Add ITSAR NFV section 2 profile and controls

rhmdnd · rhmdnd · commit b50dcd4c0311 · 2026-02-17T10:30:26.000-06:00
ITSAR has a benchmark for NFV functionality, which is applicable to
OpenShift and RHCOS.

Let's build out those profiles section by section, starting with section
2. Section 1 is reserved as an overview and doesn't contain any
technical controls.
diff --git a/controls/itsar_nfv.yml b/controls/itsar_nfv.yml
@@ -0,0 +1,9 @@
+---
+policy: ITSAR NFV
+title: ITSAR NFV
+id: itsar_nfv
+source: ''
+
+product:
+    - ocp4
+    - rhcos4
diff --git a/controls/itsar_nfv/section-2.yml b/controls/itsar_nfv/section-2.yml
@@ -0,0 +1,112 @@
+---
+controls:
+    - id: '2'
+      title: System Management
+      status: automated
+      rules: []
+      controls:
+          - id: '2.1'
+            title: Authentication
+            status: pending
+            rules: []
+            controls:
+                - id: 2.1.1
+                  title: Ensure mutual authentication is enabled for system management interfaces
+                  status: automated
+                  rules:
+                      - api_server_client_ca
+                      - api_server_kubelet_client_cert
+                      - etcd_client_cert_auth
+                      - etcd_peer_client_cert_auth
+                      - kubelet_configure_client_ca
+                - id: 2.1.2
+                  title: Management Traffic Protection
+                  status: automated
+                  rules:
+                      - api_server_tls_security_profile
+                      - api_server_tls_security_profile_not_old
+                      - api_server_tls_security_profile_custom_min_tls_version
+                      - api_server_tls_cipher_suites
+                      - api_server_tls_cert
+                      - api_server_tls_private_key
+                      - api_server_https_for_kubelet_conn
+                      - api_server_insecure_port
+                      - api_server_insecure_bind_address
+                      - kubelet_configure_tls_min_version
+                      - kubelet_configure_tls_cipher_suites
+                      - etcd_cert_file
+                      - etcd_key_file
+                      - etcd_peer_cert_file
+                      - etcd_peer_key_file
+                      - etcd_auto_tls
+                      - etcd_peer_auto_tls
+                      - etcd_check_cipher_suite
+                - id: 2.1.3
+                  title: Role-Based Access Control (RBAC) Policy
+                  status: automated
+                  rules:
+                      - api_server_auth_mode_rbac
+                      - rbac_least_privilege
+                      - rbac_cluster_roles_defined
+                      - rbac_roles_defined
+                      - rbac_limit_cluster_admin
+                      - rbac_wildcard_use
+                - id: 2.1.4
+                  title: User Authentication
+                  status: automated
+                  rules:
+                      - idp_is_configured
+                      - ocp_idp_no_htpasswd
+                      - kubeadmin_removed
+                      - ocp_no_ldap_insecure
+                      - api_server_token_auth
+                      - api_server_basic_auth
+                      - accounts_unique_service_account
+                      - accounts_restrict_service_account_tokens
+                      - controller_use_service_account
+                      - api_server_service_account_lookup
+                - id: 2.1.5
+                  title: Remote Login Restrictions for Privileged Users
+                  status: automated
+                  rules:
+                      - sshd_disable_root_login
+                      - no_direct_root_logins
+                - id: 2.1.6
+                  title: Authorization Policy
+                  status: automated
+                  rules:
+                      - scc_limit_privileged_containers
+                      - scc_limit_root_containers
+                      - scc_limit_privilege_escalation
+                      - scc_limit_host_dir_volume_plugin
+                      - scc_drop_container_capabilities
+                      - scc_limit_container_allowed_capabilities
+                      - scc_limit_net_raw_capability
+                      - scc_limit_ipc_namespace
+                      - scc_limit_network_namespace
+                      - scc_limit_process_id_namespace
+                      - scc_limit_host_ports
+                - id: 2.1.7
+                  title: Unambiguous Identification of the User & Group Accounts Removal
+                  status: automated
+                  rules:
+                      - idp_is_configured
+                      - ocp_idp_no_htpasswd
+                      - kubeadmin_removed
+                      - accounts_unique_service_account
+                      - accounts_no_clusterrolebindings_default_service_account
+                      - accounts_no_rolebindings_default_service_account
+                      - audit_logging_enabled
+                      - audit_profile_set
+                - id: 2.1.8
+                  title: Out of Band Management
+                  status: partial
+                  notes: |-
+                      This is an infrastructure-level control. Verify that the
+                      Kubernetes API server and OpenShift Console are accessible
+                      only through a private management network or a secure VPN
+                      tunnel that enforces MFA.
+                  rules:
+                      - configure_network_policies
+                      - configure_network_policies_namespaces
+                      - project_config_and_template_network_policy
diff --git a/products/ocp4/profiles/itsar-nfv-v2-0-0.profile b/products/ocp4/profiles/itsar-nfv-v2-0-0.profile
@@ -0,0 +1,18 @@
+---
+documentation_complete: true
+
+title: 'ITSAR NFV for Red Hat OpenShift Container Platform 4'
+
+platform: ocp4
+
+reference: https://nccs.gov.in/home/itsars
+
+metadata:
+    version: V2.0.0
+
+description: |-
+    This profile defines a baseline that aligns to the ITSAR NFV
+    requirements for Red Hat OpenShift Container Platform 4.
+
+selections:
+    - itsar_nfv:all
diff --git a/products/ocp4/profiles/itsar-nfv.profile b/products/ocp4/profiles/itsar-nfv.profile
@@ -0,0 +1,17 @@
+---
+documentation_complete: true
+
+title: 'ITSAR NFV for Red Hat OpenShift Container Platform 4'
+
+platform: ocp4
+
+reference: https://nccs.gov.in/home/itsars
+
+metadata:
+    version: V2.0.0
+
+description: |-
+    This profile defines a baseline that aligns to the ITSAR NFV
+    requirements for Red Hat OpenShift Container Platform 4.
+
+extends: itsar-nfv-v2-0-0
diff --git a/products/rhcos4/profiles/itsar-nfv-v2-0-0.profile b/products/rhcos4/profiles/itsar-nfv-v2-0-0.profile
@@ -0,0 +1,18 @@
+---
+documentation_complete: true
+
+title: 'ITSAR NFV for Red Hat Enterprise Linux CoreOS 4'
+
+platform: rhcos4
+
+reference: https://nccs.gov.in/home/itsars
+
+metadata:
+    version: V2.0.0
+
+description: |-
+    This profile defines a baseline that aligns to the ITSAR NFV
+    requirements for Red Hat Enterprise Linux CoreOS 4.
+
+selections:
+    - itsar_nfv:all
diff --git a/products/rhcos4/profiles/itsar-nfv.profile b/products/rhcos4/profiles/itsar-nfv.profile
@@ -0,0 +1,17 @@
+---
+documentation_complete: true
+
+title: 'ITSAR NFV for Red Hat Enterprise Linux CoreOS 4'
+
+platform: rhcos4
+
+reference: https://nccs.gov.in/home/itsars
+
+metadata:
+    version: V2.0.0
+
+description: |-
+    This profile defines a baseline that aligns to the ITSAR NFV
+    requirements for Red Hat Enterprise Linux CoreOS 4.
+
+extends: itsar-nfv-v2-0-0
