diff --git a/controls/itsar_nfv.yml b/controls/itsar_nfv.yml
new file mode 100644
index 000000000000..bc6d515ef978
--- /dev/null
+++ b/controls/itsar_nfv.yml
@@ -0,0 +1,9 @@
+---
+policy: ITSAR NFV
+title: ITSAR NFV
+id: itsar_nfv
+source: ''
+
+product:
+ - ocp4
+ - rhcos4
diff --git a/controls/itsar_nfv/section-2.yml b/controls/itsar_nfv/section-2.yml
new file mode 100644
index 000000000000..380890f02b87
--- /dev/null
+++ b/controls/itsar_nfv/section-2.yml
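Review bot: `source: ''` leaves the control file with no pointer to the standard it encodes, while every profile in this change carries `reference: https://nccs.gov.in/home/itsars`; setting `source: https://nccs.gov.in/home/itsars` here keeps the control-to-standard mapping traceable from the controls directory itself rather than only from the profiles. Since `product:` lists both ocp4 and rhcos4, a one-line comment above it stating that the section files are shared by both products and that node-level rules are presumably meant for rhcos4 would save the next reader a trip through the profiles, e.g. `# shared by the ocp4 and rhcos4 itsar-nfv profiles`.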
@@ -0,0 +1,234 @@
+---
+controls:
+ - id: '2'
+ title: System Management
+ status: automated
+ rules: []
+ controls:
+ - id: '2.1'
+ title: Access and Authorization
+ status: pending
+ rules: []
+ controls:
+ - id: 2.1.1
+ title: Ensure mutual authentication is enabled for system management interfaces
+ status: automated
+ rules:
+ - api_server_client_ca
+ - api_server_kubelet_client_cert
+ - etcd_client_cert_auth
+ - etcd_peer_client_cert_auth
+ - kubelet_configure_client_ca
+ - id: 2.1.2
+ title: Management Traffic Protection
+ status: automated
+ rules:
+ - api_server_tls_security_profile
+ - api_server_tls_security_profile_not_old
+ - api_server_tls_security_profile_custom_min_tls_version
+ - api_server_tls_cipher_suites
+ - api_server_tls_cert
+ - api_server_tls_private_key
+ - api_server_https_for_kubelet_conn
+ - api_server_insecure_port
+ - api_server_insecure_bind_address
+ - kubelet_configure_tls_min_version
+ - kubelet_configure_tls_cipher_suites
+ - etcd_cert_file
+ - etcd_key_file
+ - etcd_peer_cert_file
+ - etcd_peer_key_file
+ - etcd_auto_tls
+ - etcd_peer_auto_tls
+ - etcd_check_cipher_suite
+ - id: 2.1.3
+ title: Role-Based Access Control (RBAC) Policy
+ status: automated
+ rules:
+ - api_server_auth_mode_rbac
+ - rbac_least_privilege
+ - rbac_cluster_roles_defined
+ - rbac_roles_defined
+ - rbac_limit_cluster_admin
+ - rbac_wildcard_use
+ - id: 2.1.4
+ title: User Authentication
+ status: automated
+ rules:
+ - idp_is_configured
+ - ocp_idp_no_htpasswd
+ - kubeadmin_removed
+ - ocp_no_ldap_insecure
+ - api_server_token_auth
+ - api_server_basic_auth
+ - accounts_unique_service_account
+ - accounts_restrict_service_account_tokens
+ - controller_use_service_account
+ - api_server_service_account_lookup
+ - id: 2.1.5
+ title: Remote Login Restrictions for Privileged Users
+ status: automated
+ rules:
+ - sshd_disable_root_login
+ - no_direct_root_logins
+ - id: 2.1.6
+ title: Authorization Policy
+ status: automated
+ rules:
+ - scc_limit_privileged_containers
+ - scc_limit_root_containers
+ - scc_limit_privilege_escalation
+ - scc_limit_host_dir_volume_plugin
+ - scc_drop_container_capabilities
+ - scc_limit_container_allowed_capabilities
+ - scc_limit_net_raw_capability
+ - scc_limit_ipc_namespace
+ - scc_limit_network_namespace
+ - scc_limit_process_id_namespace
+ - scc_limit_host_ports
+ - id: 2.1.7
+ title: Unambiguous Identification of the User & Group Accounts Removal
+ status: automated
+ rules:
+ - idp_is_configured
+ - ocp_idp_no_htpasswd
+ - kubeadmin_removed
+ - accounts_unique_service_account
+ - accounts_no_clusterrolebindings_default_service_account
+ - accounts_no_rolebindings_default_service_account
+ - audit_logging_enabled
+ - audit_profile_set
+ - id: 2.1.8
+ title: Out of Band Management
+ status: partial
+ notes: |-
+ This is an infrastructure-level control. Verify that the
+ Kubernetes API server and OpenShift Console are accessible
+ only through a private management network or a secure VPN
+ tunnel that enforces MFA.
+ rules:
+ - configure_network_policies
+ - configure_network_policies_namespaces
+ - project_config_and_template_network_policy
+ - id: '2.2'
+ title: Authentication Attribute Management
+ status: pending
+ rules: []
+ controls:
+ - id: 2.2.1
+ title: Authentication Policy
+ status: partial
+ notes: |-
+ OpenShift delegates authentication to an external Identity
+ Provider. The automated rules verify that an MFA-capable
+ IdP is configured and that weak single-factor methods
+ (htpasswd, basic-auth, static tokens) are disabled.
+ However, actual MFA enforcement must be verified at the
+ IdP level (e.g., Keycloak, Okta, Active Directory). For
+ machine accounts, ServiceAccount tokens satisfy the
+ single-attribute requirement.
+ rules:
+ - idp_is_configured
+ - ocp_idp_no_htpasswd
+ - kubeadmin_removed
+ - ocp_no_ldap_insecure
+ - api_server_token_auth
+ - api_server_basic_auth
+ - id: 2.2.2
+ title: Authentication Support - External
+ status: automated
+ rules:
+ - ocp_no_ldap_insecure
+ - id: 2.2.3
+ title: Protection against Brute Force and Dictionary Attacks
+ status: partial
+ notes: |-
+ Brute force and dictionary attack protections are primarily
+ enforced at the Identity Provider level. The automated rule
+ ensures an IdP capable of account lockout is used instead of
+ htpasswd. Verify that the external IdP is configured with at
+ least two countermeasures such as account lockout after failed
+ attempts, login delays, or password blacklists.
+ rules:
+ - ocp_idp_no_htpasswd
+ - id: 2.2.4
+ title: Enforce Strong Password
+ status: partial
+ notes: |-
+ Password complexity is primarily enforced at the Identity
+ Provider level. The automated rules ensure Kubernetes
+ Secrets are encrypted at rest in etcd and that node-level
+ password storage uses strong hashing. Verify that the
+ external IdP enforces minimum length, character class,
+ and password history requirements.
+ rules:
+ - api_server_encryption_provider_cipher
+ - no_empty_passwords
+ - id: 2.2.5
+ title: Inactive Session Timeout
+ status: automated
+ rules:
+ - oauth_inactivity_timeout
+ - oauthclient_inactivity_timeout
+ - oauth_or_oauthclient_inactivity_timeout
+ - oauth_token_maxage
+ - oauthclient_token_maxage
+ - oauth_or_oauthclient_token_maxage
+ - sshd_set_idle_timeout
+ - sshd_set_keepalive
+ - id: 2.2.6
+ title: Password Changes
+ status: manual
+ notes: |-
+ Password change enforcement, expiration, and history are
+ functions of the external Identity Provider. Verify that
+ the IdP linked to OpenShift enforces password changes on
+ initial login and upon expiry, and prevents reuse of at
+ least the last 3 passwords. Kubernetes does not track
+ password history.
+ rules: []
+ - id: 2.2.7
+ title: Protected Authentication Feedback
+ status: inherently met
+ notes: |-
+ Password masking is inherent behavior in OpenShift and
+ Linux. The OpenShift Console, oc CLI, and node-level
+ authentication commands (passwd, login, sudo) all
+ obscure password input using system calls that do not
+ echo characters to the terminal. This cannot be
+ misconfigured.
+ rules: []
+ - id: 2.2.8
+ title: Removal of Predefined or Default Authentication Attributes
+ status: automated
+ rules:
+ - kubeadmin_removed
+ - id: 2.2.9
+ title: Logout Function
+ status: automated
+ rules:
+ - oauth_logout_url_set
+ - id: 2.2.10
+ title: Policy Regarding Consecutive Failed Login Attempts
+ status: partial
+ notes: |-
+ Account lockout after failed login attempts is enforced
+ at the Identity Provider level. The automated rule
+ ensures an IdP capable of account lockout is used.
+ Verify that the external IdP locks accounts after no
+ more than 8 consecutive failed attempts, with a
+ recommended default of 5.
+ rules:
+ - ocp_idp_no_htpasswd
+ - id: 2.2.11
+ title: Suspend Accounts on Non-Use
+ status: partial
+ notes: |-
+ Account suspension after non-use is primarily managed
+ by the external Identity Provider. The automated rule
+ enforces account disabling on RHCOS nodes after
+ password expiration inactivity. Verify that the IdP
+ linked to OpenShift is configured to suspend accounts
+ after a defined period without valid login.
+ rules:
+ - account_disable_post_pw_expiration
diff --git a/products/ocp4/profiles/itsar-nfv-v2-0-0.profile b/products/ocp4/profiles/itsar-nfv-v2-0-0.profile
new file mode 100644
index 000000000000..9596140f3a61
--- /dev/null
+++ b/products/ocp4/profiles/itsar-nfv-v2-0-0.profile
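Review bot: Control 2.2.5 selects `oauth_inactivity_timeout`, `oauthclient_inactivity_timeout` and `oauth_or_oauthclient_inactivity_timeout` together, and likewise all three `*_token_maxage` rules; if the `oauth_or_oauthclient_*` rules are the either-or checks their names suggest, a cluster that sets the timeout only on the OAuth server or only on an OAuthClient passes the combined rule but fails one of the individual ones, so the control reports non-compliance for a configuration the requirement accepts. Keep either the two combined rules or the four individual ones, not both, and say in a `notes:` line which configuration the control expects. Controls 2.1.5, 2.2.4, 2.2.5 and 2.2.11 also rely on node-level rules (`sshd_disable_root_login`, `no_direct_root_logins`, `no_empty_passwords`, `sshd_set_idle_timeout`, `account_disable_post_pw_expiration`) in a control file whose parent declares both ocp4 and rhcos4; how a rule absent from one product is handled is not visible here, so confirm both product builds resolve these controls as intended and consider a `notes:` line on 2.1.5 naming the product that evaluates them.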
@@ -0,0 +1,18 @@
+---
+documentation_complete: true
+
+title: 'ITSAR NFV for Red Hat OpenShift Container Platform 4'
+
+platform: ocp4
+
+reference: https://nccs.gov.in/home/itsars
+
+metadata:
+ version: V2.0.0
+
+description: |-
+ This profile defines a baseline that aligns to the ITSAR NFV
+ requirements for Red Hat OpenShift Container Platform 4.
+
+selections:
+ - itsar_nfv:all
diff --git a/products/ocp4/profiles/itsar-nfv.profile b/products/ocp4/profiles/itsar-nfv.profile
new file mode 100644
index 000000000000..c4c044df71a2
--- /dev/null
+++ b/products/ocp4/profiles/itsar-nfv.profile
@@ -0,0 +1,17 @@
+---
+documentation_complete: true
+
+title: 'ITSAR NFV for Red Hat OpenShift Container Platform 4'
+
+platform: ocp4
+
+reference: https://nccs.gov.in/home/itsars
+
+metadata:
+ version: V2.0.0
+
+description: |-
+ This profile defines a baseline that aligns to the ITSAR NFV
+ requirements for Red Hat OpenShift Container Platform 4.
+
+extends: itsar-nfv-v2-0-0
diff --git a/products/rhcos4/profiles/itsar-nfv-v2-0-0.profile b/products/rhcos4/profiles/itsar-nfv-v2-0-0.profile
new file mode 100644
index 000000000000..15a4534159c8
--- /dev/null
+++ b/products/rhcos4/profiles/itsar-nfv-v2-0-0.profile
@@ -0,0 +1,18 @@
+---
+documentation_complete: true
+
+title: 'ITSAR NFV for Red Hat Enterprise Linux CoreOS 4'
+
+platform: rhcos4
+
+reference: https://nccs.gov.in/home/itsars
+
+metadata:
+ version: V2.0.0
+
+description: |-
+ This profile defines a baseline that aligns to the ITSAR NFV
+ requirements for Red Hat Enterprise Linux CoreOS 4.
+
+selections:
+ - itsar_nfv:all
diff --git a/products/rhcos4/profiles/itsar-nfv.profile b/products/rhcos4/profiles/itsar-nfv.profile
new file mode 100644
index 000000000000..14ba8b3e60f4
--- /dev/null
+++ b/products/rhcos4/profiles/itsar-nfv.profile
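Review bot: `selections: - itsar_nfv:all` pulls every control under controls/itsar_nfv into the ocp4 product, including the node-level rules section-2 lists for 2.1.5, 2.2.4, 2.2.5 and 2.2.11 (`sshd_*`, `no_empty_passwords`, `account_disable_post_pw_expiration`); whether a rule that is not part of the ocp4 product is dropped, ignored or fails the build is not visible in this diff, so confirm the ocp4 build resolves the selection cleanly and that the rhcos4 profile (same shape, later on this line) is the one that actually evaluates those rules. A short comment above `selections:` recording that split, e.g. `# node-level controls are evaluated by the rhcos4 itsar-nfv profile`, would make the intended coverage explicit to anyone reading the ocp4 results.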
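Review bot: The unversioned `itsar-nfv.profile` restates `title`, `reference`, `metadata.version` and `description` instead of inheriting them from `itsar-nfv-v2-0-0`, so a future version bump has to update `extends:` and `metadata.version` here in step or the two drift apart silently. If restating them is the project convention, a comment above `extends:` such as `# keep metadata.version in sync with the extended profile` makes the coupling explicit. The rhcos4 counterpart (the last file in this diff) has the same shape.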
@@ -0,0 +1,17 @@
+---
+documentation_complete: true
+
+title: 'ITSAR NFV for Red Hat Enterprise Linux CoreOS 4'
+
+platform: rhcos4
+
+reference: https://nccs.gov.in/home/itsars
+
+metadata:
+ version: V2.0.0
+
+description: |-
+ This profile defines a baseline that aligns to the ITSAR NFV
+ requirements for Red Hat Enterprise Linux CoreOS 4.
+
+extends: itsar-nfv-v2-0-0