diff --git a/applications/openshift/accounts/accounts_no_clusterrolebindings_default_service_account/rule.yml b/applications/openshift/accounts/accounts_no_clusterrolebindings_default_service_account/rule.yml
index 0970c2df91b..7585129582b 100644
--- a/applications/openshift/accounts/accounts_no_clusterrolebindings_default_service_account/rule.yml
+++ b/applications/openshift/accounts/accounts_no_clusterrolebindings_default_service_account/rule.yml
@@ -5,7 +5,7 @@ title: 'Ensure no ClusterRoleBindings set for default Service Account'
description: |-
Using the default service account prevents accurate application
rights review and audit tracing. Instead of default, create
- a new and unique service account and associate the required ClusterRoleBindings.
+ a new and unique service account and associate the required ClusterRoleBindings.
rationale: |-
Kubernetes provides a default service account which is used by
@@ -20,8 +20,6 @@ severity: medium
identifiers: {}
-references:
- bsi: APP.4.4.A9
{{% set jqfilter = '[.items[] | select ( .subjects[]?.name == "default" ) | select(.subjects[].namespace | startswith("kube-") or startswith("openshift-") | not) | .metadata.name ] | unique' %}}
@@ -31,7 +29,7 @@ ocil: |-
Run the following command to retrieve a list of ClusterRoleBindings that are
associated to the default service account:
$ oc get clusterrolebindings -o json | jq '{{{ jqfilter }}}'
- There should be no ClusterRoleBindings associated with the the default service account
+ There should be no ClusterRoleBindings associated with the the default service account
in any namespace.
warnings:
diff --git a/applications/openshift/accounts/accounts_no_rolebindings_default_service_account/rule.yml b/applications/openshift/accounts/accounts_no_rolebindings_default_service_account/rule.yml
index 4726aa0471a..72d3ebe2a6f 100644
--- a/applications/openshift/accounts/accounts_no_rolebindings_default_service_account/rule.yml
+++ b/applications/openshift/accounts/accounts_no_rolebindings_default_service_account/rule.yml
@@ -5,7 +5,7 @@ title: 'Ensure no RoleBindings set for default Service Account'
description: |-
Using the default service account prevents accurate application
rights review and audit tracing. Instead of default, create
- a new and unique service account and associate the required RoleBindings.
+ a new and unique service account and associate the required RoleBindings.
rationale: |-
Kubernetes provides a default service account which is used by
@@ -20,9 +20,6 @@ severity: medium
identifiers: {}
-references:
- bsi: APP.4.4.A9
-
{{% set jqfilter = '[.items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select ( .subjects[]?.name == "default" ) | .metadata.namespace + "/" + .metadata.name ] | unique' %}}
ocil_clause: 'default service account is given permissions using RoleBindings'
@@ -31,7 +28,7 @@ ocil: |-
Run the following command to retrieve a list of RoleBindings that are
associated to the default service account:
$ oc get rolebindings --all-namespaces -o json | jq '{{{ jqfilter }}}'
- There should be no RoleBindings associated with the the default service account
+ There should be no RoleBindings associated with the the default service account
in any namespace.
