@aj-stein-nist
Last active December 9, 2021 21:27
Example rule embedded in component-definition for OCPv4 instance
<?xml version="1.0" encoding="UTF-8"?>
<component-definition xmlns="http://csrc.nist.gov/ns/oscal/1.0"
uuid="a7ba800c-a432-44cd-9075-0862cd66da6b"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://raw.githubusercontent.com/usnistgov/OSCAL/master/xml/schema/oscal_component_schema.xsd">
<metadata>
<title>OpenShift Container Platform v4 Example Component Definition</title>
<last-modified>2021-12-09T14:00:00Z</last-modified>
<version>20211209</version>
<oscal-version>1.1.0-alpha</oscal-version>
<role id="provider">
<title>Provider</title>
</role>
<role id="customer">
<title>Customer</title>
</role>
<party uuid="12bde908-adba-4a59-a6a3-198163f62a48" type="organization">
<name>RedHat</name>
<link rel="website" href="https://docs.openshift.com/"/>
</party>
</metadata>
<rule uuid="a969feae-ae93-422f-8a95-9362adef826b"
name="OpenShift Container Platform v4 Kubelet Eviction Threshold Settings">
<title>Ensure Eviction Threshold Settings Are Set - evictionSoft: nodefs.inodesFree</title>
<condition>For an OpenShift Container Platform v4 node, the evictionSoft nodefs.inodesFree threshold equals 5%</condition>
<description>
<p>Two types of garbage collection are performed on an OpenShift Container Platform node:</p>
<ul>
<li>Container garbage collection: Removes terminated containers.</li>
<li>Image garbage collection: Removes images not referenced by any running pods.</li>
</ul>
<p>Container garbage collection can be performed using eviction thresholds.
Image garbage collection relies on disk usage as reported by cAdvisor on the
node to decide which images to remove from the node.</p>
<p>The OpenShift administrator can configure how OpenShift Container Platform
performs garbage collection by creating a kubeletConfig object for each
Machine Config Pool using any combination of the following:</p>
<ul>
<li>soft eviction for containers</li>
<li>hard eviction for containers</li>
<li>eviction for images</li>
</ul>
<p>To configure these thresholds, follow the directions in
<a href="https://docs.openshift.com/container-platform/4.6/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</a>.
</p>
<p>This rule pertains to the <code>nodefs.inodesFree</code> setting of the <code>evictionSoft</code> section, which is what the condition-evaluator below checks.</p>
</description>
<condition-evaluator uuid="02970ddf-68f2-4bf8-8f2d-cc511766a3e8"
name="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree"
type="tool">
<title>OpenSCAP | CIS | OCPv4 Baseline Tests and Parameters</title>
<description>
<p>The <code>oscap</code> program is a command line tool that
allows users to load, scan, validate, edit, and export SCAP
documents.</p>
<p>This baseline is to test against the recommendations from
the Center for Internet Security for hardening one or more
instances of the OpenShift Container Platform (v4).</p>
</description>
<prop ns="https://www.open-scap.org" type="dependency" name="checklist" value="ssg-ocp4-ds-1.2.xml"/>
<prop ns="https://www.open-scap.org" type="argument" name="kubelet_eviction_thresholds_set_soft_nodefs_inodesfree" value="5%"/>
<link rel="dependency" href="#9c1d4058-127e-4314-b25d-f042182eea7d"/>
<link rel="dependency" href="#96c0023a-3ba7-4160-8dfc-e6c230885586"/>
</condition-evaluator>
<condition-target ref-id="a0c6c6d7-7fae-4c9c-a80d-b4bcae7cd079">
<description>
<p>This is the instance of the OpenShift Container Platform that the
<code>condition-evaluator</code> targets when producing a rule result.</p>
<p>The <code>ref-id</code> can be an <code>id</code> or <code>uuid</code> of any
relevant identifier in an OSCAL document instance, but in this case it should
be the <code>uuid</code> of the component representing an OCPv4 node.</p>
</description>
</condition-target>
<prop name="supports" value="#8df5b586-c7af-428d-b200-805151814ff4"/>
</rule>
<component uuid="a0c6c6d7-7fae-4c9c-a80d-b4bcae7cd079" type="software">
<title>OpenShift</title>
<description>
<p>Red Hat OpenShift is an enterprise-ready Kubernetes container platform
built for an open hybrid cloud strategy. It provides a consistent application
platform to manage hybrid cloud, multicloud, and edge deployments.</p>
</description>
<purpose>Provides a container platform</purpose>
<responsible-role role-id="provider">
<party-uuid>12bde908-adba-4a59-a6a3-198163f62a48</party-uuid>
</responsible-role>
<responsible-role role-id="customer">
<party-uuid>cf464e59-3926-46b8-8513-7a8132afe74f</party-uuid>
</responsible-role>
<protocol uuid="b9ec3518-1615-4add-9bba-a443b69bd8dc" name="kubernetes-api-server">
<title>Primary control plane API for the Kubernetes sub-systems of OCP.</title>
<port-range start="6443" end="6443" transport="TCP" />
</protocol>
<control-implementation
uuid="32036dfd-3f2a-4952-b9d3-c8675cea82da"
source="https://github.com/usnistgov/oscal-content/blob/master/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_MODERATE-baseline_profile.xml">
<description>
<p>OpenShift control implementations for NIST SP 800-53 revision 5.</p>
</description>
<implemented-requirement
uuid="be44debe-6801-49c4-9c3b-6e8494d6850a"
control-id="cm-6">
<description>
<p>OpenShift's architecture and implementation support this information
system's, and its organization's, configuration management requirements for
secure configuration baselines set to the most restrictive mode consistent
with operational requirements.</p>
</description>
<set-parameter param-id="cm-6_prm_1">
<value>organization-defined common secure configurations</value>
</set-parameter>
<statement
statement-id="cm-6_smt.b"
uuid="8df5b586-c7af-428d-b200-805151814ff4">
<description>
<p>OpenShift, as part of this information system, supports
<insert type="param" id-ref="cm-6_prm_1"/>.
OpenShift is configured, by use of soft eviction settings, to enforce
thresholds that prevent pods from fully consuming host volumes on the
cluster's underlying Kubernetes nodes.</p>
</description>
</statement>
</implemented-requirement>
</control-implementation>
</component>
<back-matter>
<resource uuid="9c1d4058-127e-4314-b25d-f042182eea7d">
<title>OpenSCAP 1.3.5</title>
<rlink media-type="application/gzip"
href="https://github.com/OpenSCAP/openscap/releases/download/1.3.5/openscap-1.3.5.tar.gz"/>
</resource>
<resource uuid="96c0023a-3ba7-4160-8dfc-e6c230885586">
<title>SCAP Security Guide 0.1.59 (OVAL 5.10)</title>
<rlink media-type="application/zip"
href="https://github.com/ComplianceAsCode/content/releases/download/v0.1.59/scap-security-guide-0.1.59-oval-5.10.zip"/>
</resource>
</back-matter>
</component-definition>
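An added worked example, in Python with only the standard library, of how a tool would consume the rule above. It is not code from the gist, NIST, Red Hat or the OpenSCAP project. It resolves the rule's `condition-evaluator` into an `oscap xccdf eval` invocation, resolves the evaluator's `rel="dependency"` links to back-matter resources, and reports dangling cross-references (`condition-target`, `supports`, `role-id`, `party-uuid`). The embedded document is a constructed, trimmed copy of the component-definition with the same identifiers. How a `type="argument"` value reaches oscap (an XCCDF tailoring file, whose Value ids are not on this page) is not specified here, so the argument is returned to the caller rather than turned into a command-line flag.

```python
"""Resolve the rule embedded in the component-definition above and check that
its cross-references point at things that exist. Added example; not code from
the gist, NIST, Red Hat or the OpenSCAP project."""
import shlex
import xml.etree.ElementTree as ET

NS = {"o": "http://csrc.nist.gov/ns/oscal/1.0"}
# Constructed sample: a trimmed copy of the gist's document with the same
# identifiers. The "customer" role and its party are left undefined on
# purpose so the reference checker has something to report.
SAMPLE = """<component-definition xmlns="http://csrc.nist.gov/ns/oscal/1.0"
    uuid="a7ba800c-a432-44cd-9075-0862cd66da6b">
<metadata>
<role id="provider"><title>Provider</title></role>
<party uuid="12bde908-adba-4a59-a6a3-198163f62a48" type="organization"><name>RedHat</name></party>
</metadata>
<rule uuid="a969feae-ae93-422f-8a95-9362adef826b" name="OCPv4 Kubelet Eviction Threshold Settings">
<condition-evaluator uuid="02970ddf-68f2-4bf8-8f2d-cc511766a3e8" type="tool"
    name="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree">
<prop ns="https://www.open-scap.org" type="dependency" name="checklist" value="ssg-ocp4-ds-1.2.xml"/>
<prop ns="https://www.open-scap.org" type="argument"
    name="kubelet_eviction_thresholds_set_soft_nodefs_inodesfree" value="5%"/>
<link rel="dependency" href="#9c1d4058-127e-4314-b25d-f042182eea7d"/>
<link rel="dependency" href="#96c0023a-3ba7-4160-8dfc-e6c230885586"/>
</condition-evaluator>
<condition-target ref-id="a0c6c6d7-7fae-4c9c-a80d-b4bcae7cd079"/>
<prop name="supports" value="#8df5b586-c7af-428d-b200-805151814ff4"/>
</rule>
<component uuid="a0c6c6d7-7fae-4c9c-a80d-b4bcae7cd079" type="software">
<title>OpenShift</title>
<responsible-role role-id="provider"><party-uuid>12bde908-adba-4a59-a6a3-198163f62a48</party-uuid></responsible-role>
<responsible-role role-id="customer"><party-uuid>cf464e59-3926-46b8-8513-7a8132afe74f</party-uuid></responsible-role>
<control-implementation uuid="32036dfd-3f2a-4952-b9d3-c8675cea82da" source="NIST_SP-800-53_rev5_MODERATE-baseline_profile.xml">
<implemented-requirement uuid="be44debe-6801-49c4-9c3b-6e8494d6850a" control-id="cm-6">
<statement statement-id="cm-6_smt.b" uuid="8df5b586-c7af-428d-b200-805151814ff4"/>
</implemented-requirement>
</control-implementation>
</component>
<back-matter>
<resource uuid="9c1d4058-127e-4314-b25d-f042182eea7d"><title>OpenSCAP 1.3.5</title></resource>
<resource uuid="96c0023a-3ba7-4160-8dfc-e6c230885586"><title>SCAP Security Guide 0.1.59</title></resource>
</back-matter>
</component-definition>"""

def load(xml_text):
    return ET.fromstring(xml_text)

def rule_by_uuid(root, rule_uuid):
    return root.find(f"o:rule[@uuid='{rule_uuid}']", NS)

def oscap_command(root, rule_uuid, results="results.xml"):
    """Turn the rule's condition-evaluator into an `oscap xccdf eval` command.
    Returns (command, argument props). type="argument" props are XCCDF Values;
    oscap applies those through a tailoring file, not a command-line flag, so
    they are returned separately rather than guessed into the command."""
    ev = rule_by_uuid(root, rule_uuid).find("o:condition-evaluator", NS)
    deps = {p.get("name"): p.get("value") for p in ev.findall("o:prop[@type='dependency']", NS)}
    args = {p.get("name"): p.get("value") for p in ev.findall("o:prop[@type='argument']", NS)}
    cmd = ["oscap", "xccdf", "eval", "--rule", ev.get("name"), "--results", results, deps["checklist"]]
    return shlex.join(cmd), args

def dependency_titles(root, rule_uuid):
    """Resolve the evaluator's rel="dependency" links to back-matter resource titles."""
    resources = {r.get("uuid"): r for r in root.findall("o:back-matter/o:resource", NS)}
    links = rule_by_uuid(root, rule_uuid).findall("o:condition-evaluator/o:link[@rel='dependency']", NS)
    found = [resources.get(l.get("href").lstrip("#")) for l in links]
    return [r.findtext("o:title", namespaces=NS) if r is not None else None for r in found]

def check_references(root):
    """Return dangling references as strings; an empty list means all resolve."""
    q = lambda path: root.findall(path, NS)
    roles = {r.get("id") for r in q("o:metadata/o:role")}
    parties = {p.get("uuid") for p in q("o:metadata/o:party")}
    components = {c.get("uuid") for c in q("o:component")}
    statements = {s.get("uuid") for s in q(".//o:statement")}
    resources = {r.get("uuid") for r in q("o:back-matter/o:resource")}
    problems = []
    for rule in q("o:rule"):
        target = rule.find("o:condition-target", NS).get("ref-id")
        if target not in components:
            problems.append(f"condition-target {target} is not a component uuid")
        for prop in rule.findall("o:prop[@name='supports']", NS):
            if prop.get("value").lstrip("#") not in statements:
                problems.append(f"supports {prop.get('value')} is not a statement uuid")
        for link in rule.findall("o:condition-evaluator/o:link[@rel='dependency']", NS):
            if link.get("href").lstrip("#") not in resources:
                problems.append(f"dependency {link.get('href')} is not a back-matter resource")
    for rr in q(".//o:responsible-role"):
        if rr.get("role-id") not in roles:
            problems.append(f"role-id {rr.get('role-id')} is not defined in metadata")
        for pu in rr.findall("o:party-uuid", NS):
            if pu.text not in parties:
                problems.append(f"party-uuid {pu.text} is not defined in metadata")
    return problems

if __name__ == "__main__":
    doc = load(SAMPLE)
    print(oscap_command(doc, "a969feae-ae93-422f-8a95-9362adef826b"))
    print(dependency_titles(doc, "a969feae-ae93-422f-8a95-9362adef826b"))
    print("\n".join(check_references(doc)) or "all references resolve")
```

Run it against the full document by replacing `SAMPLE` with the file contents. The `--rule` value is the XCCDF rule id carried in the evaluator's `name`, and the checklist is the `type="dependency"` prop; both come straight from the rule, which is the point of embedding it in the component-definition. The reference checker is the part worth keeping in a CI job, since a `supports` or `condition-target` that points nowhere silently breaks the chain from control statement to evidence.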