Commit

Merge pull request #10616 from jhrozek/SRG-APP-000266-CTR-000625
SRG-APP-000266-CTR-000625: Inherently met SRG Was missing status justification
rhmdnd authored Jun 8, 2023
2 parents e1f3601 + 16e5628 commit c5fc86a
Showing 1 changed file with 12 additions and 0 deletions.
12 changes: 12 additions & 0 deletions controls/srg_ctr/SRG-APP-000266-CTR-000625.yml
Expand Up @@ -8,3 +8,15 @@ controls:
related_rules:
- audit_profile_set
status: inherently met
status_justification: |-
In OpenShift, the logs depend greatly on the component. Some components would just write messages to stdout that the cluster administrator can retrieve logs through the use of the oc command. Some components emit events, and others emit a Prometheus metric which the API server would write into their logs.
For the OCP components that run in a container (most operators), the usual RBAC rules would prevent a non-admin user from reading the container logs or events.
OpenShift error message handling is designed to obscure or not log sensitive information which is contained inside Secrets.
Error Messages from applications will need to be reviewed independently as the messages provided by the application hosted on the platform is outside the scope of the platform control.
artifact_description: |-
Supporting evidence is in the following documentation:
https://docs.openshift.com/container-platform/latest/logging/cluster-logging-visualizer.html
https://docs.openshift.com/container-platform/latest/authentication/using-rbac.html
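Review bot: the third sentence of status_justification ("OpenShift error message handling is designed to obscure or not log sensitive information which is contained inside Secrets") carries most of the weight for an "inherently met" status, but neither URL under artifact_description appears to support it: one path is the logging visualizer page and the other is the RBAC page. Please add a reference that covers how Secret contents are kept out of error messages, or narrow the sentence to what the two linked pages document. The RBAC sentence also relies on "the usual RBAC rules" without saying that it assumes unmodified default role bindings; since an inherently met control has no rule checking it, that assumption should be written out. Both links use the "latest" docs path, so the evidence will change as the documentation moves; consider pinning them to the documentation version the assessment was made against. Minor wording: "the messages provided by the application hosted on the platform is outside the scope" should read "are outside the scope", and "that the cluster administrator can retrieve logs through the use of the oc command" reads more clearly as "which the cluster administrator can retrieve with the oc command".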
