add rules for app.4.4.a13 section1

sig-bsi-grundschutz · Apr 16, 2024 · 5f11569 · 5f11569
1 parent 61b02e4
commit 5f11569
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 8 deletions.
diff --git a/applications/openshift/risk-assessment/scansettingbinding_exists/rule.yml b/applications/openshift/risk-assessment/scansettingbinding_exists/rule.yml
@@ -17,6 +17,7 @@ identifiers:
   cce@ocp4: CCE-83697-3
 
 references:
+  bsi: APP.4.4.A13
   nerc-cip: CIP-003-8 R1.3,CIP-003-8 R4.3,CIP-003-8 R6,CIP-004-6 4.1,CIP-004-6 4.2,CIP-004-6 R3,CIP-004-6 R4,CIP-004-6 R4.2,CIP-005-6 R1,CIP-005-6 R1.1,CIP-005-6 R1.2,CIP-007-3 R3,CIP-007-3 R3.1,CIP-007-3 R6.1,CIP-007-3 R8.4
   nist: CM-6,CM-6(1),RA-5,RA-5(5),SA-4(8)
   pcidss: Req-2.2.4

diff --git a/applications/openshift/risk-assessment/scansettings_have_schedule/rule.yml b/applications/openshift/risk-assessment/scansettings_have_schedule/rule.yml
@@ -18,6 +18,7 @@ identifiers:
   cce@ocp4: CCE-90762-6
 
 references:
+  bsi: APP.4.4.A13
   nist: SI-6(b)
   srg: SRG-APP-000473-CTR-001175
 

diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml
@@ -237,7 +237,7 @@ controls:
       start pods via automation software, this SHOULD be done for each group through separate
       processes that only have the rights necessary for the respective user group.
     notes: >-
-      This control needs to be adressed on an organizational level. All service accounts used by 
+      This control needs to be adressed on an organizational level. All service accounts used by
       automation software need to adhere to the principle of least privilege.
     status: not applicable
     rules: []
@@ -284,15 +284,15 @@ controls:
     levels:
     - elevated
     description: >-
-      There SHOULD be an automated audit that checks the settings of nodes, of Kubernetes, and of
-      the pods of applications against a defined list of allowed settings and standardised
-      benchmarks.
-      Kubernetes SHOULD enforce these established rules in each cluster by connecting appropriate
-      tools.
+      (1) There SHOULD be an automated audit that checks the settings of nodes, of Kubernetes, and of the pods of applications against a defined list of allowed settings and standardised benchmarks.
+      (2) Kubernetes SHOULD enforce these established rules in each cluster by connecting appropriate tools.
     notes: >-
-      TBD
+      Section 1 is addressed by the compliance operator itself. The standardized Benchmarks can be just the BSI Profile, or additionally a hardening standard like the CIS Benchmark.
+      Section 2 can be addressed by using auto-remediation of compliance-operator or for workloads by using Advanced Cluster Security or similar tools.
     status: pending
-    rules: []
+    rules:
+      - scansettingbinding_exists
+      - scansettings_have_schedule
 
   - id: APP.4.4.A14
     title: Use of Dedicated Nodes