Merge pull request #12309 from yuumasato/add_ocp4_pci_dss_references

Add ocp4 pci dss references

controls/cis_ocp_1_4_0/section-4.yml

@@ -131,6 +131,7 @@ controls:
       status: automated
       rules:
         - kubelet_configure_event_creation
+        - var_event_record_qps=50
       levels: [ level_2, ]
     - id: 4.2.9
       title: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate

controls/pcidss_4.yml

@@ -2788,7 +2788,6 @@ controls:
       rules:
         - var_auditd_name_format=fqd
         - auditd_name_format
-        - audit_profile_set
 
   - id: '10.3'
     title: Audit logs are protected from destruction and unauthorized modifications.

controls/pcidss_4_ocp4.yml

@@ -5,6 +5,7 @@ version: '4.0'
 source: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
 levels:
 - id: base
+reference_type: pcidss4
 
 controls:
   - id: '1.1'
@@ -386,6 +387,8 @@ controls:
         This control is also addressed by applying the OpenShift CIS recommendations.
       rules:
         - scansettingbinding_exists
+      controls:
+        - cis_ocp_1_4_0:all:level_2
 
     - id: 2.2.2
       title: Vendor default accounts are managed

docs/manual/developer/03_creating_content.md

@@ -700,6 +700,7 @@ Nesting can be accomplished both by
 * nesting whole control definitions, or by
 * nesting references to existing controls in the `policy:control` format, where the `policy:` part can be skipped
 if the reference points to a control in that policy.
+ * To nest all controls of a policy level, use `all` followed by the level. e.g: `cis_ocp4_1_4_0:all:level_2`.
 
 Nesting using references allows reuse of controls across multiple policies.
 

products/ocp4/profiles/cis-1-4.profile

@@ -31,7 +31,6 @@ selections:
     - cis_ocp_1_4_0:all
     ### Variables
     - var_openshift_audit_profile=WriteRequestBodies
-    - var_event_record_qps=50
     ### Helper Rules
     ### This is a helper rule to fetch the required api resource for detecting OCP version
     - version_detect_in_ocp

products/ocp4/profiles/cis-1-5.profile

@@ -32,7 +32,6 @@ selections:
     - cis_ocp_1_4_0:all
     ### Variables
     - var_openshift_audit_profile=WriteRequestBodies
-    - var_event_record_qps=50
     ### Helper Rules
     ### This is a helper rule to fetch the required api resource for detecting OCP version
     - version_detect_in_ocp

products/ocp4/profiles/pci-dss-3-2.profile

@@ -16,7 +16,8 @@ title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform
 description: |-
     Ensures PCI-DSS v3.2.1 security configuration settings are applied.
 
-filter_rules: '"ocp4-node" not in platforms and "ocp4-master-node" not in platforms'
+filter_rules: '"ocp4-node" not in platforms and "ocp4-master-node" not in platforms and "ocp4-node-on-sdn" not in platforms and "ocp4-node-on-ovn" not in platforms'
+
 
 # Req-2.2
 extends: cis

products/ocp4/profiles/pci-dss-4-0.profile

@@ -16,10 +16,8 @@ title: 'PCI-DSS v4.0.0 Control Baseline for Red Hat OpenShift Container Platform
 description: |-
     Ensures PCI-DSS v4.0.0 security configuration settings are applied.
 
-filter_rules: '"ocp4-node" not in platforms and "ocp4-master-node" not in platforms'
+filter_rules: '"ocp4-node" not in platforms and "ocp4-master-node" not in platforms and "ocp4-node-on-sdn" not in platforms and "ocp4-node-on-ovn" not in platforms'
 
-# Req-2.2
-extends: cis
 
 selections:
     - pcidss_4_ocp4:all:base

products/ocp4/profiles/pci-dss-node-4-0.profile

@@ -18,8 +18,5 @@ description: |-
 
 filter_rules: '"ocp4-node" in platforms or "ocp4-master-node" in platforms or "ocp4-node-on-sdn" in platforms or "ocp4-node-on-ovn" in platforms'
 
-# Req-2.2
-extends: cis-node
-
 selections:
     - pcidss_4_ocp4:all:base

products/ocp4/profiles/pci-dss-node.profile

@@ -17,4 +17,4 @@ description: |-
     Ensures PCI-DSS v3.2.1 security configuration settings are applied.
 
