Merge pull request #110 from AniruddhaNayek/disa_stig

ppc64le-cloud-bot · web-flow · commit 56f686613cef · 2025-04-08T17:26:23.000+05:30
Automate DISA-STIG profiles in CO
diff --git a/README.md b/README.md
@@ -48,6 +48,7 @@ This repository consists of additional ansible playbooks for the following:
 1. Validate Scheduler-Plugins
 1. Deploy Ingress Firewall Operator and run e2e.
 1. Validate CPU manager feature and run e2e.
+1. Enable DISA-STIG profiles for CO on P and remediate various rules
 
 ## Assumptions:
 
diff --git a/examples/all.yaml b/examples/all.yaml
@@ -314,6 +314,14 @@ sso_github_username: ""
 sso_github_token: ""
 sso_cleanup: true
 
+# ocp-disa-stig vars
+stig_compliance_enabled: false
+compliance_catalogsource: "redhat-operators"
+compliance_upgrade_channel: "stable"
+rhcos4_contentfile: "ssg-rhcos4-ds.xml"
+ocp4_contentfile: "ssg-ocp4-ds.xml"
+content_image: "ghcr.io/complianceascode/k8scontent:latest"
+
 #ocp-verification-tests vars
 verification_enabled: false
 verification_dir: "/root/verification-tests"
diff --git a/examples/ocp_disa_stig_vars.yaml b/examples/ocp_disa_stig_vars.yaml
@@ -0,0 +1,8 @@
+---
+# ocp-disa-stig vars
+stig_compliance_enabled: false
+compliance_catalogsource: "redhat-operators"
+compliance_upgrade_channel: "stable"
+rhcos4_contentfile: "ssg-rhcos4-ds.xml"
+ocp4_contentfile: "ssg-ocp4-ds.xml"
+content_image: "ghcr.io/complianceascode/k8scontent:latest"
diff --git a/playbooks/main.yml b/playbooks/main.yml
@@ -68,6 +68,9 @@
 - import_playbook: ocp-compliance.yml
   when: compliance_enabled is defined and compliance_enabled
 
+- import_playbook: ocp-disa-stig-compliance.yml
+  when: stig_compliance_enabled is defined and stig_compliance_enabled
+
 - import_playbook: hypershift.yml
   when: >
         (hypershift_install is defined and hypershift_install) or 
diff --git a/playbooks/ocp-disa-stig-compliance.yml b/playbooks/ocp-disa-stig-compliance.yml
@@ -0,0 +1,6 @@
+# ocp-disa-stig-compliance
+---
+- name: Validate stig profiles
+  hosts: bastion
+  roles:
+  - ocp-disa-stig-compliance
diff --git a/playbooks/roles/ocp-disa-stig-compliance/README.md b/playbooks/roles/ocp-disa-stig-compliance/README.md
@@ -0,0 +1,63 @@
+ocp-disa-stig-compliance
+========================
+
+The Compliance Operator lets OpenShift Container Platform administrators describe the required compliance state of a cluster and provides them with an overview of gaps and ways to remediate them. The Compliance Operator assesses compliance of both the Kubernetes API resources of OpenShift Container Platform, as well as the nodes running the cluster. The Compliance Operator uses OpenSCAP, a NIST-certified tool, to scan and enforce security policies provided by the content.
+
+This playbook installs Compliance Operator and enables: 
+Various rhcos4 and ocp4 disa-stig profiles
+Remediate various rules under these profiles to make them compliant, ensuring validation of these profiles for CO on Power.
+
+Requirements
+------------
+
+- Access to the cluster as a user with the cluster-admin role.
+- The cluster is in a known good state, without any errors.
+- Default StorageClass must be configured
+
+Role Variables
+--------------
+
+Role Variables
+--------------
+| Variable                       | Required | Default     | Comments                                       |
+|--------------------------------|----------|-------------|------------------------------------------------|
+| stig_compliance_enabled        | no       |    false    | Set it to true to run this playbook            |
+| compliance_catalogsource       | yes      | "redhat-operators" | Catlog source index image. default `redhat-operators` catalog source will be used |
+| compliance_upgrade_channel     | yes      |    stable   | Channel version for the compliance operator    |
+| rhcos4_contentfile             | yes      | "ssg-rhcos4-ds.xml" | Location of the file containing the rhcos4 compliance content |
+| ocp4_contentfile               | yes      | "ssg-ocp4-ds.xml"   | Location of the file containing the ocp4 compliance content |
+| content_image                  | yes      | "ghcr.io/complianceascode/k8scontent:latest" | Content image location |
+
+
+Example Playbook
+----------------
+
+```
+- name: Validate stig profiles
+  hosts: bastion
+  roles:
+  - ocp-disa-stig-compliance
+```
+
+Steps to run playbook
+----------------------
+ 
+- Copy `ocp4-playbooks-extras/examples/inventory` file to the home or working directory and modify it to add a remote host
+- Copy the `ocp4-playbooks-extras/examples/ocp_disa_stig_vars.yaml` to the home or working directory and set the role variables for `roles/ocp-disa-stig-compliance` with the custom inputs.
