
Draft: Defined notes and rules for control BSI APP4.4.A17 - APP4.4.A19 #11659

Draft
wants to merge 19 commits into base: master

Conversation

benruland
Contributor

Description:
Notes / Rules for BSI APP4.4.A17 - APP4.4.A19 added.

Rationale:
As we have multiple customers asking for a BSI profile to be included in the compliance-operator, we are contributing a profile. To provide a better review process, the individual controls are implemented as separate PRs.

@benruland benruland marked this pull request as draft March 6, 2024 16:13
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Mar 6, 2024

openshift-ci bot commented Mar 6, 2024

Hi @benruland. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.


github-actions bot commented Mar 6, 2024

This datastream diff is auto generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_cluster_version_operator_exists'.
--- xccdf_org.ssgproject.content_rule_cluster_version_operator_exists
+++ xccdf_org.ssgproject.content_rule_cluster_version_operator_exists
@@ -21,6 +21,9 @@
     file.
 
 [reference]:
+APP.4.4.A17
+
+[reference]:
 SA-10(1)
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_cluster_version_operator_verify_integrity'.
--- xccdf_org.ssgproject.content_rule_cluster_version_operator_verify_integrity
+++ xccdf_org.ssgproject.content_rule_cluster_version_operator_verify_integrity
@@ -18,6 +18,9 @@
     file.
 
 [reference]:
+APP.4.4.A17
+
+[reference]:
 SA-10(1)
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_integrity_exists'.
--- xccdf_org.ssgproject.content_rule_file_integrity_exists
+++ xccdf_org.ssgproject.content_rule_file_integrity_exists
@@ -12,6 +12,9 @@
 [warning]:
 This rule's check operates on the cluster configuration dump.
 Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/fileintegrity.openshift.io/v1alpha1/fileintegrities?limit=5 API endpoint to the local /apis/fileintegrity.openshift.io/v1alpha1/fileintegrities?limit=5 file.
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R4.2

New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_restrict_service_account_tokens'.
--- xccdf_org.ssgproject.content_rule_accounts_restrict_service_account_tokens
+++ xccdf_org.ssgproject.content_rule_accounts_restrict_service_account_tokens
@@ -7,6 +7,9 @@
 running in the pod explicitly needs to communicate with the API server.
 To ensure pods do not automatically mount tokens, set
 automountServiceAccountToken to false.
+
+[reference]:
+APP.4.4.A9
 
 [reference]:
 CIP-003-8 R6
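Review bot: the reference added here is APP.4.4.A9, which lies outside the APP4.4.A17 - APP4.4.A19 range named in the PR title and description; the same applies to the APP.4.4.A7, APP.4.4.A9 and APP.4.4.A13 references added in later hunks of this diff. Since the description says each control is implemented as a separate PR, please either widen the title and description to the controls this PR actually touches, or drop the hunks that belong to another control PR so the datastream diff matches the stated scope.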

New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_unique_service_account'.
--- xccdf_org.ssgproject.content_rule_accounts_unique_service_account
+++ xccdf_org.ssgproject.content_rule_accounts_unique_service_account
@@ -10,6 +10,9 @@
        
 where service_account_name is the name of a service account
 that is needed in the project namespace.
+
+[reference]:
+APP.4.4.A9
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_client_ca'.
--- xccdf_org.ssgproject.content_rule_api_server_client_ca
+++ xccdf_org.ssgproject.content_rule_api_server_client_ca
@@ -27,6 +27,9 @@
     and persist it to the local
     /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#d56e72c377d8f85e0601a704d4218064a0ea4a2235ceee82d20db6cdafc74608
     file.
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R4.2

New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_https_for_kubelet_conn'.
--- xccdf_org.ssgproject.content_rule_api_server_https_for_kubelet_conn
+++ xccdf_org.ssgproject.content_rule_api_server_https_for_kubelet_conn
@@ -16,6 +16,9 @@
     and persist it to the local
     /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
     file.
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R4.2

New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_kubelet_client_cert'.
--- xccdf_org.ssgproject.content_rule_api_server_kubelet_client_cert
+++ xccdf_org.ssgproject.content_rule_api_server_kubelet_client_cert
@@ -23,6 +23,9 @@
     and persist it to the local
     /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#e5500055b4aa2fcf00dc09ad0e66e44b6b42d67f8d53d1e72ff81b32f0e09865
     file.
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R4.2

New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_kubelet_client_key'.
--- xccdf_org.ssgproject.content_rule_api_server_kubelet_client_key
+++ xccdf_org.ssgproject.content_rule_api_server_kubelet_client_key
@@ -23,6 +23,9 @@
     and persist it to the local
     /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#1e2b7c1158e0b9a602cb20d62c82b4660907bb57b63dac11c6c7c64211c49c69
     file.
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R4.2

New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_tls_cert'.
--- xccdf_org.ssgproject.content_rule_api_server_tls_cert
+++ xccdf_org.ssgproject.content_rule_api_server_tls_cert
@@ -26,6 +26,9 @@
     and persist it to the local
     /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#bca394347bab5b9902f1d1568d4f5d6e5498b01ec27ddf8231443e376b18757d
     file.
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R4.2

New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_tls_cipher_suites'.
--- xccdf_org.ssgproject.content_rule_api_server_tls_cipher_suites
+++ xccdf_org.ssgproject.content_rule_api_server_tls_cipher_suites
@@ -35,6 +35,9 @@
 server.
 
 [reference]:
+APP.4.4.A17
+
+[reference]:
 CM-6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_tls_private_key'.
--- xccdf_org.ssgproject.content_rule_api_server_tls_private_key
+++ xccdf_org.ssgproject.content_rule_api_server_tls_private_key
@@ -26,6 +26,9 @@
     and persist it to the local
     /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#8c69c1fe6742f70a3a16c09461f57a19ef2a695143301cede2f2f5d307aa3508
     file.
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R4.2

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_integrity_notification_enabled'.
--- xccdf_org.ssgproject.content_rule_file_integrity_notification_enabled
+++ xccdf_org.ssgproject.content_rule_file_integrity_notification_enabled
@@ -16,6 +16,9 @@
     and persist it to the local
     /apis/monitoring.coreos.com/v1/prometheusrules#dda8d6e19f5a89264301ce56ece4df115a14d8a85e3ae6bd3cd8eccd234252c5
     file.
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 SI-6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_tls_version_check_apiserver'.
--- xccdf_org.ssgproject.content_rule_tls_version_check_apiserver
+++ xccdf_org.ssgproject.content_rule_tls_version_check_apiserver
@@ -16,6 +16,9 @@
     file.
 
 [reference]:
+APP.4.4.A17
+
+[reference]:
 Req-4.1
 
 [rationale]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca'.
--- xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca
+++ xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca
@@ -15,6 +15,9 @@
   x509:
     clientCAFile: /etc/kubernetes/kubelet-ca.crt
 ...
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cert'.
--- xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cert
+++ xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cert
@@ -17,6 +17,9 @@
     and persist it to the local
     /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#e5500055b4aa2fcf00dc09ad0e66e44b6b42d67f8d53d1e72ff81b32f0e09865
     file.
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R4.2

New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites'.
--- xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites
+++ xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites
@@ -29,6 +29,9 @@
 and var_kubelet_tls_cipher_suites have to be set
 
 [reference]:
+APP.4.4.A17
+
+[reference]:
 CIP-003-8 R6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_tls_key'.
--- xccdf_org.ssgproject.content_rule_kubelet_configure_tls_key
+++ xccdf_org.ssgproject.content_rule_kubelet_configure_tls_key
@@ -17,6 +17,9 @@
     and persist it to the local
     /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#1e2b7c1158e0b9a602cb20d62c82b4660907bb57b63dac11c6c7c64211c49c69
     file.
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R4.2

New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_tls_min_version'.
--- xccdf_org.ssgproject.content_rule_kubelet_configure_tls_min_version
+++ xccdf_org.ssgproject.content_rule_kubelet_configure_tls_min_version
@@ -51,6 +51,9 @@
 the relevant documentation.
 
 [reference]:
+APP.4.4.A17
+
+[reference]:
 SC-8
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_network_policies'.
--- xccdf_org.ssgproject.content_rule_configure_network_policies
+++ xccdf_org.ssgproject.content_rule_configure_network_policies
@@ -17,6 +17,12 @@
     and persist it to the local
     /apis/operator.openshift.io/v1/networks/cluster#35e33d6dc1252a03495b35bd1751cac70041a511fa4d282c300a8b83b83e3498
     file.
+
+[reference]:
+APP.4.4.7
+
+[reference]:
+APP.4.4.A18
 
 [reference]:
 CIP-003-8 R6
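Review bot: the first added reference, `+APP.4.4.7`, drops the `A` that every other BSI reference in this diff carries; the sibling hunk for configure_network_policies_namespaces adds `APP.4.4.A7` for the same control. Change the line to `+APP.4.4.A7` so the reference matches the control identifier used by the other rules.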

New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces'.
--- xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces
+++ xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces
@@ -20,6 +20,12 @@
     and persist it to the local
     /api/v1/namespaces#f673748db2dd4e4f0ad55d10ce5e86714c06da02b67ddb392582f71ef81efab2
     file.
+
+[reference]:
+APP.4.4.A7
+
+[reference]:
+APP.4.4.A18
 
 [reference]:
 CIP-003-8 R4

New content has different text for rule 'xccdf_org.ssgproject.content_rule_project_config_and_template_network_policy'.
--- xccdf_org.ssgproject.content_rule_project_config_and_template_network_policy
+++ xccdf_org.ssgproject.content_rule_project_config_and_template_network_policy
@@ -32,6 +32,9 @@
     file.
 
 [reference]:
+APP.4.4.A7
+
+[reference]:
 SRG-APP-000039-CTR-000110
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_project_template_network_policy'.
--- xccdf_org.ssgproject.content_rule_project_template_network_policy
+++ xccdf_org.ssgproject.content_rule_project_template_network_policy
@@ -19,6 +19,9 @@
     file.
 
 [reference]:
+APP.4.4.A18
+
+[reference]:
 SRG-APP-000039-CTR-000110
 
 [rationale]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_rbac_least_privilege'.
--- xccdf_org.ssgproject.content_rule_rbac_least_privilege
+++ xccdf_org.ssgproject.content_rule_rbac_least_privilege
@@ -28,6 +28,12 @@
 
 [reference]:
 APP.4.4.A3
+
+[reference]:
+APP.4.4.A7
+
+[reference]:
+APP.4.4.A9
 
 [reference]:
 AC-3

New content has different text for rule 'xccdf_org.ssgproject.content_rule_rbac_wildcard_use'.
--- xccdf_org.ssgproject.content_rule_rbac_wildcard_use
+++ xccdf_org.ssgproject.content_rule_rbac_wildcard_use
@@ -9,6 +9,9 @@
 wildcard * which matches all items. This violates the
 principle of least privilege and leaves a cluster in a more
 vulnerable state to privilege abuse.
+
+[reference]:
+APP.4.4.A9
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_scansettingbinding_exists'.
--- xccdf_org.ssgproject.content_rule_scansettingbinding_exists
+++ xccdf_org.ssgproject.content_rule_scansettingbinding_exists
@@ -12,6 +12,9 @@
 [warning]:
 This rule's check operates on the cluster configuration dump.
 Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/compliance.openshift.io/v1alpha1/scansettingbindings?limit=5 API endpoint to the local /apis/compliance.openshift.io/v1alpha1/scansettingbindings?limit=5 file.
+
+[reference]:
+APP.4.4.A13
 
 [reference]:
 CIP-003-8 R1.3

New content has different text for rule 'xccdf_org.ssgproject.content_rule_scansettings_have_schedule'.
--- xccdf_org.ssgproject.content_rule_scansettings_have_schedule
+++ xccdf_org.ssgproject.content_rule_scansettings_have_schedule
@@ -21,6 +21,9 @@
     file.
 
 [reference]:
+APP.4.4.A13
+
+[reference]:
 SI-6(b)
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_drop_container_capabilities'.
--- xccdf_org.ssgproject.content_rule_scc_drop_container_capabilities
+++ xccdf_org.ssgproject.content_rule_scc_drop_container_capabilities
@@ -8,6 +8,9 @@
 capabilities, the appropriate Security Context Constraints (SCCs)
 should set all capabilities as * or a list of capabilities in
 requiredDropCapabilities.
+
+[reference]:
+APP.4.4.A9
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_container_allowed_capabilities'.
--- xccdf_org.ssgproject.content_rule_scc_limit_container_allowed_capabilities
+++ xccdf_org.ssgproject.content_rule_scc_limit_container_allowed_capabilities
@@ -47,6 +47,9 @@
     file.
 
 [reference]:
+APP.4.4.A9
+
+[reference]:
 CIP-003-8 R6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_host_dir_volume_plugin'.
--- xccdf_org.ssgproject.content_rule_scc_limit_host_dir_volume_plugin
+++ xccdf_org.ssgproject.content_rule_scc_limit_host_dir_volume_plugin
@@ -10,6 +10,9 @@
 
 [reference]:
 APP.4.4.A4
+
+[reference]:
+APP.4.4.A9
 
 [reference]:
 AC-6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_host_ports'.
--- xccdf_org.ssgproject.content_rule_scc_limit_host_ports
+++ xccdf_org.ssgproject.content_rule_scc_limit_host_ports
@@ -7,6 +7,9 @@
 on the hosts. To prevent containers from binding to privileged ports
 on the host the appropriate Security Context Constraints (SCCs)
 should set allowHostPorts to false.
+
+[reference]:
+APP.4.4.A9
 
 [reference]:
 CM-6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_ipc_namespace'.
--- xccdf_org.ssgproject.content_rule_scc_limit_ipc_namespace
+++ xccdf_org.ssgproject.content_rule_scc_limit_ipc_namespace
@@ -10,6 +10,9 @@
 
 [reference]:
 APP.4.4.A4
+
+[reference]:
+APP.4.4.A9
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_net_raw_capability'.
--- xccdf_org.ssgproject.content_rule_scc_limit_net_raw_capability
+++ xccdf_org.ssgproject.content_rule_scc_limit_net_raw_capability
@@ -11,6 +11,9 @@
 
 [reference]:
 APP.4.4.A4
+
+[reference]:
+APP.4.4.A9
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_network_namespace'.
--- xccdf_org.ssgproject.content_rule_scc_limit_network_namespace
+++ xccdf_org.ssgproject.content_rule_scc_limit_network_namespace
@@ -10,6 +10,9 @@
 
 [reference]:
 APP.4.4.A4
+
+[reference]:
+APP.4.4.A9
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_privilege_escalation'.
--- xccdf_org.ssgproject.content_rule_scc_limit_privilege_escalation
+++ xccdf_org.ssgproject.content_rule_scc_limit_privilege_escalation
@@ -8,6 +8,9 @@
 To prevent containers from escalating privileges,
 the appropriate Security Context Constraints (SCCs)
 should set allowPrivilegeEscalation to false.
+
+[reference]:
+APP.4.4.A9
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_privileged_containers'.
--- xccdf_org.ssgproject.content_rule_scc_limit_privileged_containers
+++ xccdf_org.ssgproject.content_rule_scc_limit_privileged_containers
@@ -10,6 +10,9 @@
 
 [reference]:
 APP.4.4.A4
+
+[reference]:
+APP.4.4.A9
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_process_id_namespace'.
--- xccdf_org.ssgproject.content_rule_scc_limit_process_id_namespace
+++ xccdf_org.ssgproject.content_rule_scc_limit_process_id_namespace
@@ -10,6 +10,9 @@
 
 [reference]:
 APP.4.4.A4
+
+[reference]:
+APP.4.4.A9
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_root_containers'.
--- xccdf_org.ssgproject.content_rule_scc_limit_root_containers
+++ xccdf_org.ssgproject.content_rule_scc_limit_root_containers
@@ -10,6 +10,9 @@
 
 [reference]:
 APP.4.4.A4
+
+[reference]:
+APP.4.4.A9
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_kubelet_conf'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_kubelet_conf
+++ xccdf_org.ssgproject.content_rule_file_groupowner_kubelet_conf
@@ -4,6 +4,9 @@
 
 [description]:
 To properly set the group owner of /etc/kubernetes/kubelet.conf, run the command: $ sudo chgrp root /etc/kubernetes/kubelet.conf
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_worker_ca'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_worker_ca
+++ xccdf_org.ssgproject.content_rule_file_groupowner_worker_ca
@@ -4,6 +4,9 @@
 
 [description]:
 To properly set the group owner of /etc/kubernetes/kubelet-ca.crt, run the command: $ sudo chgrp root /etc/kubernetes/kubelet-ca.crt
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_worker_kubeconfig'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_worker_kubeconfig
+++ xccdf_org.ssgproject.content_rule_file_groupowner_worker_kubeconfig
@@ -4,6 +4,9 @@
 
 [description]:
 To properly set the group owner of /var/lib/kubelet/kubeconfig, run the command: $ sudo chgrp root /var/lib/kubelet/kubeconfig
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_worker_service'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_worker_service
+++ xccdf_org.ssgproject.content_rule_file_groupowner_worker_service
@@ -6,6 +6,9 @@
 '
   To properly set the group owner of /etc/systemd/system/kubelet.service, run the command:
   $ sudo chgrp root /etc/systemd/system/kubelet.service'
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_kubelet'.
--- xccdf_org.ssgproject.content_rule_file_owner_kubelet
+++ xccdf_org.ssgproject.content_rule_file_owner_kubelet
@@ -4,6 +4,9 @@
 
 [description]:
 To properly set the owner of /var/lib/kubelet/config.json, run the command: $ sudo chown root /var/lib/kubelet/config.json
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_kubelet_conf'.
--- xccdf_org.ssgproject.content_rule_file_owner_kubelet_conf
+++ xccdf_org.ssgproject.content_rule_file_owner_kubelet_conf
@@ -4,6 +4,9 @@
 
 [description]:
 To properly set the owner of /etc/kubernetes/kubelet.conf, run the command: $ sudo chown root /etc/kubernetes/kubelet.conf
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_worker_ca'.
--- xccdf_org.ssgproject.content_rule_file_owner_worker_ca
+++ xccdf_org.ssgproject.content_rule_file_owner_worker_ca
@@ -4,6 +4,9 @@
 
 [description]:
 To properly set the owner of /etc/kubernetes/kubelet-ca.crt, run the command: $ sudo chown root /etc/kubernetes/kubelet-ca.crt
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_worker_kubeconfig'.
--- xccdf_org.ssgproject.content_rule_file_owner_worker_kubeconfig
+++ xccdf_org.ssgproject.content_rule_file_owner_worker_kubeconfig
@@ -4,6 +4,9 @@
 
 [description]:
 To properly set the owner of /var/lib/kubelet/kubeconfig, run the command: $ sudo chown root /var/lib/kubelet/kubeconfig
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_worker_service'.
--- xccdf_org.ssgproject.content_rule_file_owner_worker_service
+++ xccdf_org.ssgproject.content_rule_file_owner_worker_service
@@ -6,6 +6,9 @@
 '
   To properly set the owner of /etc/systemd/system/kubelet.service, run the command:
   $ sudo chown root /etc/systemd/system/kubelet.service '
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_kubelet'.
--- xccdf_org.ssgproject.content_rule_file_permissions_kubelet
+++ xccdf_org.ssgproject.content_rule_file_permissions_kubelet
@@ -5,6 +5,9 @@
 [description]:
 To properly set the permissions of /var/lib/kubelet/config.json, run the command:
 $ sudo chmod 0600 /var/lib/kubelet/config.json
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_kubelet_conf'.
--- xccdf_org.ssgproject.content_rule_file_permissions_kubelet_conf
+++ xccdf_org.ssgproject.content_rule_file_permissions_kubelet_conf
@@ -5,6 +5,9 @@
 [description]:
 To properly set the permissions of /etc/kubernetes/kubelet.conf, run the command:
 $ sudo chmod 0644 /etc/kubernetes/kubelet.conf
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_worker_ca'.
--- xccdf_org.ssgproject.content_rule_file_permissions_worker_ca
+++ xccdf_org.ssgproject.content_rule_file_permissions_worker_ca
@@ -5,6 +5,9 @@
 [description]:
 To properly set the permissions of /etc/kubernetes/kubelet-ca.crt, run the command:
 $ sudo chmod 0644 /etc/kubernetes/kubelet-ca.crt
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_worker_kubeconfig'.
--- xccdf_org.ssgproject.content_rule_file_permissions_worker_kubeconfig
+++ xccdf_org.ssgproject.content_rule_file_permissions_worker_kubeconfig
@@ -5,6 +5,9 @@
 [description]:
 To properly set the permissions of /var/lib/kubelet/kubeconfig, run the command:
 $ sudo chmod 0600 /var/lib/kubelet/kubeconfig
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_worker_service'.
--- xccdf_org.ssgproject.content_rule_file_permissions_worker_service
+++ xccdf_org.ssgproject.content_rule_file_permissions_worker_service
@@ -5,6 +5,9 @@
 [description]:
 To properly set the permissions of /etc/systemd/system/kubelet.service, run the command:
 $ sudo chmod 0644 /etc/systemd/system/kubelet.service
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6
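Review bot: none of the hunks in this diff adds an APP.4.4.A19 reference, although the PR title covers A17 - A19. If A19 is handled only through notes in controls/bsi_app_4_4.yml without rule references, it would help to say so in the description so reviewers do not read the missing references as an oversight.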


github-actions bot commented Mar 6, 2024

Start a new ephemeral environment with changes proposed in this pull request:

ocp4 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment


github-actions bot commented Mar 6, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11659
This image was built from commit: 4c1072a


If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11659

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11659 make deploy-local

Contributor

@sluetze sluetze left a comment


@benruland this one is a biggy. I think the only mandatory change is the doubled bsi: reference and the partial/automated state. Let's discuss the other points.

controls/bsi_app_4_4.yml
disallow all but the necessary network connections within the Kubernetes namespace. These
(1) Pods SHOULD ONLY be able to communicate with each other through the necessary network
ports, even within a Kubernetes namespace. (2) There SHOULD be rules within the CNI that
disallow all but the necessary network connections within the Kubernetes namespace. (3) These
Contributor

not sure if a manual rule for section 3 would help or only create work.
What about cases, where someone creates "ANY-ANY" network policies and lovely selects all available pods?
Or is this more something we would expect to be solved in the application development/review cycle?

Contributor Author

I am actually surprised that no one has yet created such a rule.

However, I do not have a clear opinion yet, if the manual rule will add value or if this should be marked as "organizational measure". From a responsibility perspective, I would definitely see it at app dev/review.

Contributor

If I remember the discussions with the customers right, they opted for more rules (even if manual) instead of missing anything. There must be tailoring / review of the manual rules done at each customer anyway. Maybe a manual rule with the tenor "review netpols if they only include relevant connections and are using the criteria service name, labels, etc. pp. OR ensure there is a check in the app dev/review" this would make it transparent in the CO.

On the other hand, you already mentioned this in the notes. But the notes are not visible in the CO outputs.
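To make the "ANY-ANY" case from this thread concrete, here is an added example that is not part of this PR or of ComplianceAsCode's own content: a small Python checker that walks a list of NetworkPolicy objects (the shape of the `items` array from `oc get networkpolicy -A -o json`) and reports every ingress or egress rule that admits any peer, noting whether the policy also selects all pods in its namespace and whether the rule at least limits ports. It goes beyond the case in the comment by also catching an empty `namespaceSelector`, a `0.0.0.0/0` or `::/0` `ipBlock`, and egress rules. The sample policies are constructed for illustration; the function and field names are my own, not anything from the compliance-operator.

```python
"""Flag over-permissive ("ANY-ANY") NetworkPolicies.

Input: a list of NetworkPolicy objects as returned by the Kubernetes API
(e.g. the `items` of `oc get networkpolicy -A -o json`).
Output: one finding per ingress/egress rule that admits any peer.
"""

# Hypothetical helper names; not part of ComplianceAsCode.
ANY_CIDRS = ("0.0.0.0/0", "::/0")


def _policy_types(spec):
    """Directions the policy governs, applying the Kubernetes defaults:
    Ingress is always governed; Egress only when egress rules are present."""
    if spec.get("policyTypes"):
        return set(spec["policyTypes"])
    types = {"Ingress"}
    if spec.get("egress"):
        types.add("Egress")
    return types


def _peer_any_reason(peer):
    """Return a reason string if a single from/to entry matches any peer."""
    ip = peer.get("ipBlock")
    if ip and ip.get("cidr") in ANY_CIDRS and not ip.get("except"):
        return "ipBlock %s (any address)" % ip["cidr"]
    ns = peer.get("namespaceSelector")
    pod = peer.get("podSelector")
    # namespaceSelector {} with no (or an empty) podSelector: all pods everywhere
    if ns == {} and pod in (None, {}):
        return "namespaceSelector {} (all pods in all namespaces)"
    # podSelector {} on its own: every pod in the policy's own namespace
    if pod == {} and ns is None:
        return "podSelector {} (all pods in the namespace)"
    return None


def _rule_any_reason(rule, peer_key):
    """Return a reason string if a whole ingress/egress rule admits any peer."""
    peers = rule.get(peer_key)
    if not peers:
        # A rule with no from/to entries matches every source/destination
        return "no %s restriction (any peer)" % peer_key
    for peer in peers:
        reason = _peer_any_reason(peer)
        if reason:
            return reason
    return None


def find_any_any_policies(policies):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for policy in policies:
        meta = policy.get("metadata", {})
        spec = policy.get("spec", {})
        # spec.podSelector {} selects every pod in the namespace
        selects_all_pods = spec.get("podSelector") in (None, {})
        for direction, rules_key, peer_key in (
            ("Ingress", "ingress", "from"),
            ("Egress", "egress", "to"),
        ):
            if direction not in _policy_types(spec):
                continue
            for rule in spec.get(rules_key) or []:
                reason = _rule_any_reason(rule, peer_key)
                if reason:
                    findings.append({
                        "namespace": meta.get("namespace"),
                        "name": meta.get("name"),
                        "direction": direction,
                        "reason": reason,
                        "all_pods": selects_all_pods,
                        "ports_restricted": bool(rule.get("ports")),
                    })
    return findings


# Constructed sample input: two ANY-ANY style policies, one default-deny,
# one tightly scoped policy, and one egress-to-anywhere-on-443 policy.
SAMPLE_POLICIES = [
    {"metadata": {"namespace": "team-a", "name": "allow-all"},
     "spec": {"podSelector": {}, "ingress": [{}]}},
    {"metadata": {"namespace": "team-a", "name": "allow-same-namespace"},
     "spec": {"podSelector": {}, "ingress": [{"from": [{"podSelector": {}}]}]}},
    {"metadata": {"namespace": "team-b", "name": "default-deny"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"metadata": {"namespace": "team-b", "name": "db-from-api"},
     "spec": {"podSelector": {"matchLabels": {"app": "db"}},
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "api"}}}],
                           "ports": [{"protocol": "TCP", "port": 5432}]}]}},
    {"metadata": {"namespace": "team-b", "name": "web-egress-https"},
     "spec": {"podSelector": {"matchLabels": {"app": "web"}},
              "policyTypes": ["Egress"],
              "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}],
                          "ports": [{"protocol": "TCP", "port": 443}]}]}},
]


if __name__ == "__main__":
    for f in find_any_any_policies(SAMPLE_POLICIES):
        print("%(namespace)s/%(name)s %(direction)s: %(reason)s; "
              "all pods=%(all_pods)s, ports restricted=%(ports_restricted)s" % f)
```

A policy with an empty `podSelector` and an empty rule is the pure ANY-ANY case; a label-scoped policy with a `0.0.0.0/0` egress on one port is reported too, but with `all_pods` false and `ports_restricted` true, so a reviewer can triage the two differently. `default-deny` produces nothing because `policyTypes` lists both directions while no rules are present, which is the deny-all idiom rather than an allow.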

restarted in a short time at another site.
Should a restart be required, all the necessary configuration files, images, user data, network
connections, and other resources required for operation (including the necessary hardware)
(2) Should a restart be required, all the necessary configuration files, images, user data,
Contributor

not sure if we have a rule for this, but this would also require no local node storage used.

Contributor Author

It feels too fine-grained for me here. This requirement would also be necessary for any pod high availability, wouldn't it? Do we have a separate control for that?

For me, section 2 focuses on the "cluster restart in other site" scenario, which is largely to be ensured organizationally.

Contributor

There is no control for that in APP.4.4. You are correct, I am too fine-grained here.

@benruland
Contributor Author

In the future, for APP.4.4.18, we might need to also look at AdminNetworkPolicy, currently in TechPreviewNoUpgrade state.

@marcusburghardt marcusburghardt added the OpenShift OpenShift product related. label Apr 18, 2024
@yuumasato yuumasato self-assigned this May 15, 2024
@yuumasato
Member

/ok-to-test

@openshift-ci openshift-ci bot added the ok-to-test Used by openshift-ci bot. label May 22, 2024
@openshift-ci openshift-ci bot removed the needs-ok-to-test Used by openshift-ci bot. label May 22, 2024
@yuumasato
Member

/test e2e-aws-ocp4-bsi
/test e2e-aws-ocp4-bsi-node
/test e2e-aws-rhcos4-bsi

Labels: do-not-merge/work-in-progress (Used by openshift-ci bot.), ok-to-test (Used by openshift-ci bot.), OpenShift (OpenShift product related.)
4 participants