Uploaded image for project: 'Cloud Infrastructure Security & Compliance'
  1. Cloud Infrastructure Security & Compliance
  2. CMP-1047

Create a DISA-STIG compliance-operator profile

    XMLWordPrintable

Details

    • Support Creation for DISA-STIG Profile
    • False
    • False
    • To Do
    • OCPSTRAT-438 - Support Creation for DISA-STIG Profile
    • OCPSTRAT-438Support Creation for DISA-STIG Profile
    • 100
    • 100% 100%
    • Undefined
    • ISC
    • Approved

    Description

      Description

      This epic covers writing SCAP content and remediations for the controls that can currently be met as well as migrating the STIG Profile content from a spreadsheet to CaC control files.

      Acceptance Criteria

      • Progress tracking tooling is created to track coverage for profile development
      • The control metadata is moved to the CaC repo in the controls structs
      • Appropriate OpenSCAP checks are implemented in the profile as defined in the spreadsheet
      • Appropriate Remediations exist for checks that can be auto-remediated
      • Automated testing for the profile

      Documentation Needs

      This epic will be addressed by adding rules to the DISA-STIG SCAP profile that is used by the compliance operator.  SCAP content already includes human-readable guidance documentation that explains all of the rules and remediations that are contained in a profile.  Engineering will be developing this detailed guidance as a part of the profile development.  As such, the documentation needs in our official OpenShift docs for this should be minimal.  This may be possible to cover entirely in the release notes, as the regular documentation should not cover anything in-depth with regards to the rules and remediations inside of a profile. 

      At a minimum, the documentation should mention the existence of the  DISA-STIG profile.  This should go into a section that lists the profiles we provide.  If this section does not already exist, we should add it.

      Testing Needs

      This epic concerns the addition of a large set of rules and remediations to the "STIG" profile that is used by the compliance operator. As such, this profile must be tested to ensure the following:

      • The rules are able to get the necessary information
      • The rules generate appropriate remediations
      • The remediations indeed address the found gaps (defines by the rules)
      • The cluster is in a working state after the remediations have been applied

      A proposed test is as follows:

      • In a clean cluster, install the compliance-operator
      • Run a scan for the STIG profile. This will be both a Platform scan and a Node scan which are the ocp4 and rhcos4 profiles respectively.
      • Apply all the suggested remediations
      • Apply manual fixes as suggested by the results (e.g. configure a relevant IdP, use signed images only, etc.)
      • Re-scan
      • Verify that the rules which had issues were fixed and are now in a compliant state
      • Run a smoke test to verify that the cluster is still usable

       

      In addition:

      • make sure all the information from the STIG spreadsheet is migrated to CaC controls.
      • the spreadsheet should be generated from the CaC controls going forward

      Tech enablement

      • none needed, this is a new profile only, no work on the operator side

      References

      STIG 

       

      External dependencies

      DISA must accept our draft. If the draft is not accepted, we'll "just" do the work upstream and reconcile the upstream content with the changes that DISA requests and release the profile when they do accept our draft.

       

      Attachments

        Issue Links

          is cloned by

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-438 Support Creation for DISA-STIG Profile

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is related to

          Feature Request - Feature requests from customers and/or users CMP-1894 Compliance Operator- OS STIG profile request

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed
          links to

          Web Link RHBA-2023:120240 openshift-compliance-operator bug fix and/or enhancement update

          Activity

            People

              jhrozek@redhat.com Jakub Hrozek
              dcaspin@redhat.com Doron Caspin
              Cloud Infrastructure Security & Compliance
              Votes:
              3 Vote for this issue
              Watchers:
              17 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: