CMP-2375: Implement a new rule for checking audit logging is enabled #11731

rhmdnd · 2024-03-19T20:23:04Z

We already have a rule that checks that audit logging is configured to a
specific level called audit_profile_set. While this works, it was being
used for CIS OpenShift controls 3.2.1 and 3.2.2.

CIS 3.2.1 is really just checking if audit logging is enabled, or that
the profile isn't set to None.

CIS 3.2.2 is checking that the audit profile is set to
WriteRequestBodies.

Using the same rule for both controls was causing confusion because
control 3.2.1 should be satisfied by default with OpenShift using the
Default audit profile. Control 3.2.2 is a level 2 control that
requires users to make a change to the api server configuration to
remediate the finding.

This commit breaks the rule into two separate rules so that its easier
to see that one rule is clearly for CIS 3.2.1 and the other is for CIS
3.2.2.

We already have a rule that checks that audit logging is configured to a specific level called audit_profile_set. While this works, it was being used for CIS OpenShift controls 3.2.1 and 3.2.2. CIS 3.2.1 is really just checking if audit logging is enabled, or that the profile isn't set to `None`. CIS 3.2.2 is checking that the audit profile is set to `WriteRequestBodies`. Using the same rule for both controls was causing confusion because control 3.2.1 should be satisfied by default with OpenShift using the `Default` audit profile. Control 3.2.2 is a level 2 control that requires users to make a change to the api server configuration to remediate the finding. This commit breaks the rule into two separate rules so that its easier to see that one rule is clearly for CIS 3.2.1 and the other is for CIS 3.2.2.

github-actions · 2024-03-19T20:24:37Z

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

rhmdnd · 2024-03-19T20:29:28Z

/test

openshift-ci · 2024-03-19T20:29:31Z

@rhmdnd: The /test command needs one or more targets.
The following commands are available to trigger required jobs:

/test 4.13-e2e-aws-ocp4-cis
/test 4.13-e2e-aws-ocp4-cis-node
/test 4.13-e2e-aws-ocp4-e8
/test 4.13-e2e-aws-ocp4-high
/test 4.13-e2e-aws-ocp4-high-node
/test 4.13-e2e-aws-ocp4-moderate
/test 4.13-e2e-aws-ocp4-moderate-node
/test 4.13-e2e-aws-ocp4-pci-dss
/test 4.13-e2e-aws-ocp4-pci-dss-node
/test 4.13-e2e-aws-ocp4-stig
/test 4.13-e2e-aws-ocp4-stig-node
/test 4.13-e2e-aws-rhcos4-e8
/test 4.13-e2e-aws-rhcos4-high
/test 4.13-e2e-aws-rhcos4-moderate
/test 4.13-e2e-aws-rhcos4-stig
/test 4.13-images
/test 4.14-images
/test 4.15-e2e-aws-ocp4-cis
/test 4.15-e2e-aws-ocp4-cis-node
/test 4.15-e2e-aws-ocp4-e8
/test 4.15-e2e-aws-ocp4-high
/test 4.15-e2e-aws-ocp4-high-node
/test 4.15-e2e-aws-ocp4-moderate
/test 4.15-e2e-aws-ocp4-moderate-node
/test 4.15-e2e-aws-ocp4-pci-dss
/test 4.15-e2e-aws-ocp4-pci-dss-node
/test 4.15-e2e-aws-ocp4-stig
/test 4.15-e2e-aws-ocp4-stig-node
/test 4.15-e2e-aws-rhcos4-e8
/test 4.15-e2e-aws-rhcos4-high
/test 4.15-e2e-aws-rhcos4-moderate
/test 4.15-e2e-aws-rhcos4-stig
/test 4.15-images
/test 4.16-e2e-aws-ocp4-cis
/test 4.16-e2e-aws-ocp4-cis-node
/test 4.16-e2e-aws-ocp4-e8
/test 4.16-e2e-aws-ocp4-high
/test 4.16-e2e-aws-ocp4-high-node
/test 4.16-e2e-aws-ocp4-moderate
/test 4.16-e2e-aws-ocp4-moderate-node
/test 4.16-e2e-aws-ocp4-pci-dss
/test 4.16-e2e-aws-ocp4-pci-dss-node
/test 4.16-e2e-aws-ocp4-stig
/test 4.16-e2e-aws-ocp4-stig-node
/test 4.16-e2e-aws-rhcos4-e8
/test 4.16-e2e-aws-rhcos4-high
/test 4.16-e2e-aws-rhcos4-moderate
/test 4.16-e2e-aws-rhcos4-stig
/test 4.16-images
/test e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis-node
/test e2e-aws-ocp4-e8
/test e2e-aws-ocp4-high
/test e2e-aws-ocp4-high-node
/test e2e-aws-ocp4-moderate
/test e2e-aws-ocp4-moderate-node
/test e2e-aws-ocp4-pci-dss
/test e2e-aws-ocp4-pci-dss-node
/test e2e-aws-ocp4-stig
/test e2e-aws-ocp4-stig-node
/test e2e-aws-rhcos4-e8
/test e2e-aws-rhcos4-high
/test e2e-aws-rhcos4-moderate
/test e2e-aws-rhcos4-stig
/test images

Use /test all to run the following jobs that were automatically triggered:

pull-ci-ComplianceAsCode-content-master-4.13-images
pull-ci-ComplianceAsCode-content-master-4.14-images
pull-ci-ComplianceAsCode-content-master-4.15-images
pull-ci-ComplianceAsCode-content-master-4.16-images
pull-ci-ComplianceAsCode-content-master-images

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

rhmdnd · 2024-03-19T20:30:09Z

/test 4.13-e2e-aws-ocp4-cis
/test 4.15-e2e-aws-ocp4-cis
/test 4.16-e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis

github-actions · 2024-03-19T20:31:13Z

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11731
This image was built from commit: fca4310

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11731

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11731 make deploy-local

codeclimate · 2024-03-19T20:38:40Z

Code Climate has analyzed commit fca4310 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.3% (0.0% change).

View more on Code Climate.

xiaojiey · 2024-03-20T03:16:18Z

/hold for test

xiaojiey · 2024-03-20T03:17:14Z

Verification pass.

% oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.16.0-0.nightly-2024-03-13-061822   True        False         56m     Cluster version is 4.16.0-0.nightly-2024-03-13-061822
% cat ssb_cis.yaml 
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: cis-compliance
  namespace: openshift-compliance
profiles:
  - name: upstream-ocp4-cis
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1

% oc apply -f ssb_cis.yaml
scansettingbinding.compliance.openshift.io/cis-compliance created
% oc get suite
NAME             PHASE   RESULT
cis-compliance   DONE    NON-COMPLIANT
% oc get ccr upstream-ocp4-cis-audit-logging-enabled
upstream-ocp4-cis-audit-logging-enabled                                    PASS     medium
% oc get ccr upstream-ocp4-cis-audit-logging-enabled  -o=jsonpath={.instructions}
Run the following command to retrieve the current audit profile:
$ oc get apiservers cluster -ojsonpath='{.spec.audit.profile}'
Make sure the value is not set to `None`.%
% oc get ccr upstream-ocp4-cis-audit-profile-set 
NAME                                  STATUS   SEVERITY
upstream-ocp4-cis-audit-profile-set   FAIL     medium
% oc get ccr upstream-ocp4-cis-audit-profile-set -o=jsonpath={.instructions}
Run the following command to retrieve the current audit profile:
$ oc get apiservers cluster -ojsonpath='{.spec.audit.profile}'
Make sure the profile returned matches the one that should be used.%                                                                        
% oc get apiservers cluster -ojsonpath='{.spec.audit.profile}'              
Default%

xiaojiey · 2024-03-20T03:20:30Z

/unhold
/lgtm

Vincent056

/lgtm
Thanks for adding this rule

GroceryBoyJr · 2024-03-26T15:41:28Z

/lgtm

rhmdnd requested review from Vincent056, xiaojiey and BhargaviGudi March 19, 2024 20:23

rhmdnd added OpenShift OpenShift product related. CIS CIS Benchmark related. labels Mar 19, 2024

openshift-ci bot added the do-not-merge/hold Used by openshift-ci-robot bot. label Mar 20, 2024

openshift-ci bot removed the do-not-merge/hold Used by openshift-ci-robot bot. label Mar 20, 2024

Vincent056 approved these changes Mar 25, 2024

View reviewed changes

rhmdnd merged commit faa019d into ComplianceAsCode:master Mar 26, 2024
44 of 48 checks passed

Mab879 added this to the 0.1.73 milestone Mar 26, 2024

Mab879 added the New Rule Issues or pull requests related to new Rules. label Mar 26, 2024

marcusburghardt assigned Vincent056 May 6, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CMP-2375: Implement a new rule for checking audit logging is enabled #11731

CMP-2375: Implement a new rule for checking audit logging is enabled #11731

rhmdnd commented Mar 19, 2024

github-actions bot commented Mar 19, 2024

rhmdnd commented Mar 19, 2024

openshift-ci bot commented Mar 19, 2024

rhmdnd commented Mar 19, 2024

github-actions bot commented Mar 19, 2024

codeclimate bot commented Mar 19, 2024

xiaojiey commented Mar 20, 2024

xiaojiey commented Mar 20, 2024

xiaojiey commented Mar 20, 2024

Vincent056 left a comment

GroceryBoyJr commented Mar 26, 2024

CMP-2375: Implement a new rule for checking audit logging is enabled #11731

CMP-2375: Implement a new rule for checking audit logging is enabled #11731

Conversation

rhmdnd commented Mar 19, 2024

github-actions bot commented Mar 19, 2024

rhmdnd commented Mar 19, 2024

openshift-ci bot commented Mar 19, 2024

rhmdnd commented Mar 19, 2024

github-actions bot commented Mar 19, 2024

codeclimate bot commented Mar 19, 2024

xiaojiey commented Mar 20, 2024

xiaojiey commented Mar 20, 2024

xiaojiey commented Mar 20, 2024

Vincent056 left a comment

Choose a reason for hiding this comment

GroceryBoyJr commented Mar 26, 2024