IBM Cloud Pak for Multicloud Management security findings

Use IBM® Cloud Security Advisor (SA) to manage your cluster security findings.

IBM Cloud Security Advisor (SA) is a security dashboard for managing application and system security findings in your IBM Cloud Pak for Multicloud Management cluster. SA displays security alerts and vulnerabilities in your cluster as Security findings on the Governance and risk page of the IBM Cloud Pak for Multicloud Management console.

View the descriptions of the following core microservices from SA in IBM Cloud Pak for Multicloud Management:

For more information about SA, see About Security Advisor in the IBM Cloud documentation.

View the descriptions of the three data sources that comprise the Security Advisor:

Security findings

A security finding in SA is called an occurrence. Security Advisor uses the policy-adapter microservice on the hub cluster to report non-compliant policies to SA. An occurrence is created for each policy that is non-compliant on any managed cluster. An SA occurrence created by the policy adapter might resemble the following example:

    {
      "author": {
        "account_id": "ServiceId-4294102b-f0c6-4b47-8215-a748bba6fc85",
        "email": "example@email.com",
        "id": "iam-ServiceId-4294102b-f0c6-4b47-8215-a748bba6fc85",
        "kind": "service-id"
      },
      "context": {
        "account_id": "id-mycluster-account",
        "cluster_name": "clusterhub",
        "namespace_name": "Excludes: [kube-*], Includes: [default]",
        "region": "clusterhub",
        "resource_id": "777f5cb2-c360-11e9-bb07-005056a0c35d",
        "resource_name": "cert-expiration",
        "resource_type": "Policy",
        "service_name": "security-advisor"
      },
      "create_time": "2019-08-20T17:32:09.633473Z",
      "create_timestamp": 1566322329633,
      "finding": {
        "next_steps": [
          {
            "title": "View the details for the compliance problem in the occurrence of the findings."
          }
        ],
        "severity": "HIGH"
      },
      "id": "clusterhub-policy-777f5cb2-c360-11e9-bb07-005056a0c35d",
      "insertion_timestamp": 1566322329634,
      "kind": "FINDING",
      "long_description": "MCM Policy that is not compliant",
      "name": "id-mycluster-account/providers/security-advisor/occurrences/clusterhub-policy-777f5cb2-c360-11e9-bb07-005056a0c35d",
      "note_name": "id-mycluster-account/providers/security-advisor/notes/policy-not-compliant",
      "provider_id": "security-advisor",
      "provider_name": "id-mycluster-account/providers/security-advisor",
      "remediation": "NonCompliant; Non-compliant certificates (expires in less than 50h0m0s) in kube-system[1]: [test-policy-cert, test-policy-cert-secret]",
      "reported_by": {
        "id": "mcm-policy-adapter",
        "title": "Security Advisor MCM Policy Findings Adapter"
      },
      "security_classification": {
        "security_categories": [
          "SystemAndCommunicationsProtections"
        ],
        "security_control": "CertManager",
        "security_standards": [
          "PCI"
        ]
      },
      "short_description": "Policy that is not compliant",
      "update_time": "2019-08-20T17:32:09.633506Z",
      "update_timestamp": 1566322329634,
      "update_week_date": "2019-W34-2"
    }
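The occurrence above is what an operator receives from the findings API, usually many at once. The following Python is an added example (not part of this page and not IBM code) that flattens a list of such occurrences into the fields that matter for triage, orders them worst-first, and counts them per cluster. The sample list is constructed: only the first record mirrors the page's example, the others and the severity values other than HIGH are assumptions for illustration.

```python
import json

# Severity ordering for triage. The page's example shows "HIGH"; the other
# values are assumed for this example, and anything unknown sorts last.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

# Constructed sample: policy-adapter occurrences trimmed to the fields used
# below. The first mirrors the page's example; the rest are made up.
SAMPLE_OCCURRENCES = json.loads("""
[
  {"id": "clusterhub-policy-777f5cb2-c360-11e9-bb07-005056a0c35d",
   "kind": "FINDING", "provider_id": "security-advisor",
   "context": {"cluster_name": "clusterhub", "resource_name": "cert-expiration",
               "resource_type": "Policy"},
   "finding": {"severity": "HIGH"},
   "remediation": "NonCompliant; Non-compliant certificates (expires in less than 50h0m0s) in kube-system[1]: [test-policy-cert, test-policy-cert-secret]",
   "security_classification": {"security_control": "CertManager",
                               "security_standards": ["PCI"]}},
  {"id": "managed1-policy-example-0002",
   "kind": "FINDING", "provider_id": "security-advisor",
   "context": {"cluster_name": "managed1", "resource_name": "pod-security",
               "resource_type": "Policy"},
   "finding": {"severity": "LOW"},
   "remediation": "NonCompliant; 1 pod violates the policy in default",
   "security_classification": {"security_control": "PodSecurity",
                               "security_standards": ["NIST"]}},
  {"id": "managed1-policy-example-0003",
   "kind": "FINDING", "provider_id": "security-advisor",
   "context": {"cluster_name": "managed1", "resource_name": "role-binding-check",
               "resource_type": "Policy"},
   "finding": {},
   "remediation": "NonCompliant; 2 role bindings violate the policy in default",
   "security_classification": {}},
  {"id": "managed1-kpi-0001", "kind": "KPI", "provider_id": "security-advisor"}
]
""")


def summarize(occ):
    """Flatten one occurrence into the fields an operator triages on."""
    ctx = occ.get("context", {})
    cls = occ.get("security_classification", {})
    # The adapter prefixes the remediation text with the compliance state.
    state, _, detail = occ.get("remediation", "").partition("; ")
    return {
        "id": occ["id"],
        "cluster": ctx.get("cluster_name", "?"),
        "policy": ctx.get("resource_name", "?"),
        # A record without a severity is kept but flagged rather than dropped.
        "severity": occ.get("finding", {}).get("severity", "UNKNOWN"),
        "control": cls.get("security_control", ""),
        "standards": list(cls.get("security_standards", [])),
        "state": state,
        "detail": detail,
    }


def triage(occurrences):
    """Summarize FINDING occurrences, ordered worst-first, then by cluster and policy."""
    rows = [summarize(o) for o in occurrences if o.get("kind") == "FINDING"]
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], len(SEVERITY_RANK)),
                             r["cluster"], r["policy"]))
    return rows


def counts_by_cluster(rows):
    """Count triaged rows per cluster and severity, e.g. {"managed1": {"LOW": 1}}."""
    counts = {}
    for r in rows:
        per_cluster = counts.setdefault(r["cluster"], {})
        per_cluster[r["severity"]] = per_cluster.get(r["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for row in triage(SAMPLE_OCCURRENCES):
        print(f'{row["severity"]:8} {row["cluster"]:10} {row["policy"]:20} {row["detail"]}')
    print(counts_by_cluster(triage(SAMPLE_OCCURRENCES)))
```

Records whose kind is not FINDING are dropped, and a finding with no severity is surfaced as UNKNOWN at the bottom of the list rather than silently discarded, since a missing classification is itself something to chase up with the provider.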

Security findings data retention policy

Required access: At least Operator

Use the security findings data retention policy to control how much findings data is stored. By default, all security findings are retained in MongoDB for 90 days. You can modify your security findings data retention policy and filtering policy with the OpenShift Container Platform console. For more information, see ConfigMaps in the OpenShift Container Platform documentation.

Note: You must install the IBM Cloud Pak for Multicloud Management hub chart. For more information, see Installation and upgrade.

Modifying your security findings data retention policy

Complete the following steps to modify your security findings data retention policy:

  1. Log in to the OpenShift Container Platform console.
  2. From the navigation menu, select Workloads > Config Maps.
  3. Update the Project field by selecting the drop-down arrow. Select kube-system.
  4. Find the <mcm-chart-release-name>-findingsapi-configuration in the list of configuration maps.
  5. Click the Actions icon and select Edit Config Map. The YAML editor appears.
  6. Set the FINDINGS_OCCURRENCES_RETENTION_DAYS parameter value to the wanted number of days. For example, set the retention days to 180 days. Your retention policy might resemble the following content:

     "FINDINGS_OCCURRENCES_RETENTION_DAYS": "180"
    
  7. Set the DELETE_ALL_FINDINGS_OCCURRENCES_BY_PROVIDERS parameter value to the target providers. For example, to delete the security findings for the mutation-advisor and security-advisor providers, your retention policy might resemble the following content:

     "DELETE_ALL_FINDINGS_OCCURRENCES_BY_PROVIDERS": "mutation-advisor, security-advisor"
    
  8. Click Save.

Your security findings retention policy is successfully updated.

Modifying your security findings filtering policy

Modify your policy to avoid creating security findings for policies that are not security related. Complete the following steps to skip non-security findings:

  1. From the navigation menu, click Workloads > Config Maps.
  2. Update the Project field by selecting the drop-down arrow. Select kube-system.
  3. Search and select the <mcm-chart-release-name>-policy-adapter-configuration configuration map.
  4. Click the Actions icon and select Edit Config Map. The YAML editor appears.
  5. Update the SKIP_SECURITY_FINDINGS_CREATION_BY_POLICY_TEMPLATE_KINDS parameter value to LimitRange, Pod, Namespace. Your updated parameter might resemble the following content:

    "SKIP_SECURITY_FINDINGS_CREATION_BY_POLICY_TEMPLATE_KINDS": "LimitRange, Pod, Namespace"
    
  6. Click Save.

  7. Restart the <mcm-chart-release-name>-policy-adapter pod by removing it.

    1. From the navigation menu, click Workloads > Pods.
    2. Search for the <mcm-chart-release-name>-policy-adapter pod.
    3. Click the Actions icon and select Delete Pod.

Non-security findings are skipped.
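The two procedures above set three configuration values whose effect is only described in prose. The following Python is an added example (not from this page and not IBM code) that applies the same values to a constructed set of occurrences: it parses the comma-separated lists, validates the retention window, decides whether a policy template kind is skipped, and produces a purge plan. The semantics are an assumption of this example: providers named in DELETE_ALL_FINDINGS_OCCURRENCES_BY_PROVIDERS lose all their occurrences, and everything else is removed only once it is older than the retention window. The sample occurrences and the clock value are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed config-map values modelled on the procedures above. Only
# mutation-advisor is listed for provider-wide deletion here so that both
# mechanisms (age-based and provider-based) are visible in the result.
FINDINGS_API_CONFIG = {
    "FINDINGS_OCCURRENCES_RETENTION_DAYS": "180",
    "DELETE_ALL_FINDINGS_OCCURRENCES_BY_PROVIDERS": "mutation-advisor",
}
POLICY_ADAPTER_CONFIG = {
    "SKIP_SECURITY_FINDINGS_CREATION_BY_POLICY_TEMPLATE_KINDS": "LimitRange, Pod, Namespace",
}

# Constructed occurrences trimmed to the fields the retention job needs.
SAMPLE_OCCURRENCES = [
    {"id": "clusterhub-policy-777f5cb2-c360-11e9-bb07-005056a0c35d",
     "provider_id": "security-advisor", "create_time": "2019-08-20T17:32:09.633473Z"},
    {"id": "clusterhub-policy-recent-0001",
     "provider_id": "security-advisor", "create_time": "2020-02-01T00:00:00.000000Z"},
    {"id": "clusterhub-mutation-0001",
     "provider_id": "mutation-advisor", "create_time": "2020-02-15T00:00:00.000000Z"},
]


def parse_csv(value):
    """Split a comma-separated config value, ignoring spaces and empty items."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def retention_days(config):
    """Retention window in days; the page states the default is 90."""
    days = int(config.get("FINDINGS_OCCURRENCES_RETENTION_DAYS", "90"))
    if days <= 0:
        raise ValueError("FINDINGS_OCCURRENCES_RETENTION_DAYS must be a positive number of days")
    return days


def skip_finding(template_kind, adapter_config):
    """True when the policy template kind is in the skip list (exact match, as stored)."""
    kinds = parse_csv(adapter_config.get("SKIP_SECURITY_FINDINGS_CREATION_BY_POLICY_TEMPLATE_KINDS"))
    return template_kind in kinds


def parse_create_time(value):
    """Parse the occurrence create_time; fromisoformat() before 3.11 rejects a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def purge_plan(occurrences, config, now):
    """Decide which occurrences the retention job would remove (assumed semantics)."""
    cutoff = now - timedelta(days=retention_days(config))
    purge_providers = set(parse_csv(config.get("DELETE_ALL_FINDINGS_OCCURRENCES_BY_PROVIDERS")))
    plan = {"by_provider": [], "expired": [], "kept": []}
    for occ in occurrences:
        if occ["provider_id"] in purge_providers:
            plan["by_provider"].append(occ["id"])
        elif parse_create_time(occ["create_time"]) < cutoff:
            plan["expired"].append(occ["id"])
        else:
            plan["kept"].append(occ["id"])
    return plan


def demo(now=datetime(2020, 3, 1, tzinfo=timezone.utc)):
    """Run the plan against the constructed sample at a fixed, constructed clock."""
    return purge_plan(SAMPLE_OCCURRENCES, FINDINGS_API_CONFIG, now)


if __name__ == "__main__":
    print(demo())
    for kind in ("Pod", "CertificatePolicy"):
        print(kind, "skipped" if skip_finding(kind, POLICY_ADAPTER_CONFIG) else "reported")
```

Two points worth checking in your own environment before relying on the configuration: the retention value is stored as a string, so a typo such as a non-numeric value only fails when the job runs, and the skip list is matched on the exact template kind name, so a mismatched case would silently keep reporting those findings.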

Learn how to view your security findings from the console. For more information, see the Viewing security findings section on the Managing a security policy page.

Security Advisor API

Before you run Security Advisor API commands, retrieve the authentication token and download the CA certificate for your cluster. For more information, see Preparing to run component or management API commands. Complete the following steps to access the SA API:

  1. Access the SA API by providing your user access token. Run the following command to specify your token:

    curl -k --request GET --url "https://<Cluster Master Host>:<Cluster Master API Port>/findings/v1/id-mycluster-account/providers/security-advisor/occurrences" --header 'accept: application/json' --header "Authorization: Bearer $ACCESS_TOKEN"
    
    • (Optional) Access the SA API by providing both the ID token and the access token. Run the following command to specify both tokens:

      curl -k --request GET  --url "https://<Cluster Master Host>:<Cluster Master API Port>/findings/v1/id-mycluster-account/providers/security-advisor/occurrences" --header 'accept: application/json' --header "Authorization: Bearer $ID_TOKEN" --header "AccessToken: $ACCESS_TOKEN"
      
  2. To access the SA API with an API key, provide only the ID token for authorization. Run the following command to obtain the token from an API key:

    curl -k -X POST -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" -d "grant_type=urn:ibm:params:oauth:grant-type:apikey&apikey=$API_KEY&response_type=cloud_iam" https://<Cluster Master Host>:<Cluster Master API Port>/iam-token/oidc/token
    
    • The following sample command shows how to specify the token that is obtained from the API key to make API requests to the Security Advisor. The ID_TOKEN is the value returned as the access_token from the previous command:

      curl -k --request GET  --url "https://<Cluster Master Host>:<Cluster Master API Port>/findings/v1/id-mycluster-account/providers/security-advisor/occurrences" --header 'accept: application/json' --header "Authorization: Bearer $ID_TOKEN"
      

    Notes:

    • You can replace the -k option in the curl commands with --cacert <downloaded CA cert file> to create a secure connection.
    • You can modify the id-mycluster-account value. To decide which account ID to use for the SA API, run the following command: cloudctl iam accounts.

You can access the SA API. For more information, see Security findings API.
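The curl commands above show the two-step flow: exchange an API key for an ID token, then present that token as a Bearer header to the findings endpoint. The following Python client is an added example (not from this page and not IBM code) that performs the same two requests with the standard library and takes the downloaded CA certificate instead of disabling verification, which is the equivalent of replacing -k with --cacert. The host and port are placeholders for <Cluster Master Host> and <Cluster Master API Port>; the transport parameter, the fake_cluster stand-in and its reply bodies are constructed for offline use, and the shape of the real occurrences response is an assumption.

```python
import json
import ssl
import urllib.parse
import urllib.request


class SecurityAdvisorClient:
    """Minimal client for the token exchange and occurrences calls shown above."""

    def __init__(self, host, port, cafile=None, transport=None):
        self.base = f"https://{host}:{port}"
        # cafile is the downloaded cluster CA (curl --cacert). The default
        # context always verifies the server certificate; there is no -k here.
        self.ctx = ssl.create_default_context(cafile=cafile)
        # transport(method, url, headers, body) -> (status, text); replaceable for tests.
        self.transport = transport or self._urllib_transport

    def _urllib_transport(self, method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return resp.status, resp.read().decode("utf-8")

    def id_token_from_api_key(self, api_key):
        """Exchange an API key for an ID token (the access_token field of the IAM reply)."""
        body = urllib.parse.urlencode({
            "grant_type": "urn:ibm:params:oauth:grant-type:apikey",
            "apikey": api_key,
            "response_type": "cloud_iam",
        }).encode("ascii")
        status, text = self.transport(
            "POST", f"{self.base}/iam-token/oidc/token",
            {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"},
            body)
        if status != 200:
            raise RuntimeError(f"token request failed with HTTP {status}")
        return json.loads(text)["access_token"]

    def list_occurrences(self, account_id, id_token, access_token=None):
        """GET the security-advisor occurrences; AccessToken is sent only when given."""
        headers = {"accept": "application/json", "Authorization": f"Bearer {id_token}"}
        if access_token:
            headers["AccessToken"] = access_token
        url = (f"{self.base}/findings/v1/{urllib.parse.quote(account_id, safe='')}"
               "/providers/security-advisor/occurrences")
        status, text = self.transport("GET", url, headers, None)
        if status != 200:
            raise RuntimeError(f"findings request failed with HTTP {status}")
        return json.loads(text)


def fake_cluster(method, url, headers, body):
    """Constructed offline stand-in for the cluster; real reply shapes may differ."""
    if url.endswith("/iam-token/oidc/token") and method == "POST":
        form = urllib.parse.parse_qs(body.decode("ascii"))
        if form.get("apikey") == ["EXAMPLE-API-KEY"] and form.get("response_type") == ["cloud_iam"]:
            return 200, json.dumps({"access_token": "example-id-token"})
        return 401, json.dumps({"error": "invalid apikey"})
    if "/findings/v1/id-mycluster-account/providers/security-advisor/occurrences" in url:
        if headers.get("Authorization") == "Bearer example-id-token":
            return 200, json.dumps({"occurrences": [
                {"id": "clusterhub-policy-777f5cb2-c360-11e9-bb07-005056a0c35d"}]})
        return 401, json.dumps({"error": "unauthorized"})
    return 404, "{}"


def demo(api_key="EXAMPLE-API-KEY"):
    """Run the two-step flow against the constructed stand-in cluster."""
    client = SecurityAdvisorClient("cluster.example", 443, transport=fake_cluster)
    token = client.id_token_from_api_key(api_key)
    return client.list_occurrences("id-mycluster-account", token)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real cluster, drop the transport argument and pass cafile="<downloaded CA cert file>"; the client then refuses to talk to an endpoint whose certificate does not chain to that CA, which is the behaviour the Notes above recommend over -k.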

Security Advisor RBAC

Security Advisor supports role-based access control for SA APIs. View the following access control table:

Table 1. Security Advisor API roles and actions

Access control                    Role      Description
--------------------------------  --------  ---------------------------
security-advisor.metadata.write   Operator  Create SA metadata
security-advisor.metadata.read    Viewer    Query and read SA metadata
security-advisor.findings.read    Viewer    Query and read SA findings
security-advisor.metadata.delete  Operator  Delete SA metadata
security-advisor.findings.delete  Operator  Delete SA findings
security-advisor.findings.write   Editor    Create SA findings
security-advisor.findings.update  Editor    Update SA findings
security-advisor.metadata.update  Operator  Update SA metadata

Third-party data providers

Third-party providers must have access control to the Security Advisor services. See the following descriptions of the SA Grafeas services:

IAM access control policies exist on each of the SA Grafeas service IDs. Any API keys that are created for those service IDs are limited to the functions described previously.

See IBM Cloud Pak for Multicloud Management Governance and risk for more policy topics.