From 16e5628d7beae84ac9a1b9a061003b0792a54726 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Mon, 22 May 2023 17:55:48 +0200
Subject: [PATCH] SRG-APP-000266-CTR-000625: Inherently met SRG

Was missing status justification
---
 controls/srg_ctr/SRG-APP-000266-CTR-000625.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/controls/srg_ctr/SRG-APP-000266-CTR-000625.yml b/controls/srg_ctr/SRG-APP-000266-CTR-000625.yml
index 27a06cc5b4a..087e2e90072 100644
--- a/controls/srg_ctr/SRG-APP-000266-CTR-000625.yml
+++ b/controls/srg_ctr/SRG-APP-000266-CTR-000625.yml
@@ -8,3 +8,15 @@ controls:
 related_rules:
 - audit_profile_set
 status: inherently met
+ status_justification: |-
+ In OpenShift, the logs depend greatly on the component. Some components would just write messages to stdout that the cluster administrator can retrieve logs through the use of the oc command. Some components emit events, and others emit a Prometheus metric which the API server would write into their logs.
+
+ For the OCP components that run in a container (most operators), the usual RBAC rules would prevent a non-admin user from reading the container logs or events.
+
+ OpenShift error message handling is designed to obscure or not log sensitive information which is contained inside Secrets.
+
+ Error Messages from applications will need to be reviewed independently as the messages provided by the application hosted on the platform is outside the scope of the platform control.
+ artifact_description: |-
+ Supporting evidence is in the following documentation:
+ https://docs.openshift.com/container-platform/latest/logging/cluster-logging-visualizer.html
+ https://docs.openshift.com/container-platform/latest/authentication/using-rbac.html
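Review bot: Both links in the new `artifact_description` point at `latest`, so the evidence cited for this inherently-met status will silently change as the documentation is republished; pinning them to the release the justification was written against (`https://docs.openshift.com/container-platform/<version>/...`, with the actual version filled in) keeps the artifact reproducible for an assessor. In `status_justification`, the statement that "the usual RBAC rules would prevent a non-admin user from reading the container logs or events" describes the platform default rather than something the profile verifies — the only related rule is `audit_profile_set`, which concerns the audit profile, not log/event RBAC — so a short sentence noting that cluster-specific role bindings granting `pods/log` or event access are assumed not to exist would make the scope of the claim explicit. The final paragraph also has a subject/verb mismatch: `the messages provided by the application hosted on the platform is outside the scope` should read `the messages provided by applications hosted on the platform are outside the scope`.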