ComplianceAsCode · sluetze · Oct 14, 2024 · Oct 14, 2024 · Oct 14, 2024
diff --git a/applications/openshift/general/sandboxed_containers_operator_configured/rule.yml b/applications/openshift/general/sandboxed_containers_operator_configured/rule.yml
@@ -0,0 +1,41 @@
+
+title: Ensure that Sandboxed Containers Operator is Configured
+
+description: |-
+    {{{ weblink(link="https://docs.redhat.com/en/documentation/openshift_sandboxed_containers/1.7",
+                text="The Sandboxed Containers Operator") }}}
+    provides containers with a dedicated kernel by running them in a virtual machine. This allows for extended separation, as no kernel is shared. This is done by using RHCOS cluster extension and is only available on RHCOS nodes.
+
+    It is only active, if it is correctly configured with a KataConfig AND you configured each pod spec with <pre>runtimeClassName: kata</pre>.
+
+    Be advised, that on AWS, Azure, IBM Z and IBM LinuxOne you need to enable PeerPods and confiugre additional resources.
+
+rationale: |-
+    Using separate kernels for each container provides for better isolation, and makes it harder for adveseries to move laterally to other containers or the container-host.
+
+severity: medium
+
+identifiers:
+    cce@ocp4: CCE-87430-5
+
+ocil_clause: 'Sandboxed Containers Operator is not configured'
+
+ocil: |-
+    Run the following command to check if a KataConfig for the cluster exists:
+    <pre>$ oc get kataconfigs openshift-sandboxed-containers-operator</pre>
+    Make sure at least one KataConfig exists.
+
+warnings:
+- general: |-
+    {{{ openshift_cluster_setting("/apis/kataconfiguration.openshift.io/v1/kataconfigs?limit=5") | indent(4) }}}
+
+template:
+    name: yamlfile_value
+    vars:
+        ocp_data: "true"
+        filepath: /apis/kataconfiguration.openshift.io/v1/kataconfigs?limit=5
+        yamlpath: ".items[:].metadata.name"
+        entity_check: "at least one"
+        values:
+            - value: ".*"
+              operation: "pattern match"
diff --git a/.../openshift/general/sandboxed_containers_operator_configured/tests/ocp4/e2e-remediation.sh b/.../openshift/general/sandboxed_containers_operator_configured/tests/ocp4/e2e-remediation.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+set -xe
+
+echo "installing sandboxed-containers-operator"
+oc apply -f ${ROOT_DIR}/ocp-resources/e2e/sandboxed-containers-install.yaml --server-side=true
+
+sleep 30
+
+echo "waiting for sandboxed-containers-operator deployment to exist"
+while [ -z "$(oc get -n openshift-sandboxed-containers-operator --ignore-not-found deployment/controller-manager)" ]; do
+    sleep 3
+done
+
+# we need to wait for the pods to be ready, otherwise there is no webhook endpoint
+# for the kataconfig
+echo "waiting for sandboxed-containers-operator pods to be ready"
+oc wait -n openshift-sandboxed-containers-operator --for=condition=ContainersReady=true \
+--timeout=300s pods -l control-plane=controller-manager
+
+echo "configuring kataconfig"
+oc apply -f ${ROOT_DIR}/ocp-resources/e2e/sandboxed-containers-instance.yaml --server-side=true
+
+echo "check, that the mcp was updated"
+oc wait --for=condition=Updated --timeout=3600s machineconfigpool/kata-oc
+
+echo "waiting for the cluster to become stable"
+oc adm wait-for-stable-cluster --minimum-stable-period 1m
diff --git a/applications/openshift/general/sandboxed_containers_operator_configured/tests/ocp4/e2e.yml b/applications/openshift/general/sandboxed_containers_operator_configured/tests/ocp4/e2e.yml
@@ -0,0 +1,3 @@
+---
+default_result: FAIL
+result_after_remediation: PASS
diff --git a/applications/openshift/general/sandboxed_containers_operator_exists/rule.yml b/applications/openshift/general/sandboxed_containers_operator_exists/rule.yml
@@ -0,0 +1,38 @@
+
+title: Ensure that Sandboxed Containers Operator exists in the cluster
+
+description: |-
+    {{{ weblink(link="https://docs.redhat.com/en/documentation/openshift_sandboxed_containers/1.7",
+                text="The Sandboxed Containers Operator") }}}
+    provides containers with a dedicated kernel by running them in a virtual machine. This allows for extended separation, as no kernel is shared. This is done by using RHCOS cluster extension and is only available on RHCOS nodes.
+
+rationale: |-
+    Using separate kernels for each container provides for better isolation, and makes it harder for adveseries to move laterally to other containers or the container-host.
+
+severity: medium
+
+identifiers:
+    cce@ocp4: CCE-86496-7
+
+ocil_clause: 'Sandboxed Containers Operator is not installed'
+
+ocil: |-
+    Run the following command to check if a subscription for the operator exists in the system:
+    <pre>$ oc get sub -n openshift-sandboxed-containers-operator</pre>
+    Make sure the Sandboxed Containers Operator is installed.
