Uploaded image for project: 'Cloud Infrastructure Security & Compliance'
  1. Cloud Infrastructure Security & Compliance
  2. CMP-1927

Add initialDelay option to File Integrity Operator FileIntegrity CR

XMLWordPrintable

    • BU Product Work
    • False
    • None
    • False
    • Not Selected

      1. Proposed title of this feature request
      Add initialDelay option to File Integrity Operator FileIntegrity CR

      2. What is the nature and description of the request?
      The request is to add a new option to File Integrity Operators' `FileIntegrity` CR to set an `intialDelay` value in which the operator waits before triggering an AIDE database init on nodes. This AIDE database init captures the current state of all files on each node and sets a hash. When file changes are detected, the hashes are different and FIO triggers a failed scan.

      3. Why does the customer need this? (List the business requirements here)
      The File Integrity Operator (FIO) is utilized in FedRAMP ROSA clusters to ensure we are meeting requirements to monitor the security of clusters. FIO is deployed to all FedRAMP clusters shortly after completion of the cluster creation.

      As with all ROSA/OSD clusters, once a cluster is been created, numerous configuration changes and updates are rolled down from Hive to the cluster, which triggers a bunch of changes including potentially file changes. We've noticed an issue that once FIO is deployed, it creates its AIDE database on each node and captures the current state of all files at that time. If FIO captures this data too early, the various updates and changes that occur after creation causes FIO to detect file changes which alerts SREP in FedRAMP. This has been occurring on all new clusters created. By having an option to set a delay, we can ensure AIDE does not init for a specific period of time, which will allow new clusters to settle and complete their syncing. This will ensure FIO has an accurate hash of current state and not create false alerts.

      4. List any affected packages or components.
      File Integrity Operator only

            dcaspin@redhat.com Doron Caspin
            anatale.openshift Antony Natale
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: