CIS Benchmark Manual policy decisions

[AdrianHammond]

In the CIS benchmark there are a number of policy setting that require users to make decisions based on their firms needs and manually implement technical controls, from the OCP benchmark document (attached) they include:

• Configure encryption of data at rest in etcd datastore
• Manage Image Provenance
• Set the --event-qps argument as appropriate
• Configure the API server audit log retention
• Configure cluster logging to forward audit logs off the cluster
• Configure the audit log file size
• Adjust the garbage collection settings as needed
• Create custom Security Context Constraints as needed
• Configure Network Policies as appropriate

Based on previous service accelerator we would set policy to configure encryption of data at rest in etcd datastore.

Does anyone have views on the other MANUAL policies?, my view is that we should leave these for firms to make their own decisions ior do we need consistent CFI recommendation for these MANUAL policy remediations.

Thoughts?

CIS_RedHat_OpenShift_Container_Platform_v4_Benchmark_v1.1.0_PDF.pdf

[mcleo-d]

Is this discussion also related to #223 ..?

[mcleo-d]

@eddie-knight confirmed during #237 this is related to Open Shift and not #223

[eddie-knight]

confirmed 👍