+- To execute the playbook run the below sample command
+ 
+ 
+Sample Command
+---------------
+ 
+ansible-playbook -i inventory -e @ocp_disa_stig_vars.yaml ~/ocp4-playbooks-extras/playbooks/ocp-disa-stig-compliance.yml
+
+License
+-------
+
+See LICENCE.txt
+
+Author Information
+------------------
+
+aniruddha.nayek@ibm.com
diff --git a/playbooks/roles/ocp-disa-stig-compliance/defaults/main.yml b/playbooks/roles/ocp-disa-stig-compliance/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+# defaults file for playbooks/roles/ocp-disa-stig-compliance
+stig_compliance_enabled: false
+compliance_catalogsource: "redhat-operators"
+compliance_upgrade_channel: "stable"
+rhcos4_contentfile: "ssg-rhcos4-ds.xml"
+ocp4_contentfile: "ssg-ocp4-ds.xml"
+content_image: "ghcr.io/complianceascode/k8scontent:latest"
diff --git a/playbooks/roles/ocp-disa-stig-compliance/files/MC1.yml b/playbooks/roles/ocp-disa-stig-compliance/files/MC1.yml
@@ -0,0 +1,12 @@
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+  labels:
+    machineconfiguration.openshift.io/role: worker
+  name: 80-worker-extensions
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+  extensions:
+  - usbguard
diff --git a/playbooks/roles/ocp-disa-stig-compliance/files/MC2.yml b/playbooks/roles/ocp-disa-stig-compliance/files/MC2.yml
@@ -0,0 +1,14 @@
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+  name: 75-master-worker-enable
+  labels:
+    machineconfiguration.openshift.io/role: worker
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: usbguard.service
+        enabled: true
diff --git a/playbooks/roles/ocp-disa-stig-compliance/files/MC3.yml b/playbooks/roles/ocp-disa-stig-compliance/files/MC3.yml
@@ -0,0 +1,16 @@
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+  name: 99-worker-usbguard-rules-conf
+  labels:
+    machineconfiguration.openshift.io/role: worker
+spec:
+  config:
+    ignition:
+      version: 3.2.0
+    storage:
+      files:
+      - path: /etc/usbguard/rules.conf
+        contents:
+          source: data:text/plain;charset=utf-8;base64,IyBSVUxFUwphbGxvdyB3aXRoLWludGVyZmFjZSBtYXRjaC1hbGwgeyAwMzoqOiogMDk6MDA6KiB9Cg==
+        mode: 0600
diff --git a/playbooks/roles/ocp-disa-stig-compliance/files/MC4.yml b/playbooks/roles/ocp-disa-stig-compliance/files/MC4.yml
@@ -0,0 +1,17 @@
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+  name: 99-worker-usb-storage-config
+  labels:
+    machineconfiguration.openshift.io/role: worker
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - path: /etc/modprobe.d/usb-storage.conf
+        mode: 0600
+        overwrite: true
+        contents:
+          source: data:text/plain;base64,aW5zdGFsbCB1c2Itc3RvcmFnZSAvYmluL2ZhbHNlCmJsYWNrbGlzdCB1c2Itc3RvcmFnZQ==
diff --git a/playbooks/roles/ocp-disa-stig-compliance/files/MC5.yml b/playbooks/roles/ocp-disa-stig-compliance/files/MC5.yml
@@ -0,0 +1,17 @@
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+  name: 99-worker-usbguard-daemon-rules-config
+  labels:
+    machineconfiguration.openshift.io/role: worker
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - path: /etc/usbguard/usbguard-daemon.conf
+        mode: 0600
+        overwrite: true
+        contents:
