Add ocp4 pci dss references

[yuumasato]

Description:

• Removes ocp4 rule from pcidss_4.yml.
  Rule audit_profile_set is an OCP4, and it was breaking auto referencing in pcidss_4_ocp4.yml
• Adds auto referencing to pcidss_4_ocp4.yml.
• Add capability to import all controls of a specific level from a foreign policy.
  • For example, the OCP4 PCI-DSS v4.0 control file imports all OCP4 CIS controls in Req 2.2 with cis_ocp_1_4_0:all:level_2

Rationale:

• Ensures the rules used in PCI-DSS v4 profile reference the requirement they are supporting.

Review Hints:

• Checkout compliance-operator
• gh co 594
• $ CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12309 make deploy-local

$ oc get rule ocp4-api-server-tls-cert -oyaml
...
id: xccdf_org.ssgproject.content_rule_api_server_tls_cert
kind: Rule
metadata:
  annotations:
    compliance.openshift.io/image-digest: pb-upstream-ocp45qsp7
    compliance.openshift.io/profiles: upstream-ocp4-high,upstream-ocp4-nerc-cip,upstream-ocp4-cis-1-4,upstream-ocp4-moderate-rev-4,upstream-ocp4-cis,upstream-ocp4-cis-1-5,upstream-ocp4-moderate,upstream-ocp4-pci-dss,upstream-ocp4-pci-dss-3-2,upstream-ocp4-high-rev-4,upstream-ocp4-pci-dss-4-0
    compliance.openshift.io/rule: api-server-tls-cert
    control.compliance.openshift.io/CIS-OCP: 1.2.28
    control.compliance.openshift.io/NERC-CIP: CIP-003-8 R4.2;CIP-007-3 R5.1
    control.compliance.openshift.io/NIST-800-53: SC-8;SC-8(1);SC-8(2)
    control.compliance.openshift.io/PCI-DSS: Req-2.2;Req-2.2.3;Req-2.3
->  control.compliance.openshift.io/PCI-DSS-4-0: 2.2.5;2.2.7;4.2.1  <-
    control.compliance.openshift.io/STIG: SRG-APP-000441-CTR-001090;SRG-APP-000442-CTR-001095
    policies.open-cluster-management.io/controls: CIP-003-8 R4.2,CIP-007-3 R5.1,SC-8,SC-8(1),SC-8(2),Req-2.2,Req-2.2.3,Req-2.3,SRG-APP-000441-CTR-001090,SRG-APP-000442-CTR-001095,1.2.28,2.2.5,2.2.7,4.2.1
    policies.open-cluster-management.io/standards: NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,PCI-DSS-4-0
...

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment

Oracle Linux 8 Environment

[github-actions]

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12309
This image was built from commit: 4d8484e

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12309

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12309 make deploy-local

[rhmdnd]

I deployed this change into a cluster, then attempted to verify each rule in the PCI-DSS profiles has the expected reference, but only a handful of them did. Here are the steps I used to reproduce:

1. Grab a list of all the rules associated with the profile

$  oc get profiles ocp4-pci-dss-node-4-0 -o yaml > 4-0-node-rules.txt

2. Trimmed out all the data but rules separated by newlines

$ head 4-0-node-rules.txt 
ocp4-directory-access-var-log-kube-audit
ocp4-directory-access-var-log-oauth-audit
ocp4-directory-access-var-log-ocp-audit
ocp4-directory-permissions-var-log-kube-audit
ocp4-directory-permissions-var-log-oauth-audit
ocp4-directory-permissions-var-log-ocp-audit
ocp4-etcd-unique-ca
ocp4-file-groupowner-cni-conf
ocp4-file-groupowner-controller-manager-kubeconfig
ocp4-file-groupowner-etcd-data-dir

3. Check annotations for each rule

$ for r in $(cat 4-0-node-rules.txt); do oc get rules $r -o json | jq '.metadata.annotations."control.compliance.openshift.io/PCI-DSS-4-0"'; done                                                                                                                                                                                                                                                                    130 ↵
"10.3.2"
"10.3.2"
"10.3.2"
"10.3.2"
"10.3.2"
"10.3.2"
null
null
null
null
null
null
null
null
null
null
null
null

Is this expected?

