Commit

add manual rules to APP.4.4.A4
sluetze committed Feb 22, 2024
1 parent 0c95f55 commit e17a17c
Showing 8 changed files with 27 additions and 4 deletions.
@@ -21,6 +21,7 @@ identifiers:
cce@ocp4: CCE-86255-7

references:
bsi: APP.4.4.A4
cis@ocp4: 5.2.12
nist: AC-6,AC-6(1)
srg: SRG-APP-000142-CTR-000330
@@ -21,6 +21,7 @@ identifiers:
cce@ocp4: CCE-84042-1

references:
bsi: APP.4.4.A4
cis@ocp4: 5.2.3
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
@@ -19,6 +19,7 @@ rationale: |-
severity: medium

references:
bsi: APP.4.4.A4
cis@ocp4: 5.2.7
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
@@ -21,6 +21,7 @@ identifiers:
cce@ocp4: CCE-83492-9

references:
bsi: APP.4.4.A4
cis@ocp4: 5.2.4
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
@@ -18,6 +18,7 @@ rationale: |-
severity: medium

references:
bsi: APP.4.4.A4
cis@ocp4: 5.2.1
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
@@ -17,6 +17,7 @@ rationale: |-
severity: medium

references:
bsi: APP.4.4.A4
cis@ocp4: 5.2.2
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
@@ -25,6 +25,7 @@ rationale: |-
severity: medium

references:
bsi: APP.4.4.A4
cis@ocp4: 5.2.6
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
24 changes: 20 additions & 4 deletions controls/bsi_app_4_4.yml
@@ -82,17 +82,33 @@ controls:
levels:
- basic
description: >-
The operating system kernel of nodes MUST have isolation mechanisms to restrict visibility
and resource usage among the corresponding pods (cf. Linux namespaces and cgroups). At
(1) The operating system kernel of nodes MUST have isolation mechanisms to restrict visibility
and resource usage among the corresponding pods (cf. Linux namespaces and cgroups). (2) At
minimum, this isolation MUST include process IDs, inter-process communication, user IDs,
the file system, and the network (including the hostname).
notes: >-
Since these are OS based requirements, they are included in the rhcos4 bsi profile
status: pending
Since these are OS based requirements, they are included in the rhcos4 bsi profile.
One of the key mechanisms in OCP4 to separate Workloads is SELinux. Thus this should be
enforced. Furthermore a admin should check the SCCs as they might lift some of the separations
between workloads and/or hosts.
status: inherently met
rules:
# Section 1
- coreos_enable_selinux_kernel_argument
- selinux_policytype
- selinux_state
# Section 2
- scc_limit_privileged_containers
- scc_limit_root_containers
# inter process communication
- scc_limit_ipc_namespace
# process IDs
- scc_limit_process_id_namespace
# file system
- scc_limit_host_dir_volume_plugin
# network
- scc_limit_net_raw_capability
- scc_limit_network_namespace

- id: APP.4.4.A5
title: Backup in the Cluster
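Review bot: the `rules:` list in this hunk does not cover everything the numbered description demands. Part (2) requires isolation of process IDs, inter-process communication, user IDs, the file system and the network including the hostname, but the mapped rules are commented only for IPC, process IDs, file system and network; nothing is mapped to user IDs (scc_limit_root_containers is the nearest) and nothing addresses hostname isolation. Either add rules for those two or record the gap in `notes:`. Related, `status: inherently met` reads oddly next to a note that says an admin "should check the SCCs" and next to a list of rules that have to be evaluated against the cluster; the commit title itself calls these manual rules, so a status that reflects partial or rule-backed coverage would be more accurate than "inherently met". Also, the three rules under `# Section 1` are the rhcos4 SELinux rules, and none of the rule files touched elsewhere in this commit (the visible identifiers are all cce@ocp4) is one of them, so they do not receive the `bsi: APP.4.4.A4` reference here. Minor wording in the new `notes:` text: "a admin" should be "an admin", "OS based" should be "OS-based", and "Workloads" need not be capitalized.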
