@@ -5,10 +5,39 @@ prodtype: ocp4
55title : ' Limit Container Capabilities'
66
77description : |-
8- Containers should not enable more capabilities than needed as this
8+ <p>
9+ Containers should not enable more capabilites than needed as this
910 opens the door for malicious use. To enable only the
1011 required capabilities, the appropriate Security Context Constraints (SCCs)
1112 should set capabilities as a list in <tt>allowedCapabilities</tt>.
13+ </p>
14+ <p>
15+ In case an SCC outside the default allow list in the variable
16+ <tt>var-sccs-with-allowed-capabilities-regex</tt> is being flagged,
17+ create a <tt>TailoredProfile</tt> and add the additional SCC to the
18+ regular expression in the variable <tt>var-sccs-with-allowed-capabilities-regex</tt>.
19+ An example allowing an SCC named <tt>additional</tt> follows:
20+ </p>
21+ <pre>
22+ apiVersion: compliance.openshift.io/v1alpha1
23+ kind: TailoredProfile
24+ metadata:
25+ name: cis-additional-scc
26+ spec:
27+ description: Allows an additional scc
28+ setValues:
29+ - name: upstream-ocp4-var-sccs-with-allowed-capabilities-regex
30+ rationale: Allow our own custom SCC
31+ value: ^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$|^additional$
32+ extends: upstream-ocp4-cis
33+ title: Modified CIS allowing one more SCC
34+ </pre>
35+ <p>
36+ Finally, reference this <tt>TailoredProfile</tt> in a <tt>ScanSettingBinding</tt>
37+ For more information on Tailoring the Compliance Operator, please consult the
38+ OpenShift documentation:
39+ {{{ weblink(link="https://docs.openshift.com/container-platform/4.12/security/compliance_operator/compliance-operator-tailor.html") }}}
40+ </p>
1241
1342rationale : |-
1443 By default, containers run with a default set of capabilities as assigned
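Review bot: the rewritten description sentence (new line 9, `Containers should not enable more capabilites than needed`) introduces a spelling error that the removed line did not have; restore `capabilities`. Two smaller points in the same hunk: new line 36 runs two sentences together (`reference this <tt>TailoredProfile</tt> in a <tt>ScanSettingBinding</tt>` is immediately followed by `For more information`), so add a period after `ScanSettingBinding`; and the TailoredProfile example sets `upstream-ocp4-var-sccs-with-allowed-capabilities-regex` while the ocil text in the second hunk reads the variable as `ocp4-var-sccs-with-allowed-capabilities-regex`. Either align the two names or add a sentence saying that the prefix follows the profile bundle the TailoredProfile `extends` (`upstream-ocp4-cis` in the example), otherwise a reader copying the example against the shipped `ocp4-cis` profile will reference a variable that does not match the rest of the rule text.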
@@ -31,25 +60,17 @@ references:
3160ocil_clause : ' allowed capabilities listings in SCCs needs review'
3261
3362ocil : |-
34- Inspect each SCC returned from running the following command:
35- <pre>$ oc get scc</pre>
36- Next, examine the outputs of the following commands:
37- <pre>$ oc describe roles --all-namespaces</pre>
38- <pre>$ oc describe clusterroles</pre>
39- For any role/clusterrole that reference the
40- <tt>securitycontextconstraints</tt> resource with the <tt>resourceNames</tt>
41- of the SCCs that do not list an explicit <tt>allowedCapabilities</tt>, examine the
42- associated rolebindings to account for the users that are bound to the role.
43- Review each SCC and determine that only required capabilities are either
44- completely added as a list entry under <tt>allowedCapabilities</tt>,
45- or that all the un-required capabilities are dropped for containers and SCCs.
46- variable var_sccs_with_allowed_capabilities_regex can be set to exclude certain
47- SCCs from the check.
48- Use following command to verify if the correct regex is being used, this ouput
49- will list unqualified SCCs:
63+ This rule checks the SCCs with allowedCapabilities set to non-null
64+ and fails if there are more such SCCs than those allowed in the variable
65+ named ocp4-var-sccs-with-allowed-capabilities-regex. To debug the rule,
66+ check the variable value, e.g:
67+ <pre>$ oc get variable ocp4-var-sccs-with-allowed-capabilities-regex -ojsonpath='{.value}' </pre>
68+ Then use following command to list the SCCs that would fail the test:
5069 <pre>$ oc get scc -o json | {{{ jqfilter }}}</pre>
51- {{.var_sccs_with_allowed_capabilities_regex}} should be replace to the actual value set,
52- either the default one or the one set from TailoredProfile.
70+ Please replace the regular expression in the test command with the value read from the variable
71+ <pre>ocp4-var-sccs-with-allowed-capabilities-regex</pre>. You can read the variable
72+ value with:
73+ <pre>$ oc get variable ocp4-var-sccs-with-allowed-capabilities-regex -ojsonpath='{.value}' -n openshift-compliance </pre>
5374
5475
5576warnings :
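Review bot: the command that reads the variable value appears twice in the new ocil text (new lines 67 and 73), once without a namespace and once with `-n openshift-compliance`; keep only the namespaced form, since the first variant only works when the caller's current project happens to be the operator namespace, and move it before the `oc get scc -o json | {{{ jqfilter }}}` command so the reader obtains the value before being told to substitute it. Also, new line 71 wraps the variable name `ocp4-var-sccs-with-allowed-capabilities-regex` in `<pre>` inside a running sentence, whereas the rest of the file uses `<tt>` for inline identifiers and `<pre>` for whole commands; use `<tt>` here. Minor wording: `e.g:` should be `e.g.:` and `use following command` should read `use the following command`.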