warnings:
diff --git a/applications/openshift/accounts/accounts_restrict_service_account_tokens/rule.yml b/applications/openshift/accounts/accounts_restrict_service_account_tokens/rule.yml
index fdb1062a7cb..d600683ecc0 100644
--- a/applications/openshift/accounts/accounts_restrict_service_account_tokens/rule.yml
+++ b/applications/openshift/accounts/accounts_restrict_service_account_tokens/rule.yml
@@ -17,7 +17,6 @@ rationale: |-
severity: medium
references:
- bsi: APP.4.4.A9
cis@ocp4: 5.1.6
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
diff --git a/applications/openshift/accounts/accounts_unique_service_account/rule.yml b/applications/openshift/accounts/accounts_unique_service_account/rule.yml
index c0a0763a1dc..e50e7997c82 100644
--- a/applications/openshift/accounts/accounts_unique_service_account/rule.yml
+++ b/applications/openshift/accounts/accounts_unique_service_account/rule.yml
@@ -23,7 +23,6 @@ rationale: |-
severity: medium
references:
- bsi: APP.4.4.A9
cis@ocp4: 5.1.5
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
diff --git a/applications/openshift/api-server/api_server_anonymous_auth/rule.yml b/applications/openshift/api-server/api_server_anonymous_auth/rule.yml
index 14dec34c936..e2f4dcf6701 100644
--- a/applications/openshift/api-server/api_server_anonymous_auth/rule.yml
+++ b/applications/openshift/api-server/api_server_anonymous_auth/rule.yml
@@ -34,7 +34,6 @@ rationale: |-
severity: medium
references:
- bsi: APP.4.4.A3
cis@ocp4: 1.2.1
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
diff --git a/applications/openshift/etcd/etcd_backup/rule.yml b/applications/openshift/etcd/etcd_backup/rule.yml
index 9db8425b369..282f547be6d 100644
--- a/applications/openshift/etcd/etcd_backup/rule.yml
+++ b/applications/openshift/etcd/etcd_backup/rule.yml
@@ -19,9 +19,6 @@ rationale: |-
identifiers:
cce@ocp4: CCE-88188-8
-references:
- bsi: APP.4.4.A5
-
severity: medium
ocil_clause: 'etcd backup needs review'
diff --git a/applications/openshift/general/general_backup_solution_installed/rule.yml b/applications/openshift/general/general_backup_solution_installed/rule.yml
index ead60299b17..2570be1d7fe 100644
--- a/applications/openshift/general/general_backup_solution_installed/rule.yml
+++ b/applications/openshift/general/general_backup_solution_installed/rule.yml
@@ -12,9 +12,6 @@ rationale: |-
identifiers:
cce@ocp4: CCE-90185-0
-references:
- bsi: APP.4.4.A5
-
severity: medium
ocil_clause: 'No CRDs from a known backup solution installed'
diff --git a/applications/openshift/general/general_namespace_separation/rule.yml b/applications/openshift/general/general_namespace_separation/rule.yml
index 2fa4284870e..c1b12e0fb70 100644
--- a/applications/openshift/general/general_namespace_separation/rule.yml
+++ b/applications/openshift/general/general_namespace_separation/rule.yml
@@ -11,9 +11,6 @@ rationale: |-
level. It also allows you control the network flow from and to other namespaces
more easily.
-references:
- bsi: APP.4.4.A1
-
severity: medium
identifiers:
diff --git a/applications/openshift/general/general_network_separation/rule.yml b/applications/openshift/general/general_network_separation/rule.yml
index b581cc92c4d..8144cfc3ffa 100644
--- a/applications/openshift/general/general_network_separation/rule.yml
+++ b/applications/openshift/general/general_network_separation/rule.yml
@@ -9,9 +9,6 @@ description: |-
rationale: |-
Separation on a Network level might help to hinder lateral movement of an attacker and subsequently reduce the impact of an attack. It might also enable you to provide additional external network control (like firewalls).
-references:
- bsi: APP.4.4.A7
-
severity: medium
identifiers:
diff --git a/applications/openshift/general/general_node_separation/rule.yml b/applications/openshift/general/general_node_separation/rule.yml
index ec7f9850542..1e2e49bd723 100644
--- a/applications/openshift/general/general_node_separation/rule.yml
+++ b/applications/openshift/general/general_node_separation/rule.yml
@@ -12,9 +12,6 @@ description: |-
rationale: |-
Assigning workloads with high protection requirements to specific nodes creates and additional boundary (the node) between workloads of high protection requirements and workloads which might follow less strict requirements. An adversary which attacked a lighter protected workload now has additional obstacles for their movement towards the higher protected workloads.
