Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add PCI-DSS v4.0 assertion files #12311

Merged
merged 4 commits into from
Aug 27, 2024
Merged

Add PCI-DSS v4.0 assertion files #12311

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
6a49f22
Enable these rules on OCP 4.17
yuumasato Aug 16, 2024
ffa4cc1
Add PCI-DSS v4.0 assertion files
yuumasato Aug 16, 2024
c6b5f2e
security-profile-operator-exists: update assertion
yuumasato Aug 26, 2024
efc1483
etcd_unique_ca: update assertion file
yuumasato Aug 26, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ identifiers:
cce@ocp4: CCE-84080-1

platforms:
- (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16) and not ocp4-on-hypershift-hosted
- (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16 or ocp4.17) and not ocp4-on-hypershift-hosted

severity: high

Expand Down
2 changes: 1 addition & 1 deletion applications/openshift/api-server/api_server_kubelet_client_key/rule.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ identifiers:
cce@ocp4: CCE-83591-8

platforms:
- (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16) and not ocp4-on-hypershift-hosted
- (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16 or ocp4.17) and not ocp4-on-hypershift-hosted

severity: high

Expand Down
2 changes: 1 addition & 1 deletion applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ identifiers:
cce@ocp4: CCE-83396-2

platforms:
- (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16) and not ocp4-on-hypershift-hosted
- (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16 or ocp4.17) and not ocp4-on-hypershift-hosted

references:
cis@ocp4: 4.2.9
Expand Down
2 changes: 1 addition & 1 deletion applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ identifiers:
cce@ocp4: CCE-90614-9

platforms:
- (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16) and not ocp4-on-hypershift-hosted
- (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16 or ocp4.17) and not ocp4-on-hypershift-hosted

