From 1b70c4d117b0120861197b7dbde924c2c5d5028d Mon Sep 17 00:00:00 2001
From: Benjamin Ruland
Date: Wed, 6 Mar 2024 14:17:57 +0100
Subject: [PATCH] Defined notes and rules for BSI APP.4.4.A17

---
 .../api-server/api_server_client_ca/rule.yml | 1 +
 .../rule.yml | 1 +
 .../api_server_kubelet_client_cert/rule.yml | 1 +
 .../api_server_kubelet_client_key/rule.yml | 1 +
 .../api-server/api_server_tls_cert/rule.yml | 1 +
 .../api_server_tls_cipher_suites/rule.yml | 1 +
 .../api_server_tls_private_key/rule.yml | 1 +
 .../rule.yml | 1 +
 .../tls_version_check_apiserver/rule.yml | 1 +
 .../cluster_version_operator_exists/rule.yml | 1 +
 .../rule.yml | 1 +
 .../integrity/file_integrity_exists/rule.yml | 1 +
 .../kubelet_configure_client_ca/rule.yml | 1 +
 .../kubelet_configure_tls_cert/rule.yml | 1 +
 .../rule.yml | 1 +
 .../kubelet_configure_tls_key/rule.yml | 1 +
 .../rule.yml | 1 +
 .../file_groupowner_kubelet_conf/rule.yml | 1 +
 .../worker/file_groupowner_worker_ca/rule.yml | 1 +
 .../rule.yml | 1 +
 .../file_groupowner_worker_service/rule.yml | 1 +
 .../worker/file_owner_kubelet/rule.yml | 1 +
 .../worker/file_owner_kubelet_conf/rule.yml | 1 +
 .../worker/file_owner_worker_ca/rule.yml | 2 +
 .../file_owner_worker_kubeconfig/rule.yml | 1 +
 .../worker/file_owner_worker_service/rule.yml | 1 +
 .../worker/file_permissions_kubelet/rule.yml | 1 +
 .../file_permissions_kubelet_conf/rule.yml | 1 +
 .../file_permissions_worker_ca/rule.yml | 1 +
 .../rule.yml | 1 +
 .../file_permissions_worker_service/rule.yml | 1 +
 controls/bsi_app_4_4.yml | 58 +++++++++++++++++--
 32 files changed, 85 insertions(+), 5 deletions(-)

diff --git a/applications/openshift/api-server/api_server_client_ca/rule.yml b/applications/openshift/api-server/api_server_client_ca/rule.yml
index 71cee9acf7eb..a0c3580bd349 100644
--- a/applications/openshift/api-server/api_server_client_ca/rule.yml
+++ b/applications/openshift/api-server/api_server_client_ca/rule.yml
@@ -38,6 +38,7 @@ rationale: |-
 severity: medium
 references:
+ bsi: APP.4.4.A17
 cis@ocp4: 1.2.29
 nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
 nist: SC-8,SC-8(1),SC-8(2)
diff --git a/applications/openshift/api-server/api_server_https_for_kubelet_conn/rule.yml b/applications/openshift/api-server/api_server_https_for_kubelet_conn/rule.yml
index a1da41915df5..74bcc1b8a2a8 100644
--- a/applications/openshift/api-server/api_server_https_for_kubelet_conn/rule.yml
+++ b/applications/openshift/api-server/api_server_https_for_kubelet_conn/rule.yml
@@ -25,6 +25,7 @@ rationale: |-
 severity: medium
 references:
+ bsi: APP.4.4.A17
 cis: 1.2.4
 nerc-cip: CIP-003-8 R4.2,CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R5.1,CIP-007-3 R6.1
 nist: CM-6,CM-6(1),SC-8,SC-8(1)
diff --git a/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml b/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml
index c0e29775dcaa..d8775c0c90b5 100644
--- a/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml
+++ b/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml
@@ -39,6 +39,7 @@ platforms:
 severity: high
 references:
+ bsi: APP.4.4.A17
 cis@ocp4: 1.2.5
 nerc-cip: CIP-003-8 R4.2,CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R5.1,CIP-007-3 R6.1
 nist: CM-6,CM-6(1),SC-8,SC-8(1)
diff --git a/applications/openshift/api-server/api_server_kubelet_client_key/rule.yml b/applications/openshift/api-server/api_server_kubelet_client_key/rule.yml
index 7a3e46f95cd9..de58de48bb4d 100644
--- a/applications/openshift/api-server/api_server_kubelet_client_key/rule.yml
+++ b/applications/openshift/api-server/api_server_kubelet_client_key/rule.yml
@@ -39,6 +39,7 @@ platforms:
 severity: high
 references:
+ bsi: APP.4.4.A17
 cis@ocp4: 1.2.5
 nerc-cip: CIP-003-8 R4.2,CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R5.1,CIP-007-3 R6.1
 nist: CM-6,CM-6(1),SC-8,SC-8(1)
diff --git a/applications/openshift/api-server/api_server_tls_cert/rule.yml b/applications/openshift/api-server/api_server_tls_cert/rule.yml
index 53332478a6e0..590b66f56cd2 100644
--- a/applications/openshift/api-server/api_server_tls_cert/rule.yml
+++ b/applications/openshift/api-server/api_server_tls_cert/rule.yml
@@ -39,6 +39,7 @@ identifiers:
 severity: medium
 references:
+ bsi: APP.4.4.A17
 cis@ocp4: 1.2.28
 nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
 nist: SC-8,SC-8(1),SC-8(2)
diff --git a/applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml b/applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml
index b9eccfe8cdec..0e76ac52beb9 100644
--- a/applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml
+++ b/applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml
@@ -38,6 +38,7 @@ rationale: |-
 severity: medium
 references:
+ bsi: APP.4.4.A17
 cis@ocp4: 1.2.32
 nist: CM-6
 pcidss: Req-2.2,Req-2.2.3,Req-2.3
diff --git a/applications/openshift/api-server/api_server_tls_private_key/rule.yml b/applications/openshift/api-server/api_server_tls_private_key/rule.yml
index f0fc2363c6ca..7601d7951c5a 100644
--- a/applications/openshift/api-server/api_server_tls_private_key/rule.yml
+++ b/applications/openshift/api-server/api_server_tls_private_key/rule.yml
@@ -39,6 +39,7 @@ identifiers:
 severity: medium
 references:
+ bsi: APP.4.4.A17
 cis@ocp4: 1.2.28
 nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
 nist: SC-8,SC-8(1),SC-8(2)
diff --git a/applications/openshift/general/file_integrity_notification_enabled/rule.yml b/applications/openshift/general/file_integrity_notification_enabled/rule.yml
index 57e89ea09e29..a7e5c8c1e0be 100644
--- a/applications/openshift/general/file_integrity_notification_enabled/rule.yml
+++ b/applications/openshift/general/file_integrity_notification_enabled/rule.yml
@@ -15,6 +15,7 @@ identifiers:
 cce@ocp4: CCE-90572-9
 references:
+ bsi: APP.4.4.A17
 nist: SI-6,SI-7(2),SI-4(24)
 pcidss: Req-11.5.1,Req-12.10.5
diff --git a/applications/openshift/general/tls_version_check_apiserver/rule.yml b/applications/openshift/general/tls_version_check_apiserver/rule.yml
index be5d1277cdb7..029ed31398c4 100644
--- a/applications/openshift/general/tls_version_check_apiserver/rule.yml
+++ b/applications/openshift/general/tls_version_check_apiserver/rule.yml
@@ -23,6 +23,7 @@ identifiers:
 cce@ocp4: CCE-85863-9
 references:
+ bsi: APP.4.4.A17
 pcidss: Req-4.1
 platform: not ocp4-on-hypershift-hosted
diff --git a/applications/openshift/integrity/cluster_version_operator_exists/rule.yml b/applications/openshift/integrity/cluster_version_operator_exists/rule.yml
index 40b85bcbaffa..702a4e12e414 100644
--- a/applications/openshift/integrity/cluster_version_operator_exists/rule.yml
+++ b/applications/openshift/integrity/cluster_version_operator_exists/rule.yml
@@ -17,6 +17,7 @@ identifiers:
 cce@ocp4: CCE-90670-1
 references:
+ bsi: APP.4.4.A17
 nist: SA-10(1)
 srg: SRG-APP-000384-CTR-000915
diff --git a/applications/openshift/integrity/cluster_version_operator_verify_integrity/rule.yml b/applications/openshift/integrity/cluster_version_operator_verify_integrity/rule.yml
index cfd6151186d1..43b3c36c6492 100644
--- a/applications/openshift/integrity/cluster_version_operator_verify_integrity/rule.yml
+++ b/applications/openshift/integrity/cluster_version_operator_verify_integrity/rule.yml
@@ -15,6 +15,7 @@ identifiers:
 cce@ocp4: CCE-90671-9
 references:
+ bsi: APP.4.4.A17
 nist: SA-10(1)
 srg: SRG-APP-000384-CTR-000915
diff --git a/applications/openshift/integrity/file_integrity_exists/rule.yml b/applications/openshift/integrity/file_integrity_exists/rule.yml
index b3cac663ac5f..b22e58aabf56 100644
--- a/applications/openshift/integrity/file_integrity_exists/rule.yml
+++ b/applications/openshift/integrity/file_integrity_exists/rule.yml
@@ -18,6 +18,7 @@ identifiers:
 cce@ocp4: CCE-83657-7
 references:
+ bsi: APP.4.4.A17
 nerc-cip: CIP-003-8 R4.2,CIP-003-8 R6,CIP-007-3 R4,CIP-007-3 R4.1,CIP-007-3 R4.2
 nist: SC-4(23),SI-6,SI-7,SI-7(1),CM-6(a),SI-7(2),SI-4(24)
 pcidss: Req-10.5.5,Req-11.5
diff --git a/applications/openshift/kubelet/kubelet_configure_client_ca/rule.yml b/applications/openshift/kubelet/kubelet_configure_client_ca/rule.yml
index df0c6741d6e0..585fb758ece1 100644
--- a/applications/openshift/kubelet/kubelet_configure_client_ca/rule.yml
+++ b/applications/openshift/kubelet/kubelet_configure_client_ca/rule.yml
@@ -46,6 +46,7 @@ identifiers:
 cce@ocp4: CCE-83724-5
 references:
+ bsi: APP.4.4.A17
 cis@eks: 3.2.3
 cis@ocp4: 4.2.4
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml
index 28053c9ccf34..c3c49d10b469 100644
--- a/applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml
+++ b/applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml
@@ -30,6 +30,7 @@ platforms:
 - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16) and not ocp4-on-hypershift-hosted
 references:
+ bsi: APP.4.4.A17
 cis@ocp4: 4.2.9
 nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
 nist: SC-8,SC-8(1),SC-8(2)
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml
index 4dd35fdaa914..5eb20db16ebf 100644
--- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml
+++ b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml
@@ -40,6 +40,7 @@ identifiers:
 cce@ocp4: CCE-86030-4
 references:
+ bsi: APP.4.4.A17
 cis@ocp4: 4.2.12
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml
index 69593fe6dd4a..e225e86d63f5 100644
--- a/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml
+++ b/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml
@@ -30,6 +30,7 @@ platforms:
 - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16) and not ocp4-on-hypershift-hosted
 references:
+ bsi: APP.4.4.A17
 cis@ocp4: 4.2.9
 nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
 nist: SC-8,SC-8(1),SC-8(2)
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_min_version/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_min_version/rule.yml
index cd8973972c60..3753e709d64d 100644
--- a/applications/openshift/kubelet/kubelet_configure_tls_min_version/rule.yml
+++ b/applications/openshift/kubelet/kubelet_configure_tls_min_version/rule.yml
@@ -71,6 +71,7 @@ identifiers:
 cce@ocp4: CCE-86623-6
 references:
+ bsi: APP.4.4.A17
 nist: SC-8,SC-8(1)
 srg: SRG-APP-000014-CTR-000040,SRG-APP-000560-CTR-001340
diff --git a/applications/openshift/worker/file_groupowner_kubelet_conf/rule.yml b/applications/openshift/worker/file_groupowner_kubelet_conf/rule.yml
index 57bfbe483285..dc3a286e70d3 100644
--- a/applications/openshift/worker/file_groupowner_kubelet_conf/rule.yml
+++ b/applications/openshift/worker/file_groupowner_kubelet_conf/rule.yml
@@ -23,6 +23,7 @@ identifiers:
 cce@ocp4: CCE-84233-6
 references:
+ bsi: APP.4.4.A17
 cis@eks: 3.1.4
 cis@ocp4: 4.1.6
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
diff --git a/applications/openshift/worker/file_groupowner_worker_ca/rule.yml b/applications/openshift/worker/file_groupowner_worker_ca/rule.yml
index 38414d9fa4d6..e3c200195688 100644
--- a/applications/openshift/worker/file_groupowner_worker_ca/rule.yml
+++ b/applications/openshift/worker/file_groupowner_worker_ca/rule.yml
@@ -18,6 +18,7 @@ identifiers:
 cce@ocp4: CCE-83440-8
 references:
+ bsi: APP.4.4.A17
 cis@ocp4: 4.1.8
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/worker/file_groupowner_worker_kubeconfig/rule.yml b/applications/openshift/worker/file_groupowner_worker_kubeconfig/rule.yml
index aa1216029b04..2abf55b4d143 100644
--- a/applications/openshift/worker/file_groupowner_worker_kubeconfig/rule.yml
+++ b/applications/openshift/worker/file_groupowner_worker_kubeconfig/rule.yml
@@ -18,6 +18,7 @@ identifiers:
 cce@ocp4: CCE-83409-3
 references:
+ bsi: APP.4.4.A17
 cis@ocp4: 4.1.10
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/worker/file_groupowner_worker_service/rule.yml b/applications/openshift/worker/file_groupowner_worker_service/rule.yml
index 1ed92064a513..f4442d0f0b75 100644
--- a/applications/openshift/worker/file_groupowner_worker_service/rule.yml
+++ b/applications/openshift/worker/file_groupowner_worker_service/rule.yml
@@ -20,6 +20,7 @@ identifiers:
 cce@ocp4: CCE-83975-3
 references:
+ bsi: APP.4.4.A17
 cis@ocp4: 4.1.2
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/worker/file_owner_kubelet/rule.yml b/applications/openshift/worker/file_owner_kubelet/rule.yml
index 5bce6a47ce62..6d8a6b7496ea 100644
--- a/applications/openshift/worker/file_owner_kubelet/rule.yml
+++ b/applications/openshift/worker/file_owner_kubelet/rule.yml
@@ -20,6 +20,7 @@ identifiers:
 cce@ocp4: CCE-85900-9
 references:
+ bsi: APP.4.4.A17
 cis@ocp4: 4.1.6
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/worker/file_owner_kubelet_conf/rule.yml b/applications/openshift/worker/file_owner_kubelet_conf/rule.yml
index f262b9e779d2..364ce229ad72 100644
--- a/applications/openshift/worker/file_owner_kubelet_conf/rule.yml
+++ b/applications/openshift/worker/file_owner_kubelet_conf/rule.yml
@@ -24,6 +24,7 @@ identifiers:
 cce@ocp4: CCE-83976-1
 references:
+ bsi: APP.4.4.A17
 cis@eks: 3.1.4
 cis@ocp4: 4.1.6
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
diff --git a/applications/openshift/worker/file_owner_worker_ca/rule.yml b/applications/openshift/worker/file_owner_worker_ca/rule.yml
index 2cd85ac2901e..0d1902c929be 100644
--- a/applications/openshift/worker/file_owner_worker_ca/rule.yml
+++ b/applications/openshift/worker/file_owner_worker_ca/rule.yml
@@ -18,6 +18,8 @@ identifiers:
 cce@ocp4: CCE-83495-2
 references:
+ bsi: APP.4.4.A17
+ bsi: APP.4.4.A17
 cis@ocp4: 4.1.8
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/worker/file_owner_worker_kubeconfig/rule.yml b/applications/openshift/worker/file_owner_worker_kubeconfig/rule.yml
index baa3d32f589e..4d24dab27028 100644
--- a/applications/openshift/worker/file_owner_worker_kubeconfig/rule.yml
+++ b/applications/openshift/worker/file_owner_worker_kubeconfig/rule.yml
@@ -18,6 +18,7 @@ identifiers:
 cce@ocp4: CCE-83408-5
 references:
+ bsi: APP.4.4.A17
 cis@eks: 3.1.2
 cis@ocp4: 4.1.10
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
diff --git a/applications/openshift/worker/file_owner_worker_service/rule.yml b/applications/openshift/worker/file_owner_worker_service/rule.yml
index 9ab9b1902d44..faa89195b900 100644
--- a/applications/openshift/worker/file_owner_worker_service/rule.yml
+++ b/applications/openshift/worker/file_owner_worker_service/rule.yml
@@ -20,6 +20,7 @@ identifiers:
 cce@ocp4: CCE-84193-2
 references:
+ bsi: APP.4.4.A17
 cis@ocp4: 4.1.2
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/worker/file_permissions_kubelet/rule.yml b/applications/openshift/worker/file_permissions_kubelet/rule.yml
index 6e131af119eb..3d4e3f3d8062 100644
--- a/applications/openshift/worker/file_permissions_kubelet/rule.yml
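Review bot: The hunk for applications/openshift/worker/file_owner_worker_ca/rule.yml adds `bsi: APP.4.4.A17` twice under `references:`, which makes `bsi` a duplicate mapping key; YAML 1.2 forbids that, and loaders either reject the file or silently keep the last value, so the build tooling may fail on this rule or behave differently from the other 30 rule files in this patch. The diffstat's `2 +` for this one file is the tell. Drop one of the two added lines so the block reads `references:` / `bsi: APP.4.4.A17` / `cis@ocp4: 4.1.8`, matching the other rules. The references mapping may continue past the end of the hunk.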
+++ b/applications/openshift/worker/file_permissions_kubelet/rule.yml
@@ -23,6 +23,7 @@ identifiers:
 cce@ocp4: CCE-85896-9
 references:
+ bsi: APP.4.4.A17
 cis@ocp4: 4.1.5
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/worker/file_permissions_kubelet_conf/rule.yml b/applications/openshift/worker/file_permissions_kubelet_conf/rule.yml
index fe7f58b3c1a3..9df1bbe945ad 100644
--- a/applications/openshift/worker/file_permissions_kubelet_conf/rule.yml
+++ b/applications/openshift/worker/file_permissions_kubelet_conf/rule.yml
@@ -26,6 +26,7 @@ identifiers:
 cce@ocp4: CCE-83470-5
 references:
+ bsi: APP.4.4.A17
 cis@eks: 3.1.3
 cis@ocp4: 4.1.5
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
diff --git a/applications/openshift/worker/file_permissions_worker_ca/rule.yml b/applications/openshift/worker/file_permissions_worker_ca/rule.yml
index 55c9c89d0649..d4b43414cbc4 100644
--- a/applications/openshift/worker/file_permissions_worker_ca/rule.yml
+++ b/applications/openshift/worker/file_permissions_worker_ca/rule.yml
@@ -20,6 +20,7 @@ identifiers:
 cce@ocp4: CCE-83493-7
 references:
+ bsi: APP.4.4.A17
 cis@ocp4: 4.1.7
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/worker/file_permissions_worker_kubeconfig/rule.yml b/applications/openshift/worker/file_permissions_worker_kubeconfig/rule.yml
index 9ae997b0eef5..4ee5537119d2 100644
--- a/applications/openshift/worker/file_permissions_worker_kubeconfig/rule.yml
+++ b/applications/openshift/worker/file_permissions_worker_kubeconfig/rule.yml
@@ -29,6 +29,7 @@ identifiers:
 cce@ocp4: CCE-83509-0
 references:
+ bsi: APP.4.4.A17
 cis@eks: 3.1.1
 cis@ocp4: 4.1.9
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
diff --git a/applications/openshift/worker/file_permissions_worker_service/rule.yml b/applications/openshift/worker/file_permissions_worker_service/rule.yml
index dec05ebc4dbe..7449cab20175 100644
--- a/applications/openshift/worker/file_permissions_worker_service/rule.yml
+++ b/applications/openshift/worker/file_permissions_worker_service/rule.yml
@@ -21,6 +21,7 @@ identifiers:
 cce@ocp4: CCE-83455-6
 references:
+ bsi: APP.4.4.A17
 cis@ocp4: 4.1.1
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml
index 9b55dec984e1..c2e67e502420 100644
--- a/controls/bsi_app_4_4.yml
+++ b/controls/bsi_app_4_4.yml
@@ -412,13 +412,61 @@ controls:
 levels:
 - elevated
 description: >-
- Nodes SHOULD send a cryptographically secured (and, if possible, TPM-verified) status
- message to the control plane. The control plane SHOULD ONLY accept nodes into a cluster
+ (1) Nodes SHOULD send a cryptographically secured (and, if possible, TPM-verified) status
+ message to the control plane. (2) The control plane SHOULD ONLY accept nodes into a cluster
 that have successfully proven their integrity.
 notes: >-
- TBD
- status: pending
- rules: []
+ OpenShift Nodes are using Red Hat CoreOS (RHCOS) by default, an immutable operating system.
+ While RHEL is also supported for Compute Nodes, RHCOS is mandatory for Control Plane Nodes and
+ recommended for all nodes. The correct version and configuration of RHCOS is verified
+ cryptographically with the desired state, that is managed by the Control Plane using MachineConfigs.
+ Any manual change on managed files is overwritten to ensure the desired state. Therefore, the
+ control is mostly inheretly met when using CoreOS for all nodes.
+ Section 1: OpenShift uses an internal Certificate Authority (CA). The nodes (kubelet to API server
+ and MachineConfig daemon to MachineConfi server) are communicating using node-specific certificates,
+ signed by this CA. Correct permissions of relevant files and secure TLS configuration are verified
+ using the referenced rules.
+ Section 2: Using the Red Hat File Integrity Operator, all files on the RHCOS nodes can be
+ cryptographically checked for integrity using Advanced Intrusion Detection Environment (AIDE).
+ status: automated
+ rules:
+ # Section 1 (worker / kubelet)
+ - file_groupowner_kubelet_conf
+ - file_groupowner_worker_ca
+ - file_groupowner_worker_kubeconfig
+ - file_groupowner_worker_service
+ - file_owner_kubelet
+ - file_owner_kubelet_conf
+ - file_owner_worker_ca
+ - file_owner_worker_kubeconfig
+ - file_owner_worker_service
+ - file_permissions_kubelet
+ - file_permissions_kubelet_conf
+ - file_permissions_worker_ca
+ - file_permissions_worker_kubeconfig
+ - file_permissions_worker_service
+ - kubelet_configure_client_ca
+ - kubelet_configure_tls_cert
+ - kubelet_configure_tls_cipher_suites
+ - kubelet_configure_tls_key
+ - kubelet_configure_tls_min_version
+ # Section 1 (API Server)
+ - api_server_client_ca
+ - api_server_kubelet_client_cert
+ - api_server_kubelet_client_key
+ - api_server_https_for_kubelet_conn
+ - api_server_tls_cert
+ - api_server_tls_cipher_suites
+ - api_server_tls_private_key
+ - api_server_tls_security_profile_not_old
+ - tls_version_check_apiserver
+ # Section 2
+ - cluster_version_operator_exists
+ - cluster_version_operator_verify_integrity
+ - file_integrity_exists
+ - file_integrity_notification_enabled
 - id: APP.4.4.A18
 title: Use of Micro-Segmentation
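Review bot: `api_server_tls_security_profile_not_old` is listed under `# Section 1 (API Server)` in controls/bsi_app_4_4.yml, but it is the only one of the 32 listed rules whose rule.yml does not receive a `bsi: APP.4.4.A17` reference in this patch (the diffstat names 31 rule files), so the control list and that rule's `references:` block are inconsistent unless the reference already exists there. Two typos in the added notes text should be fixed as well: `inheretly` → `inherently` and `MachineConfi server` → `MachineConfig server`. The "Section 2" paragraph of the notes only describes the File Integrity Operator and AIDE, while the `# Section 2` rule list also includes `cluster_version_operator_exists` and `cluster_version_operator_verify_integrity`; a sentence explaining how the Cluster Version Operator rules contribute to requirement (2) would let readers map each rule to the requirement it supports. Setting `status: automated` while the notes themselves say the control is "mostly" inherently met, and the listed rules check file ownership, TLS settings and integrity detection rather than control-plane admission of attested nodes, may deserve a hedge in the notes; the control entry (its `- id:` and `title:` lines) starts before this hunk.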