-references:
- bsi: APP.4.4.A15
-
severity: medium
ocil_clause: 'Application placement on Nodes and Clusters needs review'
diff --git a/applications/openshift/general/kubeadmin_removed/rule.yml b/applications/openshift/general/kubeadmin_removed/rule.yml
index c97efa6d39a..93fcb721b73 100644
--- a/applications/openshift/general/kubeadmin_removed/rule.yml
+++ b/applications/openshift/general/kubeadmin_removed/rule.yml
@@ -22,7 +22,6 @@ identifiers:
cce@ocp4: CCE-90387-2
references:
- bsi: APP.4.4.A3
cis@ocp4: 3.1.1,5.1.1
nerc-cip: CIP-004-6 R2.2.2,CIP-004-6 R2.2.3,CIP-007-3 R.1.3,CIP-007-3 R2,CIP-007-3 R5,CIP-007-3 R5.1.1,CIP-007-3 R5.1.3,CIP-007-3 R5.2.1,CIP-007-3 R5.2.3,CIP-007-3 R6.1,CIP-007-3 R6.2,CIP-007-3 R6.3,CIP-007-3 R6.4
nist: AC-2(2),AC-2(7),AC-2(9),AC-2(10),AC-12(1),IA-2(5),MA-4,SC-12(1)
diff --git a/applications/openshift/general/liveness_readiness_probe_in_workload/rule.yml b/applications/openshift/general/liveness_readiness_probe_in_workload/rule.yml
index 40c5d783e2a..f2a6245c786 100644
--- a/applications/openshift/general/liveness_readiness_probe_in_workload/rule.yml
+++ b/applications/openshift/general/liveness_readiness_probe_in_workload/rule.yml
@@ -1,32 +1,29 @@
title: Ensure that all workloads have liveness and readiness probes
description: |-
- Configuring Kubernetes liveness and readiness probes is essential for ensuring the security and
+ Configuring Kubernetes liveness and readiness probes is essential for ensuring the security and
reliability of a system. These probes actively monitor container health and readiness, facilitating
- automatic actions like restarting or rescheduling unresponsive instances for improved reliability.
- They play a proactive role in issue detection, allowing timely problem resolution and contribute
+ automatic actions like restarting or rescheduling unresponsive instances for improved reliability.
+ They play a proactive role in issue detection, allowing timely problem resolution and contribute
to efficient scaling and traffic distribution.
rationale: |-
- Many applications running for long periods of time eventually transition to broken states, and
+ Many applications running for long periods of time eventually transition to broken states, and
cannot recover except by being restarted. Kubernetes provides liveness probes to detect and remedy
such situations.
- Sometimes, applications are temporarily unable to serve traffic. For example, an application might
+ Sometimes, applications are temporarily unable to serve traffic. For example, an application might
need to load large data or configuration files during startup, or depend on external services after
- startup. In such cases, you don't want to kill the application, but you don't want to send it
- requests either. Kubernetes provides readiness probes to detect and mitigate these situations.
- A pod with containers reporting that they are not ready does not receive traffic through Kubernetes
+ startup. In such cases, you don't want to kill the application, but you don't want to send it
+ requests either. Kubernetes provides readiness probes to detect and mitigate these situations.
+ A pod with containers reporting that they are not ready does not receive traffic through Kubernetes
Services.
