-
Notifications
You must be signed in to change notification settings - Fork 185
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[WIP] Metaschema Enhancements Needed for Rule Construct in Component …
…Definition (#1160) * [WIP] Add rules model and refs into component-definition model. * [WIP] Highlight example touch-ups with model changes for review later today. * Schema touch-ups and updated example. Signed-off-by: Alexander Stein <[email protected]> Signed-off-by: Alexander Stein <[email protected]>
- Loading branch information
1 parent
21b17ec
commit 1366460
Showing
3 changed files
with
374 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,129 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <!-- This is a mapping example used for development. This file should be moved to the oscal-content repo when this feature is ready. --> | ||
| <component-definition xmlns="http://csrc.nist.gov/ns/oscal/1.0" | ||
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
| xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 ../../../xml/schema/oscal_complete_schema.xsd" uuid="3559d200-4849-41ac-a420-28b2ffa22c52"> | ||
| <metadata> | ||
| <title>Example Component Definition for Openshift Container Platform v4, Rules, and Tests</title> | ||
| <last-modified>2022-08-23T00:00:00.000000000-04:00</last-modified> | ||
| <version>0.0.1-alpha</version> | ||
| <oscal-version>1.2.0</oscal-version> | ||
| </metadata> | ||
| <rule uuid="97a52f09-0248-45f4-8ac7-b7566170d733"> | ||
| <title>Disable Anonymous Unauthenticated Access to Components</title> | ||
| <description> | ||
| <p>Anonymous (i.e. unauthenticated) access to any OCP4 sub-system documented in the components below must prevent anonymous, unauthenticated access.</p> | ||
| </description> | ||
| </rule> | ||
| <test uuid="7d50cd70-f0b3-4922-a566-3526d5eba97b"> | ||
| <title>Disable Anonymous Authentication to the Kubelet - Iac Analysis</title> | ||
| <description> | ||
| <p>This test will analyze Infrastructure-as-Code (IaC) written in Ansible to provision OCP4 cluster(s). If the necessary configuration in <code>/etc/kubernetes/kubelet.conf</code> disables anonymous authentication with the appropriate setting (<code>authentication.anonymous.enabled: false</code>), this test will return a passing value. It will be one example of an aspect of OCP4 cluster(s) configured to meet CM-6 requirements.</p> | ||
| </description> | ||
| </test> | ||
| <test uuid="2388cb25-ccbc-4de0-9630-675de624593f"> | ||
| <title>Disable Anonymous Authentication to the Kubelet - Runtime Analysis with OCP4 Compliance Operator</title> | ||
| <description> | ||
| <p> | ||
| This test will analyze running OCP4 cluster(s) with its configured Compliance Operator to perform the necessary configuration management scans. If operator conducts scans of node kubelets and the necessary configuration in <code>/etc/kubernetes/kubelet.conf</code> disables anonymous authentication with the appropriate setting (<code>authentication.anonymous.enabled: false</code>), this test will return a passing value. It will be one example of an aspect of OCP4 cluster(s) configured to meet CM-6 requirements.</p> | ||
| </description> | ||
| <prop name="version" ns="https://www.open-scap.org/" value="0.1.63"/> | ||
| <prop name="id" ns="https://www.open-scap.org/" value="xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth"/> | ||
| <link href="https://static.open-scap.org/ssg-guides/ssg-ocp4-guide-moderate-node.html#xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth" rel="reference"/> | ||
| <link href="https://docs.openshift.com/container-platform/4.10/security/compliance_operator/compliance-operator-understanding.html" rel="reference"/> | ||
| </test> | ||
| <test uuid="b426642a-7ff0-42a0-9ef5-ceed4e14f326"> | ||
