Draft: Defined notes and rules for control BSI APP4.4.A17 - APP4.4.A19 #11659
base: master
Signed-off-by: Benjamin Ruland <[email protected]>
Hi @benruland. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
This datastream diff is auto generated by the check
New content has different text for rule 'xccdf_org.ssgproject.content_rule_cluster_version_operator_exists'.
--- xccdf_org.ssgproject.content_rule_cluster_version_operator_exists
+++ xccdf_org.ssgproject.content_rule_cluster_version_operator_exists
@@ -21,6 +21,9 @@
file.
[reference]:
+APP.4.4.A17
+
+[reference]:
SA-10(1)
[reference]:
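Review bot: no hunk in this diff adds an APP.4.4.A19 reference, although the PR title covers APP4.4.A17 - APP4.4.A19; starting with this first APP.4.4.A17 hunk the diff only adds A17, A18 and a handful of A7/A9/A13 references. If A19 is covered by control notes alone (the discussion further down treats the restart-at-another-site scenario as organizational), the PR description should say so, otherwise a rule reference is missing.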
New content has different text for rule 'xccdf_org.ssgproject.content_rule_cluster_version_operator_verify_integrity'.
--- xccdf_org.ssgproject.content_rule_cluster_version_operator_verify_integrity
+++ xccdf_org.ssgproject.content_rule_cluster_version_operator_verify_integrity
@@ -18,6 +18,9 @@
file.
[reference]:
+APP.4.4.A17
+
+[reference]:
SA-10(1)
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_integrity_exists'.
--- xccdf_org.ssgproject.content_rule_file_integrity_exists
+++ xccdf_org.ssgproject.content_rule_file_integrity_exists
@@ -12,6 +12,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/fileintegrity.openshift.io/v1alpha1/fileintegrities?limit=5 API endpoint to the local /apis/fileintegrity.openshift.io/v1alpha1/fileintegrities?limit=5 file.
+
+[reference]:
+APP.4.4.A17
[reference]:
CIP-003-8 R4.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_restrict_service_account_tokens'.
--- xccdf_org.ssgproject.content_rule_accounts_restrict_service_account_tokens
+++ xccdf_org.ssgproject.content_rule_accounts_restrict_service_account_tokens
@@ -7,6 +7,9 @@
running in the pod explicitly needs to communicate with the API server.
To ensure pods do not automatically mount tokens, set
automountServiceAccountToken to false.
+
+[reference]:
+APP.4.4.A9
[reference]:
CIP-003-8 R6
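Review bot: the reference added to accounts_restrict_service_account_tokens here is APP.4.4.A9, which lies outside the APP4.4.A17 - APP4.4.A19 scope the title states; the same happens for accounts_unique_service_account, rbac_least_privilege, rbac_wildcard_use and the scc_* rules further down. A separate PR for A8 to A11 is linked on this page ("Bsi app 4.4 a8to11"), so these A9 hunks should either move there or the title and description should be widened, so the two PRs do not add the same bsi reference twice (a doubled bsi: reference is already flagged in the review below).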
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_unique_service_account'.
--- xccdf_org.ssgproject.content_rule_accounts_unique_service_account
+++ xccdf_org.ssgproject.content_rule_accounts_unique_service_account
@@ -10,6 +10,9 @@
where service_account_name is the name of a service account
that is needed in the project namespace.
+
+[reference]:
+APP.4.4.A9
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_client_ca'.
--- xccdf_org.ssgproject.content_rule_api_server_client_ca
+++ xccdf_org.ssgproject.content_rule_api_server_client_ca
@@ -27,6 +27,9 @@
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#d56e72c377d8f85e0601a704d4218064a0ea4a2235ceee82d20db6cdafc74608
file.
+
+[reference]:
+APP.4.4.A17
[reference]:
CIP-003-8 R4.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_https_for_kubelet_conn'.
--- xccdf_org.ssgproject.content_rule_api_server_https_for_kubelet_conn
+++ xccdf_org.ssgproject.content_rule_api_server_https_for_kubelet_conn
@@ -16,6 +16,9 @@
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
file.
+
+[reference]:
+APP.4.4.A17
[reference]:
CIP-003-8 R4.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_kubelet_client_cert'.
--- xccdf_org.ssgproject.content_rule_api_server_kubelet_client_cert
+++ xccdf_org.ssgproject.content_rule_api_server_kubelet_client_cert
@@ -23,6 +23,9 @@
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#e5500055b4aa2fcf00dc09ad0e66e44b6b42d67f8d53d1e72ff81b32f0e09865
file.
+
+[reference]:
+APP.4.4.A17
[reference]:
CIP-003-8 R4.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_kubelet_client_key'.
--- xccdf_org.ssgproject.content_rule_api_server_kubelet_client_key
+++ xccdf_org.ssgproject.content_rule_api_server_kubelet_client_key
@@ -23,6 +23,9 @@
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#1e2b7c1158e0b9a602cb20d62c82b4660907bb57b63dac11c6c7c64211c49c69
file.
+
+[reference]:
+APP.4.4.A17
[reference]:
CIP-003-8 R4.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_tls_cert'.
--- xccdf_org.ssgproject.content_rule_api_server_tls_cert
+++ xccdf_org.ssgproject.content_rule_api_server_tls_cert
@@ -26,6 +26,9 @@
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#bca394347bab5b9902f1d1568d4f5d6e5498b01ec27ddf8231443e376b18757d
file.
+
+[reference]:
+APP.4.4.A17
[reference]:
CIP-003-8 R4.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_tls_cipher_suites'.
--- xccdf_org.ssgproject.content_rule_api_server_tls_cipher_suites
+++ xccdf_org.ssgproject.content_rule_api_server_tls_cipher_suites
@@ -35,6 +35,9 @@
server.
[reference]:
+APP.4.4.A17
+
+[reference]:
CM-6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_tls_private_key'.
--- xccdf_org.ssgproject.content_rule_api_server_tls_private_key
+++ xccdf_org.ssgproject.content_rule_api_server_tls_private_key
@@ -26,6 +26,9 @@
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#8c69c1fe6742f70a3a16c09461f57a19ef2a695143301cede2f2f5d307aa3508
file.
+
+[reference]:
+APP.4.4.A17
[reference]:
CIP-003-8 R4.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_integrity_notification_enabled'.
--- xccdf_org.ssgproject.content_rule_file_integrity_notification_enabled
+++ xccdf_org.ssgproject.content_rule_file_integrity_notification_enabled
@@ -16,6 +16,9 @@
and persist it to the local
/apis/monitoring.coreos.com/v1/prometheusrules#dda8d6e19f5a89264301ce56ece4df115a14d8a85e3ae6bd3cd8eccd234252c5
file.
+
+[reference]:
+APP.4.4.A17
[reference]:
SI-6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_tls_version_check_apiserver'.
--- xccdf_org.ssgproject.content_rule_tls_version_check_apiserver
+++ xccdf_org.ssgproject.content_rule_tls_version_check_apiserver
@@ -16,6 +16,9 @@
file.
[reference]:
+APP.4.4.A17
+
+[reference]:
Req-4.1
[rationale]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca'.
--- xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca
+++ xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca
@@ -15,6 +15,9 @@
x509:
clientCAFile: /etc/kubernetes/kubelet-ca.crt
...
+
+[reference]:
+APP.4.4.A17
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cert'.
--- xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cert
+++ xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cert
@@ -17,6 +17,9 @@
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#e5500055b4aa2fcf00dc09ad0e66e44b6b42d67f8d53d1e72ff81b32f0e09865
file.
+
+[reference]:
+APP.4.4.A17
[reference]:
CIP-003-8 R4.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites'.
--- xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites
+++ xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites
@@ -29,6 +29,9 @@
and var_kubelet_tls_cipher_suites have to be set
[reference]:
+APP.4.4.A17
+
+[reference]:
CIP-003-8 R6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_tls_key'.
--- xccdf_org.ssgproject.content_rule_kubelet_configure_tls_key
+++ xccdf_org.ssgproject.content_rule_kubelet_configure_tls_key
@@ -17,6 +17,9 @@
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#1e2b7c1158e0b9a602cb20d62c82b4660907bb57b63dac11c6c7c64211c49c69
file.
+
+[reference]:
+APP.4.4.A17
[reference]:
CIP-003-8 R4.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_tls_min_version'.
--- xccdf_org.ssgproject.content_rule_kubelet_configure_tls_min_version
+++ xccdf_org.ssgproject.content_rule_kubelet_configure_tls_min_version
@@ -51,6 +51,9 @@
the relevant documentation.
[reference]:
+APP.4.4.A17
+
+[reference]:
SC-8
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_network_policies'.
--- xccdf_org.ssgproject.content_rule_configure_network_policies
+++ xccdf_org.ssgproject.content_rule_configure_network_policies
@@ -17,6 +17,12 @@
and persist it to the local
/apis/operator.openshift.io/v1/networks/cluster#35e33d6dc1252a03495b35bd1751cac70041a511fa4d282c300a8b83b83e3498
file.
+
+[reference]:
+APP.4.4.7
+
+[reference]:
+APP.4.4.A18
[reference]:
CIP-003-8 R6
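Review bot: the first reference added in this hunk reads `APP.4.4.7` and is missing the `A`; the sibling hunks for configure_network_policies_namespaces and project_config_and_template_network_policy spell it `APP.4.4.A7`, and anything that selects rules by control id will not match the misspelled form. Change the added line to `+APP.4.4.A7`.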
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces'.
--- xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces
+++ xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces
@@ -20,6 +20,12 @@
and persist it to the local
/api/v1/namespaces#f673748db2dd4e4f0ad55d10ce5e86714c06da02b67ddb392582f71ef81efab2
file.
+
+[reference]:
+APP.4.4.A7
+
+[reference]:
+APP.4.4.A18
[reference]:
CIP-003-8 R4
New content has different text for rule 'xccdf_org.ssgproject.content_rule_project_config_and_template_network_policy'.
--- xccdf_org.ssgproject.content_rule_project_config_and_template_network_policy
+++ xccdf_org.ssgproject.content_rule_project_config_and_template_network_policy
@@ -32,6 +32,9 @@
file.
[reference]:
+APP.4.4.A7
+
+[reference]:
SRG-APP-000039-CTR-000110
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_project_template_network_policy'.
--- xccdf_org.ssgproject.content_rule_project_template_network_policy
+++ xccdf_org.ssgproject.content_rule_project_template_network_policy
@@ -19,6 +19,9 @@
file.
[reference]:
+APP.4.4.A18
+
+[reference]:
SRG-APP-000039-CTR-000110
[rationale]:
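Review bot: the two project-template rules receive different controls: project_config_and_template_network_policy (previous hunk) gets APP.4.4.A7 while project_template_network_policy here gets APP.4.4.A18, and configure_network_policies gets both. Judging by their names and the shared SRG-APP-000039-CTR-000110 reference both rules concern the NetworkPolicy in the project template, so either both should carry A7 and A18 or the control notes should explain why they are split.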
New content has different text for rule 'xccdf_org.ssgproject.content_rule_rbac_least_privilege'.
--- xccdf_org.ssgproject.content_rule_rbac_least_privilege
+++ xccdf_org.ssgproject.content_rule_rbac_least_privilege
@@ -28,6 +28,12 @@
[reference]:
APP.4.4.A3
+
+[reference]:
+APP.4.4.A7
+
+[reference]:
+APP.4.4.A9
[reference]:
AC-3
New content has different text for rule 'xccdf_org.ssgproject.content_rule_rbac_wildcard_use'.
--- xccdf_org.ssgproject.content_rule_rbac_wildcard_use
+++ xccdf_org.ssgproject.content_rule_rbac_wildcard_use
@@ -9,6 +9,9 @@
wildcard * which matches all items. This violates the
principle of least privilege and leaves a cluster in a more
vulnerable state to privilege abuse.
+
+[reference]:
+APP.4.4.A9
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_scansettingbinding_exists'.
--- xccdf_org.ssgproject.content_rule_scansettingbinding_exists
+++ xccdf_org.ssgproject.content_rule_scansettingbinding_exists
@@ -12,6 +12,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/compliance.openshift.io/v1alpha1/scansettingbindings?limit=5 API endpoint to the local /apis/compliance.openshift.io/v1alpha1/scansettingbindings?limit=5 file.
+
+[reference]:
+APP.4.4.A13
[reference]:
CIP-003-8 R1.3
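Review bot: APP.4.4.A13 is added to scansettingbinding_exists here (and to scansettings_have_schedule in the next hunk) although the title scopes this PR to A17 - A19, and a separate "App 4 4 a13 a16" PR is linked on this page; move these two hunks there or state in the description why they ride along in this one.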
New content has different text for rule 'xccdf_org.ssgproject.content_rule_scansettings_have_schedule'.
--- xccdf_org.ssgproject.content_rule_scansettings_have_schedule
+++ xccdf_org.ssgproject.content_rule_scansettings_have_schedule
@@ -21,6 +21,9 @@
file.
[reference]:
+APP.4.4.A13
+
+[reference]:
SI-6(b)
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_drop_container_capabilities'.
--- xccdf_org.ssgproject.content_rule_scc_drop_container_capabilities
+++ xccdf_org.ssgproject.content_rule_scc_drop_container_capabilities
@@ -8,6 +8,9 @@
capabilities, the appropriate Security Context Constraints (SCCs)
should set all capabilities as * or a list of capabilities in
requiredDropCapabilities.
+
+[reference]:
+APP.4.4.A9
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_container_allowed_capabilities'.
--- xccdf_org.ssgproject.content_rule_scc_limit_container_allowed_capabilities
+++ xccdf_org.ssgproject.content_rule_scc_limit_container_allowed_capabilities
@@ -47,6 +47,9 @@
file.
[reference]:
+APP.4.4.A9
+
+[reference]:
CIP-003-8 R6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_host_dir_volume_plugin'.
--- xccdf_org.ssgproject.content_rule_scc_limit_host_dir_volume_plugin
+++ xccdf_org.ssgproject.content_rule_scc_limit_host_dir_volume_plugin
@@ -10,6 +10,9 @@
[reference]:
APP.4.4.A4
+
+[reference]:
+APP.4.4.A9
[reference]:
AC-6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_host_ports'.
--- xccdf_org.ssgproject.content_rule_scc_limit_host_ports
+++ xccdf_org.ssgproject.content_rule_scc_limit_host_ports
@@ -7,6 +7,9 @@
on the hosts. To prevent containers from binding to privileged ports
on the host the appropriate Security Context Constraints (SCCs)
should set allowHostPorts to false.
+
+[reference]:
+APP.4.4.A9
[reference]:
CM-6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_ipc_namespace'.
--- xccdf_org.ssgproject.content_rule_scc_limit_ipc_namespace
+++ xccdf_org.ssgproject.content_rule_scc_limit_ipc_namespace
@@ -10,6 +10,9 @@
[reference]:
APP.4.4.A4
+
+[reference]:
+APP.4.4.A9
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_net_raw_capability'.
--- xccdf_org.ssgproject.content_rule_scc_limit_net_raw_capability
+++ xccdf_org.ssgproject.content_rule_scc_limit_net_raw_capability
@@ -11,6 +11,9 @@
[reference]:
APP.4.4.A4
+
+[reference]:
+APP.4.4.A9
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_network_namespace'.
--- xccdf_org.ssgproject.content_rule_scc_limit_network_namespace
+++ xccdf_org.ssgproject.content_rule_scc_limit_network_namespace
@@ -10,6 +10,9 @@
[reference]:
APP.4.4.A4
+
+[reference]:
+APP.4.4.A9
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_privilege_escalation'.
--- xccdf_org.ssgproject.content_rule_scc_limit_privilege_escalation
+++ xccdf_org.ssgproject.content_rule_scc_limit_privilege_escalation
@@ -8,6 +8,9 @@
To prevent containers from escalating privileges,
the appropriate Security Context Constraints (SCCs)
should set allowPrivilegeEscalation to false.
+
+[reference]:
+APP.4.4.A9
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_privileged_containers'.
--- xccdf_org.ssgproject.content_rule_scc_limit_privileged_containers
+++ xccdf_org.ssgproject.content_rule_scc_limit_privileged_containers
@@ -10,6 +10,9 @@
[reference]:
APP.4.4.A4
+
+[reference]:
+APP.4.4.A9
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_process_id_namespace'.
--- xccdf_org.ssgproject.content_rule_scc_limit_process_id_namespace
+++ xccdf_org.ssgproject.content_rule_scc_limit_process_id_namespace
@@ -10,6 +10,9 @@
[reference]:
APP.4.4.A4
+
+[reference]:
+APP.4.4.A9
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_root_containers'.
--- xccdf_org.ssgproject.content_rule_scc_limit_root_containers
+++ xccdf_org.ssgproject.content_rule_scc_limit_root_containers
@@ -10,6 +10,9 @@
[reference]:
APP.4.4.A4
+
+[reference]:
+APP.4.4.A9
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_kubelet_conf'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_kubelet_conf
+++ xccdf_org.ssgproject.content_rule_file_groupowner_kubelet_conf
@@ -4,6 +4,9 @@
[description]:
To properly set the group owner of /etc/kubernetes/kubelet.conf, run the command: $ sudo chgrp root /etc/kubernetes/kubelet.conf
+
+[reference]:
+APP.4.4.A17
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_worker_ca'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_worker_ca
+++ xccdf_org.ssgproject.content_rule_file_groupowner_worker_ca
@@ -4,6 +4,9 @@
[description]:
To properly set the group owner of /etc/kubernetes/kubelet-ca.crt, run the command: $ sudo chgrp root /etc/kubernetes/kubelet-ca.crt
+
+[reference]:
+APP.4.4.A17
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_worker_kubeconfig'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_worker_kubeconfig
+++ xccdf_org.ssgproject.content_rule_file_groupowner_worker_kubeconfig
@@ -4,6 +4,9 @@
[description]:
To properly set the group owner of /var/lib/kubelet/kubeconfig, run the command: $ sudo chgrp root /var/lib/kubelet/kubeconfig
+
+[reference]:
+APP.4.4.A17
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_worker_service'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_worker_service
+++ xccdf_org.ssgproject.content_rule_file_groupowner_worker_service
@@ -6,6 +6,9 @@
'
To properly set the group owner of /etc/systemd/system/kubelet.service, run the command:
$ sudo chgrp root /etc/systemd/system/kubelet.service'
+
+[reference]:
+APP.4.4.A17
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_kubelet'.
--- xccdf_org.ssgproject.content_rule_file_owner_kubelet
+++ xccdf_org.ssgproject.content_rule_file_owner_kubelet
@@ -4,6 +4,9 @@
[description]:
To properly set the owner of /var/lib/kubelet/config.json, run the command: $ sudo chown root /var/lib/kubelet/config.json
+
+[reference]:
+APP.4.4.A17
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_kubelet_conf'.
--- xccdf_org.ssgproject.content_rule_file_owner_kubelet_conf
+++ xccdf_org.ssgproject.content_rule_file_owner_kubelet_conf
@@ -4,6 +4,9 @@
[description]:
To properly set the owner of /etc/kubernetes/kubelet.conf, run the command: $ sudo chown root /etc/kubernetes/kubelet.conf
+
+[reference]:
+APP.4.4.A17
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_worker_ca'.
--- xccdf_org.ssgproject.content_rule_file_owner_worker_ca
+++ xccdf_org.ssgproject.content_rule_file_owner_worker_ca
@@ -4,6 +4,9 @@
[description]:
To properly set the owner of /etc/kubernetes/kubelet-ca.crt, run the command: $ sudo chown root /etc/kubernetes/kubelet-ca.crt
+
+[reference]:
+APP.4.4.A17
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_worker_kubeconfig'.
--- xccdf_org.ssgproject.content_rule_file_owner_worker_kubeconfig
+++ xccdf_org.ssgproject.content_rule_file_owner_worker_kubeconfig
@@ -4,6 +4,9 @@
[description]:
To properly set the owner of /var/lib/kubelet/kubeconfig, run the command: $ sudo chown root /var/lib/kubelet/kubeconfig
+
+[reference]:
+APP.4.4.A17
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_worker_service'.
--- xccdf_org.ssgproject.content_rule_file_owner_worker_service
+++ xccdf_org.ssgproject.content_rule_file_owner_worker_service
@@ -6,6 +6,9 @@
'
To properly set the owner of /etc/systemd/system/kubelet.service, run the command:
$ sudo chown root /etc/systemd/system/kubelet.service '
+
+[reference]:
+APP.4.4.A17
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_kubelet'.
--- xccdf_org.ssgproject.content_rule_file_permissions_kubelet
+++ xccdf_org.ssgproject.content_rule_file_permissions_kubelet
@@ -5,6 +5,9 @@
[description]:
To properly set the permissions of /var/lib/kubelet/config.json, run the command:
$ sudo chmod 0600 /var/lib/kubelet/config.json
+
+[reference]:
+APP.4.4.A17
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_kubelet_conf'.
--- xccdf_org.ssgproject.content_rule_file_permissions_kubelet_conf
+++ xccdf_org.ssgproject.content_rule_file_permissions_kubelet_conf
@@ -5,6 +5,9 @@
[description]:
To properly set the permissions of /etc/kubernetes/kubelet.conf, run the command:
$ sudo chmod 0644 /etc/kubernetes/kubelet.conf
+
+[reference]:
+APP.4.4.A17
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_worker_ca'.
--- xccdf_org.ssgproject.content_rule_file_permissions_worker_ca
+++ xccdf_org.ssgproject.content_rule_file_permissions_worker_ca
@@ -5,6 +5,9 @@
[description]:
To properly set the permissions of /etc/kubernetes/kubelet-ca.crt, run the command:
$ sudo chmod 0644 /etc/kubernetes/kubelet-ca.crt
+
+[reference]:
+APP.4.4.A17
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_worker_kubeconfig'.
--- xccdf_org.ssgproject.content_rule_file_permissions_worker_kubeconfig
+++ xccdf_org.ssgproject.content_rule_file_permissions_worker_kubeconfig
@@ -5,6 +5,9 @@
[description]:
To properly set the permissions of /var/lib/kubelet/kubeconfig, run the command:
$ sudo chmod 0600 /var/lib/kubelet/kubeconfig
+
+[reference]:
+APP.4.4.A17
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_worker_service'.
--- xccdf_org.ssgproject.content_rule_file_permissions_worker_service
+++ xccdf_org.ssgproject.content_rule_file_permissions_worker_service
@@ -5,6 +5,9 @@
[description]:
To properly set the permissions of /etc/systemd/system/kubelet.service, run the command:
$ sudo chmod 0644 /etc/systemd/system/kubelet.service
+
+[reference]:
+APP.4.4.A17
[reference]:
CIP-003-8 R6 |
🤖 A k8s content image for this PR is available at:
If you already have Compliance Operator deployed:
Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
@benruland this one is a biggy. I think the only mandatory change is the doubled bsi: reference and the partial/automated state. Let's discuss the other points.
disallow all but the necessary network connections within the Kubernetes namespace. These
(1) Pods SHOULD ONLY be able to communicate with each other through the necessary network
ports, even within a Kubernetes namespace. (2) There SHOULD be rules within the CNI that
disallow all but the necessary network connections within the Kubernetes namespace. (3) These
not sure if a manual rule for section 3 would help or only create work.
What about cases, where someone creates "ANY-ANY" network policies and lovely selects all available pods?
Or is this more something we would expect to be solved in the application development/review cycle?
I am actually surprised that no one has created such a rule yet.
However, I do not have a clear opinion yet on whether the manual rule will add value or if this should be marked as an "organizational measure". From a responsibility perspective, I would definitely see it at app dev/review.
If I remember the discussions with the customers right, they opted for more rules (even if manual) instead of missing anything. There must be tailoring / review of the manual rules done at each customer anyway. Maybe a manual rule with the tenor "review netpols if they only include relevant connections and are using the criteria service name, labels, etc. pp. OR ensure there is a check in the app dev/review"; this would make it transparent in the CO.
On the other hand, you already mentioned this in the notes. But the notes are not visible in the CO outputs.
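One way to make the "ANY-ANY" concern from the exchange above checkable, written here as an added example and not code from ComplianceAsCode, the Compliance Operator or this PR: the script walks a NetworkPolicyList as the Kubernetes API serves it from /apis/networking.k8s.io/v1/networkpolicies (the same kind of configuration dump the rule warnings in the datastream refer to) and reports every policy that selects all pods in its namespace and admits peers without restriction. The namespace, the policy names and the sample list are constructed for the example. What counts as "open" follows the documented NetworkPolicy semantics: an empty podSelector selects every pod, a rule without from/to admits every peer, an empty namespaceSelector matches every namespace, and an ipBlock of 0.0.0.0/0 without except matches every address.

```python
"""Report NetworkPolicy objects that admit every peer for every pod they select.

Added example, not code from ComplianceAsCode, the Compliance Operator or this
PR. Input is a NetworkPolicyList as served by
/apis/networking.k8s.io/v1/networkpolicies; the sample below is constructed.
"""
import json

# Constructed sample input (hypothetical namespace and policy names).
SAMPLE_NETPOL_LIST = json.dumps({
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicyList",
    "items": [
        {  # empty podSelector plus a rule with no 'from': anything may reach every pod
            "metadata": {"name": "allow-all-ingress", "namespace": "app1"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [{}]},
        },
        {  # the 'ANY-ANY' case from the review thread: empty selectors on both sides
            "metadata": {"name": "any-any", "namespace": "app1"},
            "spec": {
                "podSelector": {},
                "policyTypes": ["Ingress", "Egress"],
                "ingress": [{"from": [{"namespaceSelector": {}}]}],
                "egress": [{"to": [{"podSelector": {}}]}],
            },
        },
        {  # default deny: selects all pods but lists no rules, so nothing is admitted
            "metadata": {"name": "default-deny", "namespace": "app1"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
        },
        {  # scoped by labels and a port: the shape the control asks for
            "metadata": {"name": "frontend-to-backend", "namespace": "app1"},
            "spec": {
                "podSelector": {"matchLabels": {"app": "backend"}},
                "policyTypes": ["Ingress"],
                "ingress": [{
                    "from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                    "ports": [{"protocol": "TCP", "port": 8443}],
                }],
            },
        },
    ],
})


def _selects_everything(selector):
    """An empty label selector ({}) matches every object; None means 'not set'."""
    return (selector is not None
            and not selector.get("matchLabels")
            and not selector.get("matchExpressions"))


def _peer_scope(peer):
    """How broad one 'from'/'to' peer is: 'cluster', 'namespace' or None (restricted)."""
    block = peer.get("ipBlock")
    if block is not None:
        unrestricted = block.get("cidr") in ("0.0.0.0/0", "::/0") and not block.get("except")
        return "cluster" if unrestricted else None
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is not None:
        # namespaceSelector {} with no or empty podSelector: every pod in every namespace
        if _selects_everything(ns_sel) and (pod_sel is None or _selects_everything(pod_sel)):
            return "cluster"
        return None
    # a podSelector on its own is evaluated within the policy's own namespace
    return "namespace" if _selects_everything(pod_sel) else None


def _rule_scope(rule, peer_key):
    """Widest peer scope admitted by one ingress/egress rule."""
    peers = rule.get(peer_key)
    if not peers:
        return "cluster"  # omitted or empty from/to admits every peer
    scopes = {_peer_scope(p) for p in peers}
    if "cluster" in scopes:
        return "cluster"
    return "namespace" if "namespace" in scopes else None


def find_open_policies(netpol_list_json):
    """One finding per (policy, direction) that selects all pods and admits broad peers."""
    findings = []
    for item in json.loads(netpol_list_json).get("items", []):
        spec = item.get("spec", {})
        if not _selects_everything(spec.get("podSelector", {})):
            continue  # scoped to labelled pods; not an any-to-any policy
        meta = item.get("metadata", {})
        for direction, rules_key, peer_key in (("Ingress", "ingress", "from"),
                                               ("Egress", "egress", "to")):
            for rule in spec.get(rules_key) or []:
                scope = _rule_scope(rule, peer_key)
                if scope is None:
                    continue
                findings.append({
                    "namespace": meta.get("namespace"),
                    "name": meta.get("name"),
                    "direction": direction,
                    "scope": scope,
                    "all_ports": not rule.get("ports"),  # no ports list means every port
                })
    return findings


if __name__ == "__main__":
    for f in find_open_policies(SAMPLE_NETPOL_LIST):
        print("{namespace}/{name}: {direction} open to {scope}, all ports={all_ports}".format(**f))
```

On the constructed sample the script reports allow-all-ingress and both directions of any-any, and stays silent on default-deny (selects all pods but admits nothing) and on the label-scoped frontend-to-backend policy. A check of this kind can only flag selectors that are too broad; whether the connections that remain are the "necessary" ones is still the app dev/review decision the thread discusses.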
restarted in a short time at another site.
Should a restart be required, all the necessary configuration files, images, user data, network
connections, and other resources required for operation (including the necessary hardware)
(2) Should a restart be required, all the necessary configuration files, images, user data,
Not sure if we have a rule for this, but this would also require that no local node storage is used.
It feels too fine-grained for me here. This requirement would also be necessary for any pod high availability, wouldn't it? Do we have a separate control for that?
For me, section 2 focuses on the "cluster restart in other site" scenario, which is largely to be ensured organizationally.
There is no control for that in APP.4.4. You are correct, I am too fine-grained here.
…luster)rolebindings_default_service_account
In the future, for APP.4.4.18, we might need to also look at AdminNetworkPolicy, currently in TechPreviewNoUpgrade state.
/ok-to-test
/test e2e-aws-ocp4-bsi
App 4 4 a13 a16
Bsi app 4.4 a8to11
Description:
Notes / Rules for BSI APP4.4.A17 - APP4.4.A19 added.
Rationale:
As we have multiple customers asking for a BSI profile to be included in the compliance-operator, we are contributing a profile. To provide a better review process, the individual controls are implemented as separate PRs.