Containers, Kubernetes, OpenShift on Power

Supporting PCI-DSS v4 with the Compliance Operator on the OpenShift Container Platform

By PAUL BASTIDE posted Mon April 28, 2025 10:46 AM

  

Author: Kaushik Talathi/IBM, Paul Bastide/IBM

If you’re processing Credit Card Payments, you care about security and following the PCI-DSS standard. I’ve got good news for you — the OpenShift Container Platform supports PCI-DSS v4. If you want to support PCI-DSS, you can use the OpenShift Compliance Operator to configure the built-in security to comply with the standard.

For those not familiar, PCI Data Security Standard (PCI DSS) is provided by the PCI Security Standards Council (PCI SSC) to secure payment card processing.

The Compliance Operator is an optional operator that lets an administrator run compliance scans and proposes remediations to bring the cluster into compliance. For PCI-DSS it runs a profile of checks that assesses both the platform's nodes and its Kubernetes API resources. Each check is written as OpenSCAP content (OpenSCAP is a NIST-certified scanner) that describes how to scan for, and enforce, a security setting. The content is open source, developed in the ComplianceAsCode/content project, so you can read the definition of every check.

This document walks you through the setup, the scan run, the auto-remediation and the manual fixes required to set up your environment and work toward compliance.

Installation of Compliance-Operator

To install the Compliance Operator on your OpenShift 4.17 or higher system, go to the OperatorHub:

  1. Log in with a user ID that has cluster-admin access.
  2. In the OpenShift Container Platform web console, navigate to Operators → OperatorHub.
  3. Search for the Compliance Operator, then click Install.
  4. Keep the default selection of Installation mode and namespace to ensure that the Operator will be installed to the openshift-compliance namespace.
  5. Click Install.

Verify the Compliance Operator Installation Status

  1. Verify that the installation succeeded by inspecting the ClusterServiceVersion (CSV); its PHASE should be Succeeded:
$ oc project openshift-compliance
Now using project "openshift-compliance" on server "https://****.****.****:6443".

$ oc get csv
NAME                         DISPLAY               VERSION   REPLACES                     PHASE
compliance-operator.v1.7.0   Compliance Operator   1.7.0     compliance-operator.v1.6.2   Succeeded
  2. Verify that the Compliance Operator and its profile-parser (-pp) pods are running:
$ oc get pods -n openshift-compliance
NAME                                              READY   STATUS    RESTARTS   AGE
compliance-operator-67d7d4c548-twrcw              1/1     Running   0          3m9s
ocp4-openshift-compliance-pp-5c4f9b7f54-xwpr8     1/1     Running   0          3m6s
rhcos4-openshift-compliance-pp-58974c769b-gz7sj   1/1     Running   0          3m6s
  3. Verify that the PCI-DSS profiles are installed (the columns are NAME, AGE and VERSION):
$ oc get -n openshift-compliance profiles.compliance | grep pci-dss
ocp4-pci-dss               88s   3.2.1
ocp4-pci-dss-3-2           89s   3.2.1
ocp4-pci-dss-4-0           89s   4.0.0
ocp4-pci-dss-node          89s   3.2.1
ocp4-pci-dss-node-3-2      89s   3.2.1
ocp4-pci-dss-node-4-0      89s   4.0.0

Create a PCI-DSS compliance Scan and Check the Scan Output

To make your OpenShift cluster compliant with the PCI-DSS profile, you need to review the status of every compliance check result and apply the appropriate remediations.

To start a scan, create a ScanSettingBinding; the scan starts immediately after the binding is created.

  1. Use the OpenShift Container Platform web console to create a ScanSettingBinding.

  2. Add the ocp4-pci-dss and ocp4-pci-dss-node profiles to the ScanSettingBinding. (The profile listing above shows these at version 3.2.1; the PCI-DSS v4 content is in ocp4-pci-dss-4-0 and ocp4-pci-dss-node-4-0, which is where the -4-0 scan names later in this post come from.)

apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: pci-dss-profile
  namespace: openshift-compliance
profiles:
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: Profile
    name: ocp4-pci-dss-node
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: Profile
    name: ocp4-pci-dss
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default
  3. Use the CLI to check the scan:
$ oc get compliancescan -n openshift-compliance
NAME                      PHASE      RESULT
ocp4-pci-dss              RUNNING    NOT-AVAILABLE
ocp4-pci-dss-node-master  LAUNCHING  NOT-AVAILABLE
ocp4-pci-dss-node-worker  LAUNCHING  NOT-AVAILABLE

When a compliance scan completes, its RESULT column shows COMPLIANT or NON-COMPLIANT.

$ oc get compliancescan -n openshift-compliance
NAME                      PHASE  RESULT
ocp4-pci-dss              DONE   NON-COMPLIANT
ocp4-pci-dss-node-master  DONE   NON-COMPLIANT
ocp4-pci-dss-node-worker  DONE   NON-COMPLIANT
  4. To list the compliance check results, run the following command:
$ oc get compliancecheckresult -n openshift-compliance | grep pci
ocp4-pci-dss-accounts-restrict-service-account-tokens   MANUAL medium
ocp4-pci-dss-accounts-unique-service-account            MANUAL medium
… 
ocp4-pci-dss-kubelet-configure-tls-cert                 PASS medium
ocp4-pci-dss-kubelet-configure-tls-cipher-suites        FAIL medium
ocp4-pci-dss-kubelet-configure-tls-key                  PASS medium
  5. To list only the failed results, run the following command:
$ oc get compliancecheckresult -n openshift-compliance | grep pci | grep FAIL
ocp4-pci-dss-4-0-acs-sensor-exists                          FAIL     medium
ocp4-pci-dss-4-0-audit-log-forwarding-enabled               FAIL     medium
ocp4-pci-dss-4-0-configure-network-policies-namespaces      FAIL     high
...
ocp4-pci-dss-4-0-ocp-allowed-registries-for-import          FAIL     medium
ocp4-pci-dss-4-0-security-profiles-operator-exists          FAIL     medium

Remediating the failed results

You can run the auto-remediation script below to fix a number of the results. Replace <scan-name> with the actual scan name and run the script once per scan. Note that the remediations for the node scans are MachineConfig objects: applying them rolls out a new MachineConfig and reboots the nodes of that pool, so plan a maintenance window.

To get the list of scans, run the following command:

$ oc get compliancescan -n openshift-compliance
NAME                           PHASE   RESULT
ocp4-pci-dss-4-0               DONE    NON-COMPLIANT
ocp4-pci-dss-node-4-0-master   DONE    NON-COMPLIANT
ocp4-pci-dss-node-4-0-worker   DONE    NON-COMPLIANT
for REMEDIATION in $(oc get compliancecheckresults.compliance -n openshift-compliance -l 'compliance.openshift.io/scan-name in (<scan-name>)' --no-headers | grep -v PASS | awk '{print $1}'); do
  echo "REMEDIATION ${REMEDIATION}"

  # A ComplianceRemediation object exists only for checks the operator can fix itself;
  # MANUAL checks (and some FAIL checks) have none, so test for it before patching.
  FOUND=$( (oc get complianceremediations -n openshift-compliance "${REMEDIATION}" >/dev/null 2>&1 && echo "0") || echo "1")
  echo "${FOUND}"
  if [[ "${FOUND}" == "0" ]]
  then
      oc -n openshift-compliance patch "complianceremediations/${REMEDIATION}" --patch '{"spec":{"apply":true}}' --type=merge
  fi
done
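The loop above patches whatever remediation objects it finds, but it does not tell you which failed checks are left for manual work. The script below is an added example (not from the original post and not part of the Compliance Operator) that classifies the FAIL results of one scan into AUTO (a ComplianceRemediation object exists) and MANUAL (none exists), ordered by severity, and only applies the AUTO set when asked. It assumes oc on PATH with cluster-admin, the operator in openshift-compliance, and remediation objects named after their check results, as they are on the cluster shown above.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post or of the Compliance Operator:
# split the FAIL results of one ComplianceScan into checks the operator can fix
# automatically (a ComplianceRemediation object exists) and checks that need a
# manual fix (no remediation object), and optionally apply the automatic ones.
# Assumes: oc on PATH with cluster-admin, the operator in openshift-compliance,
# and remediation objects named after their check result (as on this cluster).
set -eu

NS=openshift-compliance

# "NAME STATUS SEVERITY" rows of one scan, FAIL rows only (MANUAL, PASS and
# INFO rows carry no remediation to apply).
failed_checks() {
  oc get compliancecheckresults.compliance -n "$NS" \
     -l "compliance.openshift.io/scan-name=$1" --no-headers \
   | awk '$2 == "FAIL" { print $1, $2, $3 }'
}

# 0 if a ComplianceRemediation with this name exists, 1 otherwise.
has_remediation() {
  oc get complianceremediations -n "$NS" "$1" >/dev/null 2>&1
}

# One line per FAIL result: "<AUTO|MANUAL> <severity> <name>", ordered high,
# medium, low, then by name, so the output doubles as a worklist.
classify_remediations() {
  failed_checks "$1" | while read -r name _status sev; do
    if has_remediation "$name"; then kind=AUTO; else kind=MANUAL; fi
    printf '%s %s %s\n' "$kind" "$sev" "$name"
  done \
  | awk '{ r = 3; if ($2 == "high") r = 0; else if ($2 == "medium") r = 1;
           else if ($2 == "low") r = 2; print r, $0 }' \
  | sort -k1,1n -k4,4 | cut -d' ' -f2-
}

# Set spec.apply=true on every AUTO remediation of the scan. Node-profile
# remediations are MachineConfigs: applying them rolls out a new MachineConfig
# and reboots the nodes of that pool, so run this in a maintenance window.
apply_auto_remediations() {
  classify_remediations "$1" | while read -r kind _sev name; do
    [ "$kind" = AUTO ] || continue
    oc -n "$NS" patch "complianceremediations/$name" --type=merge \
       --patch '{"spec":{"apply":true}}'
  done
}

# Usage: SCAN_NAME=ocp4-pci-dss-4-0 ./triage.sh            (report only)
#        SCAN_NAME=ocp4-pci-dss-4-0 APPLY=yes ./triage.sh  (report, then apply)
if [ -n "${SCAN_NAME:-}" ]; then
  classify_remediations "$SCAN_NAME"
  if [ "${APPLY:-no}" = yes ]; then apply_auto_remediations "$SCAN_NAME"; fi
fi
```

Run it once per scan name from the compliancescan listing; the MANUAL lines are exactly the checks you have to handle by hand in the next section.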

Once the auto-remediation is applied, the remaining results can be fixed manually:

  1. Rule: acs-sensor-exists

Ensure that the Advanced Cluster Security (ACS) Sensor is deployed. ACS continuously monitors the Kubernetes environment and protects it against vulnerabilities and misconfigurations, which helps keep the infrastructure and applications compliant with security standards and regulations and reduces the risk of a breach.

Install the Advanced Cluster Security agent (the Sensor) in the cluster.

  2. Rule: container-security-operator-exists

Vulnerabilities in software packages can be exploited by attackers to gain unauthorized access to resources. To check whether the Container Security Operator is installed, list the ClusterServiceVersions (oc get csv, as in the installation check above); the output should include the CSV of the installed operator. If it is missing, install the Red Hat Quay Container Security Operator with the default settings.

  3. Rule: logging

Install the OpenShift Logging Operator

  4. Rule: configure-network-policies-namespaces

This rule applies to the non-default, non-system namespaces. The following script lists the namespaces (excluding those prefixed openshift or kube-, and default) that have no NetworkPolicy at all:
for NAMESPACE in $(oc get namespaces -o json | jq -r '.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name')
do
  # Names of the NetworkPolicies in the namespace; empty when there are none
  TOTAL_NETWORK_POLICIES=$(oc get -n "${NAMESPACE}" networkpolicies -o json | jq -r '.items[].metadata.name')
  if [ -z "${TOTAL_NETWORK_POLICIES}" ]
  then
    echo "NAMESPACE: ${NAMESPACE}"
  fi
done

You then need to create the policies in each non-default namespace, following the instructions in the rule. The script below applies two NetworkPolicies to every namespace that has none: allow-from-openshift-ingress (accept traffic from the OpenShift ingress namespace) and allow-from-same-namespace (accept traffic from pods in the same namespace). Because both policies select every pod (podSelector: {}), any ingress they do not allow, such as traffic from other namespaces, is denied. The manifest also carries a storage-consumption ResourceQuota that is unrelated to this rule; remove it if you only want the network policies.

for NAMESPACE in $(oc get namespaces -o json | jq -r '.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name')
do
  TOTAL_NETWORK_POLICIES=$(oc get -n "${NAMESPACE}" networkpolicies -o json | jq -r '.items[].metadata.name')
  if [ -z "${TOTAL_NETWORK_POLICIES}" ]
  then
    echo "NAMESPACE: ${NAMESPACE}"
    # Apply the manifest to the namespace that has no NetworkPolicy yet
    cat << EOF | oc apply -n "${NAMESPACE}" -f -
apiVersion: v1
kind: ResourceQuota
metadata:
  name: storage-consumption
spec:
  hard:
    bronze.storageclass.storage.k8s.io/persistentvolumeclaims: "0"
    bronze.storageclass.storage.k8s.io/requests.storage: "0"
    gold.storageclass.storage.k8s.io/requests.storage: 10Gi
    persistentvolumeclaims: "10"
    requests.storage: 50Gi
    silver.storageclass.storage.k8s.io/persistentvolumeclaims: "5"
    silver.storageclass.storage.k8s.io/requests.storage: 20Gi
---
# Accept ingress from the OpenShift router (namespace labelled as the ingress policy group)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-ingress
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          network.openshift.io/policy-group: ingress
  podSelector: {}
  policyTypes:
  - Ingress
---
# Accept ingress from pods in the same namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-same-namespace
spec:
  ingress:
  - from:
    - podSelector: {}
  podSelector: {}
  policyTypes:
  - Ingress
EOF
    # Show the policies that now exist in the namespace
    oc get -n "${NAMESPACE}" networkpolicies -o json | jq -r '.items[].metadata.name'
  fi
done
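The check above only asks whether a namespace has any NetworkPolicy. A policy whose podSelector matches a subset of pods leaves the other pods unrestricted, so a namespace can pass that check and still be open. The script below is an added example (not from the original post) that applies the stricter test: a namespace is flagged unless at least one of its policies has an empty podSelector, i.e. applies to every pod. It uses the same namespace exclusions as the post's script, but without jq, and assumes oc on PATH with read access to namespaces and networkpolicies; the jsonpath fields it reads render as empty strings when the selector is {}.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: a stricter version of the
# namespace check. A namespace is flagged when none of its NetworkPolicies has
# an empty podSelector, i.e. when no policy applies to every pod, since a policy
# that selects only some pods leaves the remaining pods unrestricted.
# Assumes oc on PATH with read access to namespaces and networkpolicies.
set -eu

# Non-system namespaces: same exclusions as the post's script
# (openshift*, kube-*, default), expressed without jq.
user_namespaces() {
  oc get namespaces -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}' \
    | grep -v -e '^openshift' -e '^kube-' -e '^default$' || true
}

# One line per policy: "<name>\t<matchLabels>\t<matchExpressions>". Both
# selector fields are empty only when podSelector is {} (every pod).
policy_selectors() {
  oc get networkpolicies -n "$1" \
    -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.podSelector.matchLabels}{"\t"}{.spec.podSelector.matchExpressions}{"\n"}{end}'
}

# 0 if the namespace has at least one policy covering all pods, 1 otherwise.
has_namespace_wide_policy() {
  policy_selectors "$1" \
    | awk -F'\t' '$2 == "" && $3 == "" { found = 1 } END { exit (found ? 0 : 1) }'
}

# Print "<namespace> <policy count>" for every user namespace that lacks a
# namespace-wide policy. Returns 1 if any were found, 0 if all are covered,
# so the function can gate a CI job.
report_uncovered_namespaces() {
  local ns found=0
  for ns in $(user_namespaces); do
    if ! has_namespace_wide_policy "$ns"; then
      printf '%s %s\n' "$ns" "$(policy_selectors "$ns" | awk 'END { print NR }')"
      found=1
    fi
  done
  return "$found"
}

# Usage: RUN_CHECK=yes ./check-netpol.sh
if [ "${RUN_CHECK:-no}" = yes ]; then
  report_uncovered_namespaces
fi
```

A count of 0 means the namespace has no policy at all (the case the post's script finds); a non-zero count means policies exist but none of them is namespace-wide, which the post's script would miss.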

Note that the security-profiles-operator-exists rule will be removed in a future Compliance Operator release. Until then, you can exclude it with a TailoredProfile that extends ocp4-pci-dss and disables the rule. A TailoredProfile is not scanned by itself: reference it from your ScanSettingBinding with kind: TailoredProfile in place of the stock Profile, otherwise the scan keeps running the unmodified profile.

apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: ocp4-pci-dss-custom
  namespace: openshift-compliance
spec:
  extends: ocp4-pci-dss
  title: PCI-DSS v4 Customized
  disableRules:
    # Rule objects are named ocp4-<rule>, without the profile name in between
    - name: ocp4-security-profiles-operator-exists
      rationale: The Security Profiles Operator is not used in this control.

You can see the details in CMP-3278: Misleading rule associated with PCI-DSS 6.4.2 and BSI.

After Remediating

After remediating, you should re-run the scans to confirm that the fixes took effect. Trigger a rescan by annotating each scan; replace <scan-name> with the actual scan name:

$ oc -n openshift-compliance annotate compliancescans/<scan-name> compliance.openshift.io/rescan=
compliancescan.compliance.openshift.io/<scan-name> annotated

Wait for the scans to complete. In this run the node scans now report COMPLIANT, while the platform scan is still NON-COMPLIANT:

$ oc get compliancescan -n openshift-compliance
NAME                           PHASE   RESULT
ocp4-pci-dss-4-0               DONE    NON-COMPLIANT
ocp4-pci-dss-node-4-0-master   DONE    COMPLIANT
ocp4-pci-dss-node-4-0-worker   DONE    COMPLIANT

Then check that the compliance check results that previously failed now pass (for example the TLS cipher-suites check):

$ oc get compliancecheckresult -n openshift-compliance | grep pci
ocp4-pci-dss-accounts-restrict-service-account-tokens   MANUAL medium
ocp4-pci-dss-accounts-unique-service-account            MANUAL medium
… 
ocp4-pci-dss-kubelet-configure-tls-cert                 PASS medium
ocp4-pci-dss-kubelet-configure-tls-cipher-suites        PASS medium
ocp4-pci-dss-kubelet-configure-tls-key                  PASS medium
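If the rescan is part of a change pipeline rather than a manual session, you want a step that triggers the rescan, waits for every scan of the binding to reach DONE and fails when any of them is NON-COMPLIANT. The script below is an added example (not from the original post) that does this. It reads the scan names and states from the ComplianceSuite that the operator creates with the same name as the ScanSettingBinding (pci-dss-profile above), uses the same rescan annotation as the post, and assumes oc on PATH with access to openshift-compliance. One edge case it handles: immediately after the annotation the scans still show their previous DONE state until the operator restarts them, so the first poll waits a full interval before looking.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: re-run every scan created by a
# ScanSettingBinding and wait until all of them are DONE, returning an exit code
# a pipeline can gate on. Scan names and states come from the ComplianceSuite
# the operator creates with the same name as the binding.
# Assumes oc on PATH with access to openshift-compliance.
set -eu

NS=openshift-compliance

# "NAME PHASE RESULT" for each scan of the suite.
scan_statuses() {
  oc get compliancesuite -n "$NS" "$1" \
     -o jsonpath='{range .status.scanStatuses[*]}{.name} {.phase} {.result}{"\n"}{end}'
}

# Same rescan annotation as in the post, applied to every scan of the suite.
trigger_rescan() {
  scan_statuses "$1" | while read -r name _phase _result; do
    oc -n "$NS" annotate "compliancescans/$name" compliance.openshift.io/rescan=
  done
}

# Poll until every scan reports DONE, then print the final statuses.
# Returns 0 if all are COMPLIANT, 1 if any is NON-COMPLIANT (or ERROR),
# 2 on timeout. POLL_SECONDS and TIMEOUT_SECONDS can be overridden.
# The first poll waits a full interval: right after the annotation the scans
# still show the previous DONE state until the operator restarts them.
wait_for_scans() {
  local binding="$1" elapsed=0 statuses
  local poll="${POLL_SECONDS:-30}" timeout="${TIMEOUT_SECONDS:-3600}"
  while :; do
    sleep "$poll"
    elapsed=$((elapsed + poll))
    statuses=$(scan_statuses "$binding")
    if printf '%s\n' "$statuses" | awk '$2 != "DONE" { pending = 1 } END { exit pending + 0 }'; then
      printf '%s\n' "$statuses"
      if printf '%s\n' "$statuses" | awk '$3 != "COMPLIANT" { bad = 1 } END { exit bad + 0 }'; then
        return 0
      fi
      return 1
    fi
    if [ "$elapsed" -ge "$timeout" ]; then
      echo "timed out after ${elapsed}s waiting for the scans of $binding" >&2
      return 2
    fi
  done
}

# Usage: BINDING=pci-dss-profile ./rescan.sh
if [ -n "${BINDING:-}" ]; then
  trigger_rescan "$BINDING"
  wait_for_scans "$BINDING"
fi
```

Exit code 1 is the expected outcome while MANUAL checks are still open; treat 2 (timeout) as an operational problem with the operator or the node rollout rather than a compliance result.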

At this point, you should review the MANUAL rules and confirm that your application and environment are compliant.

Conclusion

In this post you've seen how to remediate the failed compliance checks of the PCI-DSS profile. Thanks for reading! I hope you found this helpful!
