add rules for APP.4.4.A15

sig-bsi-grundschutz · Apr 19, 2024 · 9bcd143 · 9bcd143
1 parent e559c4e
commit 9bcd143
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 6 deletions.
diff --git a/applications/openshift/general/general_node_separation/rule.yml b/applications/openshift/general/general_node_separation/rule.yml
@@ -0,0 +1,25 @@
+documentation_complete: true
+
+title: 'Create Boundaries between Resources using Nodes or Clusters'
+
+description: |-
+   Use Nodes or Clusters to isolate Workloads with high protection requirements.
+
+   Run the following command and review the pods and how they are deployed on Nodes. <pre>$ oc get pod -o=custom-columns=NAME:.metadata.name,NAMESPACE:.metadata.namespace,APP:.metadata.labels.app\.kubernetes\.io/name,NODE:.spec.nodeName --all-namespaces | grep -v "openshift-" </pre>
+   You can use labels or other data as custom field which helps you to identify parts of an application.
+   Ensure that Applications with high protection requirements are not colocated on Nodes or in Clusters with workloads of lower protection requirements.
+
+rationale: |-
+   Assigning workloads with high protection requirements to specific nodes creates and additional boundary (the node) between workloads of high protection requirements and workloads which might follow less strict requirements. An adversary which attacked a lighter protected workload now has additional obstacles for their movement towards the higher protected workloads.
+
+references:
+    bsi: APP.4.4.A15
+
+severity: medium
+
+ocil_clause: 'Application placement on Nodes and Clusters needs review'
+
+ocil: |-
+    Run the following command and review the pods and how they are deployed on nodes. <pre>$ oc get pod -o=custom-columns=NAME:.metadata.name,NAMESPACE:.metadata.namespace,APP:.metadata.labels.app\.kubernetes\.io/name,NODE:.spec.nodeName --all-namespaces | grep -v "openshift-" </pre>
+    You can use labels or other data as custom field which helps you to identify parts of an application.
+    Ensure that applications with high protection requirements are not colocated on nodes or in clusters with workloads of lower protection requirements.
diff --git a/applications/openshift/general/general_node_separation/tests/ocp4/e2e.yml b/applications/openshift/general/general_node_separation/tests/ocp4/e2e.yml
@@ -0,0 +1,2 @@
+---
+default_result: MANUAL
diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml
@@ -318,12 +318,11 @@ controls:
     levels:
     - elevated
     description: >-
-      Applications with very high protection needs SHOULD each use their own Kubernetes clusters
-      or dedicated nodes that are not available for other applications
-    notes: >-
-      TBD
-    status: pending
-    rules: []
+      Applications with very high protection needs SHOULD each use their own Kubernetes clusters or dedicated nodes that are not available for other applications
+    notes: ''
+    status: manual
+    rules:
+      - general_node_separation
 
   - id: APP.4.4.A16
     title: Use of Operators