references:
cis@ocp4: 4.2.9
Expand Down
352 changes: 352 additions & 0 deletions tests/assertions/ocp4/ocp4-pci-dss-4-0-4.12.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,352 @@
rule_results:
e2e-pci-dss-4-0-accounts-restrict-service-account-tokens:
default_result: MANUAL
result_after_remediation: MANUAL
e2e-pci-dss-4-0-accounts-unique-service-account:
default_result: MANUAL
result_after_remediation: MANUAL
e2e-pci-dss-4-0-acs-sensor-exists:
default_result: FAIL
result_after_remediation: PASS
e2e-pci-dss-4-0-alert-receiver-configured:
default_result: MANUAL
result_after_remediation: MANUAL
e2e-pci-dss-4-0-api-server-admission-control-plugin-alwaysadmit:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-admission-control-plugin-alwayspullimages:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-admission-control-plugin-namespacelifecycle:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-admission-control-plugin-noderestriction:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-admission-control-plugin-scc:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-admission-control-plugin-service-account:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-anonymous-auth:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-audit-log-maxbackup:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-audit-log-maxsize:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-audit-log-path:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-auth-mode-no-aa:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-auth-mode-rbac:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-basic-auth:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-bind-address:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-client-ca:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-encryption-provider-cipher:
default_result: FAIL
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-etcd-ca:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-etcd-cert:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-etcd-key:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-https-for-kubelet-conn:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-insecure-bind-address:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-kubelet-certificate-authority:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-kubelet-client-cert:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-kubelet-client-cert-pre-4-9:
default_result: NOT-APPLICABLE
result_after_remediation: NOT-APPLICABLE
e2e-pci-dss-4-0-api-server-kubelet-client-key:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-kubelet-client-key-pre-4-9:
default_result: NOT-APPLICABLE
result_after_remediation: NOT-APPLICABLE
e2e-pci-dss-4-0-api-server-oauth-https-serving-cert:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-openshift-https-serving-cert:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-profiling-protected-by-rbac:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-request-timeout:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-service-account-lookup:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-service-account-public-key:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-tls-cert:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-tls-cipher-suites:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-tls-private-key:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-tls-security-profile:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-api-server-token-auth:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-audit-error-alert-exists:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-audit-log-forwarding-enabled:
default_result: FAIL
result_after_remediation: PASS
e2e-pci-dss-4-0-audit-log-forwarding-webhook:
default_result: NOT-APPLICABLE
result_after_remediation: NOT-APPLICABLE
e2e-pci-dss-4-0-audit-logging-enabled:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-audit-profile-set:
default_result: FAIL
result_after_remediation: PASS
e2e-pci-dss-4-0-configure-network-policies:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-configure-network-policies-hypershift-hosted:
default_result: NOT-APPLICABLE
result_after_remediation: NOT-APPLICABLE
e2e-pci-dss-4-0-configure-network-policies-namespaces:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-container-security-operator-exists:
default_result: FAIL
result_after_remediation: PASS
e2e-pci-dss-4-0-controller-insecure-port-disabled:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-controller-secure-port:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-controller-service-account-ca:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-controller-service-account-private-key:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-controller-use-service-account:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-etcd-auto-tls:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-etcd-cert-file:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-etcd-client-cert-auth:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-etcd-key-file:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-etcd-peer-auto-tls:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-etcd-peer-cert-file:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-etcd-peer-client-cert-auth:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-etcd-peer-key-file:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-file-groupowner-proxy-kubeconfig:
default_result: NOT-APPLICABLE
result_after_remediation: NOT-APPLICABLE
e2e-pci-dss-4-0-file-integrity-exists:
default_result: FAIL
result_after_remediation: PASS
e2e-pci-dss-4-0-file-integrity-notification-enabled:
default_result: FAIL
result_after_remediation: PASS
e2e-pci-dss-4-0-file-owner-proxy-kubeconfig:
default_result: NOT-APPLICABLE
result_after_remediation: NOT-APPLICABLE
e2e-pci-dss-4-0-file-permissions-proxy-kubeconfig:
default_result: NOT-APPLICABLE
result_after_remediation: NOT-APPLICABLE
e2e-pci-dss-4-0-general-apply-scc:
default_result: MANUAL
result_after_remediation: MANUAL
e2e-pci-dss-4-0-general-default-namespace-use:
default_result: MANUAL
result_after_remediation: MANUAL
e2e-pci-dss-4-0-general-default-seccomp-profile:
default_result: MANUAL
result_after_remediation: MANUAL
e2e-pci-dss-4-0-general-namespaces-in-use:
default_result: MANUAL
result_after_remediation: MANUAL
e2e-pci-dss-4-0-idp-is-configured:
default_result: FAIL
result_after_remediation: PASS
e2e-pci-dss-4-0-ingress-controller-certificate:
default_result: FAIL
result_after_remediation: PASS
e2e-pci-dss-4-0-ingress-controller-tls-security-profile:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-kubeadmin-removed:
default_result: FAIL
result_after_remediation: FAIL
e2e-pci-dss-4-0-kubelet-configure-tls-cert:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-kubelet-configure-tls-key:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-kubelet-disable-readonly-port:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-machine-volume-encrypted:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-oauth-or-oauthclient-inactivity-timeout:
default_result: FAIL
result_after_remediation: PASS
e2e-pci-dss-4-0-ocp-allowed-registries:
default_result: FAIL
result_after_remediation: FAIL
e2e-pci-dss-4-0-ocp-allowed-registries-for-import:
default_result: FAIL
result_after_remediation: FAIL
e2e-pci-dss-4-0-ocp-api-server-audit-log-maxbackup:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-ocp-api-server-audit-log-maxsize:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-ocp-idp-no-htpasswd:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-ocp-insecure-allowed-registries-for-import:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-ocp-insecure-registries:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-ocp-no-ldap-insecure:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-openshift-api-server-audit-log-path:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-rbac-cluster-roles-defined:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-rbac-debug-role-protects-pprof:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-rbac-least-privilege:
default_result: MANUAL
result_after_remediation: MANUAL
e2e-pci-dss-4-0-rbac-limit-cluster-admin:
default_result: MANUAL
result_after_remediation: MANUAL
e2e-pci-dss-4-0-rbac-limit-secrets-access:
default_result: MANUAL
result_after_remediation: MANUAL
e2e-pci-dss-4-0-rbac-pod-creation-access:
default_result: MANUAL
result_after_remediation: MANUAL
e2e-pci-dss-4-0-rbac-roles-defined:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-rbac-wildcard-use:
default_result: MANUAL
result_after_remediation: MANUAL
e2e-pci-dss-4-0-routes-protected-by-tls:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-scansettingbinding-exists:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-scc-drop-container-capabilities:
default_result: MANUAL
result_after_remediation: MANUAL
e2e-pci-dss-4-0-scc-limit-container-allowed-capabilities:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-scc-limit-ipc-namespace:
default_result: MANUAL
result_after_remediation: MANUAL
e2e-pci-dss-4-0-scc-limit-net-raw-capability:
default_result: MANUAL
result_after_remediation: MANUAL
e2e-pci-dss-4-0-scc-limit-network-namespace:
default_result: MANUAL
result_after_remediation: MANUAL
e2e-pci-dss-4-0-scc-limit-privilege-escalation:
default_result: MANUAL
result_after_remediation: MANUAL
e2e-pci-dss-4-0-scc-limit-privileged-containers:
default_result: MANUAL
result_after_remediation: MANUAL
e2e-pci-dss-4-0-scc-limit-process-id-namespace:
default_result: MANUAL
result_after_remediation: MANUAL
e2e-pci-dss-4-0-scc-limit-root-containers:
default_result: MANUAL
result_after_remediation: MANUAL
e2e-pci-dss-4-0-scheduler-profiling-protected-by-rbac:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-scheduler-service-protected-by-rbac:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-secrets-consider-external-storage:
default_result: MANUAL
result_after_remediation: MANUAL
e2e-pci-dss-4-0-secrets-no-environment-variables:
default_result: MANUAL
result_after_remediation: MANUAL
e2e-pci-dss-4-0-security-profiles-operator-exists:
default_result: FAIL
result_after_remediation: PASS
e2e-pci-dss-4-0-storageclass-encryption-enabled:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-tls-version-check-apiserver:
default_result: PASS
result_after_remediation: PASS
e2e-pci-dss-4-0-tls-version-check-router:
default_result: PASS
result_after_remediation: PASS
Loading
Loading