-references:
- bsi: APP.4.4.A11
-
severity: medium
ocil_clause: 'Liveness or readiness probe is not set'
ocil: |-
- Run the following command to retrieve a list of deployments, daemonsets and statefulsets that
+ Run the following command to retrieve a list of deployments, daemonsets and statefulsets that
do not have liveness or readiness probes set for their containers:
$ oc get deployments,statefulsets,daemonsets --all-namespaces -o json | jq '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select( .spec.template.spec.containers[].readinessProbe != null and .spec.template.spec.containers[].livenessProbe != null ) | "\(.kind): \(.metadata.namespace)/\(.metadata.name)" ] | unique'
diff --git a/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml b/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml
index 5282464314a..fb5bd9353e6 100644
--- a/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml
+++ b/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml
@@ -35,7 +35,6 @@ rationale: |-
severity: medium
references:
- bsi: APP.4.4.A3
cis@eks: 3.2.1
cis@ocp4: 4.2.2
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
diff --git a/applications/openshift/networking/configure_network_policies/rule.yml b/applications/openshift/networking/configure_network_policies/rule.yml
index ddcfc176714..e30efa56270 100644
--- a/applications/openshift/networking/configure_network_policies/rule.yml
+++ b/applications/openshift/networking/configure_network_policies/rule.yml
@@ -17,7 +17,6 @@ rationale: |-
severity: high
references:
- bsi: APP.4.4.A7
cis@ocp4: 5.3.1
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
diff --git a/applications/openshift/networking/configure_network_policies_namespaces/rule.yml b/applications/openshift/networking/configure_network_policies_namespaces/rule.yml
index beda6190b2d..3804944cae5 100644
--- a/applications/openshift/networking/configure_network_policies_namespaces/rule.yml
+++ b/applications/openshift/networking/configure_network_policies_namespaces/rule.yml
@@ -17,7 +17,6 @@ rationale: |-
severity: high
references:
- bsi: APP.4.4.A7
cis@eks: 4.3.2
cis@ocp4: 5.3.2
nerc-cip: CIP-003-8 R4,CIP-003-8 R4.2,CIP-003-8 R5,CIP-003-8 R6,CIP-004-6 R2.2.4,CIP-004-6 R3,CIP-007-3 R2,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R6.1
@@ -47,7 +46,7 @@ ocil: |-
following command {{{ ocil_oc_pipe_jq_filter('networkpolicies', networkpolicies_for_non_ctlplane_namespaces_filter, all_namespaces=true) }}}
Namespaces matching the variable ocp4-var-network-policies-namespaces-exempt-regex regex are excluded from this check.
-
+
Make sure that the namespaces displayed in the commands of the commands match.
warnings:
diff --git a/applications/openshift/networking/project_config_and_template_network_policy/rule.yml b/applications/openshift/networking/project_config_and_template_network_policy/rule.yml
index 7aa79373244..72775ae6661 100644
--- a/applications/openshift/networking/project_config_and_template_network_policy/rule.yml
+++ b/applications/openshift/networking/project_config_and_template_network_policy/rule.yml
@@ -58,7 +58,6 @@ identifiers:
cce@ocp4: CCE-86070-0
references:
- bsi: APP.4.4.A7
srg: SRG-APP-000039-CTR-000110
warnings:
diff --git a/applications/openshift/rbac/rbac_least_privilege/rule.yml b/applications/openshift/rbac/rbac_least_privilege/rule.yml
index 5dce32016e2..277343e6e3b 100644
--- a/applications/openshift/rbac/rbac_least_privilege/rule.yml
+++ b/applications/openshift/rbac/rbac_least_privilege/rule.yml
@@ -26,7 +26,6 @@ identifiers:
cce@ocp4: CCE-90678-4
references:
- bsi: APP.4.4.A3,APP.4.4.A7,APP.4.4.A9
cis@ocp4: 5.2.10
