Add ITSAR NFV profile and controls for OCP/RHCOS #14409
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| --- | ||
| policy: ITSAR NFV | ||
| title: ITSAR NFV | ||
| id: itsar_nfv | ||
| source: '' | ||
|
|
||
| product: | ||
| - ocp4 | ||
| - rhcos4 |
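Review bot: `source: ''` leaves the policy file without any citation, while every profile in this change points at https://nccs.gov.in/home/itsars. Fill in `source:` with the ITSAR NFV document (or at least that URL) so control ids 2.1.1 through 2.2.11 can be traced back to the requirement text they paraphrase; `policy:` and `title:` carrying the same string is fine.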
| @@ -0,0 +1,234 @@ | ||
| --- | ||
| controls: | ||
| - id: '2' | ||
| title: System Management | ||
| status: automated | ||
| rules: [] | ||
| controls: | ||
| - id: '2.1' | ||
| title: Access and Authorization | ||
| status: pending | ||
| rules: [] | ||
| controls: | ||
| - id: 2.1.1 | ||
| title: Ensure mutual authentication is enabled for system management interfaces | ||
| status: automated | ||
| rules: | ||
| - api_server_client_ca | ||
| - api_server_kubelet_client_cert | ||
| - etcd_client_cert_auth | ||
| - etcd_peer_client_cert_auth | ||
| - kubelet_configure_client_ca | ||
| - id: 2.1.2 | ||
| title: Management Traffic Protection | ||
| status: automated | ||
| rules: | ||
| - api_server_tls_security_profile | ||
| - api_server_tls_security_profile_not_old | ||
| - api_server_tls_security_profile_custom_min_tls_version | ||
| - api_server_tls_cipher_suites | ||
| - api_server_tls_cert | ||
| - api_server_tls_private_key | ||
| - api_server_https_for_kubelet_conn | ||
| - api_server_insecure_port | ||
| - api_server_insecure_bind_address | ||
| - kubelet_configure_tls_min_version | ||
| - kubelet_configure_tls_cipher_suites | ||
| - etcd_cert_file | ||
| - etcd_key_file | ||
| - etcd_peer_cert_file | ||
| - etcd_peer_key_file | ||
| - etcd_auto_tls | ||
| - etcd_peer_auto_tls | ||
| - etcd_check_cipher_suite | ||
| - id: 2.1.3 | ||
| title: Role-Based Access Control (RBAC) Policy | ||
Collaborator: In the doc it says "The system shall support RBAC with minimum of 3 user roles, in particular, for OAM privilege management for SystemManagement and Maintenance, including authorization of the operation for configuration data and software via the network product console interface". We didn't verify the minimum count of 3 user roles. Maybe the status should be "partial".
| status: automated | ||
| rules: | ||
| - api_server_auth_mode_rbac | ||
| - rbac_least_privilege | ||
| - rbac_cluster_roles_defined | ||
| - rbac_roles_defined | ||
| - rbac_limit_cluster_admin | ||
| - rbac_wildcard_use | ||
| - id: 2.1.4 | ||
| title: User Authentication | ||
| status: automated | ||
| rules: | ||
| - idp_is_configured | ||
| - ocp_idp_no_htpasswd | ||
| - kubeadmin_removed | ||
| - ocp_no_ldap_insecure | ||
| - api_server_token_auth | ||
| - api_server_basic_auth | ||
| - accounts_unique_service_account | ||
| - accounts_restrict_service_account_tokens | ||
| - controller_use_service_account | ||
| - api_server_service_account_lookup | ||
| - id: 2.1.5 | ||
| title: Remote Login Restrictions for Privileged Users | ||
| status: automated | ||
| rules: | ||
| - sshd_disable_root_login | ||
| - no_direct_root_logins | ||
| - id: 2.1.6 | ||
| title: Authorization Policy | ||
| status: automated | ||
| rules: | ||
| - scc_limit_privileged_containers | ||
| - scc_limit_root_containers | ||
| - scc_limit_privilege_escalation | ||
| - scc_limit_host_dir_volume_plugin | ||
| - scc_drop_container_capabilities | ||
| - scc_limit_container_allowed_capabilities | ||
| - scc_limit_net_raw_capability | ||
| - scc_limit_ipc_namespace | ||
| - scc_limit_network_namespace | ||
| - scc_limit_process_id_namespace | ||
| - scc_limit_host_ports | ||
| - id: 2.1.7 | ||
| title: Unambiguous Identification of the User & Group Accounts Removal | ||
| status: automated | ||
| rules: | ||
| - idp_is_configured | ||
| - ocp_idp_no_htpasswd | ||
| - kubeadmin_removed | ||
| - accounts_unique_service_account | ||
| - accounts_no_clusterrolebindings_default_service_account | ||
| - accounts_no_rolebindings_default_service_account | ||
| - audit_logging_enabled | ||
| - audit_profile_set | ||
| - id: 2.1.8 | ||
| title: Out of Band Management | ||
| status: partial | ||
| notes: |- | ||
| This is an infrastructure-level control. Verify that the | ||
| Kubernetes API server and OpenShift Console are accessible | ||
| only through a private management network or a secure VPN | ||
| tunnel that enforces MFA. | ||
| rules: | ||
| - configure_network_policies | ||
| - configure_network_policies_namespaces | ||
| - project_config_and_template_network_policy | ||
| - id: '2.2' | ||
| title: Authentication Attribute Management | ||
| status: pending | ||
| rules: [] | ||
| controls: | ||
| - id: 2.2.1 | ||
| title: Authentication Policy | ||
| status: partial | ||
| notes: |- | ||
| OpenShift delegates authentication to an external Identity | ||
| Provider. The automated rules verify that an MFA-capable | ||
| IdP is configured and that weak single-factor methods | ||
| (htpasswd, basic-auth, static tokens) are disabled. | ||
| However, actual MFA enforcement must be verified at the | ||
| IdP level (e.g., Keycloak, Okta, Active Directory). For | ||
| machine accounts, ServiceAccount tokens satisfy the | ||
| single-attribute requirement. | ||
| rules: | ||
Collaborator: How about adding the rule etcd_client_cert_auth?
| - idp_is_configured | ||
| - ocp_idp_no_htpasswd | ||
| - kubeadmin_removed | ||
| - ocp_no_ldap_insecure | ||
| - api_server_token_auth | ||
| - api_server_basic_auth | ||
| - id: 2.2.2 | ||
| title: Authentication Support - External | ||
| status: automated | ||
| rules: | ||
| - ocp_no_ldap_insecure | ||
| - id: 2.2.3 | ||
| title: Protection against Brute Force and Dictionary Attacks | ||
| status: partial | ||
| notes: |- | ||
| Brute force and dictionary attack protections are primarily | ||
| enforced at the Identity Provider level. The automated rule | ||
| ensures an IdP capable of account lockout is used instead of | ||
| htpasswd. Verify that the external IdP is configured with at | ||
| least two countermeasures such as account lockout after failed | ||
| attempts, login delays, or password blacklists. | ||
| rules: | ||
Collaborator: Maybe also add idp_is_configured?
| - ocp_idp_no_htpasswd | ||
| - id: 2.2.4 | ||
| title: Enforce Strong Password | ||
| status: partial | ||
| notes: |- | ||
| Password complexity is primarily enforced at the Identity | ||
| Provider level. The automated rules ensure Kubernetes | ||
| Secrets are encrypted at rest in etcd and that node-level | ||
| password storage uses strong hashing. Verify that the | ||
| external IdP enforces minimum length, character class, | ||
| and password history requirements. | ||
| rules: | ||
Collaborator: Maybe also add more rules: ocp_idp_no_htpasswd, idp_is_configured, ocp_no_ldap_insecure and kubeadmin_removed?
| - api_server_encryption_provider_cipher | ||
| - no_empty_passwords | ||
| - id: 2.2.5 | ||
| title: Inactive Session Timeout | ||
| status: automated | ||
| rules: | ||
| - oauth_inactivity_timeout | ||
| - oauthclient_inactivity_timeout | ||
| - oauth_or_oauthclient_inactivity_timeout | ||
| - oauth_token_maxage | ||
| - oauthclient_token_maxage | ||
| - oauth_or_oauthclient_token_maxage | ||
| - sshd_set_idle_timeout | ||
| - sshd_set_keepalive | ||
| - id: 2.2.6 | ||
| title: Password Changes | ||
| status: manual | ||
| notes: |- | ||
| Password change enforcement, expiration, and history are | ||
| functions of the external Identity Provider. Verify that | ||
| the IdP linked to OpenShift enforces password changes on | ||
| initial login and upon expiry, and prevents reuse of at | ||
| least the last 3 passwords. Kubernetes does not track | ||
| password history. | ||
| rules: [] | ||
| - id: 2.2.7 | ||
| title: Protected Authentication Feedback | ||
| status: inherently met | ||
| notes: |- | ||
| Password masking is inherent behavior in OpenShift and | ||
| Linux. The OpenShift Console, oc CLI, and node-level | ||
| authentication commands (passwd, login, sudo) all | ||
| obscure password input using system calls that do not | ||
| echo characters to the terminal. This cannot be | ||
| misconfigured. | ||
| rules: [] | ||
| - id: 2.2.8 | ||
| title: Removal of Predefined or Default Authentication Attributes | ||
| status: automated | ||
| rules: | ||
| - kubeadmin_removed | ||
| - id: 2.2.9 | ||
| title: Logout Function | ||
| status: automated | ||
| rules: | ||
| - oauth_logout_url_set | ||
Collaborator: How about adding one session timeout rule, accounts_tmout?
| - id: 2.2.10 | ||
| title: Policy Regarding Consecutive Failed Login Attempts | ||
| status: partial | ||
| notes: |- | ||
| Account lockout after failed login attempts is enforced | ||
| at the Identity Provider level. The automated rule | ||
| ensures an IdP capable of account lockout is used. | ||
| Verify that the external IdP locks accounts after no | ||
| more than 8 consecutive failed attempts, with a | ||
| recommended default of 5. | ||
| rules: | ||
Collaborator: How about adding more pam faillock rules:
| - ocp_idp_no_htpasswd | ||
| - id: 2.2.11 | ||
| title: Suspend Accounts on Non-Use | ||
| status: partial | ||
| notes: |- | ||
| Account suspension after non-use is primarily managed | ||
| by the external Identity Provider. The automated rule | ||
| enforces account disabling on RHCOS nodes after | ||
| password expiration inactivity. Verify that the IdP | ||
| linked to OpenShift is configured to suspend accounts | ||
| after a defined period without valid login. | ||
| rules: | ||
| - account_disable_post_pw_expiration | ||
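Review bot: in control 2.2.5 (Inactive Session Timeout), selecting oauth_inactivity_timeout, oauthclient_inactivity_timeout and oauth_or_oauthclient_inactivity_timeout side by side (and likewise the three *_token_maxage rules) is contradictory: the combined `oauth_or_oauthclient_*` rule exists precisely to pass when the value is set on either the OAuth server or the OAuthClient, yet the two single-object rules will fail a cluster that sets it on only one of them, so the control can only be green when both objects are configured. Keep either the two single-object rules or the combined rule, not all three. Two smaller points in the same hunk: the 2.2.1 note says the automated rules "verify that an MFA-capable IdP is configured", but idp_is_configured only checks that some identity provider is present and nothing in that list inspects MFA capability, so reword it to "an external IdP is configured"; and 2.2.2 is marked `automated` on ocp_no_ldap_insecure alone, which only has something to evaluate when an LDAP provider is defined, so a cluster using an OIDC provider or no IdP at all appears to pass vacuously, and idp_is_configured belongs there as well.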
| @@ -0,0 +1,18 @@ | ||
| --- | ||
Collaborator: The file name should be itsar-nfv-v1-0-0.profile
| documentation_complete: true | ||
|
|
||
| title: 'ITSAR NFV for Red Hat OpenShift Container Platform 4' | ||
|
|
||
| platform: ocp4 | ||
|
|
||
| reference: https://nccs.gov.in/home/itsars | ||
|
|
||
| metadata: | ||
| version: V2.0.0 | ||
Collaborator: Should be "version: V1.0.0"
|
|
||
| description: |- | ||
| This profile defines a baseline that aligns to the ITSAR NFV | ||
| requirements for Red Hat OpenShift Container Platform 4. | ||
|
|
||
| selections: | ||
| - itsar_nfv:all | ||
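Review bot: `reference: https://nccs.gov.in/home/itsars` points at the ITSAR index page rather than at the NFV document, so neither `metadata.version: V2.0.0` nor the control numbering in itsar_nfv can be checked against a source from this file; cite the exact ITSAR NFV document (title and version) here, and whichever version is right (the thread says V1.0.0), change the filename, `metadata.version` and the child profile's `extends:` together, since all three encode the same string. Note also that `selections: - itsar_nfv:all` pulls in controls marked partial and manual, so the description's "aligns to the ITSAR NFV requirements" should say that several requirements still need manual verification at the IdP.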
| @@ -0,0 +1,17 @@ | ||
| --- | ||
| documentation_complete: true | ||
|
|
||
| title: 'ITSAR NFV for Red Hat OpenShift Container Platform 4' | ||
|
|
||
| platform: ocp4 | ||
|
|
||
| reference: https://nccs.gov.in/home/itsars | ||
|
|
||
| metadata: | ||
| version: V2.0.0 | ||
Collaborator: Should be "version: V1.0.0"
|
|
||
| description: |- | ||
| This profile defines a baseline that aligns to the ITSAR NFV | ||
| requirements for Red Hat OpenShift Container Platform 4. | ||
|
|
||
| extends: itsar-nfv-v2-0-0 | ||
Collaborator: extends: itsar-nfv-v1-0-0
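Review bot: `title:` and `description:` here are identical to those of the base profile this file `extends:`, so results from the two profiles cannot be told apart in a scan report; give the extending profile a title that says what it is for. The `extends:` target must also match the base profile's real id (the thread asks for itsar-nfv-v1-0-0 for both the filename and this line); an `extends:` naming a profile that does not exist cannot be resolved when the product is built.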
| @@ -0,0 +1,18 @@ | ||
| --- | ||
| documentation_complete: true | ||
|
|
||
| title: 'ITSAR NFV for Red Hat Enterprise Linux CoreOS 4' | ||
|
|
||
| platform: rhcos4 | ||
|
|
||
| reference: https://nccs.gov.in/home/itsars | ||
|
|
||
| metadata: | ||
| version: V2.0.0 | ||
|
|
||
| description: |- | ||
| This profile defines a baseline that aligns to the ITSAR NFV | ||
| requirements for Red Hat Enterprise Linux CoreOS 4. | ||
|
|
||
| selections: | ||
| - itsar_nfv:all |
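Review bot: `version: V2.0.0` under `metadata:` in this rhcos4 base profile was not flagged in the thread although its three siblings were; change it in lockstep with the ocp4 profile so the pair stays consistent. Also, `- itsar_nfv:all` selects the same shared controls file for rhcos4, where most rule ids (api_server_*, etcd_*, scc_*, oauth_*, idp_*, rbac_*) are cluster-level checks and only sshd_*, no_direct_root_logins, no_empty_passwords and account_disable_post_pw_expiration are node-level; confirm that the rhcos4 build handles the non-node rule ids, or split the controls by product.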
| @@ -0,0 +1,17 @@ | ||
| --- | ||
| documentation_complete: true | ||
|
|
||
| title: 'ITSAR NFV for Red Hat Enterprise Linux CoreOS 4' | ||
|
|
||
| platform: rhcos4 | ||
|
|
||
| reference: https://nccs.gov.in/home/itsars | ||
|
|
||
| metadata: | ||
| version: V2.0.0 | ||
Collaborator: Should be "version: v1.0.0"
|
|
||
| description: |- | ||
| This profile defines a baseline that aligns to the ITSAR NFV | ||
| requirements for Red Hat Enterprise Linux CoreOS 4. | ||
|
|
||
| extends: itsar-nfv-v2-0-0 | ||
Collaborator: extends: itsar-nfv-v1-0-0
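Review bot: like its ocp4 counterpart, this extending rhcos4 profile carries no `selections:` of its own, so as written it is an exact alias of the base profile with the same `title:`; add what differs (selections, unselections or variable overrides) or drop the file. `extends: itsar-nfv-v2-0-0` must name an existing profile id, and the version comments in the thread disagree on casing ("V1.0.0" for the other files, "v1.0.0" here); pick one spelling for `metadata.version` across all four profiles.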
Maybe also add some Ingress/Route Traffic Protection rules, such as ingress_controller_tls_security_profile, ingress_controller_tls_security_profile_custom_min_tls_version, ingress_controller_tls_security_profile_not_old and routes_protected_by_tls