Merge pull request #55 from sig-bsi-grundschutz/app-4-4-A6-7

App 4 4 a6 7

applications/openshift/networking/configure_network_policies/rule.yml

@@ -17,6 +17,7 @@ rationale: |-
 severity: high
 
 references:
+    bsi: APP.4.4.A7
     cis@ocp4: 5.3.1
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

applications/openshift/networking/configure_network_policies_namespaces/rule.yml

@@ -17,6 +17,7 @@ rationale: |-
 severity: high
 
 references:
+    bsi: APP.4.4.A7
     cis@eks: 4.3.2
     cis@ocp4: 5.3.2
     nerc-cip: CIP-003-8 R4,CIP-003-8 R4.2,CIP-003-8 R5,CIP-003-8 R6,CIP-004-6 R2.2.4,CIP-004-6 R3,CIP-007-3 R2,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R6.1

applications/openshift/networking/project_config_and_template_network_policy/rule.yml

@@ -58,6 +58,7 @@ identifiers:
       cce@ocp4: CCE-86070-0
 
 references:
+    bsi: APP.4.4.A7
     srg: SRG-APP-000039-CTR-000110
 
 warnings:

applications/openshift/rbac/rbac_least_privilege/rule.yml

@@ -26,7 +26,7 @@ identifiers:
   cce@ocp4: CCE-90678-4
 
 references:
-    bsi: APP.4.4.A3
+    bsi: APP.4.4.A3,APP.4.4.A7
     cis@ocp4: 5.2.10
     nist: AC-3,CM-5(6),IA-2,IA-2(5),AC-6(10),CM-11(2),CM-5(1),CM-7(5)(b)
     srg: SRG-APP-000033-CTR-000090,SRG-APP-000033-CTR-000095,SRG-APP-000033-CTR-000100,SRG-APP-000133-CTR-000290,SRG-APP-000133-CTR-000295,SRG-APP-000133-CTR-000300,SRG-APP-000133-CTR-000305,SRG-APP-000133-CTR-000310,SRG-APP-000148-CTR-000350,SRG-APP-000153-CTR-000375,SRG-APP-000340-CTR-000770,SRG-APP-000378-CTR-000880,SRG-APP-000378-CTR-000885,SRG-APP-000378-CTR-000890,SRG-APP-000380-CTR-000900,SRG-APP-000386-CTR-000920

controls/bsi_app_4_4.yml

@@ -173,35 +173,45 @@ controls:
     levels:
     - standard
     description: >-
-      If an initialisation (e.g. of an application) takes place in a pod at start-up, this SHOULD take
-      place in a separate Init container. It SHOULD be ensured that the initialisation terminates all
-      processes that are already running. Kubernetes SHOULD ONLY start the other containers if
-      the initialisation is successful.
+      If an initialisation (e.g. of an application) takes place in a pod at start-up, this SHOULD take place in a separate Init container. It SHOULD be ensured that the initialisation terminates all processes that are already running. Kubernetes SHOULD ONLY start the other containers if the initialisation is successful.
     notes: >-
-      TBD
-    status: pending
+      OpenShift provides the necessary resource configurations via Kubernetes. Kubernetes ensures the (process) dependencies between init containers and “normal” containers of a pod.
+
+      The requirement must be implemented by application development.
+    status: inherently met
     rules: []
 
   - id: APP.4.4.A7
     title: Separation of Networks for Kubernetes
     levels:
     - standard
     description: >-
-      Networks for the administration of nodes, the control plane, and the individual networks of
-      application services SHOULD be separated.
-      Only the network ports of the pods necessary for operation SHOULD be released into the
-      designated networks. If a Kubernetes cluster contains multiple applications, all the network
-      connections between the Kubernetes namespaces SHOULD first be prohibited and only
-      required network connections permitted (whitelisting). The network ports necessary for the
-      administration of the nodes, the runtime, and Kubernetes (including its extensions) SHOULD
-      ONLY be accessible from the corresponding administration network and from pods that need
-      them.
-      Only selected administrators SHOULD be authorised in Kubernetes to manage the CNI and
-      create or change rules for the network.
+      (1) Networks for the administration of nodes, the control plane, and the individual networks of application services SHOULD be separated.
+      (2) Only the network ports of the pods necessary for operation SHOULD be released into the designated networks. (3) If a Kubernetes cluster contains multiple applications, all the network connections between the Kubernetes namespaces SHOULD first be prohibited and only required network connections permitted (whitelisting). (4) The network ports necessary for the administration of the nodes, the runtime, and Kubernetes (including its extensions) SHOULD ONLY be accessible from the corresponding administration network and from pods that need them.
+      (5) Only selected administrators SHOULD be authorised in Kubernetes to manage the CNI and create or change rules for the network.
     notes: >-
-      TBD
-    status: pending
-    rules: []
+      Section 1-3:
+      The requirements for restricting network ports and network connections between Kubernetes namespaces are already supported by OpenShift as standard using network policies and the option for default network policies (security by design).
+
+      The separation of the management network can also be implemented at the namespace level via network policies (incoming, the responsibility of the namespace administrator) and egress firewalls (outgoing, the responsibility of the cluster admins).
+
+      Externally exposed services can receive their own IP and thus data traffic can also be separated outside the platform. Inter-node communication is carried out via suitable tunnel protocols (VXLAN, GENEVE) and can also be encrypted using IPSec.
+
+      The determination of the necessary network policies for applications is supported by the network policy generator in ACS.
+      Section 4 is true by default
+      Section 5 maps to principle of least privilege
+    status: partial
+    rules:
+      # Section 1
+      # Section 2
+      - configure_network_policies
+      - configure_network_policies_namespaces
+      # Section 3
+      - project_config_and_template_network_policy
+      # Section 4, default
+      # Section 5
+      - rbac_least_privilege
+
 
   - id: APP.4.4.A8
     title: Securing Configuration Files on Kubernetes