Add Notes and Controls for SYS.1.6.A1-A4

applications/openshift/accounts/accounts_no_clusterrolebindings_default_service_account/rule.yml

@@ -5,7 +5,7 @@ title: 'Ensure no ClusterRoleBindings set for default Service Account'
 description: |-
     Using the <tt>default</tt> service account prevents accurate application
     rights review and audit tracing. Instead of <tt>default</tt>, create
-    a new and unique service account and associate the required ClusterRoleBindings. 
+    a new and unique service account and associate the required ClusterRoleBindings.
 
 rationale: |-
     Kubernetes provides a default service account which is used by
@@ -20,8 +20,6 @@ severity: medium
 
 identifiers: {}
 
-references:
-    bsi: APP.4.4.A9
 
 {{% set jqfilter = '[.items[] | select ( .subjects[]?.name == "default" ) | select(.subjects[].namespace | startswith("kube-") or startswith("openshift-") | not) | .metadata.name ] | unique' %}}
 
@@ -31,7 +29,7 @@ ocil: |-
     Run the following command to retrieve a list of ClusterRoleBindings that are
     associated to the default service account:
     <pre>$ oc get clusterrolebindings -o json | jq '{{{ jqfilter }}}'</pre>
-    There should be no ClusterRoleBindings associated with the the default service account 
+    There should be no ClusterRoleBindings associated with the the default service account
     in any namespace.
 
 warnings:

applications/openshift/accounts/accounts_no_rolebindings_default_service_account/rule.yml

@@ -5,7 +5,7 @@ title: 'Ensure no RoleBindings set for default Service Account'
 description: |-
     Using the <tt>default</tt> service account prevents accurate application
     rights review and audit tracing. Instead of <tt>default</tt>, create
-    a new and unique service account and associate the required RoleBindings. 
+    a new and unique service account and associate the required RoleBindings.
 
 rationale: |-
     Kubernetes provides a default service account which is used by
@@ -20,9 +20,6 @@ severity: medium
 
 identifiers: {}
 
-references:
-    bsi: APP.4.4.A9
-
 {{% set jqfilter = '[.items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select ( .subjects[]?.name == "default" ) | .metadata.namespace + "/" + .metadata.name ] | unique' %}}
 
 ocil_clause: 'default service account is given permissions using RoleBindings'
@@ -31,7 +28,7 @@ ocil: |-
     Run the following command to retrieve a list of RoleBindings that are
     associated to the default service account:
     <pre>$ oc get rolebindings --all-namespaces -o json | jq '{{{ jqfilter }}}'</pre>
-    There should be no RoleBindings associated with the the default service account 
+    There should be no RoleBindings associated with the the default service account
     in any namespace.
 
 warnings:

applications/openshift/accounts/accounts_restrict_service_account_tokens/rule.yml

@@ -17,7 +17,6 @@ rationale: |-
 severity: medium
 
 references:
-    bsi: APP.4.4.A9
     cis@ocp4: 5.1.6
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

applications/openshift/accounts/accounts_unique_service_account/rule.yml

@@ -23,7 +23,6 @@ rationale: |-
 severity: medium
 
 references:
-    bsi: APP.4.4.A9
     cis@ocp4: 5.1.5
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

applications/openshift/api-server/api_server_anonymous_auth/rule.yml

@@ -34,7 +34,6 @@ rationale: |-
 severity: medium
 
 references:
-    bsi: APP.4.4.A3
     cis@ocp4: 1.2.1
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

applications/openshift/etcd/etcd_backup/rule.yml

@@ -19,9 +19,6 @@ rationale: |-
 identifiers:
     cce@ocp4: CCE-88188-8
 
-references:
-    bsi: APP.4.4.A5
-
 severity: medium
 
 ocil_clause: 'etcd backup needs review'

applications/openshift/general/general_backup_solution_installed/rule.yml

@@ -12,9 +12,6 @@ rationale: |-
 identifiers:
     cce@ocp4: CCE-90185-0
 
-references:
-    bsi: APP.4.4.A5
-
 severity: medium
 
 ocil_clause: 'No CRDs from a known backup solution installed'

applications/openshift/general/general_namespace_separation/rule.yml

@@ -11,9 +11,6 @@ rationale: |-
    level. It also allows you control the network flow from and to other namespaces
    more easily.
 