| <title>Disable Anonymous Authentication to the Kubelet - Runtime Analysis with CSP API for Managed OCP4 Control Plane</title> | ||
| <description> | ||
| <p>This test will analyze running OCP4 cluster(s) with a managed service from a cloud service provider (CSP). The CSP has a managed service that provisions OCP4 cluster(s) for customers. A REST API for this managed service can be queried. If the API confirms the setting is appropriately set, this test will return a passing value. It will be one example of an aspect of OCP4 cluster(s) configured to meet CM-6 requirements.</p> | ||
| </description> | ||
| </test> | ||
| <test uuid="2f6c5c71-13fb-43c8-beca-1e79498b34c4"> | ||
| <title>OCP4 Cluster Properly Configured and Deployed with Compliance Operator</title> | ||
| <description> | ||
| <p>This is a test that provides automated evaluation to confirm that an OCP4 cluster has the Compliance Operator properly installed and configured.</p> | ||
| </description> | ||
| <prop name="version" ns="https://github.com/openshift/compliance-operator" value="0.1.49"/> | ||
| <link href="https://docs.openshift.com/container-platform/4.10/security/compliance_operator/compliance-operator-installation.html" rel="reference"/> | ||
| <link href="https://www.redhat.com/en/technologies/cloud-computing/openshift/what-are-openshift-operators" rel="reference"/> | ||
| <link href="https://kubernetes.io/docs/concepts/extend-kubernetes/operator/" rel="reference"/> | ||
| </test> | ||
| <testing-scenario rule-uuid="97a52f09-0248-45f4-8ac7-b7566170d733" uuid="0666cbf2-2b76-4e9d-ba99-a783419ff1fe"> | ||
| <!-- Bind rule to static analysis test only. --> | ||
| <test-reference test-uuid="7d50cd70-f0b3-4922-a566-3526d5eba97b"/> | ||
| </testing-scenario> | ||
| <testing-scenario rule-uuid="97a52f09-0248-45f4-8ac7-b7566170d733" uuid="ccb267c8-f672-4aac-b522-5bbaef26f8e4"> | ||
| <!-- Bind rule to only runtime analysis rule with OpenSCAP in Compliance Operator test only. --> | ||
| <test-reference test-uuid="2388cb25-ccbc-4de0-9630-675de624593f" /> | ||
| </testing-scenario> | ||
| <testing-scenario rule-uuid="97a52f09-0248-45f4-8ac7-b7566170d733" uuid="ccb267c8-f672-4aac-b522-5bbaef26f8e4"> | ||
| <!-- Bind rule to only runtime analysis rule with CSP API test only. --> | ||
| <test-reference test-uuid="b426642a-7ff0-42a0-9ef5-ceed4e14f326" /> | ||
| </testing-scenario> | ||
| <testing-scenario rule-uuid="97a52f09-0248-45f4-8ac7-b7566170d733" uuid="e88b710f-41cc-4096-8a95-c91d986ae09a"> | ||
| <!-- Bind rule to both static analysis and CSP API tests. --> | ||
| <condition operator="and"> | ||
| <test-reference test-uuid="7d50cd70-f0b3-4922-a566-3526d5eba97b" /> | ||
| <test-reference test-uuid="2388cb25-ccbc-4de0-9630-675de624593f" /> | ||
| </condition> | ||
| </testing-scenario> | ||
| <testing-scenario rule-uuid="97a52f09-0248-45f4-8ac7-b7566170d733" uuid="37853442-2fc2-4e33-aca2-ddf8ff49390c"> | ||
| <!-- Bind rule to either static analysis or CSP API tests. --> | ||
| <condition operator="or"> | ||
| <test-reference test-uuid="7d50cd70-f0b3-4922-a566-3526d5eba97b" /> | ||
| <test-reference test-uuid="2388cb25-ccbc-4de0-9630-675de624593f" /> | ||
| </condition> | ||
| </testing-scenario> | ||
| <testing-scenario rule-uuid="97a52f09-0248-45f4-8ac7-b7566170d733" uuid="f3edfdbf-b3b4-48c9-8733-fd3ebdeed43c"> | ||
| <condition operator="and"> | ||
| <condition operator="and"> | ||
| <prerequisite operator="and"> | ||
| <!-- Cannot run the Compliance Operator test without Compliance Operator, make sure it is installed. --> | ||
| <test-reference test-uuid="2f6c5c71-13fb-43c8-beca-1e79498b34c4" /> | ||
| </prerequisite> | ||
| <test-reference test-uuid="2388cb25-ccbc-4de0-9630-675de624593f" /> | ||
| </condition> | ||
