From 0031534ab0942de9377b05c47f6b01b6385818a0 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Tue, 2 Feb 2021 10:57:37 +0200
Subject: [PATCH] ocp4/CIS: Address 3.2

This addresses 3.2.1 and 3.2.2 with a single rule that checks that desired audit profile is set in the cluster.

Signed-off-by: Juan Antonio Osorio Robles
---
 .../logging/audit_profile_set/rule.yml | 71 +++++++++++++++++++
 .../audit_profile_set/tests/ocp4/e2e.yml | 2 +
 applications/openshift/logging/group.yml | 8 +++
 .../logging/var_openshift_audit_profile.var | 19 +++++
 ocp4/profiles/cis.profile | 1 +
 shared/references/cce-redhat-avail.txt | 1 -
 6 files changed, 101 insertions(+), 1 deletion(-)
 create mode 100644 applications/openshift/logging/audit_profile_set/rule.yml
 create mode 100644 applications/openshift/logging/audit_profile_set/tests/ocp4/e2e.yml
 create mode 100644 applications/openshift/logging/group.yml
 create mode 100644 applications/openshift/logging/var_openshift_audit_profile.var

diff --git a/applications/openshift/logging/audit_profile_set/rule.yml b/applications/openshift/logging/audit_profile_set/rule.yml
new file mode 100644
index 000000000000..438c12eeef23
--- /dev/null
+++ b/applications/openshift/logging/audit_profile_set/rule.yml
@@ -0,0 +1,71 @@
+prodtype: ocp4
+
+title: Ensure that the cluster's audit profile is properly set
+
+description: |-
+

+ OpenShift can audit the details of requests made to the API server through
+ the standard Kubernetes audit capabilities.
+

+ +

+ In OpenShift, auditing of the API Server is on by default. Audit provides a
+ security-relevant chronological set of records documenting the sequence of
+ activities that have affected system by individual users, administrators, or
+ other components of the system. Audit works at the API server level, logging
+ all requests coming to the server. Each audit log contains two entries:
+

+ +

+ The request line containing:
+

+
+
+

+ The response line containing:
+

+
+
+

+ For more information on how to configure the audit profile, please visit
+ {{{ weblink(link="https://docs.openshift.com/container-platform/4.6/security/audit-log-policy-config.html",
+ text="the documentation") }}}
+

+
+rationale: |-
+ Logging is an important detective control for all systems, to detect potential
+ unauthorised access.
+
+identifiers:
+ cce@ocp4: CCE-83577-7
+
+references:
+ cis: 3.2.1,3.2.2
+
+severity: medium
+
+warnings:
+- general: |-
+ {{{ openshift_cluster_setting("/apis/config.openshift.io/v1/apiservers/cluster") | indent(4) }}}
+
+template:
+ name: yamlfile_value
+ vars:
+ ocp_data: "true"
+ filepath: /apis/config.openshift.io/v1/apiservers/cluster
+ yamlpath: "spec.audit.profile"
+ xccdf_variable: var_openshift_audit_profile
\ No newline at end of file
diff --git a/applications/openshift/logging/audit_profile_set/tests/ocp4/e2e.yml b/applications/openshift/logging/audit_profile_set/tests/ocp4/e2e.yml
new file mode 100644
index 000000000000..b49fd368b988
--- /dev/null
+++ b/applications/openshift/logging/audit_profile_set/tests/ocp4/e2e.yml
@@ -0,0 +1,2 @@
+---
+default_result: PASS
diff --git a/applications/openshift/logging/group.yml b/applications/openshift/logging/group.yml
new file mode 100644
index 000000000000..927585a469ba
--- /dev/null
+++ b/applications/openshift/logging/group.yml
@@ -0,0 +1,8 @@
+documentation_complete: true
+
+prodtype: ocp4
+
+title: 'OpenShift - Logging Settings'
+
+description: |-
+ Contains evaluations for the cluster's logging configuration settings.
diff --git a/applications/openshift/logging/var_openshift_audit_profile.var b/applications/openshift/logging/var_openshift_audit_profile.var
new file mode 100644
index 000000000000..7e6743ce881f
--- /dev/null
+++ b/applications/openshift/logging/var_openshift_audit_profile.var
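Review bot: The `template` block makes the rule pass whenever `spec.audit.profile` equals `var_openshift_audit_profile`, whose default is `Default`, so a cluster that has never changed its audit profile satisfies both CIS 3.2.1 and 3.2.2 under this rule (presumably that is the state the e2e fixture expects, since it sets `default_result: PASS` with no setup); neither the title "properly set" nor the rationale tells an assessor that a stricter profile is only required after the variable is tailored. Suggest ending the description with `This rule passes when the configured profile matches the var_openshift_audit_profile variable; select WriteRequestBodies or AllRequestBodies in a tailoring file to require request bodies in the audit log.` It is also worth confirming how `yamlfile_value` reports when `spec.audit.profile` is absent from the APIServer object, as the PASS expectation depends on that. The bullet items under "The request line containing:" and "The response line containing:" are empty in this view; if the committed file also lacks them, the description announces two entries and describes neither.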
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+title: 'Configure the OpenShift Audit Profile'
+
+description: |-
+ Audit log profiles define how to log requests that come to the OpenShift
+ API server, the Kubernetes API server, and the OAuth API server.
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+ default: "Default"
+ Default: "Default"
+ WriteRequestBodies: "WriteRequestBodies"
+ AllRequestBodies: "AllRequestBodies"
\ No newline at end of file
diff --git a/ocp4/profiles/cis.profile b/ocp4/profiles/cis.profile
index b9b2b9ce574b..bd15e8b53e55 100644
--- a/ocp4/profiles/cis.profile
+++ b/ocp4/profiles/cis.profile
@@ -158,6 +158,7 @@ selections:
 #### 3.2 Logging
 # 3.2.1 Ensure that a minimal audit policy is created
 # 3.2.2 Ensure that the audit policy covers key security concerns
+ - audit_profile_set
 ### 4 Worker Nodes ###
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index e0562485625c..a39b145df02b 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -98,7 +98,6 @@ CCE-83568-6
 CCE-83569-4
 CCE-83570-2
 CCE-83575-1
-CCE-83577-7
 CCE-83579-3
 CCE-83581-9
 CCE-83583-5
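Review bot: `operator: equals` combined with `default: "Default"` means a cluster hardened beyond the tailored value (for example `AllRequestBodies` when the variable is `WriteRequestBodies`) fails `audit_profile_set`, and the cis.profile hunk in this same commit selects the rule without pinning a variable value, so the profile as shipped checks for exactly `Default`. If a stricter-than-selected profile should be acceptable, `equals` cannot express that; at minimum the description should say the match is exact, e.g. `The audit_profile_set rule passes only when the cluster's spec.audit.profile is exactly this value.` The `WriteRequestBodies` and `AllRequestBodies` names suggest request bodies are written to the audit log; if that is the case, one sentence noting that bodies can carry sensitive content and increase log volume would help whoever tailors this variable.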