,0 +1,136 @@
#!/bin/bash


yum install -y jq

kube_apipath="/kubernetes-api-resources"

mkdir -p "$kube_apipath/apis/config.openshift.io/v1"

apipath="/apis/config.openshift.io/v1/clusterversions?limit=500"

cat << EOF > $kube_apipath$apipath
{
"apiVersion": "v1",
"items": [
{
"apiVersion": "config.openshift.io/v1",
"kind": "ClusterVersion",
"metadata": {
"creationTimestamp": "2021-12-08T16:39:28Z",
"generation": 2,
"name": "version",
"resourceVersion": "183751",
"uid": "01adc5c2-10b4-4d6b-a082-5e5de1b918ba"
},
"spec": {
"channel": "stable-4.9",
"clusterID": "7b351e21-3a8b-4365-afeb-768b9907ea08"
},
"status": {
"availableUpdates": [
{
"channels": [
"candidate-4.9",
"fast-4.9",
"stable-4.9"
],
"image": "quay.io/openshift-release-dev/ocp-release@sha256:c9f58ccb8a9085df4eeb23e21ca201d4c7d39bc434786d58a55381e13215a199",
"url": "https://access.redhat.com/errata/RHBA-2021:4119",
"version": "4.9.6"
},
{
"channels": [
"candidate-4.9",
"fast-4.9",
"stable-4.9"
],
"image": "quay.io/openshift-release-dev/ocp-release@sha256:c91c0faf7ae3c480724a935b3dab7e5f49aae19d195b12f3a4ae38f8440ea96b",
"url": "https://access.redhat.com/errata/RHBA-2021:4712",
"version": "4.9.8"
},
{
"channels": [
"candidate-4.9",
"fast-4.9",
"stable-4.9"
],
"image": "quay.io/openshift-release-dev/ocp-release@sha256:dc6d4d8b2f9264c0037ed0222285f19512f112cc85a355b14a66bd6b910a4940",
"url": "https://access.redhat.com/errata/RHBA-2021:4834",
"version": "4.9.9"
},
{
"channels": [
"candidate-4.9",
"fast-4.9",
"stable-4.9"
],
"image": "quay.io/openshift-release-dev/ocp-release@sha256:5c55be02e32e688ec5a404858a08cf533ba15b50b6f0e028089635b47db5866e",
"url": "https://access.redhat.com/errata/RHBA-2021:4579",
"version": "4.9.7"
}
],
"conditions": [
{
"lastTransitionTime": "2021-12-08T17:02:45Z",
"message": "Done applying 4.9.5",
"status": "True",
"type": "Available"
},
{
"lastTransitionTime": "2021-12-08T17:02:45Z",
"status": "False",
"type": "Failing"
},
{
"lastTransitionTime": "2021-12-08T17:02:45Z",
"message": "Cluster version is 4.9.5",
"status": "False",
"type": "Progressing"
},
{
"lastTransitionTime": "2021-12-08T16:39:29Z",
"status": "True",
"type": "RetrievedUpdates"
}
],
"desired": {
"channels": [
"candidate-4.9",
"fast-4.9",
"stable-4.9"
],
"image": "quay.io/openshift-release-dev/ocp-release@sha256:386f4e08c48d01e0c73d294a88bb64fac3284d1d16a5b8938deb3b8699825a88",
"url": "https://access.redhat.com/errata/RHBA-2021:4005",
"version": "4.9.5"
},
"history": [
{
"completionTime": "2021-12-08T17:02:45Z",
"image": "quay.io/openshift-release-dev/ocp-release@sha256:386f4e08c48d01e0c73d294a88bb64fac3284d1d16a5b8938deb3b8699825a88",
"startedTime": "2021-12-08T16:39:28Z",
"state": "Completed",
"verified": true,
"version": "4.9.5"
}
],
"observedGeneration": 2,
"versionHash": "chub99FL3K0="
}
}
],
"kind": "List",
"metadata": {
"resourceVersion": "",
"selfLink": ""
}
}
EOF

jq_filter='[.items[].status.conditions[] | select(.type=="Available") | .status]'

# Get file path. This will actually be read by the scan
filteredpath="$kube_apipath$apipath#$(echo -n "$apipath$jq_filter" | sha256sum | awk '{print $1}')"

# populate filtered path with jq-filtered result
jq "$jq_filter" "$kube_apipath$apipath" > "$filteredpath"
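Review bot: quote the redirect target on the `cat << EOF > $kube_apipath$apipath` line, i.e. `> "$kube_apipath$apipath"`; `apipath` contains `?limit=500`, and an unquoted `?` is a glob character, so the line only works because no existing file happens to match the pattern (the later `jq` call already quotes the same path). The heredoc delimiter is unquoted, so the fixture body is subject to `$` expansion; it contains no `$` today, but `<< 'EOF'` would make that explicit and keep a future fixture containing a `$` from being silently altered.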
@@ -0,0 +1,2 @@
---
default_result: PASS
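Review bot: `default_result: PASS` encodes the expectation that an untouched, freshly installed cluster passes out of the box; for the integrity rule in particular, please verify on a real cluster what the initial-install entry in `status.history` reports for `verified`, because the fixtures in this commit assume `true` and a `false` there would turn this default into a permanent failure. With 13 files changed and only five hunks rendered here it is also not visible which rule's tests directory this file belongs to, so confirm both new rules carry the same expectation.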
@@ -0,0 +1,136 @@
#!/bin/bash


yum install -y jq

kube_apipath="/kubernetes-api-resources"

mkdir -p "$kube_apipath/apis/config.openshift.io/v1"

apipath="/apis/config.openshift.io/v1/clusterversions?limit=500"

cat << EOF > $kube_apipath$apipath
{
"apiVersion": "v1",
"items": [
{
"apiVersion": "config.openshift.io/v1",
"kind": "ClusterVersion",
"metadata": {
"creationTimestamp": "2021-12-08T16:39:28Z",
"generation": 2,
"name": "version",
"resourceVersion": "183751",
"uid": "01adc5c2-10b4-4d6b-a082-5e5de1b918ba"
},
"spec": {
"channel": "stable-4.9",
"clusterID": "7b351e21-3a8b-4365-afeb-768b9907ea08"
},
"status": {
"availableUpdates": [
{
"channels": [
"candidate-4.9",
"fast-4.9",
"stable-4.9"
],
"image": "quay.io/openshift-release-dev/ocp-release@sha256:c9f58ccb8a9085df4eeb23e21ca201d4c7d39bc434786d58a55381e13215a199",
"url": "https://access.redhat.com/errata/RHBA-2021:4119",
"version": "4.9.6"
},
{
"channels": [
"candidate-4.9",
"fast-4.9",
"stable-4.9"
],
"image": "quay.io/openshift-release-dev/ocp-release@sha256:c91c0faf7ae3c480724a935b3dab7e5f49aae19d195b12f3a4ae38f8440ea96b",
"url": "https://access.redhat.com/errata/RHBA-2021:4712",
"version": "4.9.8"
},
{
"channels": [
"candidate-4.9",
"fast-4.9",
"stable-4.9"
],
"image": "quay.io/openshift-release-dev/ocp-release@sha256:dc6d4d8b2f9264c0037ed0222285f19512f112cc85a355b14a66bd6b910a4940",
"url": "https://access.redhat.com/errata/RHBA-2021:4834",
"version": "4.9.9"
},
{
"channels": [
"candidate-4.9",
"fast-4.9",
"stable-4.9"
],
"image": "quay.io/openshift-release-dev/ocp-release@sha256:5c55be02e32e688ec5a404858a08cf533ba15b50b6f0e028089635b47db5866e",
"url": "https://access.redhat.com/errata/RHBA-2021:4579",
"version": "4.9.7"
}
],
"conditions": [
{
"lastTransitionTime": "2021-12-08T17:02:45Z",
"message": "Done applying 4.9.5",
"status": "False",
"type": "Available"
},
{
"lastTransitionTime": "2021-12-08T17:02:45Z",
"status": "False",
"type": "Failing"
},
{
"lastTransitionTime": "2021-12-08T17:02:45Z",
"message": "Cluster version is 4.9.5",
"status": "True",
"type": "Progressing"
},
{
"lastTransitionTime": "2021-12-08T16:39:29Z",
"status": "True",
"type": "RetrievedUpdates"
}
],
"desired": {
"channels": [
"candidate-4.9",
"fast-4.9",
"stable-4.9"
],
"image": "quay.io/openshift-release-dev/ocp-release@sha256:386f4e08c48d01e0c73d294a88bb64fac3284d1d16a5b8938deb3b8699825a88",
"url": "https://access.redhat.com/errata/RHBA-2021:4005",
"version": "4.9.5"
},
"history": [
{
"completionTime": "2021-12-08T17:02:45Z",
"image": "quay.io/openshift-release-dev/ocp-release@sha256:386f4e08c48d01e0c73d294a88bb64fac3284d1d16a5b8938deb3b8699825a88",
"startedTime": "2021-12-08T16:39:28Z",
"state": "Completed",
"verified": true,
"version": "4.9.5"
}
],
"observedGeneration": 2,
"versionHash": "chub99FL3K0="
}
}
],
"kind": "List",
"metadata": {
"resourceVersion": "",
"selfLink": ""
}
}
EOF

jq_filter='[.items[].status.conditions[] | select(.type=="Available") | .status]'

# Get file path. This will actually be read by the scan
filteredpath="$kube_apipath$apipath#$(echo -n "$apipath$jq_filter" | sha256sum | awk '{print $1}')"

# populate filtered path with jq-filtered result
jq "$jq_filter" "$kube_apipath$apipath" > "$filteredpath"
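Review bot: `history[0].verified` is still `true` in this fail fixture, so the scenario exercises only the `Available` condition; the `cluster_version_operator_verify_integrity` rule needs its own scenario with `"verified": false` (ideally a history with several entries, one of them unverified) and no such fixture is among the hunks rendered on this page. The fixture is also internally inconsistent: `Available` is False and `Progressing` is True, yet the `Available` condition keeps `"message": "Done applying 4.9.5"`; the jq filter only reads `.status`, so this is cosmetic, but a message matching a not-yet-available state would make the test data more credible. The same quoting points as in the pass script apply to the `cat << EOF > $kube_apipath$apipath` line.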
@@ -0,0 +1,48 @@
prodtype: ocp4

title: Ensure that Cluster Version Operator verifies integrity

description: |-
Integrity of the OpenShift platform is handled to start by the cluster version operator.
Cluster Version Operator will by default GPG verify the integrity of the release
image before applying it. This rule check if there is an unverified cluster image.
rationale: |-
Unverified cluster image will compromise the system integrity. Integrity check prevent
a malicious actor from using a unauthorized system image, hence it will ensure the
image has not been tampered with, or corrupted.
identifiers:
cce@ocp4: CCE-90671-9

references:
nist: SA-10(1)

{{% set jqfilter = '[.items[].status.history[] | .verified]' %}}
{{% set apipath = '/apis/config.openshift.io/v1/clusterversions?limit=500' %}}

ocil_clause: 'Cluster image is not verified'

ocil: |-
Run the following command to retrieve the Cluster Version objects in the system:
<pre>$ oc get ClusterVersion -o yaml</pre>
Make sure verified is true under status history for each item.
severity: medium

warnings:
- general: |-
{{{ openshift_filtered_cluster_setting({apipath: jqfilter}) | indent(4) }}}
template:
name: yamlfile_value
vars:
ocp_data: "true"
filepath: |-
{{{ openshift_filtered_path(apipath, jqfilter) }}}
yamlpath: "[:]"
entity_check: "all"
values:
- value: "true"
operation: "equals"
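Review bot: the jq filter `[.items[].status.history[] | .verified]` together with `entity_check: "all"` requires every entry in `status.history` to be verified, including entries whose `state` is not `Completed` and the entry from the original installation; since history is append-only, a single old unverified entry makes the rule fail permanently with no remediation path. Consider narrowing to completed updates, e.g. `[.items[].status.history[] | select(.state=="Completed") | .verified]`, and check what the initial-install entry reports on a real cluster before relying on the default PASS expectation. Grammar: "This rule check if there is an unverified cluster image" should be "This rule checks whether any cluster image in the update history is unverified", "Unverified cluster image will compromise" should be "An unverified cluster image compromises", and "Integrity check prevent a malicious actor from using a unauthorized" should be "Integrity checks prevent a malicious actor from using an unauthorized". The `[1]` citation to the OSUpgrades Q&A used in the sibling rule's description would fit here as well.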
