Supporting DISA-STIG v2r2 with the Compliance Operator on the Red Hat OpenShift Container Platform with IBM Power
Authors: Kaushik Talathi/IBM, Paul Bastide/IBM
The Compliance Operator is an optional operator that lets an administrator run compliance scans against the cluster and recommends remediations that keep the cluster aligned with a chosen compliance standard. The Compliance Operator runs a profile that assesses the platform's nodes and its Kubernetes API resources. Each check is expressed as SCAP content evaluated by OpenSCAP, a NIST-certified scanner; the content describes how to scan for, and where possible enforce, the security policy. The content is developed in the open (the ComplianceAsCode project), so you can read every rule as it is written.
This article describes how to use the Red Hat CoreOS DISA STIG profiles and how to remediate the findings reported by the rhcos4-stig profile.
To install the Compliance Operator on an OpenShift Container Platform 4.17 or later cluster, use the OperatorHub:
- Log in with a user ID that has cluster-admin access.
- In the OpenShift Container Platform web console, navigate to Operators → OperatorHub.
- Search for the Compliance Operator, then click Install.
- Keep the default Installation mode and namespace so that the Operator is installed into the openshift-compliance namespace.
- Click Install.
- Verify that the installation succeeded by inspecting the ClusterServiceVersion (CSV):
$ oc project openshift-compliance
Now using project "openshift-compliance" on server "https://****.****.****:6443".
$ oc get csv
NAME DISPLAY VERSION REPLACES PHASE
compliance-operator.v1.7.0 Compliance Operator 1.7.0 Succeeded
- Verify that the Compliance Operator deployments are up and running:
$ oc get deploy -n openshift-compliance
NAME READY UP-TO-DATE AVAILABLE AGE
compliance-operator 1/1 1 1 3m25s
ocp4-openshift-compliance-pp 1/1 1 1 2m49s
- Check the pods created for the Compliance Operator from the command line:
$ oc get pods
NAME READY STATUS RESTARTS AGE
compliance-operator-866488784f-pkr9m 1/1 Running 1 (3m8s ago) 3m34s
ocp4-openshift-compliance-pp-6f9bfc8997-mht76 1/1 Running 0 2m58s
- Verify that the DISA-STIG profiles are installed:
$ oc get -n openshift-compliance profiles.compliance | grep v2r2
NAME AGE
rhcos4-stig-v2r2 6d1h
The output shows that the rhcos4-stig-v2r2 profile is present. Drop the grep filter to list every profile the operator ships, including the unversioned rhcos4-stig profile referenced by the ScanSettingBinding in the next section.
Run a DISA-STIG compliance scan and check the scan output
To make your OpenShift cluster compliant with the DISA-STIG profile, you need to review the status of every compliance check result and apply the appropriate remediations.
To start a scan, create a ScanSettingBinding; the scan starts immediately after the binding is created.
- Use the OpenShift Container Platform web console (or oc apply) to create the ScanSettingBinding.
- Bind the rhcos4-stig node profile to the default ScanSetting. The default ScanSetting targets the master and worker roles, so one binding produces one scan per role. To pin the scan to the v2r2 release listed above, reference rhcos4-stig-v2r2 instead; the ocp4-stig and ocp4-stig-node platform profiles can be added to the same profiles list, but this article covers only the RHCOS node profile.
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: rhcos4-stig
  namespace: openshift-compliance
profiles:
  - name: rhcos4-stig
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
- Use the CLI to follow the scan:
$ oc get compliancescan -n openshift-compliance
NAME PHASE RESULT
rhcos4-stig-master RUNNING NOT-AVAILABLE
rhcos4-stig-worker LAUNCHING NOT-AVAILABLE
When a compliance scan completes, its PHASE changes to Done and RESULT shows COMPLIANT or NON-COMPLIANT.
$ oc get compliancescan -n openshift-compliance
NAME PHASE RESULT
rhcos4-stig-master Done NON-COMPLIANT
rhcos4-stig-worker Done NON-COMPLIANT
- To list the compliance check results (NAME, STATUS, SEVERITY), run:
$ oc get compliancecheckresult -n openshift-compliance | grep stig
rhcos4-stig-master-partition-for-var-log-audit MANUAL low
…
rhcos4-stig-worker-usbguard-allow-hid-and-hub FAIL medium
rhcos4-stig-worker-selinux-state PASS medium
- To list only the failed results, run:
$ oc get compliancecheckresult -n openshift-compliance | grep stig | grep FAIL
rhcos4-stig-master-audit-access-failed FAIL medium
...
rhcos4-stig-worker-sysctl-kernel-dmesg-restrict FAIL low
rhcos4-stig-worker-usbguard-allow-hid-and-hub FAIL medium
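The helpers below are an added example and are not part of the original article. They wait for the scans created by the binding to reach the DONE phase and triage the check results so that high-severity FAIL rows are remediated first, instead of eyeballing the grep output. They assume oc is logged in as cluster-admin and use the openshift-compliance namespace from this article; the sample tables at the bottom are constructed from the check names shown above, not captured from a cluster, and wait_for_scans needs a live cluster.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): wait for Compliance Operator scans to finish
# and triage the check results before remediating.
# Assumes: oc is logged in with cluster-admin; namespace as used in the article.

NS=openshift-compliance

# scans_done: read `oc get compliancescan` output on stdin and succeed only when every
# scan row has PHASE == DONE (compared case-insensitively; the header row is skipped).
scans_done() {
  awk '$2 == "PHASE" { next }
       toupper($2) != "DONE" { pending++ }
       END { exit (pending > 0) }'
}

# wait_for_scans [timeout_seconds]: poll until scans_done succeeds, then print the table.
# Needs a cluster; not exercised offline.
wait_for_scans() {
  local timeout="${1:-1800}" waited=0
  while ! oc -n "$NS" get compliancescan | scans_done; do
    if [ "$waited" -ge "$timeout" ]; then
      echo "timed out after ${timeout}s waiting for scans to reach DONE" >&2
      return 1
    fi
    sleep 30
    waited=$((waited + 30))
  done
  oc -n "$NS" get compliancescan
}

# failed_by_severity: read `oc get compliancecheckresult` rows (NAME STATUS SEVERITY) on stdin
# and print "SEVERITY NAME" for FAIL rows, high first, so the riskiest gaps are closed first.
failed_by_severity() {
  awk 'BEGIN { rank["high"] = 0; rank["medium"] = 1; rank["low"] = 2 }
       $2 == "FAIL" { r = ($3 in rank) ? rank[$3] : 3; printf "%d %s %s\n", r, $3, $1 }' \
    | sort -k1,1n -k3,3 | cut -d' ' -f2-
}

# count_by_status: print "STATUS COUNT" lines for the table on stdin (header rows are ignored
# because their second field is not a known status).
count_by_status() {
  awk '$2 ~ /^(PASS|FAIL|MANUAL|INFO|NOT-APPLICABLE|ERROR|INCONSISTENT)$/ { c[$2]++ }
       END { for (s in c) print s, c[s] }' | sort
}

# Constructed sample tables (not captured from a cluster) in the shape oc prints, using the
# check names that appear in the article.
SAMPLE_SCANS_RUNNING='NAME PHASE RESULT
rhcos4-stig-master RUNNING NOT-AVAILABLE
rhcos4-stig-worker DONE NON-COMPLIANT'

SAMPLE_SCANS_DONE='NAME PHASE RESULT
rhcos4-stig-master DONE NON-COMPLIANT
rhcos4-stig-worker DONE NON-COMPLIANT'

SAMPLE_RESULTS='NAME STATUS SEVERITY
rhcos4-stig-master-partition-for-var-log-audit MANUAL low
rhcos4-stig-master-audit-access-failed FAIL medium
rhcos4-stig-worker-sysctl-kernel-dmesg-restrict FAIL low
rhcos4-stig-worker-usbguard-allow-hid-and-hub FAIL medium
rhcos4-stig-worker-selinux-state PASS medium'

# Offline demo on the constructed samples. On a cluster use:
#   wait_for_scans && oc -n "$NS" get compliancecheckresult | failed_by_severity
demo_triage() {
  printf '%s\n' "$SAMPLE_SCANS_RUNNING" | scans_done || echo "scans still running"
  printf '%s\n' "$SAMPLE_RESULTS" | count_by_status
  printf '%s\n' "$SAMPLE_RESULTS" | failed_by_severity
}
```

MANUAL rows are deliberately left out of failed_by_severity: they carry no ComplianceRemediation and have to be reviewed by hand, as the end of this article notes.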
Remediating the failed results
Many of the failed results ship with a ComplianceRemediation object of the same name, and the script below applies those automatically. Replace <scan-name> with the actual scan name and run the script once for each scan. To list the scans, run the command below. The two usbguard-related rules are skipped by the script and handled separately afterwards.
$ oc get compliancescan -n openshift-compliance
NAME PHASE RESULT
rhcos4-stig-master Done NON-COMPLIANT
rhcos4-stig-worker Done NON-COMPLIANT
SCAN=<scan-name>   # for example rhcos4-stig-worker
for REMEDIATION in $(oc -n openshift-compliance get compliancecheckresults.compliance \
    -l "compliance.openshift.io/scan-name in (${SCAN})" --no-headers | grep -v PASS | awk '{print $1}'); do
  # The usbguard rules need the usbguard RHCOS extension first (see below), so skip them here.
  if [[ "$REMEDIATION" == *"usbguard-allow-hid-and-hub"* || "$REMEDIATION" == *"kernel-module-usb-storage-disabled"* ]]; then
    echo "Skipping $REMEDIATION"
    continue
  fi
  echo "REMEDIATION ${REMEDIATION}"
  # Not every non-PASS result has a ComplianceRemediation (MANUAL checks, for example);
  # only patch the ones that exist.
  if oc -n openshift-compliance get complianceremediations "${REMEDIATION}" >/dev/null 2>&1; then
    oc -n openshift-compliance patch "complianceremediations/${REMEDIATION}" --patch '{"spec":{"apply":true}}' --type=merge
  fi
done
Note: the rules usbguard-allow-hid-and-hub and kernel-module-usb-storage-disabled are skipped by the auto-remediation script because the usbguard RHCOS extension must be installed first.
Fixing the rules usbguard-allow-hid-and-hub and kernel-module-usb-storage-disabled
Note: the order of the following steps matters.
- Add the usbguard extension to RHCOS by creating 80-extensions.yaml and applying it:
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker
  name: 80-worker-extensions
spec:
  config:
    ignition:
      version: 3.2.0
  extensions:
    - usbguard
- The machines in mcp/worker reboot as the MachineConfig is rolled out. This object targets only the worker role; the master scan (rhcos4-stig-master) needs an equivalent MachineConfig labelled machineconfiguration.openshift.io/role: master.
- Rescan and verify the rules (a number of them are still expected to fail at this point).
- Apply the remediation for kernel-module-usb-storage-disabled; with the extension in place it can now be auto-remediated.
- Configure usbguard by adding /etc/usbguard/rules.conf to the same MachineConfig. Retrieve the current object with oc get mc 80-worker-extensions -oyaml and update it so that it carries both the rules file and the extension (applying a storage-only object under the same name would drop the extension):
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker
  name: 80-worker-extensions
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - contents:
            # the data URL has a single "data:" prefix; "data:data:" is rejected by Ignition
            source: data:text/plain;base64,IyBSVUxFUwphbGxvdyB3aXRoLWludGVyZmFjZSBtYXRjaC1hbGwgeyAwMzoqOiogMDk6MDA6KiB9Cg==
          mode: 420
          overwrite: true
          path: /etc/usbguard/rules.conf
  extensions:
    - usbguard
After the MachineConfig is applied, /etc/usbguard/rules.conf on the nodes should contain the decoded base64 payload:
# RULES
allow with-interface match-all { 03:*:* 09:00:* }
This allows only devices whose interfaces are all HID (class 03, keyboards and mice) or hubs (class 09, subclass 00); every other device falls through to usbguard's implicit policy, which blocks it.
- Re-run the auto-remediation script for the rules that FAILED earlier once the two usbguard rules are resolved. Replace <scan-name> with the actual scan name and run it once for each scan; list the scans with the command below. Then apply the two usbguard service remediations explicitly:
$ oc get compliancescan -n openshift-compliance
NAME PHASE RESULT
rhcos4-stig-master Done NON-COMPLIANT
rhcos4-stig-worker Done NON-COMPLIANT
oc -n openshift-compliance patch complianceremediations/<scan-name>-service-usbguard-enabled --patch '{"spec":{"apply":true}}' --type=merge
oc -n openshift-compliance patch complianceremediations/<scan-name>-configure-usbguard-auditbackend --patch '{"spec":{"apply":true}}' --type=merge
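The script below is an added example, not the article's own YAML. It generates the combined usbguard MachineConfig for any MachineConfigPool role, building the base64 data URL from the rules text so the source prefix and the rules cannot be mistyped, and checks the round trip by decoding what it embedded. The rule set is the one from this article; the object name 80-<role>-extensions extends the article's worker naming to other roles and is an assumption.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): generate the usbguard MachineConfig for a
# given MachineConfigPool role, with /etc/usbguard/rules.conf carried as a base64 data URL.
# Assumptions: the rule set is the article's (allow HID class 03 and hubs class 09:00);
# the object name 80-<role>-extensions extends the article's worker naming to other roles.

# usbguard_rules: the rules.conf body. Devices whose interfaces are all HID (03:*:*)
# or hubs (09:00:*) are allowed; everything else falls through to the implicit policy.
usbguard_rules() {
  printf '# RULES\nallow with-interface match-all { 03:*:* 09:00:* }\n'
}

# b64_oneline: base64 without line wrapping, portable across GNU and BSD base64.
b64_oneline() {
  base64 | tr -d '\n'
}

# usbguard_mc_yaml ROLE: print a MachineConfig that both installs the usbguard extension
# and writes the rules file, so applying it never drops the extension (a storage-only
# object under the same name would replace it).
usbguard_mc_yaml() {
  local role="$1" b64
  b64="$(usbguard_rules | b64_oneline)"
  cat <<EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: ${role}
  name: 80-${role}-extensions
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - contents:
            source: data:text/plain;base64,${b64}
          mode: 420
          overwrite: true
          path: /etc/usbguard/rules.conf
  extensions:
    - usbguard
EOF
}

# usbguard_mc_roundtrip_ok ROLE: decode the data URL from the generated YAML and confirm it
# matches the rules exactly, so a bad prefix (e.g. "data:data:") or a mangled rule is caught.
usbguard_mc_roundtrip_ok() {
  local encoded
  encoded="$(usbguard_mc_yaml "$1" | sed -n 's/.*source: data:text\/plain;base64,//p')"
  [ -n "$encoded" ] && [ "$(printf '%s' "$encoded" | base64 -d)" = "$(usbguard_rules)" ]
}

# Usage (on a cluster):
#   usbguard_mc_yaml worker | oc apply -f -
#   usbguard_mc_yaml master | oc apply -f -   # masters need their own MachineConfig
```

Because each role gets its own object, the master pool can be covered with the same rules without editing YAML by hand; each apply triggers a rolling reboot of that pool.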
After remediating, re-run the scan. Node remediations are applied as MachineConfigs, so wait for the affected MachineConfigPool to finish updating (its nodes reboot) before triggering the rescan. Replace <scan-name> with the actual scan name.
$ oc -n openshift-compliance annotate compliancescans/<scan-name> compliance.openshift.io/rescan=
compliancescan.compliance.openshift.io/<scan-name> annotated
Wait for the scan to complete, then confirm that both scans report COMPLIANT:
$ oc get compliancescan -n openshift-compliance
NAME PHASE RESULT
rhcos4-stig-master Done COMPLIANT
rhcos4-stig-worker Done COMPLIANT
and that the individual compliance check results have passed:
$ oc get compliancecheckresult -n openshift-compliance | grep stig
rhcos4-stig-master-partition-for-var-log-audit MANUAL low
…
rhcos4-stig-worker-usbguard-allow-hid-and-hub PASS medium
rhcos4-stig-worker-selinux-state PASS medium
At this point, review the MANUAL rules and confirm that your application and environment are compliant; those checks cannot be evaluated or remediated automatically.
In this post you have seen how to use, and remediate findings for, the Red Hat CoreOS DISA-STIG v2r2 profiles. Thanks for reading! We hope you found this helpful.