OpenShift Container Platform (OCP) Strategy
OCPSTRAT-80

Checks & remediations for additional PCI-DSS controls

    • Type: Feature
    • Resolution: Done
    • Priority: Critical
    • Fix Version/s: openshift-4.10
    • Progress: 0% To Do, 0% In Progress, 100% Done
    • Backlog Refinement

      Description

      Of the controls that have been addressed as part of the moderate assessment, many items can already be satisfied technically. This epic covers writing SCAP content and remediations for the controls that can currently be met. Every control and remediation that is implemented adds value for the customer, so our approach is to implement as much as possible for the release.

      https://docs.google.com/spreadsheets/d/17tijEH57XvFKGR9DWbbfmH-7BVnFtiZjZzxlGebVBwA/edit?usp=sharing


      Acceptance Criteria

      • Appropriate OpenSCAP checks, as defined in the
      • Appropriate remediations for the checks that can be auto-remediated
      • Automated testing for the profile

      Documentation Needs

      This epic will be addressed by adding rules to the existing PCI-DSS SCAP profile that is used by the compliance operator. SCAP content already includes human-readable guidance documentation that explains all of the rules and remediations contained in a profile, and Engineering will develop this detailed guidance as part of the profile development. As such, the documentation needs in our official OpenShift docs for this should be minimal. It may be possible to cover this entirely in the release notes, since the regular documentation should not cover anything in depth regarding the rules and remediations inside a profile.

      This epic concerns the addition of a large set of rules and remediations to the "moderate" profile that is used by the compliance operator. As such, this profile must be tested to ensure the following:

      • The rules are able to gather the information they need from the cluster
      • The rules generate appropriate remediations
      • The remediations indeed address the gaps found (as defined by the rules)
      • The cluster is in a working state after the remediations have been applied

      A proposed test is as follows:

      • In a clean cluster, install the compliance-operator
      • Run a scan for the moderate profile. This will be both a Platform scan and a Node scan which are the ocp4 and rhcos4 profiles respectively.
      • Apply all the suggested remediations
      • Apply manual fixes as suggested by the results (e.g. configure a relevant IdP, use signed images only, etc.)
      • Re-scan
      • Verify that the rules which had issues were fixed and are now in a compliant state
      • Run a smoke test to verify that the cluster is still usable
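The test loop above, driven with oc against the Compliance Operator's own CRDs. This is an added example, not a script from the epic or from the operator project. It assumes the operator is installed in the openshift-compliance namespace, and the profile names, the binding/suite name and the snapshot file names are assumptions (the epic's plan names the moderate ocp4/rhcos4 pair, so substitute the pair under test). The result snapshots are compared by pure helpers (fixed, still failing, regressed), so the verification step can be exercised without a cluster.

```shell
#!/bin/sh
# Added example (not part of the epic): drive the proposed scan / remediate /
# re-scan / verify loop with oc. Every name below is an assumption; override
# via the environment to match the cluster and profile pair under test.
NS="${NS:-openshift-compliance}"
SUITE="${SUITE:-pci-dss-test}"                        # ScanSettingBinding and resulting ComplianceSuite name (assumed)
PLATFORM_PROFILE="${PLATFORM_PROFILE:-ocp4-pci-dss}"  # Platform scan profile (assumed name)
NODE_PROFILE="${NODE_PROFILE:-ocp4-pci-dss-node}"     # Node scan profile (assumed name)

# Bind both profiles to the default ScanSetting; the operator creates a
# ComplianceSuite named after the binding and starts the first scan.
start_scan() {
  oc apply -n "$NS" -f - <<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: $SUITE
profiles:
  - name: $PLATFORM_PROFILE
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
  - name: $NODE_PROFILE
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
EOF
}

# Poll the suite until every scan in it has finished.
wait_for_suite() {
  until [ "$(oc get compliancesuite "$SUITE" -n "$NS" -o jsonpath='{.status.phase}')" = "DONE" ]; do
    sleep 30
  done
}

# Emit "<check-name> <status>" lines for the suite; taken once before and once
# after remediation so the pure helpers below can compare the two snapshots.
snapshot_results() {
  oc get compliancecheckresults -n "$NS" -l "compliance.openshift.io/suite=$SUITE" \
    --no-headers -o custom-columns=NAME:.metadata.name,STATUS:.status
}

# Pure helpers over two snapshot files (before, after); no cluster needed.
# Checks that failed before and pass now: the remediations closed the gap.
fixed_checks()     { awk 'NR==FNR { b[$1]=$2; next } b[$1]=="FAIL" && $2=="PASS" { print $1 }' "$1" "$2"; }
# Checks that still fail: gaps neither the remediations nor the manual fixes closed.
still_failing()    { awk 'NR==FNR { b[$1]=$2; next } b[$1]=="FAIL" && $2=="FAIL" { print $1 }' "$1" "$2"; }
# Checks that passed before and fail now: a remediation broke something.
regressed_checks() { awk 'NR==FNR { b[$1]=$2; next } b[$1]=="PASS" && $2=="FAIL" { print $1 }' "$1" "$2"; }

# Apply every ComplianceRemediation the scan produced.
apply_remediations() {
  for r in $(oc get complianceremediations -n "$NS" -l "compliance.openshift.io/suite=$SUITE" -o name); do
    oc patch "$r" -n "$NS" --type merge -p '{"spec":{"apply":true}}'
  done
  # Node remediations are MachineConfigs; wait for the pools to roll them out.
  oc wait mcp --all --for=condition=Updated --timeout=45m
}

# Trigger a re-scan of every scan in the suite.
rescan() {
  oc annotate compliancescans -n "$NS" -l "compliance.openshift.io/suite=$SUITE" \
    compliance.openshift.io/rescan= --overwrite
}

# Compare the snapshots; fail on any regression or any check left failing.
verify() {
  before="$1"; after="$2"
  echo "fixed:";         fixed_checks "$before" "$after"
  echo "still failing:"; still_failing "$before" "$after"
  if [ -n "$(regressed_checks "$before" "$after")" ]; then
    echo "regressions:"; regressed_checks "$before" "$after"
    return 1
  fi
  [ -z "$(still_failing "$before" "$after")" ]
}

main() {
  start_scan; wait_for_suite; snapshot_results > before.txt
  apply_remediations
  # Manual fixes (IdP configuration, signed images, ...) go here before the re-scan.
  rescan; wait_for_suite; snapshot_results > after.txt
  verify before.txt after.txt
  # Smoke test: nodes and cluster operators must still report healthy.
  oc get nodes && oc get clusteroperators
}

# Only run the cluster-facing loop when invoked as "sh thisscript.sh run".
if [ "${1:-}" = "run" ]; then main "$@"; fi
```

Running `sh thisscript.sh run` executes the whole loop; sourcing the file instead exposes the snapshot helpers for offline comparison of two saved result listings. Keeping the MachineConfigPool wait before the re-scan matters because node remediations only take effect once the pools have finished rolling, so a re-scan started too early reports the old state.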

      References

      The full list of security controls for PCI-DSS is tracked here: https://docs.google.com/spreadsheets/d/17tijEH57XvFKGR9DWbbfmH-7BVnFtiZjZzxlGebVBwA/edit?usp=sharing

            dcaspin@redhat.com Doron Caspin