+
+warnings:
+- general: |-
+    {{{ openshift_cluster_setting("/apis/operators.coreos.com/v1alpha1/subscriptions") | indent(4) }}}
+
+template:
+  name: yamlfile_value
+  vars:
+    ocp_data: "true"
+    filepath: '/apis/operators.coreos.com/v1alpha1/subscriptions'
+    yamlpath: ".items[:].status.installedCSV"
+    check_existence: "at_least_one_exists"
+    values:
+    - value: "sandboxed-containers-operator.*"
+      operation: "pattern match"
+      entity_check: "at least one"
diff --git a/...ions/openshift/general/sandboxed_containers_operator_exists/tests/ocp4/e2e-remediation.sh b/...ions/openshift/general/sandboxed_containers_operator_exists/tests/ocp4/e2e-remediation.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+set -xe
+
+echo "installing sandboxed-containers-operator"
+oc apply -f ${ROOT_DIR}/ocp-resources/e2e/sandboxed-containers-install.yaml --server-side=true
+
+sleep 30
+
+echo "waiting for sandboxed-containers-operator deployment to exist"
+while [ -z "$(oc get -n openshift-sandboxed-containers-operator --ignore-not-found deployment/controller-manager)" ]; do
+    sleep 3
+done
+
+echo "waiting for sandboxed-containers-operator deployment to be ready"
+oc wait -n openshift-sandboxed-containers-operator --for=condition=Available  --timeout=300s \
+    deployment/controller-manager
diff --git a/applications/openshift/general/sandboxed_containers_operator_exists/tests/ocp4/e2e.yml b/applications/openshift/general/sandboxed_containers_operator_exists/tests/ocp4/e2e.yml
@@ -0,0 +1,3 @@
+---
+default_result: FAIL
+result_after_remediation: PASS
diff --git a/controls/bsi_sys_1_6.yml b/controls/bsi_sys_1_6.yml
@@ -563,13 +563,18 @@ controls:
     levels:
     - elevated
     description: >-
-      If further isolation and encapsulation of containers is required, the following measures
+      (1) If further isolation and encapsulation of containers is required, the following measures
       SHOULD be considered for increased effectiveness:
-      • Fixed assignment of containers to container hosts
-      • Execution of the individual containers and/or the container host by means of
+      (2) • Fixed assignment of containers to container hosts
+      (3) • Execution of the individual containers and/or the container host by means of
       hypervisors
-      • Fixed assignment of a single container to a single container host
+      (4) • Fixed assignment of a single container to a single container host
     notes: >-
-      ToDo
+      Section 1,2,4: OpenShift offers the option of binding containers (in pods) to specific nodes using node labels and node selectors in the deployment descriptors. Section 3: These can also be made available as virtual machines via hypervisors (via IaaS or via OpenShift Sandboxes). This implements all three assignments mentioned in the requirement.
     status: manual
-    #rules:
+    rules:
+      # Section 1,2,4
+      - general_node_separation
+      # Section 3
+      - sandboxed_containers_operator_exists
+      - sandboxed_containers_operator_configured
diff --git a/ocp-resources/e2e/sandboxed-containers-install.yaml b/ocp-resources/e2e/sandboxed-containers-install.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openshift-sandboxed-containers-operator
+  labels:
+    openshift.io/cluster-monitoring: "true"
+---
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: sandboxed-containers-operator-group
+  namespace: openshift-sandboxed-containers-operator
+spec:
+  targetNamespaces:
+  - openshift-sandboxed-containers-operator
+---
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: "sandboxed-containers-operator"
+  namespace: "openshift-sandboxed-containers-operator"
+spec:
+  channel: stable
+  installPlanApproval: Automatic
+  name: sandboxed-containers-operator
+  source: redhat-operators
+  sourceNamespace: openshift-marketplace
diff --git a/ocp-resources/e2e/sandboxed-containers-instance.yaml b/ocp-resources/e2e/sandboxed-containers-instance.yaml
@@ -0,0 +1,12 @@
+apiVersion: kataconfiguration.openshift.io/v1
+kind: KataConfig
+metadata:
+  name: example-kataconfig
+spec:
+  checkNodeEligibility: false
+  enablePeerPods: false
+  kataConfigPoolSelector:
+    matchExpressions:
+      - key: node-role.kubernetes.io/worker
+        operator: Exists
+  logLevel: info
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -55,7 +55,6 @@ CCE-86484-3
 CCE-86492-6
 CCE-86493-4
 CCE-86494-2
-CCE-86496-7
 CCE-86497-5
 CCE-86498-3
 CCE-86499-1
@@ -521,7 +520,6 @@ CCE-87419-8
 CCE-87422-2
 CCE-87426-3
 CCE-87427-1
-CCE-87430-5
 CCE-87431-3
 CCE-87432-1
 CCE-87434-7