From 32204e8ae32c7cfea2f21152a9de90588b7772ff Mon Sep 17 00:00:00 2001
From: sluetze <13255307+sluetze@users.noreply.github.com>
Date: Tue, 16 Jul 2024 09:13:02 +0200
Subject: [PATCH] switch to automatic reference system
---
 .../rule.yml | 6 ++----
 .../rule.yml | 7 ++-----
 .../rule.yml | 1 -
 .../accounts_unique_service_account/rule.yml | 1 -
 .../api_server_anonymous_auth/rule.yml | 1 -
 .../openshift/etcd/etcd_backup/rule.yml | 3 ---
 .../rule.yml | 3 ---
 .../general_namespace_separation/rule.yml | 3 ---
 .../general_network_separation/rule.yml | 3 ---
 .../general/general_node_separation/rule.yml | 3 ---
 .../general/kubeadmin_removed/rule.yml | 1 -
 .../rule.yml | 21 ++++++++-----------
 .../kubelet/kubelet_anonymous_auth/rule.yml | 1 -
 .../configure_network_policies/rule.yml | 1 -
 .../rule.yml | 3 +--
 .../rule.yml | 1 -
 .../rbac/rbac_least_privilege/rule.yml | 1 -
 .../openshift/rbac/rbac_wildcard_use/rule.yml | 1 -
 .../rule.yml | 1 -
 .../registry/ocp_insecure_registries/rule.yml | 1 -
 .../rule.yml | 3 ---
 .../scansettingbinding_exists/rule.yml | 1 -
 .../scansettings_have_schedule/rule.yml | 1 -
 .../scc_drop_container_capabilities/rule.yml | 1 -
 .../rule.yml | 1 -
 .../scc_limit_host_dir_volume_plugin/rule.yml | 1 -
 .../scc/scc_limit_host_ports/rule.yml | 1 -
 .../scc/scc_limit_ipc_namespace/rule.yml | 1 -
 .../scc/scc_limit_net_raw_capability/rule.yml | 1 -
 .../scc/scc_limit_network_namespace/rule.yml | 1 -
 .../scc_limit_privilege_escalation/rule.yml | 1 -
 .../scc_limit_privileged_containers/rule.yml | 1 -
 .../scc_limit_process_id_namespace/rule.yml | 1 -
 .../scc/scc_limit_root_containers/rule.yml | 1 -
 controls/bsi_app_4_4.yml | 2 ++
 .../rule.yml | 1 -
 .../selinux/selinux_policytype/rule.yml | 1 -
 .../system/selinux/selinux_state/rule.yml | 1 -
 38 files changed, 16 insertions(+), 68 deletions(-)
diff --git a/applications/openshift/accounts/accounts_no_clusterrolebindings_default_service_account/rule.yml b/applications/openshift/accounts/accounts_no_clusterrolebindings_default_service_account/rule.yml index 0970c2df91b..7585129582b 100644 --- a/applications/openshift/accounts/accounts_no_clusterrolebindings_default_service_account/rule.yml +++ b/applications/openshift/accounts/accounts_no_clusterrolebindings_default_service_account/rule.yml @@ -5,7 +5,7 @@ title: 'Ensure no ClusterRoleBindings set for default Service Account' description: |- Using the default service account prevents accurate application rights review and audit tracing. Instead of default, create - a new and unique service account and associate the required ClusterRoleBindings. + a new and unique service account and associate the required ClusterRoleBindings. rationale: |- Kubernetes provides a default service account which is used by @@ -20,8 +20,6 @@ severity: medium identifiers: {} -references: - bsi: APP.4.4.A9 {{% set jqfilter = '[.items[] | select ( .subjects[]?.name == "default" ) | select(.subjects[].namespace | startswith("kube-") or startswith("openshift-") | not) | .metadata.name ] | unique' %}} @@ -31,7 +29,7 @@ ocil: |- Run the following command to retrieve a list of ClusterRoleBindings that are associated to the default service account:
$ oc get clusterrolebindings -o json | jq '{{{ jqfilter }}}'- There should be no ClusterRoleBindings associated with the the default service account + There should be no ClusterRoleBindings associated with the the default service account in any namespace. warnings: diff --git a/applications/openshift/accounts/accounts_no_rolebindings_default_service_account/rule.yml b/applications/openshift/accounts/accounts_no_rolebindings_default_service_account/rule.yml index 4726aa0471a..72d3ebe2a6f 100644 --- a/applications/openshift/accounts/accounts_no_rolebindings_default_service_account/rule.yml +++ b/applications/openshift/accounts/accounts_no_rolebindings_default_service_account/rule.yml @@ -5,7 +5,7 @@ title: 'Ensure no RoleBindings set for default Service Account' description: |- Using the default service account prevents accurate application rights review and audit tracing. Instead of default, create - a new and unique service account and associate the required RoleBindings. + a new and unique service account and associate the required RoleBindings. rationale: |- Kubernetes provides a default service account which is used by @@ -20,9 +20,6 @@ severity: medium identifiers: {} -references: - bsi: APP.4.4.A9 - {{% set jqfilter = '[.items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select ( .subjects[]?.name == "default" ) | .metadata.namespace + "/" + .metadata.name ] | unique' %}} ocil_clause: 'default service account is given permissions using RoleBindings' @@ -31,7 +28,7 @@ ocil: |- Run the following command to retrieve a list of RoleBindings that are associated to the default service account:
$ oc get rolebindings --all-namespaces -o json | jq '{{{ jqfilter }}}'- There should be no RoleBindings associated with the the default service account + There should be no RoleBindings associated with the the default service account in any namespace. warnings: diff --git a/applications/openshift/accounts/accounts_restrict_service_account_tokens/rule.yml b/applications/openshift/accounts/accounts_restrict_service_account_tokens/rule.yml index fdb1062a7cb..d600683ecc0 100644 --- a/applications/openshift/accounts/accounts_restrict_service_account_tokens/rule.yml +++ b/applications/openshift/accounts/accounts_restrict_service_account_tokens/rule.yml @@ -17,7 +17,6 @@ rationale: |- severity: medium references: - bsi: APP.4.4.A9 cis@ocp4: 5.1.6 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 nist: CM-6,CM-6(1) diff --git a/applications/openshift/accounts/accounts_unique_service_account/rule.yml b/applications/openshift/accounts/accounts_unique_service_account/rule.yml index c0a0763a1dc..e50e7997c82 100644 --- a/applications/openshift/accounts/accounts_unique_service_account/rule.yml +++ b/applications/openshift/accounts/accounts_unique_service_account/rule.yml @@ -23,7 +23,6 @@ rationale: |- severity: medium references: - bsi: APP.4.4.A9 cis@ocp4: 5.1.5 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 nist: CM-6,CM-6(1) diff --git a/applications/openshift/api-server/api_server_anonymous_auth/rule.yml b/applications/openshift/api-server/api_server_anonymous_auth/rule.yml index 14dec34c936..e2f4dcf6701 100644 --- a/applications/openshift/api-server/api_server_anonymous_auth/rule.yml +++ b/applications/openshift/api-server/api_server_anonymous_auth/rule.yml @@ -34,7 +34,6 @@ rationale: |- severity: medium references: - bsi: APP.4.4.A3 cis@ocp4: 1.2.1 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 nist: CM-6,CM-6(1) diff --git a/applications/openshift/etcd/etcd_backup/rule.yml b/applications/openshift/etcd/etcd_backup/rule.yml index 9db8425b369..282f547be6d 100644 
--- a/applications/openshift/etcd/etcd_backup/rule.yml +++ b/applications/openshift/etcd/etcd_backup/rule.yml @@ -19,9 +19,6 @@ rationale: |- identifiers: cce@ocp4: CCE-88188-8 -references: - bsi: APP.4.4.A5 - severity: medium ocil_clause: 'etcd backup needs review' diff --git a/applications/openshift/general/general_backup_solution_installed/rule.yml b/applications/openshift/general/general_backup_solution_installed/rule.yml index ead60299b17..2570be1d7fe 100644 --- a/applications/openshift/general/general_backup_solution_installed/rule.yml +++ b/applications/openshift/general/general_backup_solution_installed/rule.yml @@ -12,9 +12,6 @@ rationale: |- identifiers: cce@ocp4: CCE-90185-0 -references: - bsi: APP.4.4.A5 - severity: medium ocil_clause: 'No CRDs from a known backup solution installed' diff --git a/applications/openshift/general/general_namespace_separation/rule.yml b/applications/openshift/general/general_namespace_separation/rule.yml index 2fa4284870e..c1b12e0fb70 100644 --- a/applications/openshift/general/general_namespace_separation/rule.yml +++ b/applications/openshift/general/general_namespace_separation/rule.yml @@ -11,9 +11,6 @@ rationale: |- level. It also allows you control the network flow from and to other namespaces more easily. -references: - bsi: APP.4.4.A1 - severity: medium identifiers: diff --git a/applications/openshift/general/general_network_separation/rule.yml b/applications/openshift/general/general_network_separation/rule.yml index b581cc92c4d..8144cfc3ffa 100644 --- a/applications/openshift/general/general_network_separation/rule.yml +++ b/applications/openshift/general/general_network_separation/rule.yml @@ -9,9 +9,6 @@ description: |- rationale: |- Separation on a Network level might help to hinder lateral movement of an attacker and subsequently reduce the impact of an attack. It might also enable you to provide additional external network control (like firewalls). -references: - bsi: APP.4.4.A7 - severity: medium identifiers: 
diff --git a/applications/openshift/general/general_node_separation/rule.yml b/applications/openshift/general/general_node_separation/rule.yml index ec7f9850542..1e2e49bd723 100644 --- a/applications/openshift/general/general_node_separation/rule.yml +++ b/applications/openshift/general/general_node_separation/rule.yml @@ -12,9 +12,6 @@ description: |- rationale: |- Assigning workloads with high protection requirements to specific nodes creates and additional boundary (the node) between workloads of high protection requirements and workloads which might follow less strict requirements. An adversary which attacked a lighter protected workload now has additional obstacles for their movement towards the higher protected workloads. -references: - bsi: APP.4.4.A15 - severity: medium ocil_clause: 'Application placement on Nodes and Clusters needs review' diff --git a/applications/openshift/general/kubeadmin_removed/rule.yml b/applications/openshift/general/kubeadmin_removed/rule.yml index c97efa6d39a..93fcb721b73 100644 --- a/applications/openshift/general/kubeadmin_removed/rule.yml +++ b/applications/openshift/general/kubeadmin_removed/rule.yml @@ -22,7 +22,6 @@ identifiers: cce@ocp4: CCE-90387-2 references: - bsi: APP.4.4.A3 cis@ocp4: 3.1.1,5.1.1 nerc-cip: CIP-004-6 R2.2.2,CIP-004-6 R2.2.3,CIP-007-3 R.1.3,CIP-007-3 R2,CIP-007-3 R5,CIP-007-3 R5.1.1,CIP-007-3 R5.1.3,CIP-007-3 R5.2.1,CIP-007-3 R5.2.3,CIP-007-3 R6.1,CIP-007-3 R6.2,CIP-007-3 R6.3,CIP-007-3 R6.4 nist: AC-2(2),AC-2(7),AC-2(9),AC-2(10),AC-12(1),IA-2(5),MA-4,SC-12(1) diff --git a/applications/openshift/general/liveness_readiness_probe_in_workload/rule.yml b/applications/openshift/general/liveness_readiness_probe_in_workload/rule.yml index 40c5d783e2a..f2a6245c786 100644 --- a/applications/openshift/general/liveness_readiness_probe_in_workload/rule.yml +++ b/applications/openshift/general/liveness_readiness_probe_in_workload/rule.yml 
@@ -1,32 +1,29 @@ title: Ensure that all workloads have liveness and readiness probes description: |- - Configuring Kubernetes liveness and readiness probes is essential for ensuring the security and + Configuring Kubernetes liveness and readiness probes is essential for ensuring the security and reliability of a system. These probes actively monitor container health and readiness, facilitating - automatic actions like restarting or rescheduling unresponsive instances for improved reliability. - They play a proactive role in issue detection, allowing timely problem resolution and contribute + automatic actions like restarting or rescheduling unresponsive instances for improved reliability. + They play a proactive role in issue detection, allowing timely problem resolution and contribute to efficient scaling and traffic distribution. rationale: |- - Many applications running for long periods of time eventually transition to broken states, and + Many applications running for long periods of time eventually transition to broken states, and cannot recover except by being restarted. Kubernetes provides liveness probes to detect and remedy such situations. - Sometimes, applications are temporarily unable to serve traffic. For example, an application might + Sometimes, applications are temporarily unable to serve traffic. For example, an application might need to load large data or configuration files during startup, or depend on external services after - startup. In such cases, you don't want to kill the application, but you don't want to send it - requests either. Kubernetes provides readiness probes to detect and mitigate these situations. - A pod with containers reporting that they are not ready does not receive traffic through Kubernetes + startup. In such cases, you don't want to kill the application, but you don't want to send it + requests either. Kubernetes provides readiness probes to detect and mitigate these situations. 
+ A pod with containers reporting that they are not ready does not receive traffic through Kubernetes Services. -references: - bsi: APP.4.4.A11 - severity: medium ocil_clause: 'Liveness or readiness probe is not set' ocil: |- - Run the following command to retrieve a list of deployments, daemonsets and statefulsets that + Run the following command to retrieve a list of deployments, daemonsets and statefulsets that do not have liveness or readiness probes set for their containers:
$ oc get deployments,statefulsets,daemonsets --all-namespaces -o json | jq '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select( .spec.template.spec.containers[].readinessProbe != null and .spec.template.spec.containers[].livenessProbe != null ) | "\(.kind): \(.metadata.namespace)/\(.metadata.name)" ] | unique'diff --git a/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml b/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml index 5282464314a..fb5bd9353e6 100644 --- a/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml +++ b/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml @@ -35,7 +35,6 @@ rationale: |- severity: medium references: - bsi: APP.4.4.A3 cis@eks: 3.2.1 cis@ocp4: 4.2.2 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 diff --git a/applications/openshift/networking/configure_network_policies/rule.yml b/applications/openshift/networking/configure_network_policies/rule.yml index ddcfc176714..e30efa56270 100644 --- a/applications/openshift/networking/configure_network_policies/rule.yml +++ b/applications/openshift/networking/configure_network_policies/rule.yml @@ -17,7 +17,6 @@ rationale: |- severity: high references: - bsi: APP.4.4.A7 cis@ocp4: 5.3.1 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 nist: CM-6,CM-6(1) diff --git a/applications/openshift/networking/configure_network_policies_namespaces/rule.yml b/applications/openshift/networking/configure_network_policies_namespaces/rule.yml index beda6190b2d..3804944cae5 100644 --- a/applications/openshift/networking/configure_network_policies_namespaces/rule.yml +++ b/applications/openshift/networking/configure_network_policies_namespaces/rule.yml 
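Review bot: The rewritten `Run the following command to retrieve a list of deployments, daemonsets and statefulsets that` / `do not have liveness or readiness probes set for their containers:` lines describe a command that lists workloads lacking probes, but the `jq` filter on the unchanged line below them selects `.readinessProbe != null and .livenessProbe != null`, which keeps the workloads that do have both probes, the opposite of the `ocil_clause` text `Liveness or readiness probe is not set`. That filter line is context rather than part of this commit, but since the sentence introducing it is being rewritten here, aligning the two would stop an auditor from acting on an inverted result: `select( .spec.template.spec.containers[].readinessProbe == null or .spec.template.spec.containers[].livenessProbe == null )`. The iteration over `containers[]` inside the condition emits one result per container, which the trailing `unique` already collapses, so the corrected form keeps that part of the behaviour.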
@@ -17,7 +17,6 @@ rationale: |- severity: high references: - bsi: APP.4.4.A7 cis@eks: 4.3.2 cis@ocp4: 5.3.2 nerc-cip: CIP-003-8 R4,CIP-003-8 R4.2,CIP-003-8 R5,CIP-003-8 R6,CIP-004-6 R2.2.4,CIP-004-6 R3,CIP-007-3 R2,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R6.1 @@ -47,7 +46,7 @@ ocil: |- following command {{{ ocil_oc_pipe_jq_filter('networkpolicies', networkpolicies_for_non_ctlplane_namespaces_filter, all_namespaces=true) }}} Namespaces matching the variable ocp4-var-network-policies-namespaces-exempt-regex regex are excluded from this check. - + Make sure that the namespaces displayed in the commands of the commands match. warnings: diff --git a/applications/openshift/networking/project_config_and_template_network_policy/rule.yml b/applications/openshift/networking/project_config_and_template_network_policy/rule.yml index 7aa79373244..72775ae6661 100644 --- a/applications/openshift/networking/project_config_and_template_network_policy/rule.yml +++ b/applications/openshift/networking/project_config_and_template_network_policy/rule.yml @@ -58,7 +58,6 @@ identifiers: cce@ocp4: CCE-86070-0 references: - bsi: APP.4.4.A7 srg: SRG-APP-000039-CTR-000110 warnings: diff --git a/applications/openshift/rbac/rbac_least_privilege/rule.yml b/applications/openshift/rbac/rbac_least_privilege/rule.yml index 5dce32016e2..277343e6e3b 100644 --- a/applications/openshift/rbac/rbac_least_privilege/rule.yml +++ b/applications/openshift/rbac/rbac_least_privilege/rule.yml 
@@ -26,7 +26,6 @@ identifiers: cce@ocp4: CCE-90678-4 references: - bsi: APP.4.4.A3,APP.4.4.A7,APP.4.4.A9 cis@ocp4: 5.2.10 nist: AC-3,CM-5(6),IA-2,IA-2(5),AC-6(10),CM-11(2),CM-5(1),CM-7(5)(b) srg: SRG-APP-000033-CTR-000090,SRG-APP-000033-CTR-000095,SRG-APP-000033-CTR-000100,SRG-APP-000133-CTR-000290,SRG-APP-000133-CTR-000295,SRG-APP-000133-CTR-000300,SRG-APP-000133-CTR-000305,SRG-APP-000133-CTR-000310,SRG-APP-000148-CTR-000350,SRG-APP-000153-CTR-000375,SRG-APP-000340-CTR-000770,SRG-APP-000378-CTR-000880,SRG-APP-000378-CTR-000885,SRG-APP-000378-CTR-000890,SRG-APP-000380-CTR-000900,SRG-APP-000386-CTR-000920 diff --git a/applications/openshift/rbac/rbac_wildcard_use/rule.yml b/applications/openshift/rbac/rbac_wildcard_use/rule.yml index 2778d8061ae..9e589e15bce 100644 --- a/applications/openshift/rbac/rbac_wildcard_use/rule.yml +++ b/applications/openshift/rbac/rbac_wildcard_use/rule.yml @@ -20,7 +20,6 @@ rationale: |- severity: medium references: - bsi: APP.4.4.A9 cis@ocp4: 5.1.3 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 nist: CM-6,CM-6(1) diff --git a/applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml b/applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml index 8e8b2ca47a6..cbb7dc2feb3 100644 --- a/applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml +++ b/applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml @@ -30,7 +30,6 @@ identifiers: cce@ocp4: CCE-86235-9 references: - bsi: APP.4.4.A12 cis@ocp4: '5.5.1' nist: CM-5(3) srg: SRG-APP-000014-CTR-000035 diff --git a/applications/openshift/registry/ocp_insecure_registries/rule.yml b/applications/openshift/registry/ocp_insecure_registries/rule.yml index 9407e34646d..955b671d287 100644 --- a/applications/openshift/registry/ocp_insecure_registries/rule.yml +++ b/applications/openshift/registry/ocp_insecure_registries/rule.yml 
@@ -26,7 +26,6 @@ identifiers: cce@ocp4: CCE-86123-7 references: - bsi: APP.4.4.A12 cis@ocp4: '5.5.1' nist: CM-5(3) srg: SRG-APP-000014-CTR-000035 diff --git a/applications/openshift/risk-assessment/scansetting_has_autoapplyremediations/rule.yml b/applications/openshift/risk-assessment/scansetting_has_autoapplyremediations/rule.yml index 6d065facce2..cbcf36c1fdf 100644 --- a/applications/openshift/risk-assessment/scansetting_has_autoapplyremediations/rule.yml +++ b/applications/openshift/risk-assessment/scansetting_has_autoapplyremediations/rule.yml @@ -26,9 +26,6 @@ ocil: |- filter will return at least one 'true'. Run the following jq query to identify the non-compliant scansettings objects:
oc get scansettings -ojson | jq -r '[.items[] | select(.autoApplyRemediation != "" or .autoApplyRemediation != null) | .metadata.name]'-references: - bsi: APP.4.4.A13 - severity: medium warnings: diff --git a/applications/openshift/risk-assessment/scansettingbinding_exists/rule.yml b/applications/openshift/risk-assessment/scansettingbinding_exists/rule.yml index a75346dc09f..1f2b34c6e04 100644 --- a/applications/openshift/risk-assessment/scansettingbinding_exists/rule.yml +++ b/applications/openshift/risk-assessment/scansettingbinding_exists/rule.yml @@ -17,7 +17,6 @@ identifiers: cce@ocp4: CCE-83697-3 references: - bsi: APP.4.4.A13 nerc-cip: CIP-003-8 R1.3,CIP-003-8 R4.3,CIP-003-8 R6,CIP-004-6 4.1,CIP-004-6 4.2,CIP-004-6 R3,CIP-004-6 R4,CIP-004-6 R4.2,CIP-005-6 R1,CIP-005-6 R1.1,CIP-005-6 R1.2,CIP-007-3 R3,CIP-007-3 R3.1,CIP-007-3 R6.1,CIP-007-3 R8.4 nist: CM-6,CM-6(1),RA-5,RA-5(5),SA-4(8) pcidss: Req-2.2.4 diff --git a/applications/openshift/risk-assessment/scansettings_have_schedule/rule.yml b/applications/openshift/risk-assessment/scansettings_have_schedule/rule.yml index df1248a4866..0f9444ea424 100644 --- a/applications/openshift/risk-assessment/scansettings_have_schedule/rule.yml +++ b/applications/openshift/risk-assessment/scansettings_have_schedule/rule.yml @@ -18,7 +18,6 @@ identifiers: cce@ocp4: CCE-90762-6 references: - bsi: APP.4.4.A13 nist: SI-6(b) srg: SRG-APP-000473-CTR-001175 diff --git a/applications/openshift/scc/scc_drop_container_capabilities/rule.yml b/applications/openshift/scc/scc_drop_container_capabilities/rule.yml index e883fb90269..7ed4e5dfde8 100644 --- a/applications/openshift/scc/scc_drop_container_capabilities/rule.yml +++ b/applications/openshift/scc/scc_drop_container_capabilities/rule.yml @@ -20,7 +20,6 @@ rationale: |- severity: medium references: - bsi: APP.4.4.A9 cis@ocp4: 5.2.9 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 nist: CM-6,CM-6(1) 
diff --git a/applications/openshift/scc/scc_limit_container_allowed_capabilities/rule.yml b/applications/openshift/scc/scc_limit_container_allowed_capabilities/rule.yml index 38751948fe3..647e58743cb 100644 --- a/applications/openshift/scc/scc_limit_container_allowed_capabilities/rule.yml +++ b/applications/openshift/scc/scc_limit_container_allowed_capabilities/rule.yml @@ -50,7 +50,6 @@ rationale: |- severity: medium references: - bsi: APP.4.4.A9 cis@ocp4: 5.2.8 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 nist: CM-6,CM-6(1) diff --git a/applications/openshift/scc/scc_limit_host_dir_volume_plugin/rule.yml b/applications/openshift/scc/scc_limit_host_dir_volume_plugin/rule.yml index 2a1f2bb877e..a647219e09f 100644 --- a/applications/openshift/scc/scc_limit_host_dir_volume_plugin/rule.yml +++ b/applications/openshift/scc/scc_limit_host_dir_volume_plugin/rule.yml @@ -21,7 +21,6 @@ identifiers: cce@ocp4: CCE-86255-7 references: - bsi: APP.4.4.A4,APP.4.4.A9 cis@ocp4: 5.2.12 nist: AC-6,AC-6(1) srg: SRG-APP-000142-CTR-000330 diff --git a/applications/openshift/scc/scc_limit_host_ports/rule.yml b/applications/openshift/scc/scc_limit_host_ports/rule.yml index a211cb16e0e..c015e319d07 100644 --- a/applications/openshift/scc/scc_limit_host_ports/rule.yml +++ b/applications/openshift/scc/scc_limit_host_ports/rule.yml @@ -24,7 +24,6 @@ identifiers: cce@ocp4: CCE-86205-2 references: - bsi: APP.4.4.A9 nist: CM-6,CM-6(1) srg: SRG-APP-000142-CTR-000330 diff --git a/applications/openshift/scc/scc_limit_ipc_namespace/rule.yml b/applications/openshift/scc/scc_limit_ipc_namespace/rule.yml index e8bc677ac73..4b4c512716d 100644 --- a/applications/openshift/scc/scc_limit_ipc_namespace/rule.yml +++ b/applications/openshift/scc/scc_limit_ipc_namespace/rule.yml @@ -21,7 +21,6 @@ identifiers: cce@ocp4: CCE-84042-1 references: - bsi: APP.4.4.A4,APP.4.4.A9 cis@ocp4: 5.2.3 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 nist: CM-6,CM-6(1) 
diff --git a/applications/openshift/scc/scc_limit_net_raw_capability/rule.yml b/applications/openshift/scc/scc_limit_net_raw_capability/rule.yml index 2548821254d..9404c6e5414 100644 --- a/applications/openshift/scc/scc_limit_net_raw_capability/rule.yml +++ b/applications/openshift/scc/scc_limit_net_raw_capability/rule.yml @@ -19,7 +19,6 @@ rationale: |- severity: medium references: - bsi: APP.4.4.A4,APP.4.4.A9 cis@ocp4: 5.2.7 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 nist: CM-6,CM-6(1) diff --git a/applications/openshift/scc/scc_limit_network_namespace/rule.yml b/applications/openshift/scc/scc_limit_network_namespace/rule.yml index bdc31e9a228..91c795a992d 100644 --- a/applications/openshift/scc/scc_limit_network_namespace/rule.yml +++ b/applications/openshift/scc/scc_limit_network_namespace/rule.yml @@ -21,7 +21,6 @@ identifiers: cce@ocp4: CCE-83492-9 references: - bsi: APP.4.4.A4,APP.4.4.A9 cis@ocp4: 5.2.4 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 nist: CM-6,CM-6(1) diff --git a/applications/openshift/scc/scc_limit_privilege_escalation/rule.yml b/applications/openshift/scc/scc_limit_privilege_escalation/rule.yml index fdb33fc2bf5..4d194c37b43 100644 --- a/applications/openshift/scc/scc_limit_privilege_escalation/rule.yml +++ b/applications/openshift/scc/scc_limit_privilege_escalation/rule.yml @@ -22,7 +22,6 @@ identifiers: cce@ocp4: CCE-83447-3 references: - bsi: APP.4.4.A9 cis@ocp4: 5.2.5 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 nist: CM-6,CM-6(1) diff --git a/applications/openshift/scc/scc_limit_privileged_containers/rule.yml b/applications/openshift/scc/scc_limit_privileged_containers/rule.yml index 763a3807215..bd6c5e43072 100644 --- a/applications/openshift/scc/scc_limit_privileged_containers/rule.yml +++ b/applications/openshift/scc/scc_limit_privileged_containers/rule.yml 
@@ -18,7 +18,6 @@ rationale: |- severity: medium references: - bsi: APP.4.4.A4,APP.4.4.A9 cis@ocp4: 5.2.1 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 nist: CM-6,CM-6(1) diff --git a/applications/openshift/scc/scc_limit_process_id_namespace/rule.yml b/applications/openshift/scc/scc_limit_process_id_namespace/rule.yml index 3b6b459d74e..44e38b05edf 100644 --- a/applications/openshift/scc/scc_limit_process_id_namespace/rule.yml +++ b/applications/openshift/scc/scc_limit_process_id_namespace/rule.yml @@ -17,7 +17,6 @@ rationale: |- severity: medium references: - bsi: APP.4.4.A4,APP.4.4.A9 cis@ocp4: 5.2.2 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 nist: CM-6,CM-6(1) diff --git a/applications/openshift/scc/scc_limit_root_containers/rule.yml b/applications/openshift/scc/scc_limit_root_containers/rule.yml index 29c4ca3ed4b..df5727c4cd2 100644 --- a/applications/openshift/scc/scc_limit_root_containers/rule.yml +++ b/applications/openshift/scc/scc_limit_root_containers/rule.yml @@ -25,7 +25,6 @@ rationale: |- severity: medium references: - bsi: APP.4.4.A4,APP.4.4.A9 cis@ocp4: 5.2.6 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 nist: CM-6,CM-6(1) diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml index 9b55dec984e..809f8023c5e 100644 --- a/controls/bsi_app_4_4.yml +++ b/controls/bsi_app_4_4.yml @@ -18,6 +18,8 @@ levels: inherits_from: - standard +reference_type: bsi + controls: - id: APP.4.4.A1 title: Planning the Separation of the Applications diff --git a/linux_os/guide/system/selinux/coreos_enable_selinux_kernel_argument/rule.yml b/linux_os/guide/system/selinux/coreos_enable_selinux_kernel_argument/rule.yml index 15804c10fa8..23972e5939d 100644 --- a/linux_os/guide/system/selinux/coreos_enable_selinux_kernel_argument/rule.yml +++ b/linux_os/guide/system/selinux/coreos_enable_selinux_kernel_argument/rule.yml 
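Review bot: With `reference_type: bsi` added, the `bsi:` references this commit deletes from 37 rule files presumably come from the control ids each rule is listed under, but the hunk shows only `APP.4.4.A1`, so whether every deleted reference is reproduced cannot be checked here; a before/after comparison of the rendered references for the affected profile would close that gap. The rules that lose a multi-valued reference are the ones where a rule missing from one of the control lists would go unnoticed: `rbac_least_privilege` drops `APP.4.4.A3,APP.4.4.A7,APP.4.4.A9`, and seven SCC rules (`scc_limit_host_dir_volume_plugin`, `scc_limit_ipc_namespace`, `scc_limit_net_raw_capability`, `scc_limit_network_namespace`, `scc_limit_privileged_containers`, `scc_limit_process_id_namespace`, `scc_limit_root_containers`) drop `APP.4.4.A4,APP.4.4.A9`. A one-line comment above the new key would tell the next contributor not to reintroduce per-rule entries, e.g. `# bsi references are derived from the control ids below; do not add bsi: entries to rule.yml files`. The `controls:` list continues beyond the hunk.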
@@ -19,7 +19,6 @@ identifiers: cce@rhcos4: CCE-83899-5 references: - bsi: APP.4.4.A4 cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9 cobit5: APO01.06,APO11.04,APO13.01,BAI03.05,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.03,DSS06.06,MEA02.01 cui: 3.1.2,3.7.2 diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml index 89a14423ab8..67579503d89 100644 --- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml +++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml @@ -35,7 +35,6 @@ identifiers: cce@sle15: CCE-91445-7 references: - bsi: APP.4.4.A4 cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9 cobit5: APO01.06,APO11.04,APO13.01,BAI03.05,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.03,DSS06.06,MEA02.01 cui: 3.1.2,3.7.2 diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml index f53f6bae929..5c6ac289464 100644 --- a/linux_os/guide/system/selinux/selinux_state/rule.yml +++ b/linux_os/guide/system/selinux/selinux_state/rule.yml @@ -28,7 +28,6 @@ identifiers: cce@sle15: CCE-91446-5 references: - bsi: APP.4.4.A4 cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9 cobit5: APO01.06,APO11.04,APO13.01,BAI03.05,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.03,DSS06.06,MEA02.01 cui: 3.1.2,3.7.2