CMP 2453 pci dss requirement 1 #11725
Conversation
rhmdnd
commented
Mar 18, 2024
rhmdnd
commented
- CMP-2453: Mark Requirement 1.1 as not applicable
- CMP-2453: Update Requirement 1.2
- CMP-2453: Update Requirement 1.3
- CMP-2453: Update Requirement 1.4
- CMP-2453: Update Requirement 1.5
These controls are documentation and process specific and there isn't a way to enforce them using the Compliance Operator. Mark them as not applicable.
Update each subsection of Requirement 1.2 based on its applicability to OpenShift and potential rules we can write to improve alignment with this requirement.
Add applicable rules that exist for these requirements, and add notes for rules we can create to further assess OpenShift clusters against these requirements.
Update each subsection of requirement 1.4. Some of these checks are outside the scope of OpenShift, but additional coverage for ingress and egress network configuration would be valuable. Documenting those gaps with references to tickets for that work.
Update the status of the single requirement in section 1.5.
|
Start a new ephemeral environment with changes proposed in this pull request: Fedora Environment Oracle Linux 8 Environment |
| # this in the OpenShift configuration: | ||
| # https://docs.openshift.com/container-platform/latest/networking/network_policy/default-network-policy.html | ||
| rules: | ||
| - configure_network_policies_namespaces |
There was a problem hiding this comment.
Need to make sure these rules reference the new requirement/control ID (e.g., 1.2.6) since the requirement IDs from PCI-DSS 3.2.1 don't line up directly with version 4.0.0.
There was a problem hiding this comment.
I wonder if we need to inspect all services, and also to inspect any pod using hostnetwork?
There was a problem hiding this comment.
I think network_policies does not apply to pod using hostnetwork
There was a problem hiding this comment.
Interesting - good question.
It looks like we do have some PCI-DSS overlap with the SCC rules for requirement 2.
$ grep -R pci applications/openshift/scc
applications/openshift/scc/scc_drop_container_capabilities/rule.yml: pcidss: Req-2.2
applications/openshift/scc/scc_limit_container_allowed_capabilities/rule.yml: pcidss: Req-2.2
applications/openshift/scc/scc_limit_ipc_namespace/rule.yml: pcidss: Req-2.2
applications/openshift/scc/scc_limit_net_raw_capability/rule.yml: pcidss: Req-2.2
applications/openshift/scc/scc_limit_network_namespace/rule.yml: pcidss: Req-2.2
applications/openshift/scc/scc_limit_privilege_escalation/rule.yml: pcidss: Req-2.2
applications/openshift/scc/scc_limit_privileged_containers/rule.yml: pcidss: Req-2.2
applications/openshift/scc/scc_limit_process_id_namespace/rule.yml: pcidss: Req-2.2
applications/openshift/scc/scc_limit_root_containers/rule.yml: pcidss: Req-2.2
I can make a note to go through those when we start parsing requirement 2.
|
🤖 A k8s content image for this PR is available at: Click here to see how to deploy itIf you alread have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: |
|
Code Climate has analyzed commit 60195b8 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.3% (0.0% change). View more on Code Climate. |
|
/hold for test |
|
/unhold |
|
/lgtm |
Mab879
added
the
Update Profile
