Skip to content

Commit

Permalink
switch to automatic reference system
Browse files Browse the repository at this point in the history
  • Loading branch information
sluetze committed Jul 18, 2024
1 parent 32c3d63 commit 32204e8
Show file tree
Hide file tree
Showing 38 changed files with 16 additions and 68 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ title: 'Ensure no ClusterRoleBindings set for default Service Account'
description: |-
Using the <tt>default</tt> service account prevents accurate application
rights review and audit tracing. Instead of <tt>default</tt>, create
a new and unique service account and associate the required ClusterRoleBindings.
a new and unique service account and associate the required ClusterRoleBindings.
rationale: |-
Kubernetes provides a default service account which is used by
Expand All @@ -20,8 +20,6 @@ severity: medium

identifiers: {}

references:
bsi: APP.4.4.A9

{{% set jqfilter = '[.items[] | select ( .subjects[]?.name == "default" ) | select(.subjects[].namespace | startswith("kube-") or startswith("openshift-") | not) | .metadata.name ] | unique' %}}

Expand All @@ -31,7 +29,7 @@ ocil: |-
Run the following command to retrieve a list of ClusterRoleBindings that are
associated to the default service account:
<pre>$ oc get clusterrolebindings -o json | jq '{{{ jqfilter }}}'</pre>
There should be no ClusterRoleBindings associated with the the default service account
There should be no ClusterRoleBindings associated with the the default service account
in any namespace.
warnings:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ title: 'Ensure no RoleBindings set for default Service Account'
description: |-
Using the <tt>default</tt> service account prevents accurate application
rights review and audit tracing. Instead of <tt>default</tt>, create
a new and unique service account and associate the required RoleBindings.
a new and unique service account and associate the required RoleBindings.
rationale: |-
Kubernetes provides a default service account which is used by
Expand All @@ -20,9 +20,6 @@ severity: medium

identifiers: {}

references:
bsi: APP.4.4.A9

{{% set jqfilter = '[.items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select ( .subjects[]?.name == "default" ) | .metadata.namespace + "/" + .metadata.name ] | unique' %}}

ocil_clause: 'default service account is given permissions using RoleBindings'
Expand All @@ -31,7 +28,7 @@ ocil: |-
Run the following command to retrieve a list of RoleBindings that are
associated to the default service account:
<pre>$ oc get rolebindings --all-namespaces -o json | jq '{{{ jqfilter }}}'</pre>
There should be no RoleBindings associated with the the default service account
There should be no RoleBindings associated with the the default service account
in any namespace.
warnings:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,6 @@ rationale: |-
severity: medium

references:
bsi: APP.4.4.A9
cis@ocp4: 5.1.6
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,6 @@ rationale: |-
severity: medium

references:
bsi: APP.4.4.A9
cis@ocp4: 5.1.5
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,6 @@ rationale: |-
severity: medium

references:
bsi: APP.4.4.A3
cis@ocp4: 1.2.1
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
Expand Down
3 changes: 0 additions & 3 deletions applications/openshift/etcd/etcd_backup/rule.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,9 +19,6 @@ rationale: |-
identifiers:
cce@ocp4: CCE-88188-8

references:
bsi: APP.4.4.A5

severity: medium

ocil_clause: 'etcd backup needs review'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,6 @@ rationale: |-
identifiers:
cce@ocp4: CCE-90185-0

references:
bsi: APP.4.4.A5

severity: medium

ocil_clause: 'No CRDs from a known backup solution installed'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -11,9 +11,6 @@ rationale: |-
level. It also allows you control the network flow from and to other namespaces
more easily.
references:
bsi: APP.4.4.A1

severity: medium

identifiers:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,9 +9,6 @@ description: |-
rationale: |-
Separation on a Network level might help to hinder lateral movement of an attacker and subsequently reduce the impact of an attack. It might also enable you to provide additional external network control (like firewalls).
references:
bsi: APP.4.4.A7