nist: AC-3,CM-5(6),IA-2,IA-2(5),AC-6(10),CM-11(2),CM-5(1),CM-7(5)(b)
srg: SRG-APP-000033-CTR-000090,SRG-APP-000033-CTR-000095,SRG-APP-000033-CTR-000100,SRG-APP-000133-CTR-000290,SRG-APP-000133-CTR-000295,SRG-APP-000133-CTR-000300,SRG-APP-000133-CTR-000305,SRG-APP-000133-CTR-000310,SRG-APP-000148-CTR-000350,SRG-APP-000153-CTR-000375,SRG-APP-000340-CTR-000770,SRG-APP-000378-CTR-000880,SRG-APP-000378-CTR-000885,SRG-APP-000378-CTR-000890,SRG-APP-000380-CTR-000900,SRG-APP-000386-CTR-000920
diff --git a/applications/openshift/rbac/rbac_wildcard_use/rule.yml b/applications/openshift/rbac/rbac_wildcard_use/rule.yml
index 2778d8061ae..9e589e15bce 100644
--- a/applications/openshift/rbac/rbac_wildcard_use/rule.yml
+++ b/applications/openshift/rbac/rbac_wildcard_use/rule.yml
@@ -20,7 +20,6 @@ rationale: |-
severity: medium
references:
- bsi: APP.4.4.A9
cis@ocp4: 5.1.3
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
diff --git a/applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml b/applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml
index 8e8b2ca47a6..cbb7dc2feb3 100644
--- a/applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml
+++ b/applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml
@@ -30,7 +30,6 @@ identifiers:
cce@ocp4: CCE-86235-9
references:
- bsi: APP.4.4.A12
cis@ocp4: '5.5.1'
nist: CM-5(3)
srg: SRG-APP-000014-CTR-000035
diff --git a/applications/openshift/registry/ocp_insecure_registries/rule.yml b/applications/openshift/registry/ocp_insecure_registries/rule.yml
index 9407e34646d..955b671d287 100644
--- a/applications/openshift/registry/ocp_insecure_registries/rule.yml
+++ b/applications/openshift/registry/ocp_insecure_registries/rule.yml
@@ -26,7 +26,6 @@ identifiers:
cce@ocp4: CCE-86123-7
references:
- bsi: APP.4.4.A12
cis@ocp4: '5.5.1'
nist: CM-5(3)
srg: SRG-APP-000014-CTR-000035
diff --git a/applications/openshift/risk-assessment/scansetting_has_autoapplyremediations/rule.yml b/applications/openshift/risk-assessment/scansetting_has_autoapplyremediations/rule.yml
index 6d065facce2..cbcf36c1fdf 100644
--- a/applications/openshift/risk-assessment/scansetting_has_autoapplyremediations/rule.yml
+++ b/applications/openshift/risk-assessment/scansetting_has_autoapplyremediations/rule.yml
@@ -26,9 +26,6 @@ ocil: |-
filter will return at least one 'true'. Run the following jq query to identify the non-compliant scansettings objects:
oc get scansettings -ojson | jq -r '[.items[] | select(.autoApplyRemediation != "" or .autoApplyRemediation != null) | .metadata.name]'
-references:
- bsi: APP.4.4.A13
-
severity: medium
warnings:
diff --git a/applications/openshift/risk-assessment/scansettingbinding_exists/rule.yml b/applications/openshift/risk-assessment/scansettingbinding_exists/rule.yml
index a75346dc09f..1f2b34c6e04 100644
--- a/applications/openshift/risk-assessment/scansettingbinding_exists/rule.yml
+++ b/applications/openshift/risk-assessment/scansettingbinding_exists/rule.yml
@@ -17,7 +17,6 @@ identifiers:
cce@ocp4: CCE-83697-3
references:
- bsi: APP.4.4.A13
nerc-cip: CIP-003-8 R1.3,CIP-003-8 R4.3,CIP-003-8 R6,CIP-004-6 4.1,CIP-004-6 4.2,CIP-004-6 R3,CIP-004-6 R4,CIP-004-6 R4.2,CIP-005-6 R1,CIP-005-6 R1.1,CIP-005-6 R1.2,CIP-007-3 R3,CIP-007-3 R3.1,CIP-007-3 R6.1,CIP-007-3 R8.4
nist: CM-6,CM-6(1),RA-5,RA-5(5),SA-4(8)
pcidss: Req-2.2.4
diff --git a/applications/openshift/risk-assessment/scansettings_have_schedule/rule.yml b/applications/openshift/risk-assessment/scansettings_have_schedule/rule.yml
index df1248a4866..0f9444ea424 100644
--- a/applications/openshift/risk-assessment/scansettings_have_schedule/rule.yml
+++ b/applications/openshift/risk-assessment/scansettings_have_schedule/rule.yml
