Uploaded image for project: 'Cloud Infrastructure Security & Compliance'
  1. Cloud Infrastructure Security & Compliance
  2. CMP-1884

Create a tailored profile for PCI-DSS on ARO

XMLWordPrintable

    • pci-dss-aro-tailored-profile
    • False
    • None
    • False
    • Not Selected
    • To Do
    • RFE-6438Compliance operator ARO compatibility
    • 100% To Do, 0% In Progress, 0% Done

      Epic Goal

      • Create a TailoredProfile for running the PCI-DSS profile on ARO that shows ARO is compliance with PCI-DSS

      Why is this important?

      ARO claims PCI-DSS compliance, but the Compliance Operator shows the OpenShift cluster as non-compliant when run on ARO. We need to address these issues either in the ARO platform or in the rules so that the ARO documentation (and audit) are not inconsistent with what the Compliance Operator reports.

      Scenarios

      1. As a ARO customer, I want to run the PCI-DSS profile using the Compliance Operator and verify my cluster is in compliance.

      Acceptance Criteria

      • Must have a KCS that describes the relationship between PCI-DSS profile rules and ARO, if there are any discrepancies
      • Have a discussion with ARO teams to understand where we can advertise the KCS before customers hit this issue (ARO documentation or Compliance Operator documentation)
      • The TailoredProfile exists and contains valid rationale for why particular rules need to be excluded.
      • The TailoredProfile will be delivered by using the KCS article. It will not be delivered automatically in ARO environments
      • Any PCI-DSS violations must be raised with the ARO SRE team to ensure they're addressed or justified.
      • Should have ARO CI environment that exercises the TailoredProfile and fails if the profile returns non-compliance (depends on getting ARO CI environments, see below)
      • Meet with the ARO team to figure out if we can leverage any CI needs from ARO for testing this TailoredProfile (stretch goal unless we get commitment from ARO teams)
      • Identify a way to populate TailoredProfiles for managed platforms (stretch goal)

      Dependencies (internal and external)

      1. Working with ARO service delivery teams to establish CI
      2. Working with ARO SRE teams to remediate any legitimate PCI-DSS findings
      3. Working with PX and documentation teams to update KCS to include TailoredProfile

      Previous Work (Optional):

      Open questions::

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

              lbragsta@redhat.com Lance Bragstad
              lbragsta@redhat.com Lance Bragstad
              Xiaojie Yuan Xiaojie Yuan
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: