Dear admins,
At the CKI Team we're going through the Enterprise Security Standard (ESSv9) assessment to publish one of our internal applications and we need to know if the cluster[0] meets the SEC-NET-REQ-5 (Monitor outgoing internet traffic) requirement.
All outgoing network connections (to internet) originated from applications/systems/platforms that are deployed in Red Hat data centers or at cloud providers where we have administrative control must be:
- logged and monitored for potential malicious activity
- prevented from making connections to potential rogue sites or hosts (e.g., by maintaining a "deny" list of services / domains / sites / IPs)
- allowed to connect only to "allow" listed services / domains / sites / IPs that are required for an application to operate
We need to know if networking is monitored on the apps.ocp.ci.centos.org cluster for potential malicious activity, as the other points depend on the pod configuration.
Thanks in advance,
Edit: [0] Asking about the apps.ocp.ci.centos.org cluster only
Edit 2: Clarify that only the logging point is necessary.
You need to be a bit more specific about which cluster, with IP range. CentOS and Fedora have clusters of computers in various community areas (which in the past were considered public). If things have changed such that those areas also need this monitoring, it needs to go to the Red Hat Community Platform Engineering under @lgriffin so that it can be done systematically versus 'oh there is just one cluster they asked for and not the 4-5 others they didn't'.
Metadata Update from @humaton: - Issue priority set to: Waiting on Reporter (was: Needs Review)
Hi @smooge,
Sorry for not being specific enough, I was asking about the apps.ocp.ci.centos.org cluster.
@ina We do not comply with SEC-NET-REQ-5. We offer this OpenShift cluster as a service, and these types of security measures are the responsibility of the tenant.
Hi @mobrien, thanks for the reply!
Closing the ticket as there are no more questions :smile:
Metadata Update from @ina: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)