@@ -18,7 +18,6 @@ identifiers:
cce@ocp4: CCE-90762-6
references:
- bsi: APP.4.4.A13
nist: SI-6(b)
srg: SRG-APP-000473-CTR-001175
diff --git a/applications/openshift/scc/scc_drop_container_capabilities/rule.yml b/applications/openshift/scc/scc_drop_container_capabilities/rule.yml
index e883fb90269..7ed4e5dfde8 100644
--- a/applications/openshift/scc/scc_drop_container_capabilities/rule.yml
+++ b/applications/openshift/scc/scc_drop_container_capabilities/rule.yml
@@ -20,7 +20,6 @@ rationale: |-
severity: medium
references:
- bsi: APP.4.4.A9
cis@ocp4: 5.2.9
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
diff --git a/applications/openshift/scc/scc_limit_container_allowed_capabilities/rule.yml b/applications/openshift/scc/scc_limit_container_allowed_capabilities/rule.yml
index 38751948fe3..647e58743cb 100644
--- a/applications/openshift/scc/scc_limit_container_allowed_capabilities/rule.yml
+++ b/applications/openshift/scc/scc_limit_container_allowed_capabilities/rule.yml
@@ -50,7 +50,6 @@ rationale: |-
severity: medium
references:
- bsi: APP.4.4.A9
cis@ocp4: 5.2.8
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
diff --git a/applications/openshift/scc/scc_limit_host_dir_volume_plugin/rule.yml b/applications/openshift/scc/scc_limit_host_dir_volume_plugin/rule.yml
index 2a1f2bb877e..a647219e09f 100644
--- a/applications/openshift/scc/scc_limit_host_dir_volume_plugin/rule.yml
+++ b/applications/openshift/scc/scc_limit_host_dir_volume_plugin/rule.yml
@@ -21,7 +21,6 @@ identifiers:
cce@ocp4: CCE-86255-7
references:
- bsi: APP.4.4.A4,APP.4.4.A9
cis@ocp4: 5.2.12
nist: AC-6,AC-6(1)
srg: SRG-APP-000142-CTR-000330
diff --git a/applications/openshift/scc/scc_limit_host_ports/rule.yml b/applications/openshift/scc/scc_limit_host_ports/rule.yml
index a211cb16e0e..c015e319d07 100644
--- a/applications/openshift/scc/scc_limit_host_ports/rule.yml
+++ b/applications/openshift/scc/scc_limit_host_ports/rule.yml
@@ -24,7 +24,6 @@ identifiers:
cce@ocp4: CCE-86205-2
references:
- bsi: APP.4.4.A9
nist: CM-6,CM-6(1)
srg: SRG-APP-000142-CTR-000330
diff --git a/applications/openshift/scc/scc_limit_ipc_namespace/rule.yml b/applications/openshift/scc/scc_limit_ipc_namespace/rule.yml
index e8bc677ac73..4b4c512716d 100644
--- a/applications/openshift/scc/scc_limit_ipc_namespace/rule.yml
+++ b/applications/openshift/scc/scc_limit_ipc_namespace/rule.yml
@@ -21,7 +21,6 @@ identifiers:
cce@ocp4: CCE-84042-1
references:
- bsi: APP.4.4.A4,APP.4.4.A9
cis@ocp4: 5.2.3
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
diff --git a/applications/openshift/scc/scc_limit_net_raw_capability/rule.yml b/applications/openshift/scc/scc_limit_net_raw_capability/rule.yml
index 2548821254d..9404c6e5414 100644
--- a/applications/openshift/scc/scc_limit_net_raw_capability/rule.yml
+++ b/applications/openshift/scc/scc_limit_net_raw_capability/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
severity: medium
references:
- bsi: APP.4.4.A4,APP.4.4.A9
cis@ocp4: 5.2.7
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
diff --git a/applications/openshift/scc/scc_limit_network_namespace/rule.yml b/applications/openshift/scc/scc_limit_network_namespace/rule.yml
index bdc31e9a228..91c795a992d 100644
--- a/applications/openshift/scc/scc_limit_network_namespace/rule.yml
+++ b/applications/openshift/scc/scc_limit_network_namespace/rule.yml
@@ -21,7 +21,6 @@ identifiers:
cce@ocp4: CCE-83492-9
references:
- bsi: APP.4.4.A4,APP.4.4.A9
cis@ocp4: 5.2.4
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
diff --git a/applications/openshift/scc/scc_limit_privilege_escalation/rule.yml b/applications/openshift/scc/scc_limit_privilege_escalation/rule.yml
