From 4069d58a5bbdcacbef8a5c8f0f978d799a88d773 Mon Sep 17 00:00:00 2001 From: sluetze <13255307+sluetze@users.noreply.github.com> Date: Wed, 2 Oct 2024 13:21:34 +0200 Subject: [PATCH 1/4] Defined notes and rules for BSI SYS.1.6.A18 --- controls/bsi_sys_1_6.yml | 40 +++++++++++++++++++++++++++++++++++----- 1 file changed, 35 insertions(+), 5 deletions(-) diff --git a/controls/bsi_sys_1_6.yml b/controls/bsi_sys_1_6.yml index 01a4fda1616..8d5247637f7 100644 --- a/controls/bsi_sys_1_6.yml +++ b/controls/bsi_sys_1_6.yml @@ -446,14 +446,44 @@ controls: levels: - standard description: >- - System accounts within a container SHOULD have no permissions on the host system. If such + (1) System accounts within a container SHOULD have no permissions on the host system. (2) If such authorisation is required for operational reasons, it SHOULD only apply to the data and - system access that is absolutely necessary. The account in the container that is necessary to + system access that is absolutely necessary. (3) The account in the container that is necessary to exchange data SHOULD be known in the host system notes: >- - ToDo - status: manual - #rules: + Section 1: With OpenShift, accounts within the container are separated from the host system by + SELinux. This includes preventing the use of privileged user and group IDs as well as + corresponding rights extensions (SET-UID, Set-GID bit). A range of UIDs/GIDs is provided for + use in containers. + + Section 2: Security Context Constraints (SCCs) allow accounts in the container to gain + controlled access. + + Section 3: The host system Red Hat CoreOS is immutable. The changes to the host operating + system should only be made by OpenShift and should be necessary so that hardening by Red Hat + is not inadvertently undermined. + Since, in contrast to an unprotected container runtime environment, SELinux enforces the + separation between the container runtime and the operating system, this mirroring of account + names is not necessary. + status: automated + rules: + # Section 1 + - coreos_enable_selinux_kernel_argument + - selinux_policytype + - selinux_state + # Section 2 + - general_apply_scc + - scc_limit_privileged_containers + - scc_limit_root_containers + # inter process communication + - scc_limit_ipc_namespace + # process IDs + - scc_limit_process_id_namespace + # file system + - scc_limit_host_dir_volume_plugin + # network + - scc_limit_net_raw_capability + - scc_limit_network_namespace - id: SYS.1.6.A19 title: Including Data Stores in Containers From fe04161529329ff5173e32f6f6d100601a715685 Mon Sep 17 00:00:00 2001 From: sluetze <13255307+sluetze@users.noreply.github.com> Date: Wed, 2 Oct 2024 14:18:02 +0200 Subject: [PATCH 2/4] Defined notes and rules for BSI SYS.1.6.A19 --- controls/bsi_sys_1_6.yml | 30 ++++++++++++++++++++++++------ 1 file changed, 24 insertions(+), 6 deletions(-) diff --git a/controls/bsi_sys_1_6.yml b/controls/bsi_sys_1_6.yml index 8d5247637f7..d7118504b4d 100644 --- a/controls/bsi_sys_1_6.yml +++ b/controls/bsi_sys_1_6.yml @@ -490,15 +490,33 @@ controls: levels: - standard description: >- - Containers SHOULD ONLY be able to access the mass storage and directories necessary for - operation. Permissions SHOULD only be explicitly assigned where needed. If the container + (1) Containers SHOULD ONLY be able to access the mass storage and directories necessary for + operation. (2) Permissions SHOULD only be explicitly assigned where needed. (3) If the container runtime for a container includes local storage, the access rights in the file system SHOULD be - restricted to the service account of the container. If network storage is used, the permissions + restricted to the service account of the container. (4) If network storage is used, the permissions SHOULD be set on the network storage itself notes: >- - ToDo - status: manual - #rules: + Section 1: Applications can access persistent volumes (PVs) and temporary (ephemeral) storage + in OpenShift. Persisted volumes are connected as network storage, ephemeral storage serves + primarily as volatile, short-lived mass storage and is allocated within the container file + system. This configures which PV can be reached and the use of the ephemeral storage is + separated per pod. This means that each pod has its own volatile mass storage. Volumes can be + limited in size. + + Section 2: OpenShift implements the principle of least privileges. The definition is made via + an explicit configuration at the deployment level. + + Section 3: By default, no local storage is included. For reasons of reliability, this is + explicitly not recommended. + + Section 4: The network storage dictates the permissions. OpenShift supports this with the + dynamically assigned UID/GID of the projects (clients). + status: automated + rules: + # Section 1 + - scc_limit_host_dir_volume_plugin + # Section 2 + - rbac_least_privilege - id: SYS.1.6.A20 title: Protection of Configuration Data From ea370f15e0a6207378f7de6ce8fd0f9cf1cc62b3 Mon Sep 17 00:00:00 2001 From: sluetze <13255307+sluetze@users.noreply.github.com> Date: Wed, 2 Oct 2024 14:36:00 +0200 Subject: [PATCH 3/4] Defined notes and rules for BSI SYS.1.6.A20 --- controls/bsi_sys_1_6.yml | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/controls/bsi_sys_1_6.yml b/controls/bsi_sys_1_6.yml index d7118504b4d..c531fe998d1 100644 --- a/controls/bsi_sys_1_6.yml +++ b/controls/bsi_sys_1_6.yml @@ -523,15 +523,19 @@ controls: levels: - standard description: >- - Containers SHOULD ONLY be able to access the mass storage and directories necessary for - operation. Permissions SHOULD only be explicitly assigned where needed. If the container - runtime for a container includes local storage, the access rights in the file system SHOULD be - restricted to the service account of the container. If network storage is used, the permissions - SHOULD be set on the network storage itself + (1) Descriptions of container configuration data SHOULD be versioned. (2) Changes SHOULD be + documented in a comprehensible manner. notes: >- - ToDo - status: manual - #rules: + Section 1: OpenShift only maintains the current version of the configuration. It is therefore + recommended to use GitOps, in which the configuration is transferred from a git repository to + the OpenShift cluster. OpenShift includes OpenShift GitOps (based on the community project + ArgoCD), which supports easy implementation of a GitOps-based administration concept. + + Section 2: With a GitOps approach, all changes are documented in git. + status: automated + rules: + # Section 1,2 + - gitops_operator_exists - id: SYS.1.6.A21 title: Compile options for the compiler plugins From 79e44d47df9de26fcd3adf12b1e850e1b60473c4 Mon Sep 17 00:00:00 2001 From: sluetze <13255307+sluetze@users.noreply.github.com> Date: Wed, 2 Oct 2024 15:34:27 +0200 Subject: [PATCH 4/4] Defined notes and rules for BSI SYS.1.6.A21 --- controls/bsi_sys_1_6.yml | 47 ++++++++++++++++++++++++++++++++++------ 1 file changed, 40 insertions(+), 7 deletions(-) diff --git a/controls/bsi_sys_1_6.yml b/controls/bsi_sys_1_6.yml index c531fe998d1..5a6a7247f45 100644 --- a/controls/bsi_sys_1_6.yml +++ b/controls/bsi_sys_1_6.yml @@ -538,23 +538,56 @@ controls: - gitops_operator_exists - id: SYS.1.6.A21 - title: Compile options for the compiler plugins + title: Extended Security Policies levels: - elevated description: >- - Extended policies SHOULD restrict the permissions of containers. Mandatory Access Control - (MAC) or a comparable technology SHOULD enforce these policies. At minimum, policies + (1) Extended policies SHOULD restrict the permissions of containers. (2) Mandatory Access Control + (MAC) or a comparable technology SHOULD enforce these policies. (3) At minimum, policies SHOULD restrict the following types of access: • Incoming and outgoing network connections • File system access attempts • Kernel requests (syscalls) - A runtime SHOULD start containers in such a way that the kernel of the host system prevents + (4) A runtime SHOULD start containers in such a way that the kernel of the host system prevents all activities of the containers that are not allowed by the relevant policy (e.g. by setting up local packet filters or revoking permissions), or at least reports violations appropriately. notes: >- - ToDo - status: manual - #rules: + Section 1: By default, OpenShift blocks the containers' permissions (security-by-default). + + Section 2: OpenShift already uses SELinux Mandatory Access Control to restrict permissions by + default Using the Security Profiles Operator, workload-dependent SELinux + and Seccomp profiles can be created and managed. + + Section 3: These permissions are managed in OpenShift and controlled via Security Context + Constraints (SCCs). For tool-based policy management, ACS or Red Hat Advanced Cluster + Management (ACM) (with Kyverno or Open Policy Agent) can be used. + + Section 4: OpenShift already meets this requirement as standard (security-by-design). + status: automated + rules: + # Section 2 + - coreos_enable_selinux_kernel_argument + - selinux_policytype + - selinux_state + # Section 3 + - general_apply_scc + - scc_limit_privileged_containers + - scc_limit_root_containers + # inter process communication + - scc_limit_ipc_namespace + # process IDs + - scc_limit_process_id_namespace + # file system + - scc_limit_host_dir_volume_plugin + # network + - scc_limit_net_raw_capability + - scc_limit_network_namespace + # network policies + - configure_network_policies + - configure_network_policies_namespaces + - service_firewalld_enabled + # Section 3,4 + - security_profiles_operator_exists - id: SYS.1.6.A22 title: Provision for Investigations