[yuumasato]

Interesting, the rules without PCI-DSS-4-0 annotation references are the rules we inherited from CiS, because we extend the CIS profiles as part of requirement 2.2.1 which is is about developing, implementing and maintaining configuration standards consistent with industry-accepted hardening standards. So we include CIS rules.

The auto-referencing works on the rules selected in the Control file, these are rules added by extension.
Another point is that these inherited rules miss PCI-DSS 3.2.1 references as well.

Let me see if I can make it work...

[yuumasato]

@rhmdnd All the CIS rules added as part of 2.2 now have PCI-DSS references.

[yuumasato]

@Mab879 @jan-cerny in c63cb65 I have extended nesting of controls to support all key, works like in the *.profile files. Please take a look.

The reason I change from extending CIS profile to importing all CIS controls, is to take advantage of the auto-referencing of rules in the control file.

[rhmdnd]

Is it safe to assume this is the old way of doing things, and what you did on 2438f12#diff-67844ce694c84c54b76dac7610bc6443a329477c4a685417d3aaa1eae7b6e29cR391 is how we should be doing it moving forward?

[yuumasato]

I guess so, if one wants to take advantage of auto-referencing in control files.

[rhmdnd]

/lgtm

Works for me in my cluster with the latest profiles, thanks!

[yuumasato]

@Mab879 @jan-cerny Test added for the import of controls with all key.

[xiaojiey]

/hold for test

[yuumasato]

Rebased to address codeclimate issues.

[codeclimate]

Code Climate has analyzed commit 4d8484e and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.5% (0.1% change).

View more on Code Climate.

[jan-cerny]

I have built the ocp4 product and reviewed the resolved control file at build/ocp4/controls/pcidss_4_ocp4.yml. The control includes rules form the CIS controls. It seems to work correctly.

[xiaojiey]

@yuumasato I am not sure if there is anything wrong.
Now I can see all rules have
"control.compliance.openshift.io/PCI-DSS-4-0": "4.2.1;4.2" annotations. Is it expected behavior? Thanks.

1. Check all rules in ocp4-pci-dss-4-0 and ocp4-pci-dss-node-4-0
% oc get profile upstream-ocp4-pci-dss-4-0 -o=jsonpath={.rules} | jq -r > ocp4_pci_40     
% oc get profile upstream-ocp4-pci-dss-node-4-0 -o=jsonpath={.rules} | jq -r >> ocp4_pci_40
2. #Trim the data in ocp4_pci_40 and save all rules info into a file called rules. And check the annotation.
% for rule in `cat rules`; do oc get rule $r -o json | jq '.metadata.annotations."control.compliance.openshift.io/PCI-DSS-4-0"'; done 
"4.2.1;4.2"
"4.2.1;4.2"
"4.2.1;4.2"
"4.2.1;4.2"
"4.2.1;4.2"
"4.2.1;4.2"
"4.2.1;4.2"
"4.2.1;4.2"
"4.2.1;4.2"
"4.2.1;4.2"
"4.2.1;4.2"
"4.2.1;4.2"
"4.2.1;4.2"
"4.2.1;4.2"
...

[xiaojiey]

/hold for test

[xiaojiey]

sorry, a stupid typo error. The PR works well.

% for rule in `cat rules`; do oc get rule $rule -o json | jq '.metadata.annotations."control.compliance.openshift.io/PCI-DSS-4-0"'; done 
"2.2.1;2.2"
"2.2.1;2.2"
"11.5.1.1;11.5.1;11.5"
"10.7.2;10.7"
"2.2.1;2.2"
"2.2.1;2.2"
"2.2.1;2.2"
"2.2.1;2.2"
"2.2.1;2.2"
"2.2.1;2.2"
"2.2.1;2.2"
"2.2.1;2.2"
"2.2.1;2.2"
"2.2.1;2.2"
"2.2.1;2.2"
"2.2.1;2.2"
"2.2.1;2.2"
"2.2.1;2.2.5;2.2.7;2.2"
"2.2.1;2.2.5;2.2.7;2.2"
"2.2.1;2.2;3.5.1.3;3.5.1;3.5"
"2.2.1;2.2.5;2.2.7;2.2"
...