| <condition operator="and"> | ||
| <test-reference test-uuid="7d50cd70-f0b3-4922-a566-3526d5eba97b"/> | ||
| <test-reference test-uuid="b426642a-7ff0-42a0-9ef5-ceed4e14f326"/> | ||
| </condition> | ||
| </condition> | ||
| </testing-scenario> | ||
| <component uuid="94512adf-d8df-4535-a5af-57aaa1eed131" type="software"> | ||
| <title>RedHit Openshift Container Platform v4</title> | ||
| <description> | ||
| <p>This component documents the usage of RedHat's OpenShift Container Platform v4 (OCP4) in a system.</p> | ||
| <p>For many OpenShift Container Platform customers, regulatory readiness, or compliance, on some level is required before any systems can be put into production. That regulatory readiness can be imposed by national standards, industry standards, or the organization's corporate governance framework.</p> | ||
| <p>This component documents a system's use of OCP4 and its regulatory readiness in relation to NIST's Special Publication 800-37 information security and risk management framework. Implemented requirements are documented through security and privacy controls from NIST's Special Publication 800-53 Revision 5 Catalog.</p> | ||
| <p>Many of the implemented requirements provide supporting evidence of already implemented requirements with OCP4 cluster(s) as-is or recommendations for customers to configure cluster(s) accordingly in their own environment when it is their responsibility, on a control-by-control basis. Where applicable, OSCAL and its <code>rule</code>s provide machine-readable instructions for recommended security tools to evaluate security and privacy control requirements are met and provide machine-readable evidence of such requirements.</p> | ||
| </description> | ||
| <link href="https://docs.openshift.com/container-platform/4.10/security/index.html" rel="website"/> | ||
| <responsible-role role-id="ocp4-configuration-manager"/> | ||
| <control-implementation uuid="1ca1e0bf-4164-4823-9887-efbcee85d567" source="https://raw.githubusercontent.com/usnistgov/oscal-content/036b80f4153a2646b6a9dcb8902ebe519bc76225/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_catalog.xml"> | ||
| <description> | ||
| <p>Control implementations and their documented requirements for OCP4 from the NIST 800-53 Revision 5 Catalog (sourced from NIST ITL CSD's official OSCAL catalog).</p> | ||
| </description> | ||
| <implemented-requirement uuid="55c45f52-2d99-4efb-a429-479662428a88" control-id="cm-6"> | ||
| <description> | ||
| <p> | ||
| OCP4 implements requirements to support NIST 800-53 Revision 5 control CM-6: Configuration Settings. | ||
| </p> | ||
| </description> | ||
| <set-parameter param-id="cm-6_prm_1"> | ||
| <value>common secure configurations from official RedHat or community OpenSCAP sources</value> | ||
| </set-parameter> | ||
| <responsible-role role-id="ocp4-configuration-manager"/> | ||
| <statement statement-id="cm-6_smt.a" uuid="3cf1d575-82f7-44c1-bef9-f0d09178c726"> | ||
| <description> | ||
| <p>Configuration managers can use the product's functionality to establish and document configuration settings for OCP4 cluster(s) employed within the system. When not using system defaults, configuration managers can use <insert type="param" id-ref="cm-06_prm_1"/> that reflect the most restrictive mode consistent with operational requirements.</p> | ||
| </description> | ||
| </statement> | ||
| <condition operator="and"> | ||
| <!-- Bind testing scenario for static analysis test only. --> | ||
| <testing-scenario-reference testing-scenario-uuid="0666cbf2-2b76-4e9d-ba99-a783419ff1fe" /> | ||
| </condition> | ||
| </implemented-requirement> | ||
| </control-implementation> | ||
| </component> | ||
| <back-matter/> | ||
| </component-definition> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.