From a6eb671cce141ac86967ccfbde27b2bd051d6e9f Mon Sep 17 00:00:00 2001 From: sluetze <13255307+sluetze@users.noreply.github.com> Date: Tue, 16 Jul 2024 11:34:25 +0200 Subject: [PATCH 1/6] add automatic referencing --- controls/bsi_sys_1_6.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/controls/bsi_sys_1_6.yml b/controls/bsi_sys_1_6.yml index 0533a012f77..01a3bd86557 100644 --- a/controls/bsi_sys_1_6.yml +++ b/controls/bsi_sys_1_6.yml @@ -18,6 +18,8 @@ levels: inherits_from: - standard +reference_type: bsi + controls: - id: SYS.1.6.A1 title: Planning Container Use From 156dc3eb3a877bd5ba1fa0f477c352f492bc5af3 Mon Sep 17 00:00:00 2001 From: sluetze <13255307+sluetze@users.noreply.github.com> Date: Tue, 16 Jul 2024 11:35:23 +0200 Subject: [PATCH 2/6] Defined notes and rules for BSI SYS.1.6.A1 --- controls/bsi_sys_1_6.yml | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/controls/bsi_sys_1_6.yml b/controls/bsi_sys_1_6.yml index 01a3bd86557..e4c47bd0774 100644 --- a/controls/bsi_sys_1_6.yml +++ b/controls/bsi_sys_1_6.yml 
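Review bot: `reference_type: bsi` presumably tells the build to derive each rule's BSI reference from the control ids a rule is listed under, and patch 6/6 of this series drops the hand-written `bsi:` entries from the rule files on that basis. That only keeps the references intact if every rule that loses a manual entry (for example `etcd_backup` and `general_backup_solution_installed`, which lose APP.4.4.A5, and `rbac_least_privilege`, which loses three ids) is listed under the matching control in this file or in `controls/bsi_app_4_4.yml`; the diff does not show those rule lists, so that mapping is worth checking before the manual entries go. A comment next to the key, `# rule references are generated from the control ids the rules are listed under`, would make the dependency visible to the next editor.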
@@ -26,22 +26,25 @@ controls: levels: - basic description: >- - Before containers are deployed, the goal of such a deployment (e.g. scaling, availability, + (1) Before containers are deployed, the goal of such a deployment (e.g. scaling, availability, disposable containers for safety or CI/CD) SHOULD be determined so that all the security- - related aspects of installation, operation, and decommissioning can be planned. The planning - SHOULD also take into account the operational overhead resulting from container - deployment or mixed operation. The planning MUST be adequately documented + related aspects of installation, operation, and decommissioning can be planned. + (2) The planning SHOULD also take into account the operational overhead resulting from container + deployment or mixed operation. + (3) The planning MUST be adequately documented notes: >- - This requirement can not be checked + This requirement must be implemented organizationally. + OpenShift supports all of the goals mentioned. Comprehensive handouts are available to carry + out and document the planning of container use, security and compliance, architecture and + installation on OpenShift (see https://www.redhat.com/en/resources/openshift-security-guide-ebook) status: manual - #rules: - id: SYS.1.6.A2 title: Container Management Planning levels: - basic description: >- - The management of containers MUST ONLY be carried out in line with appropriate planning. + (1) The management of containers MUST ONLY be carried out in line with appropriate planning. This planning MUST cover the entire lifecycle from commissioning to decommissioning, including operation and updates. When planning container management, it MUST be taken into account that the creator of a container is to be considered like an administrator due to the From 683dba2b7b7395bbcecd7ba0e78eba9bc975a396 Mon Sep 17 00:00:00 2001 
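Review bot: The description now numbers its sentences (1)–(3), but the rewritten notes do not say which numbered part they address, whereas the A2 and A3 notes in the following patches use `Section N:` labels; for consistency the first line could read `Section 1-3: This requirement must be implemented organizationally.` The `>-` scalar folds the guide-reference sentence into the same line as the preceding text, so a blank line is needed if it is meant to stand as its own paragraph, as the later notes do; the A2 description continues past the end of this hunk.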
From: sluetze <13255307+sluetze@users.noreply.github.com> Date: Tue, 16 Jul 2024 11:42:41 +0200 Subject: [PATCH 3/6] Defined notes and rules for BSI SYS.1.6.A2 --- controls/bsi_sys_1_6.yml | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/controls/bsi_sys_1_6.yml b/controls/bsi_sys_1_6.yml index e4c47bd0774..a8279b071a1 100644 --- a/controls/bsi_sys_1_6.yml +++ b/controls/bsi_sys_1_6.yml 
@@ -45,15 +45,24 @@ controls: - basic description: >- (1) The management of containers MUST ONLY be carried out in line with appropriate planning. - This planning MUST cover the entire lifecycle from commissioning to decommissioning, - including operation and updates. When planning container management, it MUST be taken + (2) This planning MUST cover the entire lifecycle from commissioning to decommissioning, + including operation and updates. (3) When planning container management, it MUST be taken into account that the creator of a container is to be considered like an administrator due to the effects they have on parts of the operation. - Containers MUST be started, stopped, and monitored via the management software used. + (4) Containers MUST be started, stopped, and monitored via the management software used. notes: >- - ToDo + This requirement must be implemented organizationally. + Through OpenShift GitOps, OpenShift technically supports this requirement with a standardized + approach to deployment, change handling and deprovisioning via kustomize or Helm charts. + OpenShift provides further support through operator-based applications and platform management + that automates the processes of commissioning, decommissioning and updates. + + Section 4: Start, stop and monitoring is a basic function of OpenShift. It is not possible to + bypass the OpenShift methods to start and stop without manually connecting to a Container Host. + For monitoring purposes, OpenShift itself offers Prometheus-based monitoring. + Using Advanced Cluster Security for Kubernetes (ACS), policy-based rules can also be used to + monitor the containers. status: manual - #rules: - id: SYS.1.6.A3 title: Secure Use of Containerised IT Systems From 7d2d4703b7e88ad659124a2d5d7815c851e8cf1a Mon Sep 17 00:00:00 2001 
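Review bot: The Section 4 note states that the OpenShift start/stop path cannot be bypassed `without manually connecting to a Container Host`, which only holds while direct access to the hosts is itself restricted; I would phrase it as a condition rather than an absolute, e.g. `Bypassing the OpenShift methods to start and stop requires direct access to a Container Host, which must be restricted separately.` The remaining notes read well, and the blank line before `Section 4:` inside the `>-` scalar gives the intended paragraph break, matching the A3 notes.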
From: sluetze <13255307+sluetze@users.noreply.github.com> Date: Tue, 16 Jul 2024 11:53:30 +0200 Subject: [PATCH 4/6] Defined notes and rules for BSI SYS.1.6.A3 --- controls/bsi_sys_1_6.yml | 64 ++++++++++++++++++++++++++++++++-------- 1 file changed, 52 insertions(+), 12 deletions(-) diff --git a/controls/bsi_sys_1_6.yml b/controls/bsi_sys_1_6.yml index a8279b071a1..2f8120661cb 100644 --- a/controls/bsi_sys_1_6.yml +++ b/controls/bsi_sys_1_6.yml 
@@ -69,24 +69,64 @@ controls: levels: - basic description: >- - In the case of containerised IT systems, consideration MUST be given to how containerisation + (1) In the case of containerised IT systems, consideration MUST be given to how containerisation affects the IT systems and applications operated, in particular the management and suitability of the applications. - Based on the protection needs of the applications, it MUST be checked whether the + (2) Based on the protection needs of the applications, it MUST be checked whether the requirements for isolation and encapsulation of the containerised IT systems, virtual - networks, and operated applications are sufficiently fulfilled. The mechanisms of the - operating system in question SHOULD be included in this check. Since the host performs the + networks, and operated applications are sufficiently fulfilled. (3) The mechanisms of the + operating system in question SHOULD be included in this check. (4) Since the host performs the function of a network component for virtual networks, the modules of the sub-layers NET.1 - Networks and NET.3 Network Components MUST be considered accordingly. Logical and - overlay networks MUST also be considered and modelled. Furthermore, the containerised IT + Networks and NET.3 Network Components MUST be considered accordingly. (5) Logical and + overlay networks MUST also be considered and modelled. (6) Furthermore, the containerised IT systems used MUST meet the requirements at hand regarding availability and data - throughput. - During operation, the performance and the state of the containerised IT systems SHOULD be - monitored (health checks). + throughput.(7) During operation, the performance and the state of the containerised IT systems + SHOULD be monitored (health checks). notes: >- - ToDo - status: manual - #rules: + Section 1: This requirement must be implemented organizationally. + Note: This requirement is actively supported by OpenShift. 
For example, OpenShift does not + allow applications with fixed UID/GID settings as standard; on the contrary, these IDs are + assigned dynamically (security-by-design). The behavior can be adjusted by administrators, + for example for system tasks. + + Section 2: This requirement must be implemented organizationally. + Note: OpenShift supports the requirements through strict client separation based on a “Project” + (an extension to the Kubernetes namespace). The containers are separated from each other and + from the host system via cgroups using SELinux. As long as all applications run “restricted” + in the Security Context Constraint (SCC), OpenShift maintains strict client separation. + + Section 3: This requirement must be implemented organizationally. + OpenShift supports this requirement by leveraging SELinux with its cgroups to create the container sandbox. + + Section 4: This requirement must be implemented organizationally. + + Section 5: This requirement must be implemented organizationally. + Note: OpenShift supports different network infrastructures via the CNI plugin interface + (e.g. OVN-Kubernetes, OpenShift-SDN, hardware networks etc.) OVN-Kubernetes, hardware networks etc.) + The underlying network is abstracted by the network model in Openshift and usage is consistent + across containers. This allows OpenShift to uniformly implement network security features such + as: Firewall rules over network policies. + + Section 6: This requirement must be implemented organizationally. + Note: OpenShift provides fine-grained metrics for external capacity management via monitoring. + + Section 7: OpenShift offers automated checks for the availability and health of an application. + If the LivenessProbe (Health) repeatedly receives a negative result or is not reachable, the + affected pod with the container is restarted. Using ReadinessProbe, a container can control + whether it is ready to accept HTTP(S) based requests or not. 
+ Note: Monitoring is considered in APP.4.4.A11. + status: automated + rules: + # Section 2 + - general_namespace_separation + - general_node_separation + - general_network_separation + # Section 3: + - coreos_enable_selinux_kernel_argument + - selinux_state + - selinux_policytype + # Section 7 + - liveness_readiness_probe_in_workload - id: SYS.1.6.A4 title: Planning the Provision and Distribution of Images From 32c3d63ac87fecd5d0eafcedbc8e4e1ea3ecb42f Mon Sep 17 00:00:00 2001 From: sluetze <13255307+sluetze@users.noreply.github.com> Date: Tue, 16 Jul 2024 11:55:46 +0200 Subject: [PATCH 5/6] Defined notes and rules for BSI SYS.1.6.A4 --- controls/bsi_sys_1_6.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/controls/bsi_sys_1_6.yml b/controls/bsi_sys_1_6.yml index 2f8120661cb..5568f5ce0ee 100644 --- a/controls/bsi_sys_1_6.yml +++ b/controls/bsi_sys_1_6.yml @@ -136,9 +136,18 @@ controls: The process for the provision and distribution of images MUST be planned and appropriately documented. notes: >- - ToDo + This requirement must be implemented organizationally. + Note: OpenShift supports the requirement through the built-in functionalities and enables the + highest possible level of automation. On the one hand, CI/CD tools are delivered with OpenShift + pipelines and integrated into the platform. On the other hand, pre-configured build processes + based on Red Hat experience are available that are based on Source2Image and thus support + planning. + The built-in registry allows you to store images and other associated information, such as Helm + charts or SBOMs. + The abstractions available in Openshift allow the entire image distribution process to be + documented and controlled as code. This further allows the image distribution process to + be managed via OpenShift GitOps. status: manual - #rules: - id: SYS.1.6.A5 title: Separation of Administration and Access Networks for Containers 
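Review bot: The Section 5 note carries a copy-paste remnant on the new side, `(e.g. OVN-Kubernetes, OpenShift-SDN, hardware networks etc.) OVN-Kubernetes, hardware networks etc.)`, which should be cut down to `(e.g. OVN-Kubernetes, OpenShift-SDN, hardware networks etc.).`; the description also lost a space in `throughput.(7) During`. The Section 2 sentence `separated from each other and from the host system via cgroups using SELinux` mixes two mechanisms — cgroups limit resources, while SELinux labels together with kernel namespaces provide the isolation the sentence is about — so `via kernel namespaces and cgroups, enforced with SELinux` would be more accurate. With Sections 1, 4, 5 and 6 marked as organizational and only Sections 2, 3 and 7 backed by rules, the controls schema's `partial` status describes this control better than `status: automated`. Minor: the rule-list comments are inconsistent (`# Section 3:` has a trailing colon, the others do not).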
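Review bot: The new A4 note refers to `Source2Image`; the Red Hat tooling is spelled Source-to-Image (S2I), so `based on Source-to-Image (S2I)` would be the recognisable name. `Openshift` in `The abstractions available in Openshift` should be `OpenShift` to match the rest of the file (the same lowercase form appears in the A3 Section 5 note of the previous patch). Otherwise the manual status with no `rules:` entry is consistent with the organizational wording.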
From 32204e8ae32c7cfea2f21152a9de90588b7772ff Mon Sep 17 00:00:00 2001 From: sluetze <13255307+sluetze@users.noreply.github.com> Date: Tue, 16 Jul 2024 09:13:02 +0200 Subject: [PATCH 6/6] switch to automatic reference system --- .../rule.yml | 6 ++---- .../rule.yml | 7 ++----- .../rule.yml | 1 - .../accounts_unique_service_account/rule.yml | 1 - .../api_server_anonymous_auth/rule.yml | 1 - .../openshift/etcd/etcd_backup/rule.yml | 3 --- .../rule.yml | 3 --- .../general_namespace_separation/rule.yml | 3 --- .../general_network_separation/rule.yml | 3 --- .../general/general_node_separation/rule.yml | 3 --- .../general/kubeadmin_removed/rule.yml | 1 - .../rule.yml | 21 ++++++++----------- .../kubelet/kubelet_anonymous_auth/rule.yml | 1 - .../configure_network_policies/rule.yml | 1 - .../rule.yml | 3 +-- .../rule.yml | 1 - .../rbac/rbac_least_privilege/rule.yml | 1 - .../openshift/rbac/rbac_wildcard_use/rule.yml | 1 - .../rule.yml | 1 - .../registry/ocp_insecure_registries/rule.yml | 1 - .../rule.yml | 3 --- .../scansettingbinding_exists/rule.yml | 1 - .../scansettings_have_schedule/rule.yml | 1 - .../scc_drop_container_capabilities/rule.yml | 1 - .../rule.yml | 1 - .../scc_limit_host_dir_volume_plugin/rule.yml | 1 - .../scc/scc_limit_host_ports/rule.yml | 1 - .../scc/scc_limit_ipc_namespace/rule.yml | 1 - .../scc/scc_limit_net_raw_capability/rule.yml | 1 - .../scc/scc_limit_network_namespace/rule.yml | 1 - .../scc_limit_privilege_escalation/rule.yml | 1 - .../scc_limit_privileged_containers/rule.yml | 1 - .../scc_limit_process_id_namespace/rule.yml | 1 - .../scc/scc_limit_root_containers/rule.yml | 1 - controls/bsi_app_4_4.yml | 2 ++ .../rule.yml | 1 - .../selinux/selinux_policytype/rule.yml | 1 - .../system/selinux/selinux_state/rule.yml | 1 - 38 files changed, 16 insertions(+), 68 deletions(-) 
diff --git a/applications/openshift/accounts/accounts_no_clusterrolebindings_default_service_account/rule.yml b/applications/openshift/accounts/accounts_no_clusterrolebindings_default_service_account/rule.yml index 0970c2df91b..7585129582b 100644 --- a/applications/openshift/accounts/accounts_no_clusterrolebindings_default_service_account/rule.yml +++ b/applications/openshift/accounts/accounts_no_clusterrolebindings_default_service_account/rule.yml @@ -5,7 +5,7 @@ title: 'Ensure no ClusterRoleBindings set for default Service Account' description: |- Using the default service account prevents accurate application rights review and audit tracing. Instead of default, create - a new and unique service account and associate the required ClusterRoleBindings. + a new and unique service account and associate the required ClusterRoleBindings. rationale: |- Kubernetes provides a default service account which is used by @@ -20,8 +20,6 @@ severity: medium identifiers: {} -references: - bsi: APP.4.4.A9 {{% set jqfilter = '[.items[] | select ( .subjects[]?.name == "default" ) | select(.subjects[].namespace | startswith("kube-") or startswith("openshift-") | not) | .metadata.name ] | unique' %}} @@ -31,7 +29,7 @@ ocil: |- Run the following command to retrieve a list of ClusterRoleBindings that are associated to the default service account:
$ oc get clusterrolebindings -o json | jq '{{{ jqfilter }}}'
- There should be no ClusterRoleBindings associated with the the default service account + There should be no ClusterRoleBindings associated with the the default service account in any namespace. warnings: diff --git a/applications/openshift/accounts/accounts_no_rolebindings_default_service_account/rule.yml b/applications/openshift/accounts/accounts_no_rolebindings_default_service_account/rule.yml index 4726aa0471a..72d3ebe2a6f 100644 --- a/applications/openshift/accounts/accounts_no_rolebindings_default_service_account/rule.yml +++ b/applications/openshift/accounts/accounts_no_rolebindings_default_service_account/rule.yml @@ -5,7 +5,7 @@ title: 'Ensure no RoleBindings set for default Service Account' description: |- Using the default service account prevents accurate application rights review and audit tracing. Instead of default, create - a new and unique service account and associate the required RoleBindings. + a new and unique service account and associate the required RoleBindings. rationale: |- Kubernetes provides a default service account which is used by @@ -20,9 +20,6 @@ severity: medium identifiers: {} -references: - bsi: APP.4.4.A9 - {{% set jqfilter = '[.items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select ( .subjects[]?.name == "default" ) | .metadata.namespace + "/" + .metadata.name ] | unique' %}} ocil_clause: 'default service account is given permissions using RoleBindings' @@ -31,7 +28,7 @@ ocil: |- Run the following command to retrieve a list of RoleBindings that are associated to the default service account:
$ oc get rolebindings --all-namespaces -o json | jq '{{{ jqfilter }}}'
- There should be no RoleBindings associated with the the default service account + There should be no RoleBindings associated with the the default service account in any namespace. warnings: diff --git a/applications/openshift/accounts/accounts_restrict_service_account_tokens/rule.yml b/applications/openshift/accounts/accounts_restrict_service_account_tokens/rule.yml index fdb1062a7cb..d600683ecc0 100644 --- a/applications/openshift/accounts/accounts_restrict_service_account_tokens/rule.yml +++ b/applications/openshift/accounts/accounts_restrict_service_account_tokens/rule.yml @@ -17,7 +17,6 @@ rationale: |- severity: medium references: - bsi: APP.4.4.A9 cis@ocp4: 5.1.6 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 nist: CM-6,CM-6(1) diff --git a/applications/openshift/accounts/accounts_unique_service_account/rule.yml b/applications/openshift/accounts/accounts_unique_service_account/rule.yml index c0a0763a1dc..e50e7997c82 100644 --- a/applications/openshift/accounts/accounts_unique_service_account/rule.yml +++ b/applications/openshift/accounts/accounts_unique_service_account/rule.yml @@ -23,7 +23,6 @@ rationale: |- severity: medium references: - bsi: APP.4.4.A9 cis@ocp4: 5.1.5 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 nist: CM-6,CM-6(1) diff --git a/applications/openshift/api-server/api_server_anonymous_auth/rule.yml b/applications/openshift/api-server/api_server_anonymous_auth/rule.yml index 14dec34c936..e2f4dcf6701 100644 --- a/applications/openshift/api-server/api_server_anonymous_auth/rule.yml +++ b/applications/openshift/api-server/api_server_anonymous_auth/rule.yml @@ -34,7 +34,6 @@ rationale: |- severity: medium references: - bsi: APP.4.4.A3 cis@ocp4: 1.2.1 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 nist: CM-6,CM-6(1) diff --git a/applications/openshift/etcd/etcd_backup/rule.yml b/applications/openshift/etcd/etcd_backup/rule.yml index 9db8425b369..282f547be6d 100644 --- a/applications/openshift/etcd/etcd_backup/rule.yml 
+++ b/applications/openshift/etcd/etcd_backup/rule.yml @@ -19,9 +19,6 @@ rationale: |- identifiers: cce@ocp4: CCE-88188-8 -references: - bsi: APP.4.4.A5 - severity: medium ocil_clause: 'etcd backup needs review' diff --git a/applications/openshift/general/general_backup_solution_installed/rule.yml b/applications/openshift/general/general_backup_solution_installed/rule.yml index ead60299b17..2570be1d7fe 100644 --- a/applications/openshift/general/general_backup_solution_installed/rule.yml +++ b/applications/openshift/general/general_backup_solution_installed/rule.yml @@ -12,9 +12,6 @@ rationale: |- identifiers: cce@ocp4: CCE-90185-0 -references: - bsi: APP.4.4.A5 - severity: medium ocil_clause: 'No CRDs from a known backup solution installed' diff --git a/applications/openshift/general/general_namespace_separation/rule.yml b/applications/openshift/general/general_namespace_separation/rule.yml index 2fa4284870e..c1b12e0fb70 100644 --- a/applications/openshift/general/general_namespace_separation/rule.yml +++ b/applications/openshift/general/general_namespace_separation/rule.yml @@ -11,9 +11,6 @@ rationale: |- level. It also allows you control the network flow from and to other namespaces more easily. -references: - bsi: APP.4.4.A1 - severity: medium identifiers: diff --git a/applications/openshift/general/general_network_separation/rule.yml b/applications/openshift/general/general_network_separation/rule.yml index b581cc92c4d..8144cfc3ffa 100644 --- a/applications/openshift/general/general_network_separation/rule.yml +++ b/applications/openshift/general/general_network_separation/rule.yml @@ -9,9 +9,6 @@ description: |- rationale: |- Separation on a Network level might help to hinder lateral movement of an attacker and subsequently reduce the impact of an attack. It might also enable you to provide additional external network control (like firewalls). -references: - bsi: APP.4.4.A7 - severity: medium identifiers: 
diff --git a/applications/openshift/general/general_node_separation/rule.yml b/applications/openshift/general/general_node_separation/rule.yml index ec7f9850542..1e2e49bd723 100644 --- a/applications/openshift/general/general_node_separation/rule.yml +++ b/applications/openshift/general/general_node_separation/rule.yml @@ -12,9 +12,6 @@ description: |- rationale: |- Assigning workloads with high protection requirements to specific nodes creates and additional boundary (the node) between workloads of high protection requirements and workloads which might follow less strict requirements. An adversary which attacked a lighter protected workload now has additional obstacles for their movement towards the higher protected workloads. -references: - bsi: APP.4.4.A15 - severity: medium ocil_clause: 'Application placement on Nodes and Clusters needs review' diff --git a/applications/openshift/general/kubeadmin_removed/rule.yml b/applications/openshift/general/kubeadmin_removed/rule.yml index c97efa6d39a..93fcb721b73 100644 --- a/applications/openshift/general/kubeadmin_removed/rule.yml +++ b/applications/openshift/general/kubeadmin_removed/rule.yml @@ -22,7 +22,6 @@ identifiers: cce@ocp4: CCE-90387-2 references: - bsi: APP.4.4.A3 cis@ocp4: 3.1.1,5.1.1 nerc-cip: CIP-004-6 R2.2.2,CIP-004-6 R2.2.3,CIP-007-3 R.1.3,CIP-007-3 R2,CIP-007-3 R5,CIP-007-3 R5.1.1,CIP-007-3 R5.1.3,CIP-007-3 R5.2.1,CIP-007-3 R5.2.3,CIP-007-3 R6.1,CIP-007-3 R6.2,CIP-007-3 R6.3,CIP-007-3 R6.4 nist: AC-2(2),AC-2(7),AC-2(9),AC-2(10),AC-12(1),IA-2(5),MA-4,SC-12(1) diff --git a/applications/openshift/general/liveness_readiness_probe_in_workload/rule.yml b/applications/openshift/general/liveness_readiness_probe_in_workload/rule.yml index 40c5d783e2a..f2a6245c786 100644 --- a/applications/openshift/general/liveness_readiness_probe_in_workload/rule.yml +++ b/applications/openshift/general/liveness_readiness_probe_in_workload/rule.yml 
@@ -1,32 +1,29 @@ title: Ensure that all workloads have liveness and readiness probes description: |- - Configuring Kubernetes liveness and readiness probes is essential for ensuring the security and + Configuring Kubernetes liveness and readiness probes is essential for ensuring the security and reliability of a system. These probes actively monitor container health and readiness, facilitating - automatic actions like restarting or rescheduling unresponsive instances for improved reliability. - They play a proactive role in issue detection, allowing timely problem resolution and contribute + automatic actions like restarting or rescheduling unresponsive instances for improved reliability. + They play a proactive role in issue detection, allowing timely problem resolution and contribute to efficient scaling and traffic distribution. rationale: |- - Many applications running for long periods of time eventually transition to broken states, and + Many applications running for long periods of time eventually transition to broken states, and cannot recover except by being restarted. Kubernetes provides liveness probes to detect and remedy such situations. - Sometimes, applications are temporarily unable to serve traffic. For example, an application might + Sometimes, applications are temporarily unable to serve traffic. For example, an application might need to load large data or configuration files during startup, or depend on external services after - startup. In such cases, you don't want to kill the application, but you don't want to send it - requests either. Kubernetes provides readiness probes to detect and mitigate these situations. - A pod with containers reporting that they are not ready does not receive traffic through Kubernetes + startup. In such cases, you don't want to kill the application, but you don't want to send it + requests either. Kubernetes provides readiness probes to detect and mitigate these situations. 
+ A pod with containers reporting that they are not ready does not receive traffic through Kubernetes Services. -references: - bsi: APP.4.4.A11 - severity: medium ocil_clause: 'Liveness or readiness probe is not set' ocil: |- - Run the following command to retrieve a list of deployments, daemonsets and statefulsets that + Run the following command to retrieve a list of deployments, daemonsets and statefulsets that do not have liveness or readiness probes set for their containers:
$ oc get deployments,statefulsets,daemonsets --all-namespaces -o json | jq '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select( .spec.template.spec.containers[].readinessProbe != null and .spec.template.spec.containers[].livenessProbe != null ) | "\(.kind): \(.metadata.namespace)/\(.metadata.name)" ] | unique'
diff --git a/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml b/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml index 5282464314a..fb5bd9353e6 100644 --- a/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml +++ b/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml @@ -35,7 +35,6 @@ rationale: |- severity: medium references: - bsi: APP.4.4.A3 cis@eks: 3.2.1 cis@ocp4: 4.2.2 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 diff --git a/applications/openshift/networking/configure_network_policies/rule.yml b/applications/openshift/networking/configure_network_policies/rule.yml index ddcfc176714..e30efa56270 100644 --- a/applications/openshift/networking/configure_network_policies/rule.yml +++ b/applications/openshift/networking/configure_network_policies/rule.yml @@ -17,7 +17,6 @@ rationale: |- severity: high references: - bsi: APP.4.4.A7 cis@ocp4: 5.3.1 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 nist: CM-6,CM-6(1) diff --git a/applications/openshift/networking/configure_network_policies_namespaces/rule.yml b/applications/openshift/networking/configure_network_policies_namespaces/rule.yml index beda6190b2d..3804944cae5 100644 --- a/applications/openshift/networking/configure_network_policies_namespaces/rule.yml +++ b/applications/openshift/networking/configure_network_policies_namespaces/rule.yml @@ -17,7 +17,6 @@ rationale: |- severity: high references: - bsi: APP.4.4.A7 cis@eks: 4.3.2 cis@ocp4: 5.3.2 nerc-cip: CIP-003-8 R4,CIP-003-8 R4.2,CIP-003-8 R5,CIP-003-8 R6,CIP-004-6 R2.2.4,CIP-004-6 R3,CIP-007-3 R2,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R6.1 
@@ -47,7 +46,7 @@ ocil: |- following command {{{ ocil_oc_pipe_jq_filter('networkpolicies', networkpolicies_for_non_ctlplane_namespaces_filter, all_namespaces=true) }}} Namespaces matching the variable ocp4-var-network-policies-namespaces-exempt-regex regex are excluded from this check. - + Make sure that the namespaces displayed in the commands of the commands match. warnings: diff --git a/applications/openshift/networking/project_config_and_template_network_policy/rule.yml b/applications/openshift/networking/project_config_and_template_network_policy/rule.yml index 7aa79373244..72775ae6661 100644 --- a/applications/openshift/networking/project_config_and_template_network_policy/rule.yml +++ b/applications/openshift/networking/project_config_and_template_network_policy/rule.yml @@ -58,7 +58,6 @@ identifiers: cce@ocp4: CCE-86070-0 references: - bsi: APP.4.4.A7 srg: SRG-APP-000039-CTR-000110 warnings: diff --git a/applications/openshift/rbac/rbac_least_privilege/rule.yml b/applications/openshift/rbac/rbac_least_privilege/rule.yml index 5dce32016e2..277343e6e3b 100644 --- a/applications/openshift/rbac/rbac_least_privilege/rule.yml +++ b/applications/openshift/rbac/rbac_least_privilege/rule.yml @@ -26,7 +26,6 @@ identifiers: cce@ocp4: CCE-90678-4 references: - bsi: APP.4.4.A3,APP.4.4.A7,APP.4.4.A9 cis@ocp4: 5.2.10 nist: AC-3,CM-5(6),IA-2,IA-2(5),AC-6(10),CM-11(2),CM-5(1),CM-7(5)(b) srg: SRG-APP-000033-CTR-000090,SRG-APP-000033-CTR-000095,SRG-APP-000033-CTR-000100,SRG-APP-000133-CTR-000290,SRG-APP-000133-CTR-000295,SRG-APP-000133-CTR-000300,SRG-APP-000133-CTR-000305,SRG-APP-000133-CTR-000310,SRG-APP-000148-CTR-000350,SRG-APP-000153-CTR-000375,SRG-APP-000340-CTR-000770,SRG-APP-000378-CTR-000880,SRG-APP-000378-CTR-000885,SRG-APP-000378-CTR-000890,SRG-APP-000380-CTR-000900,SRG-APP-000386-CTR-000920 diff --git a/applications/openshift/rbac/rbac_wildcard_use/rule.yml b/applications/openshift/rbac/rbac_wildcard_use/rule.yml index 2778d8061ae..9e589e15bce 100644 
--- a/applications/openshift/rbac/rbac_wildcard_use/rule.yml +++ b/applications/openshift/rbac/rbac_wildcard_use/rule.yml @@ -20,7 +20,6 @@ rationale: |- severity: medium references: - bsi: APP.4.4.A9 cis@ocp4: 5.1.3 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 nist: CM-6,CM-6(1) diff --git a/applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml b/applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml index 8e8b2ca47a6..cbb7dc2feb3 100644 --- a/applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml +++ b/applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml @@ -30,7 +30,6 @@ identifiers: cce@ocp4: CCE-86235-9 references: - bsi: APP.4.4.A12 cis@ocp4: '5.5.1' nist: CM-5(3) srg: SRG-APP-000014-CTR-000035 diff --git a/applications/openshift/registry/ocp_insecure_registries/rule.yml b/applications/openshift/registry/ocp_insecure_registries/rule.yml index 9407e34646d..955b671d287 100644 --- a/applications/openshift/registry/ocp_insecure_registries/rule.yml +++ b/applications/openshift/registry/ocp_insecure_registries/rule.yml @@ -26,7 +26,6 @@ identifiers: cce@ocp4: CCE-86123-7 references: - bsi: APP.4.4.A12 cis@ocp4: '5.5.1' nist: CM-5(3) srg: SRG-APP-000014-CTR-000035 diff --git a/applications/openshift/risk-assessment/scansetting_has_autoapplyremediations/rule.yml b/applications/openshift/risk-assessment/scansetting_has_autoapplyremediations/rule.yml index 6d065facce2..cbcf36c1fdf 100644 --- a/applications/openshift/risk-assessment/scansetting_has_autoapplyremediations/rule.yml +++ b/applications/openshift/risk-assessment/scansetting_has_autoapplyremediations/rule.yml @@ -26,9 +26,6 @@ ocil: |- filter will return at least one 'true'. Run the following jq query to identify the non-compliant scansettings objects:
oc get scansettings -ojson | jq -r '[.items[] | select(.autoApplyRemediation != "" or .autoApplyRemediation != null) | .metadata.name]'
-references:
- bsi: APP.4.4.A13
-
 severity: medium
 warnings:
diff --git a/applications/openshift/risk-assessment/scansettingbinding_exists/rule.yml b/applications/openshift/risk-assessment/scansettingbinding_exists/rule.yml
index a75346dc09f..1f2b34c6e04 100644
--- a/applications/openshift/risk-assessment/scansettingbinding_exists/rule.yml
+++ b/applications/openshift/risk-assessment/scansettingbinding_exists/rule.yml
@@ -17,7 +17,6 @@ identifiers:
 cce@ocp4: CCE-83697-3
 references:
- bsi: APP.4.4.A13
 nerc-cip: CIP-003-8 R1.3,CIP-003-8 R4.3,CIP-003-8 R6,CIP-004-6 4.1,CIP-004-6 4.2,CIP-004-6 R3,CIP-004-6 R4,CIP-004-6 R4.2,CIP-005-6 R1,CIP-005-6 R1.1,CIP-005-6 R1.2,CIP-007-3 R3,CIP-007-3 R3.1,CIP-007-3 R6.1,CIP-007-3 R8.4
 nist: CM-6,CM-6(1),RA-5,RA-5(5),SA-4(8)
 pcidss: Req-2.2.4
diff --git a/applications/openshift/risk-assessment/scansettings_have_schedule/rule.yml b/applications/openshift/risk-assessment/scansettings_have_schedule/rule.yml
index df1248a4866..0f9444ea424 100644
--- a/applications/openshift/risk-assessment/scansettings_have_schedule/rule.yml
+++ b/applications/openshift/risk-assessment/scansettings_have_schedule/rule.yml
@@ -18,7 +18,6 @@ identifiers:
 cce@ocp4: CCE-90762-6
 references:
- bsi: APP.4.4.A13
 nist: SI-6(b)
 srg: SRG-APP-000473-CTR-001175
diff --git a/applications/openshift/scc/scc_drop_container_capabilities/rule.yml b/applications/openshift/scc/scc_drop_container_capabilities/rule.yml
index e883fb90269..7ed4e5dfde8 100644
--- a/applications/openshift/scc/scc_drop_container_capabilities/rule.yml
+++ b/applications/openshift/scc/scc_drop_container_capabilities/rule.yml
@@ -20,7 +20,6 @@ rationale: |-
 severity: medium
 references:
- bsi: APP.4.4.A9
 cis@ocp4: 5.2.9
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/scc/scc_limit_container_allowed_capabilities/rule.yml b/applications/openshift/scc/scc_limit_container_allowed_capabilities/rule.yml
index 38751948fe3..647e58743cb 100644
--- a/applications/openshift/scc/scc_limit_container_allowed_capabilities/rule.yml
+++ b/applications/openshift/scc/scc_limit_container_allowed_capabilities/rule.yml
@@ -50,7 +50,6 @@ rationale: |-
 severity: medium
 references:
- bsi: APP.4.4.A9
 cis@ocp4: 5.2.8
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/scc/scc_limit_host_dir_volume_plugin/rule.yml b/applications/openshift/scc/scc_limit_host_dir_volume_plugin/rule.yml
index 2a1f2bb877e..a647219e09f 100644
--- a/applications/openshift/scc/scc_limit_host_dir_volume_plugin/rule.yml
+++ b/applications/openshift/scc/scc_limit_host_dir_volume_plugin/rule.yml
@@ -21,7 +21,6 @@ identifiers:
 cce@ocp4: CCE-86255-7
 references:
- bsi: APP.4.4.A4,APP.4.4.A9
 cis@ocp4: 5.2.12
 nist: AC-6,AC-6(1)
 srg: SRG-APP-000142-CTR-000330
diff --git a/applications/openshift/scc/scc_limit_host_ports/rule.yml b/applications/openshift/scc/scc_limit_host_ports/rule.yml
index a211cb16e0e..c015e319d07 100644
--- a/applications/openshift/scc/scc_limit_host_ports/rule.yml
+++ b/applications/openshift/scc/scc_limit_host_ports/rule.yml
@@ -24,7 +24,6 @@ identifiers:
 cce@ocp4: CCE-86205-2
 references:
- bsi: APP.4.4.A9
 nist: CM-6,CM-6(1)
 srg: SRG-APP-000142-CTR-000330
diff --git a/applications/openshift/scc/scc_limit_ipc_namespace/rule.yml b/applications/openshift/scc/scc_limit_ipc_namespace/rule.yml
index e8bc677ac73..4b4c512716d 100644
--- a/applications/openshift/scc/scc_limit_ipc_namespace/rule.yml
+++ b/applications/openshift/scc/scc_limit_ipc_namespace/rule.yml
@@ -21,7 +21,6 @@ identifiers:
 cce@ocp4: CCE-84042-1
 references:
- bsi: APP.4.4.A4,APP.4.4.A9
 cis@ocp4: 5.2.3
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/scc/scc_limit_net_raw_capability/rule.yml b/applications/openshift/scc/scc_limit_net_raw_capability/rule.yml
index 2548821254d..9404c6e5414 100644
--- a/applications/openshift/scc/scc_limit_net_raw_capability/rule.yml
+++ b/applications/openshift/scc/scc_limit_net_raw_capability/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
 severity: medium
 references:
- bsi: APP.4.4.A4,APP.4.4.A9
 cis@ocp4: 5.2.7
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/scc/scc_limit_network_namespace/rule.yml b/applications/openshift/scc/scc_limit_network_namespace/rule.yml
index bdc31e9a228..91c795a992d 100644
--- a/applications/openshift/scc/scc_limit_network_namespace/rule.yml
+++ b/applications/openshift/scc/scc_limit_network_namespace/rule.yml
@@ -21,7 +21,6 @@ identifiers:
 cce@ocp4: CCE-83492-9
 references:
- bsi: APP.4.4.A4,APP.4.4.A9
 cis@ocp4: 5.2.4
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/scc/scc_limit_privilege_escalation/rule.yml b/applications/openshift/scc/scc_limit_privilege_escalation/rule.yml
index fdb33fc2bf5..4d194c37b43 100644
--- a/applications/openshift/scc/scc_limit_privilege_escalation/rule.yml
+++ b/applications/openshift/scc/scc_limit_privilege_escalation/rule.yml
@@ -22,7 +22,6 @@ identifiers:
 cce@ocp4: CCE-83447-3
 references:
- bsi: APP.4.4.A9
 cis@ocp4: 5.2.5
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/scc/scc_limit_privileged_containers/rule.yml b/applications/openshift/scc/scc_limit_privileged_containers/rule.yml
index 763a3807215..bd6c5e43072 100644
--- a/applications/openshift/scc/scc_limit_privileged_containers/rule.yml
+++ b/applications/openshift/scc/scc_limit_privileged_containers/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
 severity: medium
 references:
- bsi: APP.4.4.A4,APP.4.4.A9
 cis@ocp4: 5.2.1
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/scc/scc_limit_process_id_namespace/rule.yml b/applications/openshift/scc/scc_limit_process_id_namespace/rule.yml
index 3b6b459d74e..44e38b05edf 100644
--- a/applications/openshift/scc/scc_limit_process_id_namespace/rule.yml
+++ b/applications/openshift/scc/scc_limit_process_id_namespace/rule.yml
@@ -17,7 +17,6 @@ rationale: |-
 severity: medium
 references:
- bsi: APP.4.4.A4,APP.4.4.A9
 cis@ocp4: 5.2.2
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/scc/scc_limit_root_containers/rule.yml b/applications/openshift/scc/scc_limit_root_containers/rule.yml
index 29c4ca3ed4b..df5727c4cd2 100644
--- a/applications/openshift/scc/scc_limit_root_containers/rule.yml
+++ b/applications/openshift/scc/scc_limit_root_containers/rule.yml
@@ -25,7 +25,6 @@ rationale: |-
 severity: medium
 references:
- bsi: APP.4.4.A4,APP.4.4.A9
 cis@ocp4: 5.2.6
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml
index 9b55dec984e..809f8023c5e 100644
--- a/controls/bsi_app_4_4.yml
+++ b/controls/bsi_app_4_4.yml
@@ -18,6 +18,8 @@ levels:
 inherits_from:
 - standard
+reference_type: bsi
+
 controls:
 - id: APP.4.4.A1
 title: Planning the Separation of the Applications
diff --git a/linux_os/guide/system/selinux/coreos_enable_selinux_kernel_argument/rule.yml b/linux_os/guide/system/selinux/coreos_enable_selinux_kernel_argument/rule.yml
index 15804c10fa8..23972e5939d 100644
--- a/linux_os/guide/system/selinux/coreos_enable_selinux_kernel_argument/rule.yml
+++ b/linux_os/guide/system/selinux/coreos_enable_selinux_kernel_argument/rule.yml
@@ -19,7 +19,6 @@ identifiers:
 cce@rhcos4: CCE-83899-5
 references:
- bsi: APP.4.4.A4
 cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9
 cobit5: APO01.06,APO11.04,APO13.01,BAI03.05,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.03,DSS06.06,MEA02.01
 cui: 3.1.2,3.7.2
diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
index 89a14423ab8..67579503d89 100644
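Review bot: With `reference_type: bsi` the BSI references are now derived from the control file's `rules:` lists, so every `bsi:` line deleted from the rule files in this series (kubelet_anonymous_auth through selinux_state) is only preserved if the rule is listed under each control it was mapped to; a rule whose mapping lived only in its own file (rbac_least_privilege carried A3, A7 and A9, scc_limit_host_dir_volume_plugin A4 and A9) loses that mapping silently, and nothing in this diff shows the lists. The controls file could state the new contract next to the key, e.g. `# BSI references are generated from each control's rules: list; do not add bsi: entries to rule files`. scansetting_has_autoapplyremediations loses its whole `references:` mapping rather than one entry; if the build requires the key, that rule needs `references: {}` or another reference. The linux_os selinux rules are shared across products (they carry cce@rhcos4 and cce@sle15 identifiers), so their APP.4.4.A4 reference presumably now depends on which product profiles include controls/bsi_app_4_4.yml, which is worth confirming for rhcos4.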
--- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
@@ -35,7 +35,6 @@ identifiers:
 cce@sle15: CCE-91445-7
 references:
- bsi: APP.4.4.A4
 cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9
 cobit5: APO01.06,APO11.04,APO13.01,BAI03.05,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.03,DSS06.06,MEA02.01
 cui: 3.1.2,3.7.2
diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml
index f53f6bae929..5c6ac289464 100644
--- a/linux_os/guide/system/selinux/selinux_state/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_state/rule.yml
@@ -28,7 +28,6 @@ identifiers:
 cce@sle15: CCE-91446-5
 references:
- bsi: APP.4.4.A4
 cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9
 cobit5: APO01.06,APO11.04,APO13.01,BAI03.05,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.03,DSS06.06,MEA02.01
 cui: 3.1.2,3.7.2