-references:
-    bsi: APP.4.4.A1
-
 severity: medium
 
 identifiers:

applications/openshift/general/general_network_separation/rule.yml

@@ -9,9 +9,6 @@ description: |-
 rationale: |-
    Separation on a Network level might help to hinder lateral movement of an attacker and subsequently reduce the impact of an attack. It might also enable you to provide additional external network control (like firewalls).
 
-references:
-    bsi: APP.4.4.A7
-
 severity: medium
 
 identifiers:

applications/openshift/general/general_node_separation/rule.yml

@@ -12,9 +12,6 @@ description: |-
 rationale: |-
    Assigning workloads with high protection requirements to specific nodes creates and additional boundary (the node) between workloads of high protection requirements and workloads which might follow less strict requirements. An adversary which attacked a lighter protected workload now has additional obstacles for their movement towards the higher protected workloads.
 
-references:
-    bsi: APP.4.4.A15
-
 severity: medium
 
 ocil_clause: 'Application placement on Nodes and Clusters needs review'

applications/openshift/general/kubeadmin_removed/rule.yml

@@ -22,7 +22,6 @@ identifiers:
   cce@ocp4: CCE-90387-2
 
 references:
-  bsi: APP.4.4.A3
   cis@ocp4: 3.1.1,5.1.1
   nerc-cip: CIP-004-6 R2.2.2,CIP-004-6 R2.2.3,CIP-007-3 R.1.3,CIP-007-3 R2,CIP-007-3 R5,CIP-007-3 R5.1.1,CIP-007-3 R5.1.3,CIP-007-3 R5.2.1,CIP-007-3 R5.2.3,CIP-007-3 R6.1,CIP-007-3 R6.2,CIP-007-3 R6.3,CIP-007-3 R6.4
   nist: AC-2(2),AC-2(7),AC-2(9),AC-2(10),AC-12(1),IA-2(5),MA-4,SC-12(1)

applications/openshift/general/liveness_readiness_probe_in_workload/rule.yml

@@ -1,32 +1,29 @@
 title: Ensure that all workloads have liveness and readiness probes
 
 description: |-
-  Configuring Kubernetes liveness and readiness probes is essential for ensuring the security and 
+  Configuring Kubernetes liveness and readiness probes is essential for ensuring the security and
   reliability of a system. These probes actively monitor container health and readiness, facilitating
-  automatic actions like restarting or rescheduling unresponsive instances for improved reliability. 
-  They play a proactive role in issue detection, allowing timely problem resolution and contribute 
+  automatic actions like restarting or rescheduling unresponsive instances for improved reliability.
+  They play a proactive role in issue detection, allowing timely problem resolution and contribute
   to efficient scaling and traffic distribution.
 
 rationale: |-
-  Many applications running for long periods of time eventually transition to broken states, and 
+  Many applications running for long periods of time eventually transition to broken states, and
   cannot recover except by being restarted. Kubernetes provides liveness probes to detect and remedy
   such situations.
-  Sometimes, applications are temporarily unable to serve traffic. For example, an application might 
+  Sometimes, applications are temporarily unable to serve traffic. For example, an application might
   need to load large data or configuration files during startup, or depend on external services after
-  startup. In such cases, you don't want to kill the application, but you don't want to send it 
-  requests either. Kubernetes provides readiness probes to detect and mitigate these situations. 
-  A pod with containers reporting that they are not ready does not receive traffic through Kubernetes 
+  startup. In such cases, you don't want to kill the application, but you don't want to send it
+  requests either. Kubernetes provides readiness probes to detect and mitigate these situations.
+  A pod with containers reporting that they are not ready does not receive traffic through Kubernetes
   Services.
 
-references:
-  bsi: APP.4.4.A11
-
 severity: medium
 
 ocil_clause: 'Liveness or readiness probe is not set'
 
 ocil: |-
-    Run the following command to retrieve a list of deployments, daemonsets and statefulsets that 
+    Run the following command to retrieve a list of deployments, daemonsets and statefulsets that
     do not have liveness or readiness probes set for their containers:
     <pre>$ oc get deployments,statefulsets,daemonsets --all-namespaces -o json | jq '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select( .spec.template.spec.containers[].readinessProbe != null and .spec.template.spec.containers[].livenessProbe != null ) | "\(.kind): \(.metadata.namespace)/\(.metadata.name)" ] | unique'</pre>
 

applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml

@@ -35,7 +35,6 @@ rationale: |-
 severity: medium
 
 references:
-    bsi: APP.4.4.A3
     cis@eks: 3.2.1
     cis@ocp4: 4.2.2
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1

