Uploaded image for project: 'Cloud Infrastructure Security & Compliance'
  1. Cloud Infrastructure Security & Compliance
  2. CMP-1130

Create a FedRAMP High compliance-operator profile

XMLWordPrintable

    • Complete Checks & remediations for FedRAMP High controls
    • False
    • False
    • Green
    • To Do
    • OCPPLAN-7638 - Complete Checks & remediations for FedRAMP High controls
    • Impediment
    • OCPPLAN-7638Complete Checks & remediations for FedRAMP High controls
    • 0% To Do, 0% In Progress, 100% Done
    • Undefined
    • Hide

      Implementation complete.  Builds for QE completed, waiting to be tested.

      Show
      Implementation complete.  Builds for QE completed, waiting to be tested.

      This epic covers writing SCAP content and remediations for the controls that can currently be met.  Every single control and remediation that is implemented adds value for the customer, so our approach is to implement as much as possible for the release.  There is no MVP with regards to the number/percentage of goals that need to be implemented.

      There are still functional gaps in OCP related to FedRAMP that have been identified, which are outside of the scope of this epic.  These will be tracked and targeted separately.

      Acceptance Criteria

      • We provide a new FedRAMP high profile for Compliance Operator
      • We have the appropriate OpenSCAP checks as defined 
      • We have the appropriate Remediations for checks that can be auto-remediated
      • We have automated testing for the profile

      Documentation Needs

      This epic will be addressed by adding rules to a new "FedRAMP high" SCAP profile that is used by compliance-operator.  SCAP content already includes human-readable guidance documentation that explains all of the rules and remediations that are contained in a profile.  Engineering will be developing this detailed guidance as a part of the profile development.  As such, the documentation needs in our official OpenShift docs for this should be minimal.  Mentioning that additional security content is added to the FedRAMP High profile can be covered in the release notes, as the regular documentation should not cover anything in-depth with regards to the rules and remediations inside of a profile.

      We have added a basic table that lists the provided profiles in the "Supported compliance profiles"[1] chapter. In addition to the current list of profiles, we should add the "FedRAMP high" profile to that table. Ex.

      Profile Profile Title Compliance Operator version Industry compliance benchmark
      ocp4-high NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level   NIST SP-800-53 Release Search\
      rhcos4-high NIST 800-53 High-Impact Baseline for Red Hat Enterprise Linux CoreOS   NIST SP-800-53 Release Search\
      ocp4-high-node NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Node level   NIST SP-800-53 Release Search\

      [1] https://docs.openshift.com/container-platform/4.9/security/compliance_operator/compliance-operator-supported-profiles.html
       

      Quality Assurance Needs

      This epic concerns the addition of a large set of rules and remediations to the "high" profile that is used by the compliance-operator. As such, this profile must be tested to ensure the following:

      • The rules are able to get the necessary information
      • The rules generate appropriate remediations
      • The remediations indeed address the found gaps (defines by the rules)
      • The cluster is in a working state after the remediations have been applied

      A proposed test is as follows:

      • In a clean cluster, install the compliance-operator
      • Run a scan for the FedRamp High profile. This will be both a Platform scan and a Node scan which are the ocp4 and rhcos4 profiles respectively.
      • Apply all the suggested remediations
      • Apply manual fixes as suggested by the results (e.g. configure a relevant IdP, use signed images only, etc.)
      • Re-scan
      • Verify that the rules which had issues were fixed and are now in a compliant state
      • Run a smoke test to verify that the cluster is still usable

      References

      The full list of security controls for FedRAMP high are tracked in the OCP NIST SP800-53  epic.  This board indicates which controls that we have determined can be met with the current functionality provided by OpenShift Container Platform.

          There are no Sub-Tasks for this issue.

              wenshen@redhat.com Vincent Shen
              dcaspin@redhat.com Doron Caspin
              Xiaojie Yuan Xiaojie Yuan
              Votes:
              0 Vote for this issue
              Watchers:
              11 Start watching this issue

                Created:
                Updated:
                Resolved:

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - Not Specified
                  Not Specified
                  Logged:
                  Time Spent - 3 days
                  3d