Cloud Infrastructure Security & Compliance / CMP-1014

[CM-11]: Check that there exists an allowed list of registries


Details

    • Type: Story
    • Resolution: Done

    Description

      The control says:

      The organization:
      a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
      b. Enforces software installation policies through [Assignment: organization-defined methods]; and
      c. Monitors policy compliance at [Assignment: organization-defined frequency].

      Regarding the monitoring, the control says: "Policy enforcement methods
      include procedural methods (e.g., periodic examination of user accounts),
      automated methods (e.g., configuration settings implemented on organizational
      information systems), or both.", which makes me think that periodically running
      the checks that look at whether signing is enforced and whether registries have been
      configured is enough. It would be nice to write the OpenSCAP rule so that
      the list of allowed registries is configurable; that would provide nicer auditing.


      In addition to checking signatures, which we already do, we should make sure that only the allowed registries are configured as per https://docs.openshift.com/container-platform/4.7/openshift_images/image-configuration.html
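One way to implement the configurable check the ticket asks for, shown here as an added example rather than code from the compliance-operator project: a Python function that evaluates the JSON form of the image.config.openshift.io/cluster object (as returned by `oc get image.config.openshift.io/cluster -o json`) against an organization-defined allow-list. The sample object and the organization's list below are constructed values, not taken from a real cluster.

```python
import json

# Constructed sample of an image.config.openshift.io/cluster object (not from a real cluster).
SAMPLE_IMAGE_CONFIG = json.loads("""
{
  "apiVersion": "config.openshift.io/v1",
  "kind": "Image",
  "metadata": {"name": "cluster"},
  "spec": {
    "registrySources": {
      "allowedRegistries": [
        "quay.io",
        "registry.redhat.io",
        "image-registry.openshift-image-registry.svc:5000",
        "docker.io"
      ]
    }
  }
}
""")

# Organization-defined allow-list: the configurable value the ticket asks for (assumed example values).
ORG_ALLOWED_REGISTRIES = {
    "quay.io",
    "registry.redhat.io",
    "image-registry.openshift-image-registry.svc:5000",
}


def check_allowed_registries(image_config, org_allowed):
    """Return (passed, findings) for the CM-11 registry allow-list check."""
    findings = []
    sources = image_config.get("spec", {}).get("registrySources", {})
    allowed = sources.get("allowedRegistries")
    # With no allowedRegistries the cluster will pull from any registry: fail immediately.
    if not allowed:
        findings.append("spec.registrySources.allowedRegistries is not set; any registry is allowed")
        return False, findings
    # Every configured registry must appear in the organization-defined list.
    for reg in sorted(set(allowed) - org_allowed):
        findings.append(f"registry {reg!r} is configured but not in the organization allow-list")
    # Additional check: an allowed registry should not also be marked insecure (no TLS verification).
    for reg in sorted(set(allowed) & set(sources.get("insecureRegistries", []))):
        findings.append(f"allowed registry {reg!r} is also listed in insecureRegistries")
    return not findings, findings


if __name__ == "__main__":
    ok, notes = check_allowed_registries(SAMPLE_IMAGE_CONFIG, ORG_ALLOWED_REGISTRIES)
    print("PASS" if ok else "FAIL")
    for note in notes:
        print(" -", note)
```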

People

    Assignee: Unassigned
    Reporter: Jakub Hrozek (jhrozek@redhat.com)