applications/openshift/networking/configure_network_policies/rule.yml

@@ -17,7 +17,6 @@ rationale: |-
 severity: high
 
 references:
-    bsi: APP.4.4.A7
     cis@ocp4: 5.3.1
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

applications/openshift/networking/configure_network_policies_namespaces/rule.yml

@@ -17,7 +17,6 @@ rationale: |-
 severity: high
 
 references:
-    bsi: APP.4.4.A7
     cis@eks: 4.3.2
     cis@ocp4: 5.3.2
     nerc-cip: CIP-003-8 R4,CIP-003-8 R4.2,CIP-003-8 R5,CIP-003-8 R6,CIP-004-6 R2.2.4,CIP-004-6 R3,CIP-007-3 R2,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R6.1
@@ -47,7 +46,7 @@ ocil: |-
     following command <tt>{{{ ocil_oc_pipe_jq_filter('networkpolicies', networkpolicies_for_non_ctlplane_namespaces_filter, all_namespaces=true) }}}</tt>
 
     Namespaces matching the variable <tt>ocp4-var-network-policies-namespaces-exempt-regex</tt> regex are excluded from this check.
-    
+
     Make sure that the namespaces displayed in the commands of the commands match.
 
 warnings:

applications/openshift/networking/project_config_and_template_network_policy/rule.yml

@@ -58,7 +58,6 @@ identifiers:
       cce@ocp4: CCE-86070-0
 
 references:
-    bsi: APP.4.4.A7
     srg: SRG-APP-000039-CTR-000110
 
 warnings:

applications/openshift/rbac/rbac_least_privilege/rule.yml

@@ -26,7 +26,6 @@ identifiers:
   cce@ocp4: CCE-90678-4
 
 references:
-    bsi: APP.4.4.A3,APP.4.4.A7,APP.4.4.A9
     cis@ocp4: 5.2.10
     nist: AC-3,CM-5(6),IA-2,IA-2(5),AC-6(10),CM-11(2),CM-5(1),CM-7(5)(b)
     srg: SRG-APP-000033-CTR-000090,SRG-APP-000033-CTR-000095,SRG-APP-000033-CTR-000100,SRG-APP-000133-CTR-000290,SRG-APP-000133-CTR-000295,SRG-APP-000133-CTR-000300,SRG-APP-000133-CTR-000305,SRG-APP-000133-CTR-000310,SRG-APP-000148-CTR-000350,SRG-APP-000153-CTR-000375,SRG-APP-000340-CTR-000770,SRG-APP-000378-CTR-000880,SRG-APP-000378-CTR-000885,SRG-APP-000378-CTR-000890,SRG-APP-000380-CTR-000900,SRG-APP-000386-CTR-000920

applications/openshift/rbac/rbac_wildcard_use/rule.yml

@@ -20,7 +20,6 @@ rationale: |-
 severity: medium
 
 references:
-    bsi: APP.4.4.A9
     cis@ocp4: 5.1.3
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml

@@ -30,7 +30,6 @@ identifiers:
     cce@ocp4: CCE-86235-9
 
 references:
-    bsi: APP.4.4.A12
     cis@ocp4: '5.5.1'
     nist: CM-5(3)
     srg: SRG-APP-000014-CTR-000035

applications/openshift/registry/ocp_insecure_registries/rule.yml

@@ -26,7 +26,6 @@ identifiers:
     cce@ocp4: CCE-86123-7
 
 references:
-    bsi: APP.4.4.A12
     cis@ocp4: '5.5.1'
     nist: CM-5(3)
     srg: SRG-APP-000014-CTR-000035

applications/openshift/risk-assessment/scansetting_has_autoapplyremediations/rule.yml

@@ -26,9 +26,6 @@ ocil: |-
     filter will return at least one 'true'. Run the following jq query to identify the non-compliant scansettings objects:
     <pre>oc get scansettings -ojson | jq -r '[.items[] | select(.autoApplyRemediation != "" or .autoApplyRemediation != null) | .metadata.name]'</pre>
 