severity: medium

identifiers:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,6 @@ description: |-
rationale: |-
Assigning workloads with high protection requirements to specific nodes creates and additional boundary (the node) between workloads of high protection requirements and workloads which might follow less strict requirements. An adversary which attacked a lighter protected workload now has additional obstacles for their movement towards the higher protected workloads.
references:
bsi: APP.4.4.A15

severity: medium

ocil_clause: 'Application placement on Nodes and Clusters needs review'
Expand Down
1 change: 0 additions & 1 deletion applications/openshift/general/kubeadmin_removed/rule.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,6 @@ identifiers:
cce@ocp4: CCE-90387-2

references:
bsi: APP.4.4.A3
cis@ocp4: 3.1.1,5.1.1
nerc-cip: CIP-004-6 R2.2.2,CIP-004-6 R2.2.3,CIP-007-3 R.1.3,CIP-007-3 R2,CIP-007-3 R5,CIP-007-3 R5.1.1,CIP-007-3 R5.1.3,CIP-007-3 R5.2.1,CIP-007-3 R5.2.3,CIP-007-3 R6.1,CIP-007-3 R6.2,CIP-007-3 R6.3,CIP-007-3 R6.4
nist: AC-2(2),AC-2(7),AC-2(9),AC-2(10),AC-12(1),IA-2(5),MA-4,SC-12(1)
Expand Down
Original file line number Diff line number Diff line change
@@ -1,32 +1,29 @@
title: Ensure that all workloads have liveness and readiness probes

description: |-
Configuring Kubernetes liveness and readiness probes is essential for ensuring the security and
Configuring Kubernetes liveness and readiness probes is essential for ensuring the security and
reliability of a system. These probes actively monitor container health and readiness, facilitating
automatic actions like restarting or rescheduling unresponsive instances for improved reliability.
They play a proactive role in issue detection, allowing timely problem resolution and contribute
automatic actions like restarting or rescheduling unresponsive instances for improved reliability.
They play a proactive role in issue detection, allowing timely problem resolution and contribute
to efficient scaling and traffic distribution.
rationale: |-
Many applications running for long periods of time eventually transition to broken states, and
Many applications running for long periods of time eventually transition to broken states, and
cannot recover except by being restarted. Kubernetes provides liveness probes to detect and remedy
such situations.
Sometimes, applications are temporarily unable to serve traffic. For example, an application might
Sometimes, applications are temporarily unable to serve traffic. For example, an application might
need to load large data or configuration files during startup, or depend on external services after
startup. In such cases, you don't want to kill the application, but you don't want to send it
requests either. Kubernetes provides readiness probes to detect and mitigate these situations.
A pod with containers reporting that they are not ready does not receive traffic through Kubernetes
startup. In such cases, you don't want to kill the application, but you don't want to send it
requests either. Kubernetes provides readiness probes to detect and mitigate these situations.
A pod with containers reporting that they are not ready does not receive traffic through Kubernetes
Services.
references:
bsi: APP.4.4.A11

severity: medium

ocil_clause: 'Liveness or readiness probe is not set'

ocil: |-
Run the following command to retrieve a list of deployments, daemonsets and statefulsets that
Run the following command to retrieve a list of deployments, daemonsets and statefulsets that
do not have liveness or readiness probes set for their containers:
<pre>$ oc get deployments,statefulsets,daemonsets --all-namespaces -o json | jq '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select( .spec.template.spec.containers[].readinessProbe != null and .spec.template.spec.containers[].livenessProbe != null ) | "\(.kind): \(.metadata.namespace)/\(.metadata.name)" ] | unique'</pre>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,6 @@ rationale: |-
severity: medium

references:
bsi: APP.4.4.A3
cis@eks: 3.2.1
cis@ocp4: 4.2.2
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,6 @@ rationale: |-
severity: high

