CMP 2453 pci dss requirement 1 #11725
Conversation
rhmdnd
commented
Mar 18, 2024
- CMP-2453: Mark Requirement 1.1 as not applicable
- CMP-2453: Update Requirement 1.2
- CMP-2453: Update Requirement 1.3
- CMP-2453: Update Requirement 1.4
- CMP-2453: Update Requirement 1.5
These controls are documentation and process specific and there isn't a way to enforce them using the Compliance Operator. Mark them as not applicable.
Update each subsection of Requirement 1.2 based on its applicability to OpenShift and potential rules we can write to improve alignment with this requirement.
Add applicable rules that exist for these requirements, and add notes for rules we can create to further assess OpenShift clusters against these requirements.
Update each subsection of requirement 1.4. Some of these checks are outside the scope of OpenShift, but additional coverage for ingress and egress network configuration would be valuable. Document those gaps with references to tickets for that work.
Update the status of the single requirement in section 1.5.
# this in the OpenShift configuration: | ||
# https://docs.openshift.com/container-platform/latest/networking/network_policy/default-network-policy.html | ||
rules: | ||
- configure_network_policies_namespaces |
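Review bot: the `rules:` list maps this control only to `configure_network_policies_namespaces`, and the comment above it points at the namespace-level default-network-policy doc, but NetworkPolicy is namespace-scoped and does not govern pods running with `hostNetwork: true` or traffic reaching a Service from outside the cluster; the note next to this rule should state that residual gap (and the ticket tracking a hostNetwork/Service check, if one exists) so a reader of the control file does not take the single rule as full coverage.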
Need to make sure these rules reference the new requirement/control ID (e.g., 1.2.6) since the requirement IDs from PCI-DSS 3.2.1 don't line up directly with version 4.0.0.
I wonder if we need to inspect all services, and also to inspect any pod using hostnetwork?
I think network_policies does not apply to pods using hostNetwork.
Interesting - good question.
It looks like we do have some PCI-DSS overlap with the SCC rules for requirement 2.
$ grep -R pci applications/openshift/scc
applications/openshift/scc/scc_drop_container_capabilities/rule.yml: pcidss: Req-2.2
applications/openshift/scc/scc_limit_container_allowed_capabilities/rule.yml: pcidss: Req-2.2
applications/openshift/scc/scc_limit_ipc_namespace/rule.yml: pcidss: Req-2.2
applications/openshift/scc/scc_limit_net_raw_capability/rule.yml: pcidss: Req-2.2
applications/openshift/scc/scc_limit_network_namespace/rule.yml: pcidss: Req-2.2
applications/openshift/scc/scc_limit_privilege_escalation/rule.yml: pcidss: Req-2.2
applications/openshift/scc/scc_limit_privileged_containers/rule.yml: pcidss: Req-2.2
applications/openshift/scc/scc_limit_process_id_namespace/rule.yml: pcidss: Req-2.2
applications/openshift/scc/scc_limit_root_containers/rule.yml: pcidss: Req-2.2
I can make a note to go through those when we start parsing requirement 2.
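The coverage gap raised in this thread (a namespace can carry a NetworkPolicy while hostNetwork pods in it sit outside that policy), as an added example that is not part of this PR or the project's own rule content. It reads the shapes of `kubectl get networkpolicy -o json` and `kubectl get pods -o json`; the sample objects and the platform-namespace prefix filter are constructed assumptions, not the logic of `configure_network_policies_namespaces`.

```python
"""Report namespaces with no NetworkPolicy and pods that NetworkPolicy cannot isolate."""
from collections import defaultdict

# Constructed sample data in the shape of `kubectl get ... -o json` output.
POLICIES = {"items": [
    {"metadata": {"name": "default-deny", "namespace": "payments"}},
]}
PODS = {"items": [
    {"metadata": {"name": "api-0", "namespace": "payments"},
     "spec": {"hostNetwork": False}},
    {"metadata": {"name": "node-exporter-x", "namespace": "payments"},
     "spec": {"hostNetwork": True}},          # bypasses the namespace policy
    {"metadata": {"name": "batch-1", "namespace": "reports"},
     "spec": {}},                              # hostNetwork defaults to false
]}

# Assumption: platform namespaces are excluded from the finding, as many
# customer-facing checks do; adjust to the scoping your assessment uses.
PLATFORM_NS_PREFIXES = ("kube-", "openshift-")


def is_platform_ns(ns):
    return ns.startswith(PLATFORM_NS_PREFIXES)


def namespaces_without_policy(policies, pods):
    """Namespaces that run pods but have no NetworkPolicy object at all."""
    covered = {p["metadata"]["namespace"] for p in policies["items"]}
    in_use = {p["metadata"]["namespace"] for p in pods["items"]}
    return sorted(ns for ns in in_use - covered if not is_platform_ns(ns))


def host_network_pods(pods):
    """Pods with hostNetwork: true, keyed by namespace; NetworkPolicy does not apply."""
    found = defaultdict(list)
    for pod in pods["items"]:
        ns = pod["metadata"]["namespace"]
        if pod.get("spec", {}).get("hostNetwork", False) and not is_platform_ns(ns):
            found[ns].append(pod["metadata"]["name"])
    return dict(found)


def assess(policies, pods):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"namespace {ns} has no NetworkPolicy"
                for ns in namespaces_without_policy(policies, pods)]
    for ns, names in sorted(host_network_pods(pods).items()):
        findings.append(f"namespace {ns}: hostNetwork pods outside NetworkPolicy: "
                        + ", ".join(names))
    return findings


if __name__ == "__main__":
    for line in assess(POLICIES, PODS):
        print(line)
```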
Code Climate has analyzed commit 60195b8 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.3% (0.0% change). View more on Code Climate.
/hold for test
/unhold
/lgtm
/lgtm
Just some comments on adding a rule; we can do it in another PR.