Add ITSAR NFV profile and controls for OCP/RHCOS #14409
rhmdnd wants to merge 2 commits into ComplianceAsCode:master from
Conversation
ITSAR has a benchmark for NFV functionality, which is applicable to OpenShift and RHCOS. Let's build out those profiles section by section, starting with section 1. Despite it being labeled as section 1, the controls are indexed at 2.
This commit adds the rules for authentication attribute management (IAM-like) controls.
@rhmdnd: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
| IdP level (e.g., Keycloak, Okta, Active Directory). For | ||
| machine accounts, ServiceAccount tokens satisfy the | ||
| single-attribute requirement. | ||
| rules: |
How about adding rule etcd_client_cert_auth?
| htpasswd. Verify that the external IdP is configured with at | ||
| least two countermeasures such as account lockout after failed | ||
| attempts, login delays, or password blacklists. | ||
| rules: |
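Review bot: the notes for this control hand the lockout, login-delay and password-blacklist check to the external IdP, which no rule in this content can observe, so the control should not carry a plain "automated" status unless the listed rules verify the cluster-side part on their own. Either mark it partial, or state in the notes which of the "at least two countermeasures" the selected rules actually cover and which remain a manual check against the IdP.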
Maybe also add idp_is_configured ?
| password storage uses strong hashing. Verify that the | ||
| external IdP enforces minimum length, character class, | ||
| and password history requirements. | ||
| rules: |
Maybe also add more rules ocp_idp_no_htpasswd, idp_is_configured, ocp_no_ldap_insecure and kubeadmin_removed?
| - kubelet_configure_client_ca | ||
| - id: 2.1.2 | ||
| title: Management Traffic Protection | ||
| status: automated |
Maybe also add some Ingress/Route Traffic Protection rules, such as ingress_controller_tls_security_profile, ingress_controller_tls_security_profile_custom_min_tls_version, ingress_controller_tls_security_profile_not_old and routes_protected_by_tls
| reference: https://nccs.gov.in/home/itsars | ||
|
|
||
| metadata: | ||
| version: V2.0.0 |
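Review bot: `reference` points at the generic ITSAR index (https://nccs.gov.in/home/itsars) while `metadata.version` pins a specific document version (V2.0.0), so a reader cannot check one against the other. Link the specific NFV ITSAR document the controls were written from, and keep this version string identical to the version in the profile file name so the two cannot drift.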
should be "version: V1.0.0"
| reference: https://nccs.gov.in/home/itsars | ||
|
|
||
| metadata: | ||
| version: V2.0.0 |
should be "version: V1.0.0"
| @@ -0,0 +1,18 @@ | |||
| --- | |||
The file name should be itsar-nfv-v1-0-0.profile
| This profile defines a baseline that aligns to the ITSAR NFV | ||
| requirements for Red Hat OpenShift Container Platform 4. | ||
|
|
||
| extends: itsar-nfv-v2-0-0 |
extends: itsar-nfv-v1-0-0
| reference: https://nccs.gov.in/home/itsars | ||
|
|
||
| metadata: | ||
| version: V2.0.0 |
should be "version: v1.0.0"
| This profile defines a baseline that aligns to the ITSAR NFV | ||
| requirements for Red Hat Enterprise Linux CoreOS 4. | ||
|
|
||
| extends: itsar-nfv-v2-0-0 |
extends: itsar-nfv-v1-0-0
| - etcd_peer_auto_tls | ||
| - etcd_check_cipher_suite | ||
| - id: 2.1.3 | ||
| title: Role-Based Access Control (RBAC) Policy |
In the doc it says "The system shall support RBAC with minimum of 3 user roles, in particular, for OAM privilege management for SystemManagement and Maintenance, including authorization of the operation for configuration data and software via the network product console interface". we didn't verify the minimum count of 3 user roles. Maybe status should be "partial"
| title: Logout Function | ||
| status: automated | ||
| rules: | ||
| - oauth_logout_url_set |
how about add one session timeout rule accounts_tmout?
| Verify that the external IdP locks accounts after no | ||
| more than 8 consecutive failed attempts, with a | ||
| recommended default of 5. | ||
| rules: |
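Review bot: the notes give two thresholds, "no more than 8" consecutive failed attempts and "a recommended default of 5"; pick the value the content will enforce and state it once. Any node-side lockout rule selected under this control has to be configured to a single threshold, and a reader of the profile should not have to guess which of the two numbers the scan actually checks.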
How about add more pam faillock rules:
- accounts_passwords_pam_faillock_deny
- accounts_passwords_pam_faillock_unlock_time
- accounts_passwords_pam_faillock_interval
ITSAR has a benchmark for NFV functionality, which is applicable to OpenShift and RHCOS. Let's build out those profiles section by section, starting with section 2. Section 1 is reserved as an overview and doesn't contain any technical controls.
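The review above flags three kinds of inconsistency in the new content: a `metadata.version` that disagrees with the `v1-0-0` in the profile file name, an `extends:` that names a profile which does not exist, and controls left at `status: automated` although their notes hand the check to an external IdP or they select no rules. As an added example (not ComplianceAsCode's own tooling), the following linter catches all three. The dictionaries stand in for the loaded YAML and are constructed for this example, the control ids and titles are illustrative, and the phrase-based detection of manual wording in `MANUAL_HINTS` is an assumption of the example rather than anything the project defines.

```python
"""Consistency linter for ComplianceAsCode-style controls and profiles.

Added example for this review thread, not the project's own tooling.
Checks: profile metadata version vs. file name, dangling 'extends'
targets, and 'automated' controls that select no rules or whose notes
delegate verification to a system the scanner cannot inspect.
"""
import re
from typing import Dict, List, Optional

# Assumption of this example: notes containing these phrases describe a
# check a human performs against an external system, not the scanner.
MANUAL_HINTS = ("external IdP", "Verify that")


def version_from_profile_name(name: str) -> Optional[str]:
    """'itsar-nfv-v1-0-0' -> '1.0.0'; None when the name has no version suffix."""
    match = re.search(r"-v(\d+)-(\d+)-(\d+)$", name)
    return ".".join(match.groups()) if match else None


def normalize_version(version: str) -> str:
    """Treat 'V1.0.0', 'v1.0.0' and '1.0.0' as the same version string."""
    return version.strip().lstrip("vV")


def check_profile(name: str, profile: dict, known_ids: set) -> List[str]:
    """Flag version/file-name mismatches and 'extends' targets that do not exist."""
    findings = []
    expected = version_from_profile_name(name)
    declared = (profile.get("metadata") or {}).get("version")
    if expected and declared and normalize_version(declared) != expected:
        findings.append(f"{name}: metadata version {declared} does not match "
                        f"the file name (expected {expected})")
    parent = profile.get("extends")
    if parent and parent not in known_ids:
        findings.append(f"{name}: extends {parent!r}, which is not a known profile")
    return findings


def check_control(control: dict) -> List[str]:
    """Flag 'automated' controls that cannot be fully automated as written."""
    findings = []
    cid = control.get("id", "?")
    if control.get("status") != "automated":
        return findings
    if not control.get("rules"):
        findings.append(f"control {cid}: status 'automated' but no rules are selected")
    if any(hint in control.get("notes", "") for hint in MANUAL_HINTS):
        findings.append(f"control {cid}: notes delegate verification outside the "
                        "scan; consider status 'partial'")
    return findings


def lint(controls: dict, profiles_by_product: Dict[str, Dict[str, dict]]) -> List[str]:
    """Run every check; profile findings are prefixed with their product."""
    findings = []
    for product, profiles in profiles_by_product.items():
        known_ids = set(profiles)  # 'extends' resolves within one product
        for name, profile in profiles.items():
            findings += [f"{product}/{f}" for f in check_profile(name, profile, known_ids)]
    for control in controls.get("controls", []):
        findings += check_control(control)
    return findings


# Constructed sample data shaped like the hunks in the review; ids, titles
# and notes are illustrative and not copied from the PR's files.
CONTROLS = {
    "id": "itsar_nfv",
    "reference": "https://nccs.gov.in/home/itsars",
    "controls": [
        {"id": "2.1.1", "title": "Authentication Hardening", "status": "automated",
         "notes": "Verify that the external IdP is configured with at least two countermeasures.",
         "rules": ["kubelet_configure_client_ca"]},
        {"id": "2.1.2", "title": "Management Traffic Protection", "status": "automated",
         "rules": ["etcd_peer_auto_tls", "etcd_check_cipher_suite"]},
        {"id": "2.1.3", "title": "Role-Based Access Control (RBAC) Policy",
         "status": "automated", "rules": []},
        {"id": "2.1.4", "title": "Logout Function", "status": "automated",
         "rules": ["oauth_logout_url_set"]},
    ],
}
PROFILES = {
    "ocp4": {
        "itsar-nfv-v1-0-0": {
            "extends": "itsar-nfv-v2-0-0",      # dangling: only v1-0-0 exists
            "metadata": {"version": "V2.0.0"},  # disagrees with the file name
        },
    },
    "rhcos4": {
        "itsar-nfv-v1-0-0": {
            "extends": None,
            "metadata": {"version": "v1.0.0"},  # accepted: case-insensitive match
        },
    },
}

if __name__ == "__main__":
    for finding in lint(CONTROLS, PROFILES):
        print(finding)
```

Run against the sample it reports four findings: the ocp4 profile's version mismatch and dangling `extends`, control 2.1.1 for notes that delegate to the IdP, and control 2.1.3 for an automated status with no rules. Feeding it real content would mean loading the controls file and the profile files with a YAML parser and keying the profiles by product directory and file stem, which is the shape the dictionaries above mimic.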