Merge pull request #12529 from sig-bsi-grundschutz/sys-1-6-A16

Defined notes for BSI SYS.1.6.A16
ComplianceAsCode · Dec 9, 2024 · 3081d84 · 3081d84
2 parents 41429f5 + f95750d
commit 3081d84
Showing 1 changed file with 42 additions and 6 deletions.
diff --git a/controls/bsi_sys_1_6.yml b/controls/bsi_sys_1_6.yml
@@ -462,15 +462,51 @@ controls:
     levels:
     - standard
     description: >-
-      In principle, administrative access from a container to the container host and vice versa
-      SHOULD be considered as administrative remote access. Remote administrative access
-      SHOULD NOT be established from a container to the container host. Application containers
-      SHOULD NOT contain remote maintenance access points. Administrative access to
+      (1)In principle, administrative access from a container to the container host and vice versa
+      SHOULD be considered as administrative remote access. (2) Remote administrative access
+      SHOULD NOT be established from a container to the container host. (3) Application containers
+      SHOULD NOT contain remote maintenance access points. (4) Administrative access to
       application containers SHOULD always be carried out via the container runtime.
     notes: >-
-      ToDo
+      Section 1: Application containers can only access administrative services remotely.
+      Privileged containers can gain access to the host, the host's file system, or the host's network.
+      This is necessary, for example, for the infrastructure services of OpenShift (ingress router).
+      Normal applications (application containers) may not receive such permissions.
+
+      Section 2: This requirement must be partially implemented organizationally and
+      should be part of the guideline defined in SYS.1.6.A10. There may be exceptions for applications
+      that should/need to make configurations to Kubernetes resources. This means they have
+      administrative remote access to the corresponding Kubernetes resources.
+      Remote access is controlled by Kubernetes and backup takes place via the Kubernetes
+      functionalities (see module APP.4.4). The operating system including Mandatory Access Control
+      is optimized as a runtime environment for Kubernetes. In general, it is possible to limit
+      the provision/post-installation of remote access programs in the container.
+      Also the container runtime security tools can detect, alert and remediate,
+      if remote access daemon processes such as SSHD are running in a container.
+
+      Section 3: This requirement should also be included in the policy described in SYS.1.6.A10.
+      OpenShift only allows access to the configured ports. A container that provides remote maintenance
+      access to these ports may not be released. Application containers should be administered
+      exclusively via the container runtime. Using a policy, known remote access ports
+      (e.g. 22, RDP, etc.) can be reported via ACS and their use prevented.
+
+      Section 4: This is standard in OpenShift environments. OpenShift offers a terminal login
+      via the oc administration tool. Communication runs via the control plane to the container
+      and is both authenticated and authorized.
     status: manual
-    #rules:
+    rules:
+      #  Section 2:
+      - scc_drop_container_capabilities
+      - scc_limit_container_allowed_capabilities
+      - scc_limit_host_dir_volume_plugin
+      - scc_limit_host_ports
+      - scc_limit_ipc_namespace
+      - scc_limit_net_raw_capability
+      - scc_limit_network_namespace
+      - scc_limit_privilege_escalation
+      - scc_limit_privileged_containers
+      - scc_limit_process_id_namespace
+      - scc_limit_root_containers
 
   - id: SYS.1.6.A17
     title: Running Containers Without Privileges