
Update OpenShift CIS benchmark to version 1.4.0


    • CIS profile update 1.4.0

      Epic Goal

      • Ensure the CIS profile is up-to-date

      Update the OpenShift CIS benchmark to version 1.3.0.

      This work has a dependency on https://issues.redhat.com/browse/CMP-1692 where we want to build automation that completes this task.

      The work in this epic will require using tools to generate a CIS OpenShift profile for version 1.2.0. Then, engineers will need to map the relevant rules/checks into the generated controls.

      Why is this important?

      The current profile for CIS is version 1.1.0 and was superseded by version 1.2.0, which was published on June 22 2022. Some of our customers have noticed discrepancies between the profile we ship and the new version (e.g., section 5.7).

      We should update the profile we support to version 1.2.0 so we're checking against the latest version offered by CIS.

      This work requires automation, which will be tracked in a separate initiative: https://issues.redhat.com/browse/CMP-1692

      Scenarios

      1. As an OpenShift administrator, I want to ensure that my cluster is CIS version 1.2.0 compliant.

      Acceptance Criteria

      • CI must test the latest version of the OCP CIS benchmark (version 1.2.0)
      • Any additional rules added in version 1.2.0 should be automated if possible
      • Primary differences between version 1.1.0 and 1.2.0 should be summarized and documented for users

      Dependencies (internal and external)

      1. https://issues.redhat.com/browse/CMP-1692

      Previous Work (Optional):

      1. The CIS and CIS-node profile exist, but are not up-to-date

      Open questions:

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

              lbragsta@redhat.com Lance Bragstad
              jhrozek@redhat.com Jakub Hrozek (Inactive)
              Xiaojie Yuan Xiaojie Yuan