Merge pull request #11437 from sig-bsi-grundschutz/bsi-sys-1-6

Add Control for BSI SYS 1.6
ComplianceAsCode · Feb 22, 2024 · 011089d · 011089d
2 parents 32f41d8 + e17a17c
commit 011089d
Show file tree

Hide file tree

Showing 22 changed files with 571 additions and 27 deletions.
diff --git a/applications/openshift/api-server/api_server_anonymous_auth/rule.yml b/applications/openshift/api-server/api_server_anonymous_auth/rule.yml
@@ -34,6 +34,7 @@ rationale: |-
 severity: medium
 
 references:
+    bsi: APP.4.4.A3
     cis@ocp4: 1.2.1
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

diff --git a/applications/openshift/general/kubeadmin_removed/rule.yml b/applications/openshift/general/kubeadmin_removed/rule.yml
@@ -22,6 +22,7 @@ identifiers:
   cce@ocp4: CCE-90387-2
 
 references:
+  bsi: APP.4.4.A3
   cis@ocp4: 3.1.1,5.1.1
   nerc-cip: CIP-004-6 R2.2.2,CIP-004-6 R2.2.3,CIP-007-3 R.1.3,CIP-007-3 R2,CIP-007-3 R5,CIP-007-3 R5.1.1,CIP-007-3 R5.1.3,CIP-007-3 R5.2.1,CIP-007-3 R5.2.3,CIP-007-3 R6.1,CIP-007-3 R6.2,CIP-007-3 R6.3,CIP-007-3 R6.4
   nist: AC-2(2),AC-2(7),AC-2(9),AC-2(10),AC-12(1),IA-2(5),MA-4,SC-12(1)

diff --git a/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml b/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml
@@ -35,6 +35,7 @@ rationale: |-
 severity: medium
 
 references:
+    bsi: APP.4.4.A3
     cis@eks: 3.2.1
     cis@ocp4: 4.2.2
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1

diff --git a/applications/openshift/rbac/rbac_least_privilege/rule.yml b/applications/openshift/rbac/rbac_least_privilege/rule.yml
@@ -26,6 +26,7 @@ identifiers:
   cce@ocp4: CCE-90678-4
 
 references:
+    bsi: APP.4.4.A3
     cis@ocp4: 5.2.10
     nist: AC-3,CM-5(6),IA-2,IA-2(5),AC-6(10),CM-11(2),CM-5(1),CM-7(5)(b)
     srg: SRG-APP-000033-CTR-000090,SRG-APP-000033-CTR-000095,SRG-APP-000033-CTR-000100,SRG-APP-000133-CTR-000290,SRG-APP-000133-CTR-000295,SRG-APP-000133-CTR-000300,SRG-APP-000133-CTR-000305,SRG-APP-000133-CTR-000310,SRG-APP-000148-CTR-000350,SRG-APP-000153-CTR-000375,SRG-APP-000340-CTR-000770,SRG-APP-000378-CTR-000880,SRG-APP-000378-CTR-000885,SRG-APP-000378-CTR-000890,SRG-APP-000380-CTR-000900,SRG-APP-000386-CTR-000920

diff --git a/applications/openshift/scc/scc_limit_host_dir_volume_plugin/rule.yml b/applications/openshift/scc/scc_limit_host_dir_volume_plugin/rule.yml
@@ -21,6 +21,7 @@ identifiers:
   cce@ocp4: CCE-86255-7
 
 references:
+    bsi: APP.4.4.A4
     cis@ocp4: 5.2.12
     nist: AC-6,AC-6(1)
     srg: SRG-APP-000142-CTR-000330

diff --git a/applications/openshift/scc/scc_limit_ipc_namespace/rule.yml b/applications/openshift/scc/scc_limit_ipc_namespace/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@ocp4: CCE-84042-1
 
 references:
+    bsi: APP.4.4.A4
     cis@ocp4: 5.2.3
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

diff --git a/applications/openshift/scc/scc_limit_net_raw_capability/rule.yml b/applications/openshift/scc/scc_limit_net_raw_capability/rule.yml
@@ -19,6 +19,7 @@ rationale: |-
 severity: medium
 
