Refined controls for BSI APP.4.4.A17 according to review
benruland committed Oct 4, 2024
1 parent 17a5afb commit 669bfd2
Showing 26 changed files with 2 additions and 27 deletions.
Expand Up @@ -38,7 +38,6 @@ rationale: |-
severity: medium

references:
bsi: APP.4.4.A17
cis@ocp4: 1.2.29
nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
nist: SC-8,SC-8(1),SC-8(2)
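Review bot: nothing in this hunk or in the commit title records why the rule stops counting toward APP.4.4.A17; the `references:` block shrinks from 7 lines to 6 (`@@ -38,7 +38,6 @@`) and "according to review" is the only explanation given. The rule keeps its transport-protection mappings (`nist: SC-8,SC-8(1),SC-8(2)`), so a sentence in the commit body naming the review finding behind the change would let a later auditor tell a deliberate scope decision from an accidental deletion. This rendering has lost its +/- markers, so the dropped line is inferred from the title to be `bsi: APP.4.4.A17`.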
Expand Up @@ -25,7 +25,6 @@ rationale: |-
severity: medium

references:
bsi: APP.4.4.A17
cis: 1.2.4
nerc-cip: CIP-003-8 R4.2,CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R5.1,CIP-007-3 R6.1
nist: CM-6,CM-6(1),SC-8,SC-8(1)
Expand Up @@ -39,7 +39,6 @@ platforms:
severity: high

references:
bsi: APP.4.4.A17
cis@ocp4: 1.2.5
nerc-cip: CIP-003-8 R4.2,CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R5.1,CIP-007-3 R6.1
nist: CM-6,CM-6(1),SC-8,SC-8(1)
Expand Up @@ -39,7 +39,6 @@ platforms:
severity: high

references:
bsi: APP.4.4.A17
cis@ocp4: 1.2.5
nerc-cip: CIP-003-8 R4.2,CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R5.1,CIP-007-3 R6.1
nist: CM-6,CM-6(1),SC-8,SC-8(1)
Expand Up @@ -39,7 +39,6 @@ identifiers:
severity: medium

references:
bsi: APP.4.4.A17
cis@ocp4: 1.2.28
nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
nist: SC-8,SC-8(1),SC-8(2)
Expand Up @@ -38,7 +38,6 @@ rationale: |-
severity: medium

references:
bsi: APP.4.4.A17
cis@ocp4: 1.2.32
nist: CM-6
pcidss: Req-2.2,Req-2.2.3,Req-2.3
Expand Up @@ -39,7 +39,6 @@ identifiers:
severity: medium

references:
bsi: APP.4.4.A17
cis@ocp4: 1.2.28
nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
nist: SC-8,SC-8(1),SC-8(2)
Expand Up @@ -46,7 +46,6 @@ identifiers:
cce@ocp4: CCE-83724-5

references:
bsi: APP.4.4.A17
cis@eks: 3.2.3
cis@ocp4: 4.2.4
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
Expand Up @@ -30,7 +30,6 @@ platforms:
- (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16 or ocp4.17) and not ocp4-on-hypershift-hosted

references:
bsi: APP.4.4.A17
cis@ocp4: 4.2.9
nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
nist: SC-8,SC-8(1),SC-8(2)
Expand Up @@ -30,7 +30,6 @@ platforms:
- (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16 or ocp4.17) and not ocp4-on-hypershift-hosted

references:
bsi: APP.4.4.A17
cis@ocp4: 4.2.9
nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
nist: SC-8,SC-8(1),SC-8(2)
Expand Up @@ -71,7 +71,6 @@ identifiers:
cce@ocp4: CCE-86623-6

references:
bsi: APP.4.4.A17
nist: SC-8,SC-8(1)
srg: SRG-APP-000014-CTR-000040,SRG-APP-000560-CTR-001340

Expand Up @@ -23,7 +23,6 @@ identifiers:
cce@ocp4: CCE-84233-6

references:
bsi: APP.4.4.A17
cis@eks: 3.1.4
cis@ocp4: 4.1.6
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
Expand Up @@ -18,7 +18,6 @@ identifiers:
cce@ocp4: CCE-83440-8

references:
bsi: APP.4.4.A17
cis@ocp4: 4.1.8
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
Expand Up @@ -18,7 +18,6 @@ identifiers:
cce@ocp4: CCE-83409-3

references:
bsi: APP.4.4.A17
cis@ocp4: 4.1.10
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
Expand Up @@ -20,7 +20,6 @@ identifiers:
cce@ocp4: CCE-83975-3

references:
bsi: APP.4.4.A17
cis@ocp4: 4.1.2
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
1 change: 0 additions & 1 deletion applications/openshift/worker/file_owner_kubelet/rule.yml
Expand Up @@ -20,7 +20,6 @@ identifiers:
cce@ocp4: CCE-85900-9

references:
bsi: APP.4.4.A17
cis@ocp4: 4.1.6
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
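Review bot: once the BSI key is gone from this `references:` block, the visible context ties file_owner_kubelet only to `cis@ocp4: 4.1.6`, `nerc-cip` and `nist: CM-6,CM-6(1)`, so nothing in rule.yml links the rule to BSI any more. If kubelet file ownership is still meant to be assessed for the BSI profile, map it in the same change to whichever APP.4.4 requirement the review considered the right home; if it is intentionally out of scope, say so in the control's `notes:`.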
Expand Up @@ -24,7 +24,6 @@ identifiers:
cce@ocp4: CCE-83976-1

references:
bsi: APP.4.4.A17
cis@eks: 3.1.4
cis@ocp4: 4.1.6
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
Expand Up @@ -18,7 +18,6 @@ identifiers:
cce@ocp4: CCE-83495-2

references:
bsi: APP.4.4.A17
cis@ocp4: 4.1.8
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
Expand Up @@ -18,7 +18,6 @@ identifiers:
cce@ocp4: CCE-83408-5

references:
bsi: APP.4.4.A17
cis@eks: 3.1.2
cis@ocp4: 4.1.10
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
Expand Up @@ -20,7 +20,6 @@ identifiers:
cce@ocp4: CCE-84193-2

references:
bsi: APP.4.4.A17
cis@ocp4: 4.1.2
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
Expand Up @@ -23,7 +23,6 @@ identifiers:
cce@ocp4: CCE-85896-9

references:
bsi: APP.4.4.A17
cis@ocp4: 4.1.5
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
Expand Up @@ -26,7 +26,6 @@ identifiers:
cce@ocp4: CCE-83470-5

references:
bsi: APP.4.4.A17
cis@eks: 3.1.3
cis@ocp4: 4.1.5
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
Expand Up @@ -20,7 +20,6 @@ identifiers:
cce@ocp4: CCE-83493-7

references:
bsi: APP.4.4.A17
cis@ocp4: 4.1.7
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
Expand Up @@ -29,7 +29,6 @@ identifiers:
cce@ocp4: CCE-83509-0

references:
bsi: APP.4.4.A17
cis@eks: 3.1.1
cis@ocp4: 4.1.9
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
Expand Up @@ -21,7 +21,6 @@ identifiers:
cce@ocp4: CCE-83455-6

references:
bsi: APP.4.4.A17
cis@ocp4: 4.1.1
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
4 changes: 2 additions & 2 deletions controls/bsi_app_4_4.yml
Expand Up @@ -414,8 +414,8 @@ controls:
levels:
- elevated
description: >-
Nodes SHOULD send a cryptographically secured (and, if possible, TPM-verified) status
message to the control plane. The control plane SHOULD ONLY accept nodes into a cluster
(1) Nodes SHOULD send a cryptographically secured (and, if possible, TPM-verified) status
message to the control plane. (2) The control plane SHOULD ONLY accept nodes into a cluster
that have successfully proven their integrity.
notes: >-
OpenShift Nodes are using Red Hat CoreOS (RHCOS) by default, an immutable operating system.
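Review bot: the description now numbers its two sentences (1) and (2), but the first visible line of `notes:` ("OpenShift Nodes are using Red Hat CoreOS ...") is not keyed to either number; answering (1) and (2) separately there would show which half of the requirement RHCOS immutability is claimed to address. Also, the file summary gives 2 additions and 2 deletions for controls/bsi_app_4_4.yml against 27 deletions overall, so any `rules:` list or `status:` on this control is untouched by the commit while 25 rule files each lose a reference line; confirm the control's rule selection already matches that.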