From 44ba7b15a4b55e430e1efd76d36151eddf4f1043 Mon Sep 17 00:00:00 2001 From: lichtblaugue Date: Thu, 17 Oct 2024 14:13:23 +0200 Subject: [PATCH 1/2] Initial setup for rule SYS.1.6.A16 --- controls/bsi_sys_1_6.yml | 42 +++++++++++++++++++++++++++++++++------- 1 file changed, 35 insertions(+), 7 deletions(-) diff --git a/controls/bsi_sys_1_6.yml b/controls/bsi_sys_1_6.yml index 01a4fda1616..27de43eb2bd 100644 --- a/controls/bsi_sys_1_6.yml +++ b/controls/bsi_sys_1_6.yml 
@@ -414,15 +414,43 @@ controls: levels: - standard description: >- - In principle, administrative access from a container to the container host and vice versa - SHOULD be considered as administrative remote access. Remote administrative access - SHOULD NOT be established from a container to the container host. Application containers - SHOULD NOT contain remote maintenance access points. Administrative access to + (1)In principle, administrative access from a container to the container host and vice versa + SHOULD be considered as administrative remote access. (2) Remote administrative access + SHOULD NOT be established from a container to the container host. (3) Application containers + SHOULD NOT contain remote maintenance access points. (4) Administrative access to application containers SHOULD always be carried out via the container runtime. notes: >- - ToDo - status: manual - #rules: + Section 1: Application containers can only access administrative services remotely. + Privileged containers can gain access to the host, the host's file system, or the host's network. + This is necessary, for example, for the infrastructure services of OpenShift (ingress router). + Normal applications (application containers) may not receive such permissions. + + Section 2: This requirement must be partially implemented organizationally and + should be part of the guideline defined in SYS.1.6.A10. There may be exceptions for applications + that should/need to make configurations to Kubernetes resources. This means they have + administrative remote access to the corresponding Kubernetes resources. + Remote access is controlled by Kubernetes and backup takes place via the Kubernetes + functionalities (see module APP.4.4). The operating system including Mandatory Access Control + is optimized as a runtime environment for Kubernetes. In general, it is possible to limit + the provision/post-installation of remote access programs in the container. 
+ Also the container runtime security tools can detect, alert and remediate, + if remote access daemon processes such as SSHD are running in a container. + + Section 3: This requirement should also be included in the policy described in SYS.1.6.A10. + OpenShift only allows access to the configured ports. A container that provides remote maintenance + access to these ports may not be released. Application containers should be administered + exclusively via the container runtime. Using a policy, known remote access ports + (e.g. 22, RDP, etc.) can be reported via ACS and their use prevented. + + Section 4: This is standard in OpenShift environments. OpenShift offers a terminal login + via the oc administration tool. Communication runs via the control plane to the container + and is both authenticated and authorized. + status: automated + rules: + # Section 2: + - scc_limit_host_dir_volume_plugin + - scc_limit_container_allowed_capabilities + - scc_limit_privilege_escalation - id: SYS.1.6.A17 title: Running Containers Without Privileges From f95750d2deddad666c146bd49c515713a18d365c Mon Sep 17 00:00:00 2001 From: lichtblaugue Date: Wed, 23 Oct 2024 10:40:41 +0200 Subject: [PATCH 2/2] As suggested all scc rules added --- controls/bsi_sys_1_6.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/controls/bsi_sys_1_6.yml b/controls/bsi_sys_1_6.yml index 27de43eb2bd..dc2ed093861 100644 --- a/controls/bsi_sys_1_6.yml +++ b/controls/bsi_sys_1_6.yml 
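Review bot: in PATCH 1/2, `status: automated` contradicts the notes written in the same hunk, which say Section 2 "must be partially implemented organizationally", Section 3 depends on an ACS policy, and Section 4 is platform behaviour; with only three SCC rules attached, `partial` (or `manual`) describes the control more honestly than `automated`. Smaller points in the same hunk: `(1)In principle` lacks the space that `(2) `, `(3) ` and `(4) ` have; "backup takes place via the Kubernetes functionalities (see module APP.4.4)" reads as a statement about data backup, so if the intent is that the access is secured by Kubernetes mechanisms, say "is secured"; "may not be released" in Section 3 should probably read "must not be approved for deployment"; "Also the container runtime security tools can detect, alert and remediate, if remote access daemon processes such as SSHD are running in a container" would be clearer as "Container runtime security tools can also detect, alert on and remediate remote access daemons such as sshd running in a container"; and "Application containers should be administered exclusively via the container runtime" restates requirement (4) and belongs under Section 4, not Section 3. Spell out ACS (Red Hat Advanced Cluster Security) on first use, since nothing else in the file defines it.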
@@ -445,12 +445,20 @@ controls: Section 4: This is standard in OpenShift environments. OpenShift offers a terminal login via the oc administration tool. Communication runs via the control plane to the container and is both authenticated and authorized. - status: automated + status: manual rules: # Section 2: - - scc_limit_host_dir_volume_plugin + - scc_drop_container_capabilities - scc_limit_container_allowed_capabilities + - scc_limit_host_dir_volume_plugin + - scc_limit_host_ports + - scc_limit_ipc_namespace + - scc_limit_net_raw_capability + - scc_limit_network_namespace - scc_limit_privilege_escalation + - scc_limit_privileged_containers + - scc_limit_process_id_namespace + - scc_limit_root_containers - id: SYS.1.6.A17 title: Running Containers Without Privileges
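Review bot: in PATCH 2/2, the `# Section 2:` comment now heads all eleven rules, but `scc_limit_privileged_containers`, `scc_limit_host_dir_volume_plugin`, `scc_limit_host_ports`, `scc_limit_ipc_namespace`, `scc_limit_network_namespace` and `scc_limit_process_id_namespace` restrict exactly the container-to-host access (host file system, host network, privileged containers) that Section 1 of the notes describes, so either annotate each rule with the section it covers or drop the comment. Two further points: the status flips from `automated` to `manual` in the same hunk that adds nine rules, and `partial` would reflect that the SCC checks automate part of the requirement while the organizational part stays manual; and `scc_limit_net_raw_capability` (CAP_NET_RAW, raw sockets) is not about remote administrative access, so the notes should state why it is attached to A16 or it should be left out.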