Defined notes and rules for control BSI APP4.4.A8 - APP4.4.A11

[benruland]

Description:

Notes / Rules for BSI APP4.4.A8 - APP4.4.A11 added.

Rationale:

As we have multiple customers asking for a BSI profile to be included in the compliance-operator, we are contributing a profile. To provide a better review process, the individual controle are implemented as separate PRs.

[openshift-ci[bot]]

Hi @benruland. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[github-actions[bot]]

Start a new ephemeral environment with changes proposed in this pull request:

ocp4 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[github-actions[bot]]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_restrict_service_account_tokens'.
--- xccdf_org.ssgproject.content_rule_accounts_restrict_service_account_tokens
+++ xccdf_org.ssgproject.content_rule_accounts_restrict_service_account_tokens
@@ -7,6 +7,9 @@
 running in the pod explicitly needs to communicate with the API server.
 To ensure pods do not automatically mount tokens, set
 automountServiceAccountToken to false.
+
+[reference]:
+APP.4.4.A9
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_unique_service_account'.
--- xccdf_org.ssgproject.content_rule_accounts_unique_service_account
+++ xccdf_org.ssgproject.content_rule_accounts_unique_service_account
@@ -10,6 +10,9 @@
        
 where service_account_name is the name of a service account
 that is needed in the project namespace.
+
+[reference]:
+APP.4.4.A9
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_network_policies'.
--- xccdf_org.ssgproject.content_rule_configure_network_policies
+++ xccdf_org.ssgproject.content_rule_configure_network_policies
@@ -17,6 +17,9 @@
     and persist it to the local
     /apis/operator.openshift.io/v1/networks/cluster#35e33d6dc1252a03495b35bd1751cac70041a511fa4d282c300a8b83b83e3498
     file.
+
+[reference]:
+APP.4.4.A7
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces'.
--- xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces
+++ xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces
@@ -20,6 +20,9 @@
     and persist it to the local
     /api/v1/namespaces#f673748db2dd4e4f0ad55d10ce5e86714c06da02b67ddb392582f71ef81efab2
     file.
+
+[reference]:
+APP.4.4.A7
 
 [reference]:
 CIP-003-8 R4

New content has different text for rule 'xccdf_org.ssgproject.content_rule_project_config_and_template_network_policy'.
--- xccdf_org.ssgproject.content_rule_project_config_and_template_network_policy
+++ xccdf_org.ssgproject.content_rule_project_config_and_template_network_policy
@@ -32,6 +32,9 @@
     file.
 
 [reference]:
+APP.4.4.A7
+
+[reference]:
 SRG-APP-000039-CTR-000110
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_rbac_least_privilege'.
--- xccdf_org.ssgproject.content_rule_rbac_least_privilege
+++ xccdf_org.ssgproject.content_rule_rbac_least_privilege
@@ -28,6 +28,12 @@
 
 [reference]:
 APP.4.4.A3
+
+[reference]:
+APP.4.4.A7
+
+[reference]:
+APP.4.4.A9
 
 [reference]:
 AC-3

New content has different text for rule 'xccdf_org.ssgproject.content_rule_rbac_wildcard_use'.
--- xccdf_org.ssgproject.content_rule_rbac_wildcard_use
+++ xccdf_org.ssgproject.content_rule_rbac_wildcard_use
@@ -9,6 +9,9 @@
 wildcard * which matches all items. This violates the
 principle of least privilege and leaves a cluster in a more
 vulnerable state to privilege abuse.
+
+[reference]:
+APP.4.4.A9
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_scansettingbinding_exists'.
--- xccdf_org.ssgproject.content_rule_scansettingbinding_exists
+++ xccdf_org.ssgproject.content_rule_scansettingbinding_exists
@@ -12,6 +12,9 @@
 [warning]:
 This rule's check operates on the cluster configuration dump.
 Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/compliance.openshift.io/v1alpha1/scansettingbindings?limit=5 API endpoint to the local /apis/compliance.openshift.io/v1alpha1/scansettingbindings?limit=5 file.
+
+[reference]:
+APP.4.4.A13
 
 [reference]:
 CIP-003-8 R1.3

New content has different text for rule 'xccdf_org.ssgproject.content_rule_scansettings_have_schedule'.
--- xccdf_org.ssgproject.content_rule_scansettings_have_schedule
+++ xccdf_org.ssgproject.content_rule_scansettings_have_schedule
@@ -21,6 +21,9 @@
     file.
 