 # Req-2.2
-extends: pci-dss-node-3-2
+extends: pci-dss-node-4-0

products/ocp4/profiles/pci-dss.profile

@@ -17,4 +17,4 @@ description: |-
     Ensures PCI-DSS v3.2.1 security configuration settings are applied.
 
 # Req-2.2
-extends: pci-dss-3-2
+extends: pci-dss-4-0

ssg/controls.py

@@ -177,7 +177,7 @@ def represent_as_dict(self):
         return data
 
     def add_references(self, reference_type, rules):
-        for selection in self.rules:
+        for selection in self.selections:
             if "=" in selection:
                 continue
             rule = rules.get(selection)
@@ -456,14 +456,25 @@ def resolve_controls(self):
             for control in policy.controls:
                 self._resolve_control(pid, control)
 
+    def _get_foreign_subcontrols(self, policy_id, req):
+        if req.startswith("all"):
+            _, level_id = req.split(":", 1)
+            return self.get_all_controls_of_level(policy_id, level_id)
+        else:
+            return [self.get_control(policy_id, req)]
+
     def _resolve_control(self, pid, control):
         for sub_name in control.controls:
             policy_id = pid
             if ":" in sub_name:
-                policy_id, sub_name = sub_name.split(":", 1)
-            subcontrol = self.get_control(policy_id, sub_name)
-            self._resolve_control(pid, subcontrol)
-            control.update_with(subcontrol)
+                policy_id, req = sub_name.split(":", 1)
+                subcontrols = self._get_foreign_subcontrols(policy_id, req)
+            else:
+                subcontrols = [self.get_control(policy_id, sub_name)]
+
+            for subcontrol in subcontrols:
+                self._resolve_control(policy_id, subcontrol)
+                control.update_with(subcontrol)
 
     def get_control(self, policy_id, control_id):
         policy = self._get_policy(policy_id)

tests/unit/ssg-module/test_controls.py

@@ -486,6 +486,37 @@ def test_policy_parse_from_ours_and_foreign():
     assert "really_ours" in control.selections
     assert "foreign" in control.selections
 
+def test_policy_parse_foreign_with_all():
+    main_control_dict = dict(id="top", controls=["foreign:all:level_1", "ours", "P:ours_qualified"])
+    main_subcontrol_dicts = [dict(id="ours", rules=["ours"]), dict(id="ours_qualified", rules=["really_ours"])]
+    foreign_control_dicts = [dict(id="req1", rules=["foreign_1"], levels=["level_1"]),
+                            dict(id="req2", rules=["foreign_2"], levels=["level_1", "level_2"]),
+                            dict(id="req3", rules=["foreign_3"], levels=["level_2"])]
+
+    main_policy = ssg.controls.Policy("")
+    main_policy.id = "P"
+    main_policy.save_controls_tree([main_control_dict] + main_subcontrol_dicts)
+
+    foreign_policy = ssg.controls.Policy("")
+    foreign_policy.id = "foreign"
+    level1 = ssg.controls.Level.from_level_dict(dict(id="level_1"))
+    level2 = ssg.controls.Level.from_level_dict(dict(id="level_2"))
+
+    foreign_policy.levels = [level1, level2]
+    foreign_policy.levels_by_id = {"level_1": level1, "level_2": level2}
+    foreign_policy.save_controls_tree(foreign_control_dicts)
+
+    controls_manager = ssg.controls.ControlsManager("", dict())
+    controls_manager.policies[main_policy.id] = main_policy
+    controls_manager.policies[foreign_policy.id] = foreign_policy
+
+    controls_manager.resolve_controls()
+    control = controls_manager.get_control("P", "top")
+    assert "ours" in control.selections
+    assert "really_ours" in control.selections
+    assert "foreign_1" in control.selections
+    assert "foreign_2" in control.selections
+    assert "foreign_3" not in control.selections
 
 def test_policy_parse_from_referenced(minimal_empty_controls, one_simple_subcontrol):
     nested_controls = minimal_empty_controls