index fdb33fc2bf5..4d194c37b43 100644
--- a/applications/openshift/scc/scc_limit_privilege_escalation/rule.yml
+++ b/applications/openshift/scc/scc_limit_privilege_escalation/rule.yml
@@ -22,7 +22,6 @@ identifiers:
cce@ocp4: CCE-83447-3
references:
- bsi: APP.4.4.A9
cis@ocp4: 5.2.5
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
diff --git a/applications/openshift/scc/scc_limit_privileged_containers/rule.yml b/applications/openshift/scc/scc_limit_privileged_containers/rule.yml
index 763a3807215..bd6c5e43072 100644
--- a/applications/openshift/scc/scc_limit_privileged_containers/rule.yml
+++ b/applications/openshift/scc/scc_limit_privileged_containers/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
severity: medium
references:
- bsi: APP.4.4.A4,APP.4.4.A9
cis@ocp4: 5.2.1
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
diff --git a/applications/openshift/scc/scc_limit_process_id_namespace/rule.yml b/applications/openshift/scc/scc_limit_process_id_namespace/rule.yml
index 3b6b459d74e..44e38b05edf 100644
--- a/applications/openshift/scc/scc_limit_process_id_namespace/rule.yml
+++ b/applications/openshift/scc/scc_limit_process_id_namespace/rule.yml
@@ -17,7 +17,6 @@ rationale: |-
severity: medium
references:
- bsi: APP.4.4.A4,APP.4.4.A9
cis@ocp4: 5.2.2
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
diff --git a/applications/openshift/scc/scc_limit_root_containers/rule.yml b/applications/openshift/scc/scc_limit_root_containers/rule.yml
index 29c4ca3ed4b..df5727c4cd2 100644
--- a/applications/openshift/scc/scc_limit_root_containers/rule.yml
+++ b/applications/openshift/scc/scc_limit_root_containers/rule.yml
@@ -25,7 +25,6 @@ rationale: |-
severity: medium
references:
- bsi: APP.4.4.A4,APP.4.4.A9
cis@ocp4: 5.2.6
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml
index 9b55dec984e..809f8023c5e 100644
--- a/controls/bsi_app_4_4.yml
+++ b/controls/bsi_app_4_4.yml
@@ -18,6 +18,8 @@ levels:
inherits_from:
- standard
+reference_type: bsi
+
controls:
- id: APP.4.4.A1
title: Planning the Separation of the Applications
diff --git a/linux_os/guide/system/selinux/coreos_enable_selinux_kernel_argument/rule.yml b/linux_os/guide/system/selinux/coreos_enable_selinux_kernel_argument/rule.yml
index 15804c10fa8..23972e5939d 100644
--- a/linux_os/guide/system/selinux/coreos_enable_selinux_kernel_argument/rule.yml
+++ b/linux_os/guide/system/selinux/coreos_enable_selinux_kernel_argument/rule.yml
@@ -19,7 +19,6 @@ identifiers:
cce@rhcos4: CCE-83899-5
references:
- bsi: APP.4.4.A4
cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9
cobit5: APO01.06,APO11.04,APO13.01,BAI03.05,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.03,DSS06.06,MEA02.01
cui: 3.1.2,3.7.2
diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
index 89a14423ab8..67579503d89 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
@@ -35,7 +35,6 @@ identifiers:
cce@sle15: CCE-91445-7
references:
- bsi: APP.4.4.A4
cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9
cobit5: APO01.06,APO11.04,APO13.01,BAI03.05,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.03,DSS06.06,MEA02.01
cui: 3.1.2,3.7.2
diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml
index f53f6bae929..5c6ac289464 100644
--- a/linux_os/guide/system/selinux/selinux_state/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_state/rule.yml
@@ -28,7 +28,6 @@ identifiers:
cce@sle15: CCE-91446-5
references:
- bsi: APP.4.4.A4
cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9
cobit5: APO01.06,APO11.04,APO13.01,BAI03.05,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.03,DSS06.06,MEA02.01
cui: 3.1.2,3.7.2