 [reference]:
+APP.4.4.A13
+
+[reference]:
 SI-6(b)
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_drop_container_capabilities'.
--- xccdf_org.ssgproject.content_rule_scc_drop_container_capabilities
+++ xccdf_org.ssgproject.content_rule_scc_drop_container_capabilities
@@ -8,6 +8,9 @@
 capabilities, the appropriate Security Context Constraints (SCCs)
 should set all capabilities as * or a list of capabilities in
 requiredDropCapabilities.
+
+[reference]:
+APP.4.4.A9
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_container_allowed_capabilities'.
--- xccdf_org.ssgproject.content_rule_scc_limit_container_allowed_capabilities
+++ xccdf_org.ssgproject.content_rule_scc_limit_container_allowed_capabilities
@@ -47,6 +47,9 @@
     file.
 
 [reference]:
+APP.4.4.A9
+
+[reference]:
 CIP-003-8 R6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_host_dir_volume_plugin'.
--- xccdf_org.ssgproject.content_rule_scc_limit_host_dir_volume_plugin
+++ xccdf_org.ssgproject.content_rule_scc_limit_host_dir_volume_plugin
@@ -10,6 +10,9 @@
 
 [reference]:
 APP.4.4.A4
+
+[reference]:
+APP.4.4.A9
 
 [reference]:
 AC-6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_host_ports'.
--- xccdf_org.ssgproject.content_rule_scc_limit_host_ports
+++ xccdf_org.ssgproject.content_rule_scc_limit_host_ports
@@ -7,6 +7,9 @@
 on the hosts. To prevent containers from binding to privileged ports
 on the host the appropriate Security Context Constraints (SCCs)
 should set allowHostPorts to false.
+
+[reference]:
+APP.4.4.A9
 
 [reference]:
 CM-6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_ipc_namespace'.
--- xccdf_org.ssgproject.content_rule_scc_limit_ipc_namespace
+++ xccdf_org.ssgproject.content_rule_scc_limit_ipc_namespace
@@ -10,6 +10,9 @@
 
 [reference]:
 APP.4.4.A4
+
+[reference]:
+APP.4.4.A9
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_net_raw_capability'.
--- xccdf_org.ssgproject.content_rule_scc_limit_net_raw_capability
+++ xccdf_org.ssgproject.content_rule_scc_limit_net_raw_capability
@@ -11,6 +11,9 @@
 
 [reference]:
 APP.4.4.A4
+
+[reference]:
+APP.4.4.A9
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_network_namespace'.
--- xccdf_org.ssgproject.content_rule_scc_limit_network_namespace
+++ xccdf_org.ssgproject.content_rule_scc_limit_network_namespace
@@ -10,6 +10,9 @@
 
 [reference]:
 APP.4.4.A4
+
+[reference]:
+APP.4.4.A9
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_privilege_escalation'.
--- xccdf_org.ssgproject.content_rule_scc_limit_privilege_escalation
+++ xccdf_org.ssgproject.content_rule_scc_limit_privilege_escalation
@@ -8,6 +8,9 @@
 To prevent containers from escalating privileges,
 the appropriate Security Context Constraints (SCCs)
 should set allowPrivilegeEscalation to false.
+
+[reference]:
+APP.4.4.A9
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_privileged_containers'.
--- xccdf_org.ssgproject.content_rule_scc_limit_privileged_containers
+++ xccdf_org.ssgproject.content_rule_scc_limit_privileged_containers
@@ -10,6 +10,9 @@
 
 [reference]:
 APP.4.4.A4
+
+[reference]:
+APP.4.4.A9
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_process_id_namespace'.
--- xccdf_org.ssgproject.content_rule_scc_limit_process_id_namespace
+++ xccdf_org.ssgproject.content_rule_scc_limit_process_id_namespace
@@ -10,6 +10,9 @@
 
