
SIG BSI Method #50

Open

sluetze opened this issue Dec 5, 2023 · 0 comments

Comments

@sluetze

sluetze commented Dec 5, 2023

Procedure for rule identification:

  1. Fetch the English BSI text and insert it
  2. Compare against the QuickCheck interpretation
  3. Compare against the IG BvC interpretation (SYS.1.6, APP.4.4)
  4. Search for rules in content and add them
  5. Set the corresponding labels (not-checkable, new-rules etc.)

Coding:

  1. Open a new branch for the issue
  2. Add code
  3. Build (./build_product ocp4 rhcos4)
  4. Create and upload the profile bundle (./utils/build_ds_container.py -p)
  5. Perform a visual test on an OpenShift cluster (test result matches expectations)
  6. Reduce to a single commit if possible, message: "Defined notes and rules for control BSI APP4.4.Ann"

Merging:

  1. Open a pull request in ComplianceAsCode/content (template: Defined notes and rules for control BSI APP4.4.A10 ComplianceAsCode/content#11393)
  2. Link the PR in the story
  3. Review by at least one other contributor
  4. Add changes via commit amending / force push for a clean commit history
  5. Work on the merge with upstream

In the control files:
The individual requirements within one requirement (sentences with MUST, SHOULD etc.) are logically grouped and numbered inline.
In the rules, the corresponding section is then referenced via a comment.

    description: >-
      (1) Kubernetes and all other control plane applications MUST authenticate and authorise each
      action taken by a user or, in automated mode, corresponding software.
      This applies whether the actions are taken via a client, a web interface, or a corresponding API.
      (2) Administrative actions MUST NOT be performed anonymously.
      (3) Each user MUST ONLY be granted the permissions they absolutely require.
      (4) Unlimited access rights MUST be granted in a very restrictive manner.
      (5) Only a small group of people SHOULD be authorised to define automation processes.
      (7) Only selected administrators SHOULD be given the right to create or change shares for persistent volumes in Kubernetes.
sluetze pinned this issue Dec 5, 2023
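The numbering convention from the comment above, as an added consistency check that is not part of the issue or of the ComplianceAsCode project: the script assumes a rule's comment carries the referenced section as "(n)" and reports gaps in the description numbering, references to sections the description does not define, and rules without any reference. The sample control and its rule names are constructed placeholders.

```python
import re

# Constructed sample in the control-file layout the issue describes; not a real
# ComplianceAsCode control file, and the rule names are placeholders.
SAMPLE_CONTROL = """\
controls:
  - id: APP.4.4.A3
    description: >-
      (1) Kubernetes and all other control plane applications MUST authenticate
      and authorise each action taken by a user.
      (2) Administrative actions MUST NOT be performed anonymously.
      (3) Each user MUST ONLY be granted the permissions they absolutely require.
      (5) Only a small group of people SHOULD be authorised to define automation.
    rules:
      # (2)
      - placeholder_api_server_anonymous_auth
      # (3)
      - placeholder_rbac_least_privilege
      # (4)
      - placeholder_rbac_limit_cluster_admin
      - placeholder_rule_without_reference
"""

SECTION_RE = re.compile(r"\((\d+)\)")  # the inline "(n)" section markers

def lint_control(text):
    """Return a list of findings for one control: gaps in the (n) numbering of
    the description, rule comments pointing at a section the description does
    not define, and rules without any section reference. Empty means clean."""
    desc = re.search(r"description: >-\n(.*?)\n\s*rules:\n", text, re.S)
    rules = re.search(r"rules:\n(.*)", text, re.S)
    if not desc or not rules:
        return ["control has no description or no rules block"]
    sections = [int(n) for n in SECTION_RE.findall(desc.group(1))]
    findings = [f"description skips section ({n})"
                for n in range(1, max(sections, default=0) + 1) if n not in sections]
    refs = []  # section numbers collected from the comment(s) above a rule
    for line in rules.group(1).splitlines():
        line = line.strip()
        if line.startswith("#"):
            refs += [int(n) for n in SECTION_RE.findall(line)]
        elif line.startswith("- "):
            rule = line[2:].strip()
            findings += [f"rule {rule} references undefined section ({n})"
                         for n in refs if n not in sections]
            if not refs:
                findings.append(f"rule {rule} has no section reference")
            refs = []  # a reference only covers the rule directly below it
    return findings
```

Running lint_control over every control in a file before opening the PR catches a skipped number or a stale comment reference before review does.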