 references:
+    bsi: APP.4.4.A4
     cis@ocp4: 5.2.7
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

diff --git a/applications/openshift/scc/scc_limit_network_namespace/rule.yml b/applications/openshift/scc/scc_limit_network_namespace/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@ocp4: CCE-83492-9
 
 references:
+    bsi: APP.4.4.A4
     cis@ocp4: 5.2.4
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

diff --git a/applications/openshift/scc/scc_limit_privileged_containers/rule.yml b/applications/openshift/scc/scc_limit_privileged_containers/rule.yml
@@ -18,6 +18,7 @@ rationale: |-
 severity: medium
 
 references:
+    bsi: APP.4.4.A4
     cis@ocp4: 5.2.1
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

diff --git a/applications/openshift/scc/scc_limit_process_id_namespace/rule.yml b/applications/openshift/scc/scc_limit_process_id_namespace/rule.yml
@@ -17,6 +17,7 @@ rationale: |-
 severity: medium
 
 references:
+    bsi: APP.4.4.A4
     cis@ocp4: 5.2.2
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

diff --git a/applications/openshift/scc/scc_limit_root_containers/rule.yml b/applications/openshift/scc/scc_limit_root_containers/rule.yml
@@ -25,6 +25,7 @@ rationale: |-
 severity: medium
 
 references:
+    bsi: APP.4.4.A4
     cis@ocp4: 5.2.6
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml
@@ -1,3 +1,9 @@
+# In BSI Basic Protection are multiple Requirements in one control.
+# i.e. there are multiple sentences, some including a RFC2119 keyword
+# Since we must increase granularity to create a precise control,
+# we number each sentence with a RFC2119 keyword as a section, grouping sentences, which are logically connected.
+# we number inline in brackets, so the lookup is easy
+# we reference these numbers in comments over each rule or group of rules
 policy: 'BSI-APP-4-4'
 title: 'BSI APP.4.4 Kubernetes'
 id: bsi_app_4_4
@@ -76,14 +82,33 @@ controls:
     levels:
     - basic
     description: >-
-      The operating system kernel of nodes MUST have isolation mechanisms to restrict visibility
-      and resource usage among the corresponding pods (cf. Linux namespaces and cgroups). At
+      (1) The operating system kernel of nodes MUST have isolation mechanisms to restrict visibility
+      and resource usage among the corresponding pods (cf. Linux namespaces and cgroups). (2) At
       minimum, this isolation MUST include process IDs, inter-process communication, user IDs,
       the file system, and the network (including the hostname).
     notes: >-
-      Since these are OS based requirements, they are included in the rhcos4 bsi profile
-    status: pending
-    # rules:
+      Since these are OS based requirements, they are included in the rhcos4 bsi profile.
+      One of the key mechanisms in OCP4 to separate Workloads is SELinux. Thus this should be
+      enforced. Furthermore a admin should check the SCCs as they might lift some of the separations
+      between workloads and/or hosts.
+    status: inherently met
+    rules:
+      # Section 1
+      - coreos_enable_selinux_kernel_argument
+      - selinux_policytype
+      - selinux_state
+      # Section 2
+      - scc_limit_privileged_containers
+      - scc_limit_root_containers
+      # inter process communication
+      - scc_limit_ipc_namespace
+      # process IDs
+      - scc_limit_process_id_namespace
+      # file system
+      - scc_limit_host_dir_volume_plugin
+      # network
+      - scc_limit_net_raw_capability
+      - scc_limit_network_namespace
 
   - id: APP.4.4.A5
     title: Backup in the Cluster
@@ -219,7 +244,7 @@ controls:
         • Regular data backups.
     notes: >-
       This requirement needs to be adressed in the respective separate systems.
-      However, one requirement (Encrypted communication on all network ports) can partitially be 
+      However, one requirement (Encrypted communication on all network ports) can partitially be
       checked by ensuring that no registry is allowed in over insecure protocols
     status: partial
     rules: