Review and Update pcidss_4 control file

[marcusburghardt]

Description:

A valuable work was done by introducing a control file for PCI-DSSv4 in the project. Thanks @teacup-on-rockingchair
This is an important policy and I would like to facilitate the control file adoption by other products.

The entire control file was reviewed and updated in alignment to the PCI-DSS policy.
This PR is not introducing the pcidss_4 control file to other products. It is only about reviewing the control file to ensure it is in the best possible state so other products can more easily adopt it.

In General, this is how I reviewed the control file:

• I read requirement by requirement in the policy to better understand its context.
• For each requirement, I checked the equivalent entry in the control file.
  • Basically all titles were edited to separate requirement title from its description and eventual notes.
  • If the requirement is about paperwork, its status was moved to manual and rules entry was removed.
  • If the requirement is automatable, existing rules were reviewed, new rules were included and unrelated rules were removed.
    • Other control files, like CIS, were used as reference for finding new rules related to the requirements.
  • If the requirement is satisfied by selected rules, its status was moved to automated.
  • If the requirement is partially satisfied by selected rules, but something is still missing, its status was moved to partial and some notes about pending items were included.
  • If the requirement is clear and can be moved to automated without huge efforts, its status was moved to planned and some notes about what is expected to be done were included.
  • If the requirement is unclear and needs more investigation, it was kept as pending.

Rationale:

• Better PCI-DSS coverage.
• Complete review of pcidss_4 control file format and requirements so its adoption by other products is facilitated.
• Fixes PCI-DSS v4 was released on March 2022 #9161

Review Hints:

First of all, don't be scared by the number of commits.
This Policy is huge and many requirements are very related to each other.
It is common that a rule could fit in more than one requirement.
So along the review each change was in a separate commit to make the review much easier.
During the review, follow the flow of commits while checking the policy requirements to confirm the change makes sense. There are cases where a rule was inserted in a requirement from section 2 but when analyzing the section 8 it was concluded the rule better fits the section 8 and vice-versa. This is the reason I believe the review is much easier when checking commit by commit.
At the end, when all commits were checked and the context of each change is known, it time to a general review of the final state of the control file.

I hope these hints help to make the review less boring. : )

Additional Information:

After this PR, this should be the state of PCI-DSSv4 control file.

General stats:
all                 351 / 351 = 100.0%
applicable          349 / 351 = 99.43%
assessed            341 / 351 = 97.15%
full coverage       305 / 351 = 86.89%
not assessed          8 / 351 = 2.28%

Stats grouped by status:
automated            48 / 349 = 13.75%
manual              257 / 349 = 73.64%
not applicable        2 / 349 = 0.57%
partial              23 / 349 = 6.59%
pending               8 / 349 = 2.29%
planned               6 / 349 = 1.72%
supported             7 / 349 = 2.01%

Rules and Variables in pcidss_4 - base:
290 rules are selected
28 variables are explicitly defined

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment

Oracle Linux 8 Environment

[marcusburghardt]

Don't worry about CI errors for now. We will fix all of them before moving the PR from draft to ready.

[vojtapolasek]

I have reviewed section 3 as of 35aefaa . I approve this section.

[vojtapolasek]

I have reviewed section 4 as of 35aefaa. I approve this section.

[vojtapolasek]

I have reviewed section 5 as of 35aefaa and I approve it.

[Mab879]

Done for sections 1-2.

[Mab879]

I have reviewed section 7 and I have no objections.

[Mab879]

I have reviewed section 8 and have some suggestions.

[marcusburghardt]

I rebased the PR and resolved the conflict.

[marcusburghardt]

@teacup-on-rockingchair , could you check these 3 rules and include SLE cce to them or remove sle from their prodtypes, please?

• no_password_auth_for_systemaccounts
• auditd_name_format
• package_libselinux_installed

It was detected by CI tests.

[vojtapolasek]

I have reviewed section 6 as of d58d76e . I have few remarks.

[Mab879]

Just some minor points on section 9.

[Mab879]

I have reviewed section 11, I have no objections.

[Mab879]

One suggestion.

Setting status to "Request changes" to keep it for the other section.

[Mab879]

Review of the appendix is done.

I have couple of changes.

[vojtapolasek]

I have reviewed section 10. I have some comments, please take look at them.

[vojtapolasek]

I think that rules grub2_audit_argument and grub2_audit_backlog_limit_argument belong here as well. They ensure that processes started before the actual audit process are auditable as well; events are collected and then consumed once the audit daemon starts.
Moreover, I think this requirement does not need to be related to Audit only. What about rsyslog_cron_logging, rsyslog_logging_configured, service_systemd-journald_enabled, service_rsyslog_enabled.
There are more rules which enable logging e.g. for SSH, httpd, FTP, DHCP... but I would consider those rather related.

[marcusburghardt]

• grub2_audit_argument is already in 10.7.2.
  • The 10.2.1 is more about enabling the auditing and I believe 10.7.2 is a better candidate for these specific configurations.
• grub2_audit_backlog_limit_argument included in 10.7.2. Thanks for finding it.
• rsyslog_cron_logging, rsyslog_logging_configured, service_systemd-journald_enabled, service_rsyslog_enabledwere included to related rules.
  • The PCI-DSS is not specific about products and solutions so I prefer to include less than more rules.
  • But keeping them in related_rules is good to keep us aware and we can reconsider this along the time.

Changes in 11a80be

[vojtapolasek]

I do not think that rules which make processes auditable before the audit daemon starts belong to 10.7.2, I see them more as assurance that the logging is active as soon as possible... but this can be disputed later, I don't think it is something what should block this PR.

[marcusburghardt]

Sure @vojtapolasek . We can better discuss this in a separate PR. I believe along the time we will find many other opportunities of improvements to polish the control file. Thanks for the hints and all valid points you shared during your reviews.

[marcusburghardt]

Rebased

[Mab879]

The sections I reviewed LTGM.

Thanks for getting this done!

[codeclimate]

Code Climate has analyzed commit b158267 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 58.8%.

View more on Code Climate.

[marcusburghardt]

Gate (AR / RHEL) / Build, Lint Ansible Roles on Fedora Latest (Container) (pull_request) failure is not related to this PR.

[vojtapolasek]

Reviewed section 10 as of b158267 .
I approve it and I am merging the whole update to the control file. Thank you @marcusburghardt for the thorough review and update, thanks go also to @Mab879 .

[marcusburghardt]

Great! I would like to thank @Mab879 , @vojtapolasek and @teacup-on-rockingchair for the great support you gave reviewing this huge, but necessary PR.
Also @mildas for helping with the #11257

Great collaboration guys!!