references:
bsi: APP.4.4.A7
cis@ocp4: 5.3.1
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,6 @@ rationale: |-
severity: high

references:
bsi: APP.4.4.A7
cis@eks: 4.3.2
cis@ocp4: 5.3.2
nerc-cip: CIP-003-8 R4,CIP-003-8 R4.2,CIP-003-8 R5,CIP-003-8 R6,CIP-004-6 R2.2.4,CIP-004-6 R3,CIP-007-3 R2,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R6.1
Expand Down Expand Up @@ -47,7 +46,7 @@ ocil: |-
following command <tt>{{{ ocil_oc_pipe_jq_filter('networkpolicies', networkpolicies_for_non_ctlplane_namespaces_filter, all_namespaces=true) }}}</tt>
Namespaces matching the variable <tt>ocp4-var-network-policies-namespaces-exempt-regex</tt> regex are excluded from this check.
Make sure that the namespaces displayed in the commands of the commands match.
warnings:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,6 @@ identifiers:
cce@ocp4: CCE-86070-0

references:
bsi: APP.4.4.A7
srg: SRG-APP-000039-CTR-000110

warnings:
Expand Down
1 change: 0 additions & 1 deletion applications/openshift/rbac/rbac_least_privilege/rule.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,6 @@ identifiers:
cce@ocp4: CCE-90678-4

references:
bsi: APP.4.4.A3,APP.4.4.A7,APP.4.4.A9
cis@ocp4: 5.2.10
nist: AC-3,CM-5(6),IA-2,IA-2(5),AC-6(10),CM-11(2),CM-5(1),CM-7(5)(b)
srg: SRG-APP-000033-CTR-000090,SRG-APP-000033-CTR-000095,SRG-APP-000033-CTR-000100,SRG-APP-000133-CTR-000290,SRG-APP-000133-CTR-000295,SRG-APP-000133-CTR-000300,SRG-APP-000133-CTR-000305,SRG-APP-000133-CTR-000310,SRG-APP-000148-CTR-000350,SRG-APP-000153-CTR-000375,SRG-APP-000340-CTR-000770,SRG-APP-000378-CTR-000880,SRG-APP-000378-CTR-000885,SRG-APP-000378-CTR-000890,SRG-APP-000380-CTR-000900,SRG-APP-000386-CTR-000920
Expand Down
1 change: 0 additions & 1 deletion applications/openshift/rbac/rbac_wildcard_use/rule.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,6 @@ rationale: |-
severity: medium

references:
bsi: APP.4.4.A9
cis@ocp4: 5.1.3
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,6 @@ identifiers:
cce@ocp4: CCE-86235-9

references:
bsi: APP.4.4.A12
cis@ocp4: '5.5.1'
nist: CM-5(3)
srg: SRG-APP-000014-CTR-000035
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,6 @@ identifiers:
cce@ocp4: CCE-86123-7

references:
bsi: APP.4.4.A12
cis@ocp4: '5.5.1'
nist: CM-5(3)
srg: SRG-APP-000014-CTR-000035
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -26,9 +26,6 @@ ocil: |-
filter will return at least one 'true'. Run the following jq query to identify the non-compliant scansettings objects:
<pre>oc get scansettings -ojson | jq -r '[.items[] | select(.autoApplyRemediation != "" or .autoApplyRemediation != null) | .metadata.name]'</pre>
references:
bsi: APP.4.4.A13

severity: medium

warnings:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,6 @@ identifiers:
cce@ocp4: CCE-83697-3

references:
bsi: APP.4.4.A13
nerc-cip: CIP-003-8 R1.3,CIP-003-8 R4.3,CIP-003-8 R6,CIP-004-6 4.1,CIP-004-6 4.2,CIP-004-6 R3,CIP-004-6 R4,CIP-004-6 R4.2,CIP-005-6 R1,CIP-005-6 R1.1,CIP-005-6 R1.2,CIP-007-3 R3,CIP-007-3 R3.1,CIP-007-3 R6.1,CIP-007-3 R8.4
nist: CM-6,CM-6(1),RA-5,RA-5(5),SA-4(8)
pcidss: Req-2.2.4
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,6 @@ identifiers:
cce@ocp4: CCE-90762-6

