From ae3e7906b48cefe6e5fffd26604e58f7b1197f8f Mon Sep 17 00:00:00 2001 From: lichtblaugue Date: Thu, 17 Oct 2024 14:24:47 +0200 Subject: [PATCH 1/6] Initial setup for rule SYS.1.6.A17 --- controls/bsi_sys_1_6.yml | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/controls/bsi_sys_1_6.yml b/controls/bsi_sys_1_6.yml index 01a4fda1616..c9e9bf7c468 100644 --- a/controls/bsi_sys_1_6.yml +++ b/controls/bsi_sys_1_6.yml 
@@ -429,15 +429,26 @@ controls: levels: - standard description: >- - A container runtime and any instantiated containers SHOULD only be executed by a non- + (1) A container runtime and any instantiated containers SHOULD only be executed by a non- privileged system account that does not have (and cannot gain) elevated rights to the - container service or host operating system. The container runtime SHOULD be encapsulated + container service or host operating system. (2) The container runtime SHOULD be encapsulated by additional measures, such as using the virtualisation extensions of CPUs. - If containers are to take over tasks of the host system in exceptional cases, privileges on the - host system SHOULD be limited to the minimum necessary. Exceptions SHOULD be + (3) If containers are to take over tasks of the host system in exceptional cases, privileges on the + host system SHOULD be limited to the minimum necessary. (4)Exceptions SHOULD be adequately documented. notes: >- - ToDo + Section 1: With OpenShift, application containers run in the Security Context Constraint (SCC) “restricted” by default. + Section 2: OpenShift supports encapsulation by using SELinux. If necessary, + entire nodes can also be encapsulated via underlying virtualization. + This is always necessary when application containers require extended security context constraints (SCCs). + With the sandbox function based on Kata Containers, OpenShift provides a convenient way to isolate containers + using virtualization technology. + Section 3: OpenShift offers several SCC to restrict access to the network, + file system or the host itself. This should only be allowed for administrative applications + such as SIEM scanners or other infrastructure services that require access to the host. + These SCCs should never be given to application containers. + Section 4: These exceptions must be documented in the operational documentation. 
+ A list of pods with the corresponding SCC annotation can serve as the basis for the documentation. status: manual #rules: From 8e36b6428e1e65122ec3aa8b1cac0284c06c1ad1 Mon Sep 17 00:00:00 2001 From: lichtblaugue Date: Wed, 23 Oct 2024 11:44:19 +0200 Subject: [PATCH 2/6] Existing scc rules added and sandbox rules copied from A26 --- .../rule.yml | 41 +++++++++++++++++++ .../rule.yml | 38 +++++++++++++++++ controls/bsi_sys_1_6.yml | 19 ++++++++- 3 files changed, 96 insertions(+), 2 deletions(-) create mode 100644 applications/openshift/general/sandboxed_containers_operator_configured/rule.yml create mode 100644 applications/openshift/general/sandboxed_containers_operator_exists/rule.yml diff --git a/applications/openshift/general/sandboxed_containers_operator_configured/rule.yml b/applications/openshift/general/sandboxed_containers_operator_configured/rule.yml new file mode 100644 index 00000000000..265226dc8a7 --- /dev/null +++ b/applications/openshift/general/sandboxed_containers_operator_configured/rule.yml @@ -0,0 +1,41 @@ + +title: Ensure that Sandboxed Containers Operator is Configured + +description: |- + {{{ weblink(link="https://docs.redhat.com/en/documentation/openshift_sandboxed_containers/1.7", + text="The Sandboxed Containers Operator") }}} + provides containers with a dedicated kernel by running them in a virtual machine. This allows for extended separation, as no kernel is shared. This is done by using RHCOS cluster extension and is only available on RHCOS nodes. + + It is only active, if it is correctly configured with a KataConfig AND you configured each pod spec with
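Review bot: `(4)Exceptions SHOULD be` in the new description is missing the space after the section marker that the three other markers have; make it `(4) Exceptions SHOULD be`. In the notes, Section 1 says application containers run under the `restricted` SCC by default, but on OpenShift 4.11 and later the default for new workloads is `restricted-v2`, so the note should name the release it describes or both SCCs — worth confirming against the target version. The Section 1 sentence also never says what makes that default non-privileged, which is the property the BSI text asks for; a half-sentence such as `which forbids running as root and any privilege escalation` would tie the note to requirement (1).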
runtimeClassName: kata
. + + Be advised, that on AWS, Azure, IBM Z and IBM LinuxOne you need to enable PeerPods and confiugre additional resources. + +rationale: |- + Using separate kernels for each container provides for better isolation, and makes it harder for adveseries to move laterally to other containers or the container-host. + +severity: medium + +identifiers: + cce@ocp4: CCE-87430-5 + +ocil_clause: 'Sandboxed Containers Operator is not configured' + +ocil: |- + Run the following command to check if a KataConfig for the cluster exists: +
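Review bot: The `template` block passes as soon as any KataConfig object exists (`yamlpath: ".items[:].metadata.name"` matched against `.*`), so a KataConfig whose installation failed, or whose `kataConfigPoolSelector` matches no node, still satisfies "is Configured"; either evaluate a status field that reports a completed installation, or state in `description` that the rule only verifies the object is present. The `ocil` command `oc get kataconfigs openshift-sandboxed-containers-operator` passes a namespace name where `oc` expects a resource name — KataConfig is cluster-scoped and the e2e resource added in PATCH 5 is called `example-kataconfig`, so the documented command returns NotFound on the test cluster; `oc get kataconfigs` is what the check actually corresponds to. The same file is re-added byte-identically in PATCH 5 (blob 265226dc8a7), where both points apply. Typos in the prose: `confiugre`, `adveseries`.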
$ oc get kataconfigs openshift-sandboxed-containers-operator
+ Make sure at least one KataConfig exists. + +warnings: +- general: |- + {{{ openshift_cluster_setting("/apis/kataconfiguration.openshift.io/v1/kataconfigs?limit=5") | indent(4) }}} + +template: + name: yamlfile_value + vars: + ocp_data: "true" + filepath: /apis/kataconfiguration.openshift.io/v1/kataconfigs?limit=5 + yamlpath: ".items[:].metadata.name" + entity_check: "at least one" + values: + - value: ".*" + operation: "pattern match" diff --git a/applications/openshift/general/sandboxed_containers_operator_exists/rule.yml b/applications/openshift/general/sandboxed_containers_operator_exists/rule.yml new file mode 100644 index 00000000000..85808b837b0 --- /dev/null +++ b/applications/openshift/general/sandboxed_containers_operator_exists/rule.yml @@ -0,0 +1,38 @@ + +title: Ensure that Sandboxed Containers Operator exists in the cluster + +description: |- + {{{ weblink(link="https://docs.redhat.com/en/documentation/openshift_sandboxed_containers/1.7", + text="The Sandboxed Containers Operator") }}} + provides containers with a dedicated kernel by running them in a virtual machine. This allows for extended separation, as no kernel is shared. This is done by using RHCOS cluster extension and is only available on RHCOS nodes. + +rationale: |- + Using separate kernels for each container provides for better isolation, and makes it harder for adveseries to move laterally to other containers or the container-host. + +severity: medium + +identifiers: + cce@ocp4: CCE-86496-7 + +ocil_clause: 'Sandboxed Containers Operator is not installed' + +ocil: |- + Run the following command to check if a subscription for the operator exists in the system: +
$ oc get sub -n openshift-sandboxed-containers-operator
+ Make sure the Sandboxed Containers Operator is installed. + +warnings: +- general: |- + {{{ openshift_cluster_setting("/apis/operators.coreos.com/v1alpha1/subscriptions") | indent(4) }}} + +template: + name: yamlfile_value + vars: + ocp_data: "true" + filepath: '/apis/operators.coreos.com/v1alpha1/subscriptions' + yamlpath: ".items[:].status.installedCSV" + check_existence: "at_least_one_exists" + values: + - value: "sandboxed-containers-operator.*" + operation: "pattern match" + entity_check: "at least one" diff --git a/controls/bsi_sys_1_6.yml b/controls/bsi_sys_1_6.yml index c9e9bf7c468..2eddfe2762d 100644 --- a/controls/bsi_sys_1_6.yml +++ b/controls/bsi_sys_1_6.yml @@ -449,8 +449,23 @@ controls: These SCCs should never be given to application containers. Section 4: These exceptions must be documented in the operational documentation. A list of pods with the corresponding SCC annotation can serve as the basis for the documentation. - status: manual - #rules: + status: partial + rules: + # Section 1 and 3 + - scc_drop_container_capabilities + - scc_limit_container_allowed_capabilities + - scc_limit_host_dir_volume_plugin + - scc_limit_host_ports + - scc_limit_ipc_namespace + - scc_limit_net_raw_capability + - scc_limit_network_namespace + - scc_limit_privilege_escalation + - scc_limit_privileged_containers + - scc_limit_process_id_namespace + - scc_limit_root_containers + # Section 2 + - sandboxed_containers_operator_exists + - sandboxed_containers_operator_configured - id: SYS.1.6.A18 title: Application Services Accounts From 7663896638c993ee50031701cb5684636784c4cd Mon Sep 17 00:00:00 2001 
From: lichtblaugue Date: Wed, 6 Nov 2024 15:19:46 +0100 Subject: [PATCH 3/6] Removing rules that already exist in another branch --- .../rule.yml | 41 ------------------- .../rule.yml | 38 ----------------- 2 files changed, 79 deletions(-) delete mode 100644 applications/openshift/general/sandboxed_containers_operator_configured/rule.yml delete mode 100644 applications/openshift/general/sandboxed_containers_operator_exists/rule.yml diff --git a/applications/openshift/general/sandboxed_containers_operator_configured/rule.yml b/applications/openshift/general/sandboxed_containers_operator_configured/rule.yml deleted file mode 100644 index 265226dc8a7..00000000000 --- a/applications/openshift/general/sandboxed_containers_operator_configured/rule.yml +++ /dev/null @@ -1,41 +0,0 @@ - -title: Ensure that Sandboxed Containers Operator is Configured - -description: |- - {{{ weblink(link="https://docs.redhat.com/en/documentation/openshift_sandboxed_containers/1.7", - text="The Sandboxed Containers Operator") }}} - provides containers with a dedicated kernel by running them in a virtual machine. This allows for extended separation, as no kernel is shared. This is done by using RHCOS cluster extension and is only available on RHCOS nodes. - - It is only active, if it is correctly configured with a KataConfig AND you configured each pod spec with
runtimeClassName: kata
. - - Be advised, that on AWS, Azure, IBM Z and IBM LinuxOne you need to enable PeerPods and confiugre additional resources. - -rationale: |- - Using separate kernels for each container provides for better isolation, and makes it harder for adveseries to move laterally to other containers or the container-host. - -severity: medium - -identifiers: - cce@ocp4: CCE-87430-5 - -ocil_clause: 'Sandboxed Containers Operator is not configured' - -ocil: |- - Run the following command to check if a KataConfig for the cluster exists: -
$ oc get kataconfigs openshift-sandboxed-containers-operator
- Make sure at least one KataConfig exists. - -warnings: -- general: |- - {{{ openshift_cluster_setting("/apis/kataconfiguration.openshift.io/v1/kataconfigs?limit=5") | indent(4) }}} - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: /apis/kataconfiguration.openshift.io/v1/kataconfigs?limit=5 - yamlpath: ".items[:].metadata.name" - entity_check: "at least one" - values: - - value: ".*" - operation: "pattern match" diff --git a/applications/openshift/general/sandboxed_containers_operator_exists/rule.yml b/applications/openshift/general/sandboxed_containers_operator_exists/rule.yml deleted file mode 100644 index 85808b837b0..00000000000 --- a/applications/openshift/general/sandboxed_containers_operator_exists/rule.yml +++ /dev/null @@ -1,38 +0,0 @@ - -title: Ensure that Sandboxed Containers Operator exists in the cluster - -description: |- - {{{ weblink(link="https://docs.redhat.com/en/documentation/openshift_sandboxed_containers/1.7", - text="The Sandboxed Containers Operator") }}} - provides containers with a dedicated kernel by running them in a virtual machine. This allows for extended separation, as no kernel is shared. This is done by using RHCOS cluster extension and is only available on RHCOS nodes. - -rationale: |- - Using separate kernels for each container provides for better isolation, and makes it harder for adveseries to move laterally to other containers or the container-host. - -severity: medium - -identifiers: - cce@ocp4: CCE-86496-7 - -ocil_clause: 'Sandboxed Containers Operator is not installed' - -ocil: |- - Run the following command to check if a subscription for the operator exists in the system: -
$ oc get sub -n openshift-sandboxed-containers-operator
- Make sure the Sandboxed Containers Operator is installed. - -warnings: -- general: |- - {{{ openshift_cluster_setting("/apis/operators.coreos.com/v1alpha1/subscriptions") | indent(4) }}} - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/apis/operators.coreos.com/v1alpha1/subscriptions' - yamlpath: ".items[:].status.installedCSV" - check_existence: "at_least_one_exists" - values: - - value: "sandboxed-containers-operator.*" - operation: "pattern match" - entity_check: "at least one" From 6c3e1dabd3b51352108ffbfdfed5d29fd9a4edea Mon Sep 17 00:00:00 2001 From: sluetze <13255307+sluetze@users.noreply.github.com> Date: Mon, 14 Oct 2024 15:20:56 +0200 Subject: [PATCH 4/6] add rule to check for sandboxed containers --- .../rule.yml | 38 +++++++++++++++++++ .../tests/ocp4/e2e-remediation.sh | 16 ++++++++ .../tests/ocp4/e2e.yml | 3 ++ .../e2e/sandboxed-containers-install.yaml | 28 ++++++++++++++ shared/references/cce-redhat-avail.txt | 1 - 5 files changed, 85 insertions(+), 1 deletion(-) create mode 100644 applications/openshift/general/sandboxed_containers_operator_exists/rule.yml create mode 100755 applications/openshift/general/sandboxed_containers_operator_exists/tests/ocp4/e2e-remediation.sh create mode 100644 applications/openshift/general/sandboxed_containers_operator_exists/tests/ocp4/e2e.yml create mode 100644 ocp-resources/e2e/sandboxed-containers-install.yaml diff --git a/applications/openshift/general/sandboxed_containers_operator_exists/rule.yml b/applications/openshift/general/sandboxed_containers_operator_exists/rule.yml new file mode 100644 index 00000000000..e61f83373da --- /dev/null +++ b/applications/openshift/general/sandboxed_containers_operator_exists/rule.yml 
@@ -0,0 +1,38 @@ + +title: Ensure that Sandboxed Containers Operator exists in the cluster + +description: |- + {{{ weblink(link="https://docs.redhat.com/en/documentation/openshift_sandboxed_containers/1.7", + text="The Sandboxed Containers Operator") }}} + provides containers with a dedicated kernel by running them in a virtual machine. This allows for extended separation, as no kernel is shared. This is done by using RHCOS cluster extension and is only available on RHCOS nodes. + +rationale: |- + Using separate Kernels for each container provides for better isolation, and makes it harder for adveseries to move laterally to other containers or the host. + +severity: medium + +identifiers: + cce@ocp4: CCE-86496-7 + +ocil_clause: 'Sandboxed Containers Operator is not installed' + +ocil: |- + Run the following command to check if a subscription for the operator exists in the system: +
$ oc get sub -n openshift-sandboxed-containers-operator
+ Make sure the Sandboxed Containers Operator is installed. + +warnings: +- general: |- + {{{ openshift_cluster_setting("/apis/operators.coreos.com/v1alpha1/subscriptions") | indent(4) }}} + +template: + name: yamlfile_value + vars: + ocp_data: "true" + filepath: '/apis/operators.coreos.com/v1alpha1/subscriptions' + yamlpath: ".items[:].status.installedCSV" + check_existence: "at_least_one_exists" + values: + - value: "sandboxed-containers-operator.*" + operation: "pattern match" + entity_check: "at least one" diff --git a/applications/openshift/general/sandboxed_containers_operator_exists/tests/ocp4/e2e-remediation.sh b/applications/openshift/general/sandboxed_containers_operator_exists/tests/ocp4/e2e-remediation.sh new file mode 100755 index 00000000000..fa04b9a7434 --- /dev/null +++ b/applications/openshift/general/sandboxed_containers_operator_exists/tests/ocp4/e2e-remediation.sh @@ -0,0 +1,16 @@ +#!/bin/bash +set -xe + +echo "installing sandboxed-containers-operator" +oc apply -f ${ROOT_DIR}/ocp-resources/e2e/sandboxed-containers-install.yaml --server-side=true + +sleep 30 + +echo "waiting for sandboxed-containers-operator deployment to exist" +while [ -z "$(oc get -n openshift-sandboxed-containers-operator --ignore-not-found deployment/controller-manager)" ]; do + sleep 3 +done + +echo "waiting for sandboxed-containers-operator deployment to be ready" +oc wait -n openshift-sandboxed-containers-operator --for=condition=Available --timeout=300s \ + deployment/controller-manager diff --git a/applications/openshift/general/sandboxed_containers_operator_exists/tests/ocp4/e2e.yml b/applications/openshift/general/sandboxed_containers_operator_exists/tests/ocp4/e2e.yml new file mode 100644 index 00000000000..fd9b313e87b --- /dev/null +++ b/applications/openshift/general/sandboxed_containers_operator_exists/tests/ocp4/e2e.yml @@ -0,0 +1,3 @@ +--- +default_result: FAIL +result_after_remediation: PASS 
diff --git a/ocp-resources/e2e/sandboxed-containers-install.yaml b/ocp-resources/e2e/sandboxed-containers-install.yaml new file mode 100644 index 00000000000..53f0a8942e4 --- /dev/null +++ b/ocp-resources/e2e/sandboxed-containers-install.yaml @@ -0,0 +1,28 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: openshift-sandboxed-containers-operator + labels: + openshift.io/cluster-monitoring: "true" +--- +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: sandboxed-containers-operator-group + namespace: openshift-sandboxed-containers-operator +spec: + targetNamespaces: + - openshift-sandboxed-containers-operator +--- +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: "sandboxed-containers-operator" + namespace: "openshift-sandboxed-containers-operator" +spec: + channel: stable + installPlanApproval: Automatic + name: sandboxed-containers-operator + source: redhat-operators + sourceNamespace: openshift-marketplace diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 0ff564b4ebd..c3acec4a97c 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -55,7 +55,6 @@ CCE-86484-3 CCE-86492-6 CCE-86493-4 CCE-86494-2 -CCE-86496-7 CCE-86497-5 CCE-86498-3 CCE-86499-1 From 14ae93f598e984653248f96215f068f6f746d2e4 Mon Sep 17 00:00:00 2001 
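Review bot: `name: "sandboxed-containers-operator"` and `namespace: "openshift-sandboxed-containers-operator"` are quoted in the Subscription document but the same kind of values are plain in the Namespace and OperatorGroup documents above; pick one style for the file. The label `openshift.io/cluster-monitoring: "true"` is correctly quoted, since the API expects a string there, and a short comment such as `# string, not boolean: label values must be strings` would stop a later reformat from turning it into a bare `true`. `channel: stable` is unpinned, which is fine for an e2e fixture but means the rule pattern in `sandboxed_containers_operator_exists` is exercised against whatever CSV the catalog currently serves.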
From: sluetze <13255307+sluetze@users.noreply.github.com> Date: Mon, 14 Oct 2024 18:43:10 +0200 Subject: [PATCH 5/6] add rule to check for sandboxed containers config --- .../rule.yml | 41 +++++++++++++++++++ .../tests/ocp4/e2e-remediation.sh | 27 ++++++++++++ .../tests/ocp4/e2e.yml | 3 ++ .../rule.yml | 2 +- .../e2e/sandboxed-containers-instance.yaml | 12 ++++++ shared/references/cce-redhat-avail.txt | 1 - 6 files changed, 84 insertions(+), 2 deletions(-) create mode 100644 applications/openshift/general/sandboxed_containers_operator_configured/rule.yml create mode 100755 applications/openshift/general/sandboxed_containers_operator_configured/tests/ocp4/e2e-remediation.sh create mode 100644 applications/openshift/general/sandboxed_containers_operator_configured/tests/ocp4/e2e.yml create mode 100644 ocp-resources/e2e/sandboxed-containers-instance.yaml diff --git a/applications/openshift/general/sandboxed_containers_operator_configured/rule.yml b/applications/openshift/general/sandboxed_containers_operator_configured/rule.yml new file mode 100644 index 00000000000..265226dc8a7 --- /dev/null +++ b/applications/openshift/general/sandboxed_containers_operator_configured/rule.yml @@ -0,0 +1,41 @@ + +title: Ensure that Sandboxed Containers Operator is Configured + +description: |- + {{{ weblink(link="https://docs.redhat.com/en/documentation/openshift_sandboxed_containers/1.7", + text="The Sandboxed Containers Operator") }}} + provides containers with a dedicated kernel by running them in a virtual machine. This allows for extended separation, as no kernel is shared. This is done by using RHCOS cluster extension and is only available on RHCOS nodes. + + It is only active, if it is correctly configured with a KataConfig AND you configured each pod spec with
runtimeClassName: kata
. + + Be advised, that on AWS, Azure, IBM Z and IBM LinuxOne you need to enable PeerPods and confiugre additional resources. + +rationale: |- + Using separate kernels for each container provides for better isolation, and makes it harder for adveseries to move laterally to other containers or the container-host. + +severity: medium + +identifiers: + cce@ocp4: CCE-87430-5 + +ocil_clause: 'Sandboxed Containers Operator is not configured' + +ocil: |- + Run the following command to check if a KataConfig for the cluster exists: +
$ oc get kataconfigs openshift-sandboxed-containers-operator
+ Make sure at least one KataConfig exists. + +warnings: +- general: |- + {{{ openshift_cluster_setting("/apis/kataconfiguration.openshift.io/v1/kataconfigs?limit=5") | indent(4) }}} + +template: + name: yamlfile_value + vars: + ocp_data: "true" + filepath: /apis/kataconfiguration.openshift.io/v1/kataconfigs?limit=5 + yamlpath: ".items[:].metadata.name" + entity_check: "at least one" + values: + - value: ".*" + operation: "pattern match" diff --git a/applications/openshift/general/sandboxed_containers_operator_configured/tests/ocp4/e2e-remediation.sh b/applications/openshift/general/sandboxed_containers_operator_configured/tests/ocp4/e2e-remediation.sh new file mode 100755 index 00000000000..55a5e6035ac --- /dev/null +++ b/applications/openshift/general/sandboxed_containers_operator_configured/tests/ocp4/e2e-remediation.sh @@ -0,0 +1,27 @@ +#!/bin/bash +set -xe + +echo "installing sandboxed-containers-operator" +oc apply -f ${ROOT_DIR}/ocp-resources/e2e/sandboxed-containers-install.yaml --server-side=true + +sleep 30 + +echo "waiting for sandboxed-containers-operator deployment to exist" +while [ -z "$(oc get -n openshift-sandboxed-containers-operator --ignore-not-found deployment/controller-manager)" ]; do + sleep 3 +done + +# we need to wait for the pods to be ready, otherwise there is no webhook endpoint +# for the kataconfig +echo "waiting for sandboxed-containers-operator pods to be ready" +oc wait -n openshift-sandboxed-containers-operator --for=condition=ContainersReady=true \ +--timeout=300s pods -l control-plane=controller-manager + +echo "configuring kataconfig" +oc apply -f ${ROOT_DIR}/ocp-resources/e2e/sandboxed-containers-instance.yaml --server-side=true + +echo "check, that the mcp was updated" +oc wait --for=condition=Updated --timeout=3600s machineconfigpool/kata-oc + +echo "waiting for the cluster to become stable" +oc adm wait-for-stable-cluster --minimum-stable-period 1m 
diff --git a/applications/openshift/general/sandboxed_containers_operator_configured/tests/ocp4/e2e.yml b/applications/openshift/general/sandboxed_containers_operator_configured/tests/ocp4/e2e.yml new file mode 100644 index 00000000000..fd9b313e87b --- /dev/null +++ b/applications/openshift/general/sandboxed_containers_operator_configured/tests/ocp4/e2e.yml @@ -0,0 +1,3 @@ +--- +default_result: FAIL +result_after_remediation: PASS diff --git a/applications/openshift/general/sandboxed_containers_operator_exists/rule.yml b/applications/openshift/general/sandboxed_containers_operator_exists/rule.yml index e61f83373da..85808b837b0 100644 --- a/applications/openshift/general/sandboxed_containers_operator_exists/rule.yml +++ b/applications/openshift/general/sandboxed_containers_operator_exists/rule.yml @@ -7,7 +7,7 @@ description: |- provides containers with a dedicated kernel by running them in a virtual machine. This allows for extended separation, as no kernel is shared. This is done by using RHCOS cluster extension and is only available on RHCOS nodes. rationale: |- - Using separate Kernels for each container provides for better isolation, and makes it harder for adveseries to move laterally to other containers or the host. + Using separate kernels for each container provides for better isolation, and makes it harder for adveseries to move laterally to other containers or the container-host. severity: medium diff --git a/ocp-resources/e2e/sandboxed-containers-instance.yaml b/ocp-resources/e2e/sandboxed-containers-instance.yaml new file mode 100644 index 00000000000..1c44b70c7fe --- /dev/null +++ b/ocp-resources/e2e/sandboxed-containers-instance.yaml @@ -0,0 +1,12 @@ +apiVersion: kataconfiguration.openshift.io/v1 +kind: KataConfig +metadata: + name: example-kataconfig +spec: + checkNodeEligibility: false + enablePeerPods: false + kataConfigPoolSelector: + matchExpressions: + - key: node-role.kubernetes.io/worker + operator: Exists + logLevel: info 
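Review bot: `checkNodeEligibility: false` disables the operator's pre-check that a selected node can run the kata runtime, and the selector `node-role.kubernetes.io/worker` / `Exists` then pulls every worker into the `kata-oc` pool and reboot; a comment stating why the e2e skips the eligibility check (for example, that the CI workers are known to support virtualization) would stop someone from copying this fixture into a real environment unchanged. The file also lacks the `---` document start that the sibling `sandboxed-containers-install.yaml` in PATCH 4 uses; `logLevel: info` is unquoted like the other plain scalars, which is consistent.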
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index c3acec4a97c..d082e2e2dcb 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -520,7 +520,6 @@ CCE-87419-8
 CCE-87422-2
 CCE-87426-3
 CCE-87427-1
-CCE-87430-5
 CCE-87431-3
 CCE-87432-1
 CCE-87434-7

From c880d3bbfc5d03a165fed83e5f0b5f83a9c71d95 Mon Sep 17 00:00:00 2001
From: sluetze <13255307+sluetze@users.noreply.github.com>
Date: Mon, 14 Oct 2024 18:43:53 +0200
Subject: [PATCH 6/6] Defined notes and rules for BSI SYS.1.6.A26

---
 controls/bsi_sys_1_6.yml | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/controls/bsi_sys_1_6.yml b/controls/bsi_sys_1_6.yml
index 2eddfe2762d..51e136110ef 100644
--- a/controls/bsi_sys_1_6.yml
+++ b/controls/bsi_sys_1_6.yml
@@ -589,13 +589,18 @@ controls: levels: - elevated description: >- - If further isolation and encapsulation of containers is required, the following measures + (1) If further isolation and encapsulation of containers is required, the following measures SHOULD be considered for increased effectiveness: - • Fixed assignment of containers to container hosts - • Execution of the individual containers and/or the container host by means of + (2) • Fixed assignment of containers to container hosts + (3) • Execution of the individual containers and/or the container host by means of hypervisors - • Fixed assignment of a single container to a single container host + (4) • Fixed assignment of a single container to a single container host notes: >- - ToDo + Section 1,2,4: OpenShift offers the option of binding containers (in pods) to specific nodes using node labels and node selectors in the deployment descriptors. Section 3: These can also be made available as virtual machines via hypervisors (via IaaS or via OpenShift Sandboxes). This implements all three assignments mentioned in the requirement. status: manual - #rules: + rules: + # Section 1,2,4 + - general_node_separation + # Section 3 + - sandboxed_containers_operator_exists + - sandboxed_containers_operator_configured
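Review bot: `status: manual` is kept while a `rules:` list is added, whereas the SYS.1.6.A17 control in PATCH 2 switched to `status: partial` when it gained rules; the two controls should be marked the same way, so change this line to `status: partial`. The note's closing sentence "This implements all three assignments mentioned in the requirement" over-claims: node labels and node selectors give fixed assignment of containers to hosts, bullet (2), but bullet (4), one container per host, additionally needs dedicated nodes (taints or anti-affinity) that `general_node_separation` does not by itself guarantee — I would reword to "This addresses assignments (2) and (3); (4) additionally requires dedicated nodes", subject to what that rule actually checks. The folded `Section 1,2,4:` and `Section 3:` notes are on one physical line here while the A17 notes in PATCH 1 put each section on its own line; the same layout would help diffs.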