From 1b5f76e2a207960aa3588fb798ee7d9015f5f74d Mon Sep 17 00:00:00 2001
From: Benjamin Ruland
Date: Mon, 18 Dec 2023 15:50:41 +0100
Subject: [PATCH] Define notes and rules for BSI APP.4.4.A12
---
 .../ocp_insecure_allowed_registries_for_import/rule.yml | 1 +
 .../openshift/registry/ocp_insecure_registries/rule.yml | 1 +
 controls/bsi_app_4_4.yml | 9 ++++++---
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml b/applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml
index 96ad5d0e3d6a..8fdf6b10ba24 100644
--- a/applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml
+++ b/applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml
@@ -34,6 +34,7 @@ references:
 cis@ocp4: '5.5.1'
 nist: CM-5(3)
 srg: SRG-APP-000014-CTR-000035
+ bsi: APP.4.4.A12
 ocil_clause: 'allowedRegistriesForImport is configured with insecure option for image access'
diff --git a/applications/openshift/registry/ocp_insecure_registries/rule.yml b/applications/openshift/registry/ocp_insecure_registries/rule.yml
index 7a377c760ed2..d3fedd64f5f7 100644
--- a/applications/openshift/registry/ocp_insecure_registries/rule.yml
+++ b/applications/openshift/registry/ocp_insecure_registries/rule.yml
@@ -30,6 +30,7 @@ references:
 cis@ocp4: '5.5.1'
 nist: CM-5(3)
 srg: SRG-APP-000014-CTR-000035
+ bsi: APP.4.4.A12
 ocil_clause: 'insecure registry sources is configured for image access'
diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml
index ef5d88264a09..ad3b96ae3667 100644
--- a/controls/bsi_app_4_4.yml
+++ b/controls/bsi_app_4_4.yml
@@ -217,9 +217,12 @@ controls:
 • Logging of changes
 • Regular data backups.
 notes: >-
- TBD
- status: pending
- rules: []
+ This requirement needs to be adressed in the respective separate systems.
+ However, one requirement can be checked automated: Encrypted communication all image registries.
+ status: automated
+ rules:
+ - ocp_insecure_registries
+ - ocp_insecure_allowed_registries_for_import
 - id: APP.4.4.A13
 title: Automated Configuration Auditing
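Review bot: `status: automated` claims more than the two listed rules deliver: the new notes themselves say APP.4.4.A12 is mostly handled in the separate systems and that only encrypted communication with image registries is checked, so the items visible in the description context (logging of changes, regular data backups) have no rule behind them. A compliance report built from this file would then show the control as covered once `ocp_insecure_registries` and `ocp_insecure_allowed_registries_for_import` pass. I would record it as `status: partial` (assuming the control schema used here accepts that value) and have the notes name what stays manual. The notes text also has slips worth fixing in the same change: `adressed` should be `addressed`, and `Encrypted communication all image registries` lacks a preposition, e.g. `encrypted communication with all image registries`. The A12 entry starts above the hunk, so its full description is not visible here.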