Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Defined notes for BSI SYS.1.6.A24 and A25 #12471

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 23 additions & 13 deletions controls/bsi_sys_1_6.yml
Original file line number Diff line number Diff line change
Expand Up @@ -533,30 +533,40 @@ controls:
levels:
- elevated
description: >-
The behaviour of containers and the applications or services running in them SHOULD be
monitored. Deviations from normal behaviour SHOULD be noticed and reported. The reports
(1) The behaviour of containers and the applications or services running in them SHOULD be
monitored. (2) Deviations from normal behaviour SHOULD be noticed and reported. (3) The reports
SHOULD be handled appropriately in a centralised process for security incident handling.
At minimum, the behaviour to be monitored SHOULD cover:
• Network connections
• Created processes
• File system access attempts
• Kernel requests (syscalls)
(4) At minimum, the behaviour to be monitored SHOULD cover:
(5) • Network connections
(6) • Created processes
(7) • File system access attempts
(8) • Kernel requests (syscalls)
notes: >-
ToDo
status: manual
#rules:
The requirement is not met by OpenShift itself but requires the implementation of additional
container runtime security solutions such as Red Hat Advanced Cluster Security (ACS).

Note: At the host level, Red Hat CoreOS supports auditd, which is enabled by default.
Policies for auditd can include network connections, created processes, file accesses and syscalls.
Red Hat CoreOS provides many sample policies that cover all of the areas described.
status: does not meet
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.


- id: SYS.1.6.A25
title: High Availability of Containerised Applications
levels:
- elevated
description: >-
In cases involving containerised applications with high availability requirements, the
(1) In cases involving containerised applications with high availability requirements, the
necessary level of availability SHOULD be defined (e.g. redundant at the host level)
notes: >-
ToDo
OpenShift offers multiple technical options by default (replicas, pod anti-affinities,
topology spread constraints). The applications needs to support this high availability.
Clusters can also be distributed across multiple fire zones (failure zones) within a region/location.
Multi-Cluster/Multi-Region distribution can be considered additionally, if required.

The decision of the most appropriate level needs to be done organizationally per application.
No rules are checked here, as no required level of high availability is stated in the requirement.
Note: Technical checks for this can be found at APP.4.4.A19: "High Availability of Kubernetes"
status: manual
#rules:

- id: SYS.1.6.A26
title: Advanced Isolation and Encapsulation of Containers
Expand Down
Loading