Merge pull request #12311 from yuumasato/add-pci-dss-v4.0-assertion-files

Add PCI-DSS v4.0 assertion files
rhmdnd authored Aug 27, 2024
2 parents 6cafeec + efc1483 commit ec2429f
Showing 16 changed files with 6,226 additions and 4 deletions.
Expand Up @@ -34,7 +34,7 @@ identifiers:
cce@ocp4: CCE-84080-1

platforms:
- (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16) and not ocp4-on-hypershift-hosted
- (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16 or ocp4.17) and not ocp4-on-hypershift-hosted

severity: high

Expand Up @@ -34,7 +34,7 @@ identifiers:
cce@ocp4: CCE-83591-8

platforms:
- (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16) and not ocp4-on-hypershift-hosted
- (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16 or ocp4.17) and not ocp4-on-hypershift-hosted

severity: high

Expand Up @@ -27,7 +27,7 @@ identifiers:
cce@ocp4: CCE-83396-2

platforms:
- (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16) and not ocp4-on-hypershift-hosted
- (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16 or ocp4.17) and not ocp4-on-hypershift-hosted

references:
cis@ocp4: 4.2.9
Expand Up @@ -27,7 +27,7 @@ identifiers:
cce@ocp4: CCE-90614-9

platforms:
- (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16) and not ocp4-on-hypershift-hosted
- (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16 or ocp4.17) and not ocp4-on-hypershift-hosted

references:
cis@ocp4: 4.2.9
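--- a/tests/assertions/ocp4/ocp4-pci-dss-4-0-4.12.yml
+++ b/tests/assertions/ocp4/ocp4-pci-dss-4-0-4.12.yml
@@ -0,0 +1,352 @@
+rule_results:
+e2e-pci-dss-4-0-accounts-restrict-service-account-tokens:
+default_result: MANUAL
+result_after_remediation: MANUAL
+e2e-pci-dss-4-0-accounts-unique-service-account:
+default_result: MANUAL
+result_after_remediation: MANUAL
+e2e-pci-dss-4-0-acs-sensor-exists:
+default_result: FAIL
+result_after_remediation: PASS
+e2e-pci-dss-4-0-alert-receiver-configured:
+default_result: MANUAL
+result_after_remediation: MANUAL
+e2e-pci-dss-4-0-api-server-admission-control-plugin-alwaysadmit:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-admission-control-plugin-alwayspullimages:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-admission-control-plugin-namespacelifecycle:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-admission-control-plugin-noderestriction:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-admission-control-plugin-scc:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-admission-control-plugin-service-account:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-anonymous-auth:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-audit-log-maxbackup:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-audit-log-maxsize:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-audit-log-path:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-auth-mode-no-aa:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-auth-mode-rbac:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-basic-auth:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-bind-address:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-client-ca:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-encryption-provider-cipher:
+default_result: FAIL
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-etcd-ca:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-etcd-cert:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-etcd-key:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-https-for-kubelet-conn:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-insecure-bind-address:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-kubelet-certificate-authority:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-kubelet-client-cert:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-kubelet-client-cert-pre-4-9:
+default_result: NOT-APPLICABLE
+result_after_remediation: NOT-APPLICABLE
+e2e-pci-dss-4-0-api-server-kubelet-client-key:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-kubelet-client-key-pre-4-9:
+default_result: NOT-APPLICABLE
+result_after_remediation: NOT-APPLICABLE
+e2e-pci-dss-4-0-api-server-oauth-https-serving-cert:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-openshift-https-serving-cert:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-profiling-protected-by-rbac:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-request-timeout:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-service-account-lookup:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-service-account-public-key:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-tls-cert:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-tls-cipher-suites:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-tls-private-key:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-tls-security-profile:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-api-server-token-auth:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-audit-error-alert-exists:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-audit-log-forwarding-enabled:
+default_result: FAIL
+result_after_remediation: PASS
+e2e-pci-dss-4-0-audit-log-forwarding-webhook:
+default_result: NOT-APPLICABLE
+result_after_remediation: NOT-APPLICABLE
+e2e-pci-dss-4-0-audit-logging-enabled:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-audit-profile-set:
+default_result: FAIL
+result_after_remediation: PASS
+e2e-pci-dss-4-0-configure-network-policies:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-configure-network-policies-hypershift-hosted:
+default_result: NOT-APPLICABLE
+result_after_remediation: NOT-APPLICABLE
+e2e-pci-dss-4-0-configure-network-policies-namespaces:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-container-security-operator-exists:
+default_result: FAIL
+result_after_remediation: PASS
+e2e-pci-dss-4-0-controller-insecure-port-disabled:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-controller-secure-port:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-controller-service-account-ca:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-controller-service-account-private-key:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-controller-use-service-account:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-etcd-auto-tls:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-etcd-cert-file:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-etcd-client-cert-auth:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-etcd-key-file:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-etcd-peer-auto-tls:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-etcd-peer-cert-file:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-etcd-peer-client-cert-auth:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-etcd-peer-key-file:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-file-groupowner-proxy-kubeconfig:
+default_result: NOT-APPLICABLE
+result_after_remediation: NOT-APPLICABLE
+e2e-pci-dss-4-0-file-integrity-exists:
+default_result: FAIL
+result_after_remediation: PASS
+e2e-pci-dss-4-0-file-integrity-notification-enabled:
+default_result: FAIL
+result_after_remediation: PASS
+e2e-pci-dss-4-0-file-owner-proxy-kubeconfig:
+default_result: NOT-APPLICABLE
+result_after_remediation: NOT-APPLICABLE
+e2e-pci-dss-4-0-file-permissions-proxy-kubeconfig:
+default_result: NOT-APPLICABLE
+result_after_remediation: NOT-APPLICABLE
+e2e-pci-dss-4-0-general-apply-scc:
+default_result: MANUAL
+result_after_remediation: MANUAL
+e2e-pci-dss-4-0-general-default-namespace-use:
+default_result: MANUAL
+result_after_remediation: MANUAL
+e2e-pci-dss-4-0-general-default-seccomp-profile:
+default_result: MANUAL
+result_after_remediation: MANUAL
+e2e-pci-dss-4-0-general-namespaces-in-use:
+default_result: MANUAL
+result_after_remediation: MANUAL
+e2e-pci-dss-4-0-idp-is-configured:
+default_result: FAIL
+result_after_remediation: PASS
+e2e-pci-dss-4-0-ingress-controller-certificate:
+default_result: FAIL
+result_after_remediation: PASS
+e2e-pci-dss-4-0-ingress-controller-tls-security-profile:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-kubeadmin-removed:
+default_result: FAIL
+result_after_remediation: FAIL
+e2e-pci-dss-4-0-kubelet-configure-tls-cert:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-kubelet-configure-tls-key:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-kubelet-disable-readonly-port:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-machine-volume-encrypted:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-oauth-or-oauthclient-inactivity-timeout:
+default_result: FAIL
+result_after_remediation: PASS
+e2e-pci-dss-4-0-ocp-allowed-registries:
+default_result: FAIL
+result_after_remediation: FAIL
+e2e-pci-dss-4-0-ocp-allowed-registries-for-import:
+default_result: FAIL
+result_after_remediation: FAIL
+e2e-pci-dss-4-0-ocp-api-server-audit-log-maxbackup:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-ocp-api-server-audit-log-maxsize:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-ocp-idp-no-htpasswd:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-ocp-insecure-allowed-registries-for-import:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-ocp-insecure-registries:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-ocp-no-ldap-insecure:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-openshift-api-server-audit-log-path:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-rbac-cluster-roles-defined:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-rbac-debug-role-protects-pprof:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-rbac-least-privilege:
+default_result: MANUAL
+result_after_remediation: MANUAL
+e2e-pci-dss-4-0-rbac-limit-cluster-admin:
+default_result: MANUAL
+result_after_remediation: MANUAL
+e2e-pci-dss-4-0-rbac-limit-secrets-access:
+default_result: MANUAL
+result_after_remediation: MANUAL
+e2e-pci-dss-4-0-rbac-pod-creation-access:
+default_result: MANUAL
+result_after_remediation: MANUAL
+e2e-pci-dss-4-0-rbac-roles-defined:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-rbac-wildcard-use:
+default_result: MANUAL
+result_after_remediation: MANUAL
+e2e-pci-dss-4-0-routes-protected-by-tls:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-scansettingbinding-exists:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-scc-drop-container-capabilities:
+default_result: MANUAL
+result_after_remediation: MANUAL
+e2e-pci-dss-4-0-scc-limit-container-allowed-capabilities:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-scc-limit-ipc-namespace:
+default_result: MANUAL
+result_after_remediation: MANUAL
+e2e-pci-dss-4-0-scc-limit-net-raw-capability:
+default_result: MANUAL
+result_after_remediation: MANUAL
+e2e-pci-dss-4-0-scc-limit-network-namespace:
+default_result: MANUAL
+result_after_remediation: MANUAL
+e2e-pci-dss-4-0-scc-limit-privilege-escalation:
+default_result: MANUAL
+result_after_remediation: MANUAL
+e2e-pci-dss-4-0-scc-limit-privileged-containers:
+default_result: MANUAL
+result_after_remediation: MANUAL
+e2e-pci-dss-4-0-scc-limit-process-id-namespace:
+default_result: MANUAL
+result_after_remediation: MANUAL
+e2e-pci-dss-4-0-scc-limit-root-containers:
+default_result: MANUAL
+result_after_remediation: MANUAL
+e2e-pci-dss-4-0-scheduler-profiling-protected-by-rbac:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-scheduler-service-protected-by-rbac:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-secrets-consider-external-storage:
+default_result: MANUAL
+result_after_remediation: MANUAL
+e2e-pci-dss-4-0-secrets-no-environment-variables:
+default_result: MANUAL
+result_after_remediation: MANUAL
+e2e-pci-dss-4-0-security-profiles-operator-exists:
+default_result: FAIL
+result_after_remediation: PASS
+e2e-pci-dss-4-0-storageclass-encryption-enabled:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-tls-version-check-apiserver:
+default_result: PASS
+result_after_remediation: PASS
+e2e-pci-dss-4-0-tls-version-check-router:
+default_result: PASS
+result_after_remediation: PASS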
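Review bot: Three entries keep `result_after_remediation: FAIL` — `e2e-pci-dss-4-0-kubeadmin-removed`, `e2e-pci-dss-4-0-ocp-allowed-registries` and `e2e-pci-dss-4-0-ocp-allowed-registries-for-import` — and nothing in the file records why remediation is not expected to reach PASS, so a later reader cannot tell an accepted limitation from a regression in the remediation content. Presumably these need input the e2e environment does not supply (a cluster-specific registry allow-list, removal of the bootstrap kubeadmin credential); a comment above each such entry, e.g. `# expected to stay FAIL in e2e: remediation needs cluster-specific input`, would pin that expectation down and make a future flip to PASS or FAIL reviewable. The file also has no `---` document-start line, which yamllint's document-start rule flags; the rendered view has dropped indentation, so the nesting of the rule keys under `rule_results` is assumed from the structure rather than visible here.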