+          source: data:;base64,IyBSdWxlIHNldCBmaWxlIHBhdGguClJ1bGVGaWxlPS9ldGMvdXNiZ3VhcmQvcnVsZXMuY29uZgoKIyBSdWxlIHNldCBmb2xkZXIgcGF0aC4KUnVsZUZvbGRlcj0vZXRjL3VzYmd1YXJkL3J1bGVzLmQvCgojIEltcGxpY2l0IHBvbGljeSB0YXJnZXQuCkltcGxpY2l0UG9saWN5VGFyZ2V0PWJsb2NrCgojIFByZXNlbnQgZGV2aWNlIHBvbGljeS4KUHJlc2VudERldmljZVBvbGljeT1hcHBseS1wb2xpY3kKCiMgUHJlc2VudCBjb250cm9sbGVyIHBvbGljeS4KUHJlc2VudENvbnRyb2xsZXJQb2xpY3k9a2VlcAoKIyBJbnNlcnRlZCBkZXZpY2UgcG9saWN5LgpJbnNlcnRlZERldmljZVBvbGljeT1hcHBseS1wb2xpY3kKCiMgUmVzdG9yZSBjb250cm9sbGVyIGRldmljZSBzdGF0ZS4KUmVzdG9yZUNvbnRyb2xsZXJEZXZpY2VTdGF0ZT1mYWxzZQoKIyBEZXZpY2UgTWFuYWdlciBiYWNrZW5kCkRldmljZU1hbmFnZXJCYWNrZW5kPXVldmVudAoKIyBVc2VycyBhbGxvd2VkIHRvIHVzZSB0aGUgSVBDIGludGVyZmFjZS4KSVBDQWxsb3dlZFVzZXJzPXJvb3QKCiMgR3JvdXBzIGFsbG93ZWQgdG8gdXNlIHRoZSBJUEMgaW50ZXJmYWNlLgpJUENBbGxvd2VkR3JvdXBzPXdoZWVsCgojIElQQyBhY2Nlc3MgY29udHJvbCBkZWZpbml0aW9uIGZpbGVzIHBhdGguCklQQ0FjY2Vzc0NvbnRyb2xGaWxlcz0vZXRjL3VzYmd1YXJkL0lQQ0FjY2Vzc0NvbnRyb2wuZC8KCiMgR2VuZXJhdGUgZGV2aWNlIHNwZWNpZmljIHJ1bGVzIGluY2x1ZGluZyB0aGUgdmlhNTAyCiMgYXR0cmlidXRlLgpEZXZpY2VSdWxlc1dpdGhQb3J0PWZhbHNlCgojIFVTQkd1YXJkIEF1ZGl0IGV2ZW50cyBsb2cgYmFja2VuZAojICogRmlsZUF1ZGl0IC0gTG9nIGF1ZGl0IGV2ZW50cyBpbnRvIGEgZmlsZSBzcGVjaWZpZWQgYnkKIyAgICAgICAgICAgICAgICAgICAgQXVkaXRGaWxlUGF0aCBzZXR0aW5nIChzZWUgYmVsb3cpCiMgICogTGludXhBdWRpdCAtIExvZyBhdWRpdCBldmVudHMgdXNpbmcgdGhlIExpbnV4IEF1ZGl0IHN1YnN5c3RlbSAodXNpbmcgYXVkaXRfbG9nX3VzZXJfbWVzc2FnZSkKQXVkaXRCYWNrZW5kPUxpbnV4QXVkaXQKCiMgVVNCR3VhcmQgYXVkaXQgZXZlbnRzIGxvZyBmaWxlIHBhdGguCkF1ZGl0RmlsZVBhdGg9L3Zhci9sb2cvdXNiZ3VhcmQvdXNiZ3VhcmQtYXVkaXQubG9nCg==
diff --git a/playbooks/roles/ocp-disa-stig-compliance/files/autoremediation-script.sh b/playbooks/roles/ocp-disa-stig-compliance/files/autoremediation-script.sh
@@ -0,0 +1,8 @@
+for REMEDIATION in $(oc get compliancecheckresults.compliance --no-headers | grep -v PASS | grep -v usb | awk '{print $1}') 
+do 
+    FOUND="$((oc get complianceremediations ${REMEDIATION} 2> /dev/null 1> /dev/null && echo 0) || echo 1)" 
+    if [[ "${FOUND}" == "0" ]] 
+    then 
+        oc -n openshift-compliance patch complianceremediations/${REMEDIATION} --patch '{"spec":{"apply":true}}' --type=merge 
+    fi 
+done 
diff --git a/playbooks/roles/ocp-disa-stig-compliance/files/list_namespaces_without_network_policies.sh b/playbooks/roles/ocp-disa-stig-compliance/files/list_namespaces_without_network_policies.sh
@@ -0,0 +1,9 @@
+for NAMESPACE in $(oc get namespaces -o json | jq -r '.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name')
+do
+TOTAL_NETWORK_POLICIES=$(oc get -n ${NAMESPACE} networkpolicies -ojson | jq -r '.items[].metadata.name')
+if [ -z "${TOTAL_NETWORK_POLICIES}" ]
+then
+echo "NAMESPACE: ${NAMESPACE}"
+oc get -n ${NAMESPACE} networkpolicies -ojson | jq -r '.items[].metadata.name'
+fi
+done
diff --git a/playbooks/roles/ocp-disa-stig-compliance/tasks/main.yml b/playbooks/roles/ocp-disa-stig-compliance/tasks/main.yml
@@ -0,0 +1,101 @@
+---
+# tasks file for playbooks/roles/ocp-disa-stig-compliance
+
+- name: Check if cluster operators and nodes are healthy
+  include_role:
+    name: check-cluster-health
+
+- name: Search for the StorageClass
+  kubernetes.core.k8s_info:
+    kind: StorageClass
+  register: storage_class
+
+- name: Check for default StorageClass annotations
+  set_fact:
+    default_storage_class: "{{ storage_class.resources[0].metadata.annotations }}"
+  when:
+  - storage_class.resources|length != 0 and storage_class.resources[0].metadata.annotations is defined