 [reference]:
 APP.4.4.A4
+
+[reference]:
+APP.4.4.A9
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_root_containers'.
--- xccdf_org.ssgproject.content_rule_scc_limit_root_containers
+++ xccdf_org.ssgproject.content_rule_scc_limit_root_containers
@@ -10,6 +10,9 @@
 
 [reference]:
 APP.4.4.A4
+
+[reference]:
+APP.4.4.A9
 
 [reference]:
 CIP-003-8 R6

[github-actions[bot]]

:robot: A k8s content image for this PR is available at: ghcr.io/complianceascode/k8scontent:11559 This image was built from commit: 3dd2ce3954b9da6a7b8af2c7d15a5fd31e315569

Click here to see how to deploy it

If you alread have Compliance Operator deployed: utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11559

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11559 make deploy-local

[benruland]

The Automatus tests keep on failing. I need advise how to fix this / or can it be ignored?

Locally, the created tests run fine, e.g.:

$ tests/test_rule_in_container.sh \
     --dontclean --logdir logs_bash \
     --remediate-using bash \
     --name ssg_test_suite \
     --datastream build/ssg-ocp4-ds.xml \
     accounts_no_clusterrolebindings_default_service_account

Setting console output to log level INFO
INFO - The base image option has been specified, choosing Podman-based test environment.
INFO - Logging into logs_bash-1/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_accounts_no_clusterrolebindings_default_service_account
INFO - Script clusterrolebindings_other_serviceaccounts.pass.sh using profile (all) OK
INFO - Script clusterrolebindings_serviceaccounts.fail.sh using profile (all) OK
INFO - Script no_clusterrolebindings.pass.sh using profile (all) OK

[codeclimate[bot]]

Code Climate has analyzed commit 42f881bf and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.8% (0.0% change).

View more on Code Climate.

[xiaojiey]

/hold for test

[yuumasato]

/ok-to-test

[yuumasato]

/test help

[openshift-ci[bot]]

@yuumasato: The specified target(s) for /test were not found. The following commands are available to trigger required jobs:

