From 6decd720af69fbfbecca21adbd04be668dd7ef99 Mon Sep 17 00:00:00 2001
From: sluetze <13255307+sluetze@users.noreply.github.com>
Date: Tue, 16 Jul 2024 09:13:02 +0200
Subject: [PATCH] switch to automatic reference system
---
 .../openshift/api-server/api_server_anonymous_auth/rule.yml | 1 -
 .../openshift/general/general_namespace_separation/rule.yml | 3 ---
 .../openshift/general/general_node_separation/rule.yml | 3 ---
 applications/openshift/general/kubeadmin_removed/rule.yml | 1 -
 applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml | 1 -
 applications/openshift/rbac/rbac_least_privilege/rule.yml | 1 -
 .../ocp_insecure_allowed_registries_for_import/rule.yml | 1 -
 .../openshift/registry/ocp_insecure_registries/rule.yml | 1 -
 .../scansetting_has_autoapplyremediations/rule.yml | 3 ---
 .../risk-assessment/scansettingbinding_exists/rule.yml | 1 -
 .../risk-assessment/scansettings_have_schedule/rule.yml | 1 -
 .../openshift/scc/scc_limit_host_dir_volume_plugin/rule.yml | 1 -
 applications/openshift/scc/scc_limit_ipc_namespace/rule.yml | 1 -
 .../openshift/scc/scc_limit_net_raw_capability/rule.yml | 1 -
 .../openshift/scc/scc_limit_network_namespace/rule.yml | 1 -
 .../openshift/scc/scc_limit_privileged_containers/rule.yml | 1 -
 .../openshift/scc/scc_limit_process_id_namespace/rule.yml | 1 -
 applications/openshift/scc/scc_limit_root_containers/rule.yml | 1 -
 controls/bsi_app_4_4.yml | 2 ++
 .../selinux/coreos_enable_selinux_kernel_argument/rule.yml | 1 -
 linux_os/guide/system/selinux/selinux_policytype/rule.yml | 1 -
 linux_os/guide/system/selinux/selinux_state/rule.yml | 1 -
 22 files changed, 2 insertions(+), 27 deletions(-)
diff --git a/applications/openshift/api-server/api_server_anonymous_auth/rule.yml b/applications/openshift/api-server/api_server_anonymous_auth/rule.yml
index 14dec34c9368..e2f4dcf67019 100644
--- a/applications/openshift/api-server/api_server_anonymous_auth/rule.yml
+++ b/applications/openshift/api-server/api_server_anonymous_auth/rule.yml
@@ -34,7 +34,6 @@ rationale: |-
 severity: medium
 references:
- bsi: APP.4.4.A3
 cis@ocp4: 1.2.1
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/general/general_namespace_separation/rule.yml b/applications/openshift/general/general_namespace_separation/rule.yml
index 2fa4284870e8..c1b12e0fb702 100644
--- a/applications/openshift/general/general_namespace_separation/rule.yml
+++ b/applications/openshift/general/general_namespace_separation/rule.yml
@@ -11,9 +11,6 @@ rationale: |-
 level. It also allows you control the network flow from and to other namespaces more easily.
-references:
- bsi: APP.4.4.A1
-
 severity: medium
 identifiers:
diff --git a/applications/openshift/general/general_node_separation/rule.yml b/applications/openshift/general/general_node_separation/rule.yml
index 625aa0cad47a..bb74983a1df0 100644
--- a/applications/openshift/general/general_node_separation/rule.yml
+++ b/applications/openshift/general/general_node_separation/rule.yml
@@ -17,9 +17,6 @@ rationale: |-
 follow less strict requirements. An adversary which attacked a lighter protected workload now has additional obstacles for their movement towards the higher protected workloads.
-references:
- bsi: APP.4.4.A14,APP.4.4.A15
-
 severity: medium
 identifiers:
diff --git a/applications/openshift/general/kubeadmin_removed/rule.yml b/applications/openshift/general/kubeadmin_removed/rule.yml
index c97efa6d39ad..93fcb721b73c 100644
--- a/applications/openshift/general/kubeadmin_removed/rule.yml
+++ b/applications/openshift/general/kubeadmin_removed/rule.yml
@@ -22,7 +22,6 @@ identifiers:
 cce@ocp4: CCE-90387-2
 references:
- bsi: APP.4.4.A3
 cis@ocp4: 3.1.1,5.1.1
 nerc-cip: CIP-004-6 R2.2.2,CIP-004-6 R2.2.3,CIP-007-3 R.1.3,CIP-007-3 R2,CIP-007-3 R5,CIP-007-3 R5.1.1,CIP-007-3 R5.1.3,CIP-007-3 R5.2.1,CIP-007-3 R5.2.3,CIP-007-3 R6.1,CIP-007-3 R6.2,CIP-007-3 R6.3,CIP-007-3 R6.4
 nist: AC-2(2),AC-2(7),AC-2(9),AC-2(10),AC-12(1),IA-2(5),MA-4,SC-12(1)
diff --git a/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml b/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml
index 5282464314a9..fb5bd9353e6d 100644
--- a/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml
+++ b/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml
@@ -35,7 +35,6 @@ rationale: |-
 severity: medium
 references:
- bsi: APP.4.4.A3
 cis@eks: 3.2.1
 cis@ocp4: 4.2.2
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
diff --git a/applications/openshift/rbac/rbac_least_privilege/rule.yml b/applications/openshift/rbac/rbac_least_privilege/rule.yml
index 5dce32016e28..277343e6e3b2 100644
--- a/applications/openshift/rbac/rbac_least_privilege/rule.yml
+++ b/applications/openshift/rbac/rbac_least_privilege/rule.yml
@@ -26,7 +26,6 @@ identifiers:
 cce@ocp4: CCE-90678-4
 references:
- bsi: APP.4.4.A3,APP.4.4.A7,APP.4.4.A9
 cis@ocp4: 5.2.10
 nist: AC-3,CM-5(6),IA-2,IA-2(5),AC-6(10),CM-11(2),CM-5(1),CM-7(5)(b)
 srg: SRG-APP-000033-CTR-000090,SRG-APP-000033-CTR-000095,SRG-APP-000033-CTR-000100,SRG-APP-000133-CTR-000290,SRG-APP-000133-CTR-000295,SRG-APP-000133-CTR-000300,SRG-APP-000133-CTR-000305,SRG-APP-000133-CTR-000310,SRG-APP-000148-CTR-000350,SRG-APP-000153-CTR-000375,SRG-APP-000340-CTR-000770,SRG-APP-000378-CTR-000880,SRG-APP-000378-CTR-000885,SRG-APP-000378-CTR-000890,SRG-APP-000380-CTR-000900,SRG-APP-000386-CTR-000920
diff --git a/applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml b/applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml
index 8e8b2ca47a69..cbb7dc2feb38 100644
--- a/applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml
+++ b/applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml
@@ -30,7 +30,6 @@ identifiers:
 cce@ocp4: CCE-86235-9
 references:
- bsi: APP.4.4.A12
 cis@ocp4: '5.5.1'
 nist: CM-5(3)
 srg: SRG-APP-000014-CTR-000035
diff --git a/applications/openshift/registry/ocp_insecure_registries/rule.yml b/applications/openshift/registry/ocp_insecure_registries/rule.yml
index 9407e34646d8..955b671d2873 100644
--- a/applications/openshift/registry/ocp_insecure_registries/rule.yml
+++ b/applications/openshift/registry/ocp_insecure_registries/rule.yml
@@ -26,7 +26,6 @@ identifiers:
 cce@ocp4: CCE-86123-7
 references:
- bsi: APP.4.4.A12
 cis@ocp4: '5.5.1'
 nist: CM-5(3)
 srg: SRG-APP-000014-CTR-000035
diff --git a/applications/openshift/risk-assessment/scansetting_has_autoapplyremediations/rule.yml b/applications/openshift/risk-assessment/scansetting_has_autoapplyremediations/rule.yml
index 6d065facce26..cbcf36c1fdf7 100644
--- a/applications/openshift/risk-assessment/scansetting_has_autoapplyremediations/rule.yml
+++ b/applications/openshift/risk-assessment/scansetting_has_autoapplyremediations/rule.yml
@@ -26,9 +26,6 @@ ocil: |-
 filter will return at least one 'true'. Run the following jq query to identify the non-compliant scansettings objects:
oc get scansettings -ojson | jq -r '[.items[] | select(.autoApplyRemediation != "" or .autoApplyRemediation != null) | .metadata.name]'
-references:
- bsi: APP.4.4.A13
-
 severity: medium
 warnings:
diff --git a/applications/openshift/risk-assessment/scansettingbinding_exists/rule.yml b/applications/openshift/risk-assessment/scansettingbinding_exists/rule.yml
index a75346dc09ff..1f2b34c6e046 100644
--- a/applications/openshift/risk-assessment/scansettingbinding_exists/rule.yml
+++ b/applications/openshift/risk-assessment/scansettingbinding_exists/rule.yml
@@ -17,7 +17,6 @@ identifiers:
 cce@ocp4: CCE-83697-3
 references:
- bsi: APP.4.4.A13
 nerc-cip: CIP-003-8 R1.3,CIP-003-8 R4.3,CIP-003-8 R6,CIP-004-6 4.1,CIP-004-6 4.2,CIP-004-6 R3,CIP-004-6 R4,CIP-004-6 R4.2,CIP-005-6 R1,CIP-005-6 R1.1,CIP-005-6 R1.2,CIP-007-3 R3,CIP-007-3 R3.1,CIP-007-3 R6.1,CIP-007-3 R8.4
 nist: CM-6,CM-6(1),RA-5,RA-5(5),SA-4(8)
 pcidss: Req-2.2.4
diff --git a/applications/openshift/risk-assessment/scansettings_have_schedule/rule.yml b/applications/openshift/risk-assessment/scansettings_have_schedule/rule.yml
index df1248a4866f..0f9444ea4248 100644
--- a/applications/openshift/risk-assessment/scansettings_have_schedule/rule.yml
+++ b/applications/openshift/risk-assessment/scansettings_have_schedule/rule.yml
@@ -18,7 +18,6 @@ identifiers:
 cce@ocp4: CCE-90762-6
 references:
- bsi: APP.4.4.A13
 nist: SI-6(b)
 srg: SRG-APP-000473-CTR-001175
diff --git a/applications/openshift/scc/scc_limit_host_dir_volume_plugin/rule.yml b/applications/openshift/scc/scc_limit_host_dir_volume_plugin/rule.yml
index 2a1f2bb877e1..a647219e09f5 100644
--- a/applications/openshift/scc/scc_limit_host_dir_volume_plugin/rule.yml
+++ b/applications/openshift/scc/scc_limit_host_dir_volume_plugin/rule.yml
@@ -21,7 +21,6 @@ identifiers:
 cce@ocp4: CCE-86255-7
 references:
- bsi: APP.4.4.A4,APP.4.4.A9
 cis@ocp4: 5.2.12
 nist: AC-6,AC-6(1)
 srg: SRG-APP-000142-CTR-000330
diff --git a/applications/openshift/scc/scc_limit_ipc_namespace/rule.yml b/applications/openshift/scc/scc_limit_ipc_namespace/rule.yml
index e8bc677ac735..4b4c512716de 100644
--- a/applications/openshift/scc/scc_limit_ipc_namespace/rule.yml
+++ b/applications/openshift/scc/scc_limit_ipc_namespace/rule.yml
@@ -21,7 +21,6 @@ identifiers:
 cce@ocp4: CCE-84042-1
 references:
- bsi: APP.4.4.A4,APP.4.4.A9
 cis@ocp4: 5.2.3
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/scc/scc_limit_net_raw_capability/rule.yml b/applications/openshift/scc/scc_limit_net_raw_capability/rule.yml
index 2548821254d3..9404c6e54145 100644
--- a/applications/openshift/scc/scc_limit_net_raw_capability/rule.yml
+++ b/applications/openshift/scc/scc_limit_net_raw_capability/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
 severity: medium
 references:
- bsi: APP.4.4.A4,APP.4.4.A9
 cis@ocp4: 5.2.7
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/scc/scc_limit_network_namespace/rule.yml b/applications/openshift/scc/scc_limit_network_namespace/rule.yml
index bdc31e9a2289..91c795a992df 100644
--- a/applications/openshift/scc/scc_limit_network_namespace/rule.yml
+++ b/applications/openshift/scc/scc_limit_network_namespace/rule.yml
@@ -21,7 +21,6 @@ identifiers:
 cce@ocp4: CCE-83492-9
 references:
- bsi: APP.4.4.A4,APP.4.4.A9
 cis@ocp4: 5.2.4
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/scc/scc_limit_privileged_containers/rule.yml b/applications/openshift/scc/scc_limit_privileged_containers/rule.yml
index 763a38072151..bd6c5e43072e 100644
--- a/applications/openshift/scc/scc_limit_privileged_containers/rule.yml
+++ b/applications/openshift/scc/scc_limit_privileged_containers/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
 severity: medium
 references:
- bsi: APP.4.4.A4,APP.4.4.A9
 cis@ocp4: 5.2.1
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/scc/scc_limit_process_id_namespace/rule.yml b/applications/openshift/scc/scc_limit_process_id_namespace/rule.yml
index 3b6b459d74e2..44e38b05edfc 100644
--- a/applications/openshift/scc/scc_limit_process_id_namespace/rule.yml
+++ b/applications/openshift/scc/scc_limit_process_id_namespace/rule.yml
@@ -17,7 +17,6 @@ rationale: |-
 severity: medium
 references:
- bsi: APP.4.4.A4,APP.4.4.A9
 cis@ocp4: 5.2.2
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/scc/scc_limit_root_containers/rule.yml b/applications/openshift/scc/scc_limit_root_containers/rule.yml
index 29c4ca3ed4bc..df5727c4cd29 100644
--- a/applications/openshift/scc/scc_limit_root_containers/rule.yml
+++ b/applications/openshift/scc/scc_limit_root_containers/rule.yml
@@ -25,7 +25,6 @@ rationale: |-
 severity: medium
 references:
- bsi: APP.4.4.A4,APP.4.4.A9
 cis@ocp4: 5.2.6
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml
index 897828dda6fc..80221e688016 100644
--- a/controls/bsi_app_4_4.yml
+++ b/controls/bsi_app_4_4.yml
@@ -18,6 +18,8 @@ levels:
 inherits_from:
 - standard
+reference_type: bsi
+
 controls:
 - id: APP.4.4.A1
 title: Planning the Separation of the Applications
diff --git a/linux_os/guide/system/selinux/coreos_enable_selinux_kernel_argument/rule.yml b/linux_os/guide/system/selinux/coreos_enable_selinux_kernel_argument/rule.yml
index 15804c10fa89..23972e5939d7 100644
--- a/linux_os/guide/system/selinux/coreos_enable_selinux_kernel_argument/rule.yml
+++ b/linux_os/guide/system/selinux/coreos_enable_selinux_kernel_argument/rule.yml
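Review bot: The `bsi:` entries deleted from the rule files are only recovered through the new `reference_type: bsi` key if each rule is listed under the matching control in this file, and the controls/bsi_app_4_4.yml hunk shows the new key but none of the control bodies, so please confirm the mapping is complete for every control id removed elsewhere in this patch (APP.4.4.A1, A3, A4, A7, A9, A12, A13, A14 and A15) — general_node_separation (A14, A15) and rbac_least_privilege (A3, A7, A9) carried multi-control references that are easy to lose silently. The three linux_os/guide/system/selinux rules also dropped `bsi: APP.4.4.A4`; if this control file is loaded only for the OpenShift products, their BSI reference presumably disappears from other product builds, which is worth checking before merge. A one-line comment above the new key, `# BSI references are generated from the controls below; rule.yml files must not carry bsi: entries`, would document the switch for future rule authors.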
@@ -19,7 +19,6 @@ identifiers:
 cce@rhcos4: CCE-83899-5
 references:
- bsi: APP.4.4.A4
 cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9
 cobit5: APO01.06,APO11.04,APO13.01,BAI03.05,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.03,DSS06.06,MEA02.01
 cui: 3.1.2,3.7.2
diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
index 89a14423ab8c..67579503d893 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
@@ -35,7 +35,6 @@ identifiers:
 cce@sle15: CCE-91445-7
 references:
- bsi: APP.4.4.A4
 cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9
 cobit5: APO01.06,APO11.04,APO13.01,BAI03.05,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.03,DSS06.06,MEA02.01
 cui: 3.1.2,3.7.2
diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml
index f53f6bae9291..5c6ac2894642 100644
--- a/linux_os/guide/system/selinux/selinux_state/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_state/rule.yml
@@ -28,7 +28,6 @@ identifiers:
 cce@sle15: CCE-91446-5
 references:
- bsi: APP.4.4.A4
 cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9
 cobit5: APO01.06,APO11.04,APO13.01,BAI03.05,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.03,DSS06.06,MEA02.01
 cui: 3.1.2,3.7.2