+  - "'storageclass.kubernetes.io/is-default-class' in storage_class.resources[0].metadata.annotations"
+
+- name: Fail if default StorageClass does not exist
+  fail:
+    msg: 'Default StorageClass does not exist'
+  when: >
+    (default_storage_class is undefined) or
+    (default_storage_class is defined and not default_storage_class["storageclass.kubernetes.io/is-default-class"]|bool)
+
+- name: Deploy Compliance Operator
+  block:
+  - name: Create namespace for Compliance Operator
+    kubernetes.core.k8s:
+      state: present
+      definition:
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          labels:
+            pod-security.kubernetes.io/audit: privileged
+            pod-security.kubernetes.io/enforce: privileged
+            pod-security.kubernetes.io/warn: privileged
+            security.openshift.io/scc.podSecurityLabelSync: "false"
+          name: openshift-compliance
+        spec:
+          targetNamespaces:
+          - openshift-compliance
+
+  - name: Create operator group for Compliance Operator
+    kubernetes.core.k8s:
+      state: present
+      definition:
+        apiVersion: operators.coreos.com/v1
+        kind: OperatorGroup
+        metadata:
+          name: openshift-compliance
+          namespace: openshift-compliance
+        spec:
+          targetNamespaces:
+          - openshift-compliance
+
+  - name: Create subscription for Compliance Operator
+    kubernetes.core.k8s:
+      state: present
+      definition:
+        apiVersion: operators.coreos.com/v1alpha1
+        kind: Subscription
+        metadata:
+          name: compliance-operator
+          namespace: openshift-compliance
+        spec:
+          channel: "{{ compliance_upgrade_channel }}"
+          installPlanApproval: Automatic
+          name: compliance-operator
+          source: "{{ compliance_catalogsource }}"
+          sourceNamespace: openshift-marketplace
+
+  - name: Verification of operator installation
+    block:
+    - name: Check if the cluster service version has succeeded
+      shell: oc get csv -n openshift-compliance --no-headers | awk '{ if (($1 ~ /^compliance-operator/) && $NF=="Succeeded") print $1 }'| wc -l
+      register: compliance_operators_csv
+      until: compliance_operators_csv.stdout|int == 1
+      retries: 15
+      delay: 120
+
+    - name: Check if pods are running
+      shell: oc get pods -n openshift-compliance --no-headers | grep "Running" | wc -l
+      register: compliance_pods
+      until: compliance_pods.stdout|int == 2
+      retries: 15
+      delay: 60
+
+- name: Switch to openshift-compliance project
+  shell: oc project openshift-compliance
+
+- name: Enable rhcos4-disa-stig profiles
+  include_tasks: rhcos4_disa_stig.yml
+
+- name: Enable ocp4-disa-stig profiles part1
+  include_tasks: ocp4_disa_stig1.yml
+
+- name: Enable ocp4-disa-stig profiles part2
+  include_tasks: ocp4_disa_stig2.yml
diff --git a/playbooks/roles/ocp-disa-stig-compliance/tasks/ocp4_disa_stig1.yml b/playbooks/roles/ocp-disa-stig-compliance/tasks/ocp4_disa_stig1.yml
diff --git a/playbooks/roles/ocp-disa-stig-compliance/tasks/ocp4_disa_stig2.yml b/playbooks/roles/ocp-disa-stig-compliance/tasks/ocp4_disa_stig2.yml
diff --git a/playbooks/roles/ocp-disa-stig-compliance/tasks/rhcos4_disa_stig.yml b/playbooks/roles/ocp-disa-stig-compliance/tasks/rhcos4_disa_stig.yml