references:
bsi: APP.4.4.A13
nist: SI-6(b)
srg: SRG-APP-000473-CTR-001175

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,6 @@ rationale: |-
severity: medium

references:
bsi: APP.4.4.A9
cis@ocp4: 5.2.9
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,6 @@ rationale: |-
severity: medium

references:
bsi: APP.4.4.A9
cis@ocp4: 5.2.8
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,6 @@ identifiers:
cce@ocp4: CCE-86255-7

references:
bsi: APP.4.4.A4,APP.4.4.A9
cis@ocp4: 5.2.12
nist: AC-6,AC-6(1)
srg: SRG-APP-000142-CTR-000330
Expand Down
1 change: 0 additions & 1 deletion applications/openshift/scc/scc_limit_host_ports/rule.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,6 @@ identifiers:
cce@ocp4: CCE-86205-2

references:
bsi: APP.4.4.A9
nist: CM-6,CM-6(1)
srg: SRG-APP-000142-CTR-000330

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,6 @@ identifiers:
cce@ocp4: CCE-84042-1

references:
bsi: APP.4.4.A4,APP.4.4.A9
cis@ocp4: 5.2.3
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,6 @@ rationale: |-
severity: medium

references:
bsi: APP.4.4.A4,APP.4.4.A9
cis@ocp4: 5.2.7
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,6 @@ identifiers:
cce@ocp4: CCE-83492-9

references:
bsi: APP.4.4.A4,APP.4.4.A9
cis@ocp4: 5.2.4
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,6 @@ identifiers:
cce@ocp4: CCE-83447-3

references:
bsi: APP.4.4.A9
cis@ocp4: 5.2.5
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,6 @@ rationale: |-
severity: medium

references:
bsi: APP.4.4.A4,APP.4.4.A9
cis@ocp4: 5.2.1
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,6 @@ rationale: |-
severity: medium

references:
bsi: APP.4.4.A4,APP.4.4.A9
cis@ocp4: 5.2.2
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,6 @@ rationale: |-
severity: medium

references:
bsi: APP.4.4.A4,APP.4.4.A9
cis@ocp4: 5.2.6
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
Expand Down
2 changes: 2 additions & 0 deletions controls/bsi_app_4_4.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@ levels:
inherits_from:
- standard

reference_type: bsi

controls:
- id: APP.4.4.A1
title: Planning the Separation of the Applications
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,6 @@ identifiers:
cce@rhcos4: CCE-83899-5

references:
bsi: APP.4.4.A4
cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9
cobit5: APO01.06,APO11.04,APO13.01,BAI03.05,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.03,DSS06.06,MEA02.01
cui: 3.1.2,3.7.2
Expand Down
1 change: 0 additions & 1 deletion linux_os/guide/system/selinux/selinux_policytype/rule.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,6 @@ identifiers:
cce@sle15: CCE-91445-7

references:
bsi: APP.4.4.A4
cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9
cobit5: APO01.06,APO11.04,APO13.01,BAI03.05,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.03,DSS06.06,MEA02.01
cui: 3.1.2,3.7.2
Expand Down
1 change: 0 additions & 1 deletion linux_os/guide/system/selinux/selinux_state/rule.yml
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,6 @@ identifiers:
cce@sle15: CCE-91446-5

references:
bsi: APP.4.4.A4
cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9
cobit5: APO01.06,APO11.04,APO13.01,BAI03.05,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.03,DSS06.06,MEA02.01
cui: 3.1.2,3.7.2
Expand Down

0 comments on commit 32204e8

Please sign in to comment.