You may be aware that I am writing a series of blogs related to Security and Compliance on the OpenShift Container Platform (OCP) on IBM Power Systems.
As part of this series, I wrote a blog, PCI-DSS and the Compliance Operator, on keeping a cluster secure and compliant; it shows how to use the Compliance Operator.
My team has added support for oc-compliance on OpenShift Container Platform on IBM Power, and in this post I cover downloading the tool, setting it up, and using it in the cluster.
To download the tool, you must first retrieve your Red Hat pull secret.
1. Navigate to https://console.redhat.com/openshift/downloads#tool-pull-secret
2. If prompted, log in with your Red Hat Network id.
3. Under Tokens, select Pull secret, then click Download.
4. Copy the pull secret to your working directory. It may be named pull-secret.dms; the podman command below refers to it as pull-secret, so rename it or adjust the --authfile path accordingly.
Set up the oc-compliance plugin
To set up and use the plugin, you need the latest Compliance Operator (v0.1.59 or later) installed in your OCP cluster.
1. Log in to your bastion VM.
2. Create the .local/bin directory that will hold the plugin.
$ mkdir -p ~/.local/bin
3. Run the oc-compliance-rhel8 container image. The container does nothing but copy the plugin binary out of the image into the ~/.local/bin directory mounted at /mnt/out; --arch ppc64le requests the Power build of the image.
$ podman run --authfile pull-secret --rm -v ~/.local/bin:/mnt/out:Z --arch ppc64le registry.redhat.io/compliance/oc-compliance-rhel8:stable /bin/cp /usr/bin/oc-compliance /mnt/out/
Trying to pull registry.redhat.io/compliance/oc-compliance-rhel8:stable...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 847f634e7f1e done
Copying blob 7643f185b5d8 done
Copying blob d6050ae37df3 done
Copying config 2f0afdf522 done
Writing manifest to image destination
Storing signatures
4. Check that the oc-compliance plugin matches your intended architecture.
$ file ~/.local/bin/oc-compliance
/root/.local/bin/oc-compliance: ELF 64-bit LSB executable, 64-bit PowerPC or cisco 7500, version 1 (SYSV), dynamically linked, interpreter /lib64/ld64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=d5bff511ee48b6cbc6afce6420e780da2f0eacdc, not stripped
If the output does not show a PowerPC binary, verify the architecture of the machine podman is running on (for example with uname -m); it should say ppc64le.
5. Once the oc-compliance plugin is installed in ~/.local/bin, add that directory to your PATH so that oc can discover the plugin.
$ export PATH=~/.local/bin:$PATH
Once the path is set up, you can use oc-compliance and oc compliance interchangeably.
Use the oc-compliance plugin
Once the oc-compliance plugin is installed successfully on Power, you can use its utilities to manage your compliance against a specific profile, such as PCI-DSS.
First, create a ScanSettingBinding to generate a compliance scan; here the binding is named binding and is bound to the ocp4-pci-dss profile.
$ oc-compliance bind -N binding profile/ocp4-pci-dss
Creating ScanSettingBinding binding
Once the binding is created and the scan is complete, you can use fetch-raw, which downloads the raw compliance results from the Persistent Volume where the operator stores them.
$ oc-compliance fetch-raw scansettingbinding binding
Fetching results for binding scans: ocp4-pci-dss
Fetching raw compliance results for scan 'ocp4-pci-dss'........
The raw compliance results are available in the following directory: ocp4-pci-dss
$ cd ocp4-pci-dss/
$ ls
ocp4-pci-dss-api-checks-pod.xml.bzip2
$ bunzip2 -c ocp4-pci-dss-api-checks-pod.xml.bzip2 > ocp4-pci-dss-api-checks-pod.xml
$ ls
ocp4-pci-dss-api-checks-pod.xml ocp4-pci-dss-api-checks-pod.xml.bzip2
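To see what the fetched results contain without reading the XML by hand, here is an added Python example, not from the original post or the oc-compliance project: it decompresses the .xml.bzip2 files that fetch-raw wrote and tallies the XCCDF rule results by status. The ARF document inside it is constructed and heavily abbreviated, and its rule ids follow the xccdf_org.ssgproject.content_rule_ naming convention but are illustrative.

```python
import bz2
import tempfile
import xml.etree.ElementTree as ET
from collections import Counter
from pathlib import Path

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed, heavily abbreviated ARF document standing in for the real ocp4-pci-dss-api-checks-pod.xml.
SAMPLE_ARF = f"""<arf:asset-report-collection xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1">
  <arf:reports><arf:report id="xccdf1"><arf:content>
    <TestResult xmlns="{XCCDF_NS}" id="xccdf_org.openscap_testresult_ocp4-pci-dss">
      <rule-result idref="xccdf_org.ssgproject.content_rule_api_server_audit_log_maxsize"
                   severity="medium"><result>fail</result></rule-result>
      <rule-result idref="xccdf_org.ssgproject.content_rule_scc_limit_ipc_namespace"
                   severity="medium"><result>notchecked</result></rule-result>
      <rule-result idref="xccdf_org.ssgproject.content_rule_api_server_anonymous_auth"
                   severity="medium"><result>pass</result></rule-result>
    </TestResult>
  </arf:content></arf:report></arf:reports>
</arf:asset-report-collection>"""

def parse_rule_results(xml_bytes: bytes) -> list:
    """Return (rule id, severity, result) for every XCCDF rule-result element."""
    root = ET.fromstring(xml_bytes)
    rows = []
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        res = rr.find(f"{{{XCCDF_NS}}}result")
        text = (res.text or "").strip() if res is not None else ""
        rows.append((rr.get("idref", ""), rr.get("severity", ""), text))
    return rows

def summarize_raw_dir(directory: Path) -> dict:
    """Decompress each *.xml.bzip2 that fetch-raw wrote and tally results by status."""
    # XCCDF 'notchecked' is what view-result shows as MANUAL: a human must verify it.
    counts: Counter = Counter()
    failing = []
    for path in sorted(directory.glob("*.xml.bzip2")):
        for rule, sev, res in parse_rule_results(bz2.decompress(path.read_bytes())):
            counts[res] += 1
            if res == "fail":
                failing.append((rule, sev))
    return {"counts": dict(counts), "failing": failing}

def demo() -> dict:
    """Write the constructed sample in fetch-raw's directory layout and summarize it."""
    workdir = Path(tempfile.mkdtemp(prefix="ocp4-pci-dss-"))
    (workdir / "ocp4-pci-dss-api-checks-pod.xml.bzip2").write_bytes(bz2.compress(SAMPLE_ARF.encode()))
    return summarize_raw_dir(workdir)
```

Point summarize_raw_dir at the real ocp4-pci-dss directory fetched above to get the same tally for your cluster.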
If your cluster is out of compliance, you can use fetch-fixes, which downloads the remediations the Compliance Operator recommends. They are stored as YAML files on the filesystem, so you can review them and then apply them to the cluster.
$ mkdir tmp
$ oc compliance fetch-fixes profile ocp4-pci-dss -o tmp/
…
No fixes to persist for rule 'ocp4-api-server-audit-log-maxbackup'
Persisted rule fix to tmp/ocp4-api-server-audit-log-maxsize.yaml
Not all rules have pre-defined fixes; for those that do, you can view the YAML file. Each fix is a YAML specification of the resource that needs to change, for example:
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
  maximumFileSizeMegabytes: 100
…
When you need more detail on a profile and its rules, use the controls verb to display the frameworks and controls the profile maps to, which explains why a given control or rule is required.
$ oc-compliance controls profile ocp4-pci-dss > ocp4-pci-dss-controls.txt
+-------------+------------------+
| FRAMEWORK   | CONTROLS         |
+-------------+------------------+
| CIS-OCP     | 1.2.1            |
+             +------------------+
|             | 1.2.10           |
+             +------------------+
|             | 1.2.11           |
+             +------------------+
|             | 1.2.12           |
+             +------------------+
|             | 1.2.13           |
+             +------------------+
|             | 1.2.14           |
+             +------------------+
|             | 1.2.15           |
+             +------------------+
|             | 1.2.16           |
+-------------+------------------+
Sometimes these scans fail. For that case the oc-compliance plugin provides the rerun-now verb, which forces the scan or set of scans to re-run on command instead of waiting for the next scheduled run.
$ oc-compliance rerun-now scansettingbinding binding
Rerunning scans from 'binding': ocp4-pci-dss
Re-running scan 'openshift-compliance/ocp4-pci-dss'
A very handy verb is view-result, which gathers everything about a specific compliance check result in one place, including the controls it maps to in each framework and whether a fix is available. Below is an abbreviated example:
$ oc-compliance view-result ocp4-pci-dss-scc-limit-ipc-namespace
+----------------------+--------------------------------------+
| KEY                  | VALUE                                |
+----------------------+--------------------------------------+
| Title                | Limit Access to the Host IPC         |
|                      | Namespace                            |
+----------------------+--------------------------------------+
| Status               | MANUAL                               |
+----------------------+--------------------------------------+
| Severity             | medium                               |
+----------------------+--------------------------------------+
| Description          | Containers should not be             |
|                      | allowed access to the host's         |
|                      | Interprocess Communication           |
|                      | (IPC) namespace. To prevent          |
|                      | containers from getting access       |
|                      | to a host's IPC namespace, the       |
|                      | appropriate Security Context         |
|                      | Constraints (SCCs) should set        |
|                      | allowHostIPC to false.               |
+----------------------+--------------------------------------+
| Rationale            | A container running in               |
|                      | the host's IPC namespace             |
|                      | can exploit other                    |
|                      | services.                            |
+----------------------+--------------------------------------+
| Instructions         | Inspect each SCC returned from       |
|                      | running the following command        |
+----------------------+--------------------------------------+
| CIS-OCP Controls     | 5.2.3                                |
+----------------------+--------------------------------------+
| NERC-CIP Controls    | CIP-003-8 R6, CIP-004-6 R3,          |
|                      | CIP-007-3 R6.1                       |
+----------------------+--------------------------------------+
| NIST-800-53 Controls | CM-6, CM-6(1)                        |
+----------------------+--------------------------------------+
| PCI-DSS Controls     | Req-2.2                              |
+----------------------+--------------------------------------+
| Available Fix        | No                                   |
+----------------------+--------------------------------------+
| Result Object Name   | ocp4-pci-dss-scc-limit-ipc-namespace |
+----------------------+--------------------------------------+
| Rule Object Name     | ocp4-scc-limit-ipc-namespace         |
+----------------------+--------------------------------------+
| Remediation Created  | No                                   |
+----------------------+--------------------------------------+
In this post you have seen how to download and set up the oc-compliance plugin on IBM Power and how to use it to fetch raw compliance check results, remediations, and control details for the PCI-DSS profile.
Thanks for reading! I hope you found this helpful :)