• /test 4.13-e2e-aws-ocp4-bsi
• /test 4.13-e2e-aws-ocp4-bsi-node
• /test 4.13-e2e-aws-ocp4-cis
• /test 4.13-e2e-aws-ocp4-cis-node
• /test 4.13-e2e-aws-ocp4-e8
• /test 4.13-e2e-aws-ocp4-high
• /test 4.13-e2e-aws-ocp4-high-node
• /test 4.13-e2e-aws-ocp4-moderate
• /test 4.13-e2e-aws-ocp4-moderate-node
• /test 4.13-e2e-aws-ocp4-pci-dss
• /test 4.13-e2e-aws-ocp4-pci-dss-node
• /test 4.13-e2e-aws-ocp4-stig
• /test 4.13-e2e-aws-ocp4-stig-node
• /test 4.13-e2e-aws-rhcos4-bsi
• /test 4.13-e2e-aws-rhcos4-e8
• /test 4.13-e2e-aws-rhcos4-high
• /test 4.13-e2e-aws-rhcos4-moderate
• /test 4.13-e2e-aws-rhcos4-stig
• /test 4.13-images
• /test 4.14-e2e-aws-ocp4-bsi
• /test 4.14-e2e-aws-ocp4-bsi-node
• /test 4.14-e2e-aws-rhcos4-bsi
• /test 4.14-images
• /test 4.15-e2e-aws-ocp4-bsi
• /test 4.15-e2e-aws-ocp4-bsi-node
• /test 4.15-e2e-aws-ocp4-cis
• /test 4.15-e2e-aws-ocp4-cis-node
• /test 4.15-e2e-aws-ocp4-e8
• /test 4.15-e2e-aws-ocp4-high
• /test 4.15-e2e-aws-ocp4-high-node
• /test 4.15-e2e-aws-ocp4-moderate
• /test 4.15-e2e-aws-ocp4-moderate-node
• /test 4.15-e2e-aws-ocp4-pci-dss
• /test 4.15-e2e-aws-ocp4-pci-dss-node
• /test 4.15-e2e-aws-ocp4-stig
• /test 4.15-e2e-aws-ocp4-stig-node
• /test 4.15-e2e-aws-rhcos4-bsi
• /test 4.15-e2e-aws-rhcos4-e8
• /test 4.15-e2e-aws-rhcos4-high
• /test 4.15-e2e-aws-rhcos4-moderate
• /test 4.15-e2e-aws-rhcos4-stig
• /test 4.15-images
• /test 4.16-e2e-aws-ocp4-bsi
• /test 4.16-e2e-aws-ocp4-bsi-node
• /test 4.16-e2e-aws-ocp4-cis
• /test 4.16-e2e-aws-ocp4-cis-node
• /test 4.16-e2e-aws-ocp4-e8
• /test 4.16-e2e-aws-ocp4-high
• /test 4.16-e2e-aws-ocp4-high-node
• /test 4.16-e2e-aws-ocp4-moderate
• /test 4.16-e2e-aws-ocp4-moderate-node
• /test 4.16-e2e-aws-ocp4-pci-dss
• /test 4.16-e2e-aws-ocp4-pci-dss-node
• /test 4.16-e2e-aws-ocp4-stig
• /test 4.16-e2e-aws-ocp4-stig-node
• /test 4.16-e2e-aws-rhcos4-bsi
• /test 4.16-e2e-aws-rhcos4-e8
• /test 4.16-e2e-aws-rhcos4-high
• /test 4.16-e2e-aws-rhcos4-moderate
• /test 4.16-e2e-aws-rhcos4-stig
• /test 4.16-images
• /test e2e-aws-ocp4-bsi
• /test e2e-aws-ocp4-bsi-node
• /test e2e-aws-ocp4-cis
• /test e2e-aws-ocp4-cis-node
• /test e2e-aws-ocp4-e8
• /test e2e-aws-ocp4-high
• /test e2e-aws-ocp4-high-node
• /test e2e-aws-ocp4-moderate
• /test e2e-aws-ocp4-moderate-node
• /test e2e-aws-ocp4-pci-dss
• /test e2e-aws-ocp4-pci-dss-node
• /test e2e-aws-ocp4-stig
• /test e2e-aws-ocp4-stig-node
• /test e2e-aws-rhcos4-bsi
• /test e2e-aws-rhcos4-e8
• /test e2e-aws-rhcos4-high
• /test e2e-aws-rhcos4-moderate
• /test e2e-aws-rhcos4-stig
• /test images

Use /test all to run the following jobs that were automatically triggered:

• pull-ci-ComplianceAsCode-content-master-4.13-images
• pull-ci-ComplianceAsCode-content-master-4.14-images
• pull-ci-ComplianceAsCode-content-master-4.15-images
• pull-ci-ComplianceAsCode-content-master-4.16-images
• pull-ci-ComplianceAsCode-content-master-images

In response to this:

/test help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[yuumasato]

/test e2e-aws-ocp4-bsi /test e2e-aws-ocp4-bsi-node /test e2e-aws-rhcos4-bsi

[codeclimate[bot]]

Code Climate has analyzed commit 3dd2ce39 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

[yuumasato]

/test e2e-aws-ocp4-bsi /test e2e-aws-ocp4-bsi-node /test e2e-aws-rhcos4-bsi

[openshift-ci[bot]]

@benruland: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ocp4-bsi	3dd2ce3954b9da6a7b8af2c7d15a5fd31e315569	link	true	/test e2e-aws-ocp4-bsi
ci/prow/e2e-aws-rhcos4-bsi	3dd2ce3954b9da6a7b8af2c7d15a5fd31e315569	link	true	/test e2e-aws-rhcos4-bsi
ci/prow/e2e-aws-ocp4-bsi-node	3dd2ce3954b9da6a7b8af2c7d15a5fd31e315569	link	true	/test e2e-aws-ocp4-bsi-node

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[yuumasato]

Skipping the ansible hardening tests.