-references:
-  bsi: APP.4.4.A13
-
 severity: medium
 
 warnings:

applications/openshift/risk-assessment/scansettingbinding_exists/rule.yml

@@ -17,7 +17,6 @@ identifiers:
   cce@ocp4: CCE-83697-3
 
 references:
-  bsi: APP.4.4.A13
   nerc-cip: CIP-003-8 R1.3,CIP-003-8 R4.3,CIP-003-8 R6,CIP-004-6 4.1,CIP-004-6 4.2,CIP-004-6 R3,CIP-004-6 R4,CIP-004-6 R4.2,CIP-005-6 R1,CIP-005-6 R1.1,CIP-005-6 R1.2,CIP-007-3 R3,CIP-007-3 R3.1,CIP-007-3 R6.1,CIP-007-3 R8.4
   nist: CM-6,CM-6(1),RA-5,RA-5(5),SA-4(8)
   pcidss: Req-2.2.4

applications/openshift/risk-assessment/scansettings_have_schedule/rule.yml

@@ -18,7 +18,6 @@ identifiers:
   cce@ocp4: CCE-90762-6
 
 references:
-  bsi: APP.4.4.A13
   nist: SI-6(b)
   srg: SRG-APP-000473-CTR-001175
 

applications/openshift/scc/scc_drop_container_capabilities/rule.yml

@@ -20,7 +20,6 @@ rationale: |-
 severity: medium
 
 references:
-    bsi: APP.4.4.A9
     cis@ocp4: 5.2.9
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

applications/openshift/scc/scc_limit_container_allowed_capabilities/rule.yml

@@ -50,7 +50,6 @@ rationale: |-
 severity: medium
 
 references:
-    bsi: APP.4.4.A9
     cis@ocp4: 5.2.8
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

applications/openshift/scc/scc_limit_host_dir_volume_plugin/rule.yml

@@ -21,7 +21,6 @@ identifiers:
   cce@ocp4: CCE-86255-7
 
 references:
-    bsi: APP.4.4.A4,APP.4.4.A9
     cis@ocp4: 5.2.12
     nist: AC-6,AC-6(1)
     srg: SRG-APP-000142-CTR-000330

applications/openshift/scc/scc_limit_host_ports/rule.yml

@@ -24,7 +24,6 @@ identifiers:
     cce@ocp4: CCE-86205-2
 
 references:
-    bsi: APP.4.4.A9
     nist: CM-6,CM-6(1)
     srg: SRG-APP-000142-CTR-000330
 

applications/openshift/scc/scc_limit_ipc_namespace/rule.yml

@@ -21,7 +21,6 @@ identifiers:
     cce@ocp4: CCE-84042-1
 
 references:
-    bsi: APP.4.4.A4,APP.4.4.A9
     cis@ocp4: 5.2.3
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

applications/openshift/scc/scc_limit_net_raw_capability/rule.yml

@@ -19,7 +19,6 @@ rationale: |-
 severity: medium
 
 references:
-    bsi: APP.4.4.A4,APP.4.4.A9
     cis@ocp4: 5.2.7
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

applications/openshift/scc/scc_limit_network_namespace/rule.yml

@@ -21,7 +21,6 @@ identifiers:
     cce@ocp4: CCE-83492-9
 
 references:
-    bsi: APP.4.4.A4,APP.4.4.A9
     cis@ocp4: 5.2.4
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

applications/openshift/scc/scc_limit_privilege_escalation/rule.yml

@@ -22,7 +22,6 @@ identifiers:
     cce@ocp4: CCE-83447-3
 
 references:
-    bsi: APP.4.4.A9
     cis@ocp4: 5.2.5
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

applications/openshift/scc/scc_limit_privileged_containers/rule.yml

@@ -18,7 +18,6 @@ rationale: |-
 severity: medium
 
 references:
-    bsi: APP.4.4.A4,APP.4.4.A9
     cis@ocp4: 5.2.1
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

applications/openshift/scc/scc_limit_process_id_namespace/rule.yml

@@ -17,7 +17,6 @@ rationale: |-
 severity: medium
 
 references:
-    bsi: APP.4.4.A4,APP.4.4.A9
     cis@ocp4: 5.2.2
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

applications/openshift/scc/scc_limit_root_containers/rule.yml

@@ -25,7 +25,6 @@ rationale: |-
 severity: medium
 
 references:
-    bsi: APP.4.4.A4,APP.4.4.A9
     cis@ocp4: 5.2.6
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

controls/bsi_app_4_4.yml

@@ -18,6 +18,8 @@ levels:
     inherits_from:
     - standard
 
+reference_type: bsi
+
 controls:
   - id: APP.4.4.A1
     title: Planning the Separation of the Applications