Defined notes and rules for APP.4.4.A7

ComplianceAsCode · Apr 5, 2024 · f7d31c8 · f7d31c8
1 parent 68f8102
commit f7d31c8
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 15 deletions.
diff --git a/applications/openshift/networking/configure_network_policies/rule.yml b/applications/openshift/networking/configure_network_policies/rule.yml
@@ -17,6 +17,7 @@ rationale: |-
 severity: high
 
 references:
+    bsi: APP.4.4.A7
     cis@ocp4: 5.3.1
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

diff --git a/applications/openshift/networking/configure_network_policies_namespaces/rule.yml b/applications/openshift/networking/configure_network_policies_namespaces/rule.yml
@@ -17,6 +17,7 @@ rationale: |-
 severity: high
 
 references:
+    bsi: APP.4.4.A7
     cis@eks: 4.3.2
     cis@ocp4: 5.3.2
     nerc-cip: CIP-003-8 R4,CIP-003-8 R4.2,CIP-003-8 R5,CIP-003-8 R6,CIP-004-6 R2.2.4,CIP-004-6 R3,CIP-007-3 R2,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R6.1

diff --git a/applications/openshift/networking/project_config_and_template_network_policy/rule.yml b/applications/openshift/networking/project_config_and_template_network_policy/rule.yml
@@ -58,6 +58,7 @@ identifiers:
       cce@ocp4: CCE-86070-0
 
 references:
+    bsi: APP.4.4.A7
     srg: SRG-APP-000039-CTR-000110
 
 warnings:

diff --git a/applications/openshift/rbac/rbac_least_privilege/rule.yml b/applications/openshift/rbac/rbac_least_privilege/rule.yml
@@ -26,7 +26,7 @@ identifiers:
   cce@ocp4: CCE-90678-4
 
 references:
-    bsi: APP.4.4.A3
+    bsi: APP.4.4.A3,APP.4.4.A7
     cis@ocp4: 5.2.10
     nist: AC-3,CM-5(6),IA-2,IA-2(5),AC-6(10),CM-11(2),CM-5(1),CM-7(5)(b)
     srg: SRG-APP-000033-CTR-000090,SRG-APP-000033-CTR-000095,SRG-APP-000033-CTR-000100,SRG-APP-000133-CTR-000290,SRG-APP-000133-CTR-000295,SRG-APP-000133-CTR-000300,SRG-APP-000133-CTR-000305,SRG-APP-000133-CTR-000310,SRG-APP-000148-CTR-000350,SRG-APP-000153-CTR-000375,SRG-APP-000340-CTR-000770,SRG-APP-000378-CTR-000880,SRG-APP-000378-CTR-000885,SRG-APP-000378-CTR-000890,SRG-APP-000380-CTR-000900,SRG-APP-000386-CTR-000920

diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml
@@ -175,21 +175,32 @@ controls:
     levels:
     - standard
     description: >-
-      Networks for the administration of nodes, the control plane, and the individual networks of
-      application services SHOULD be separated.
-      Only the network ports of the pods necessary for operation SHOULD be released into the
-      designated networks. If a Kubernetes cluster contains multiple applications, all the network
-      connections between the Kubernetes namespaces SHOULD first be prohibited and only
-      required network connections permitted (whitelisting). The network ports necessary for the
-      administration of the nodes, the runtime, and Kubernetes (including its extensions) SHOULD
-      ONLY be accessible from the corresponding administration network and from pods that need
-      them.
-      Only selected administrators SHOULD be authorised in Kubernetes to manage the CNI and
-      create or change rules for the network.
+      (1) Networks for the administration of nodes, the control plane, and the individual networks of application services SHOULD be separated.
+      (2) Only the network ports of the pods necessary for operation SHOULD be released into the designated networks. (3) If a Kubernetes cluster contains multiple applications, all the network connections between the Kubernetes namespaces SHOULD first be prohibited and only required network connections permitted (whitelisting). (4) The network ports necessary for the administration of the nodes, the runtime, and Kubernetes (including its extensions) SHOULD ONLY be accessible from the corresponding administration network and from pods that need them.
+      (5) Only selected administrators SHOULD be authorised in Kubernetes to manage the CNI and create or change rules for the network.
     notes: >-
-      TBD
-    status: pending
-    rules: []
+      Section 1-3:
+      The requirements for restricting network ports and network connections between Kubernetes namespaces are already supported by OpenShift as standard using network policies and the option for default network policies (security by design).
+
+      The separation of the management network can also be implemented at the namespace level via network policies (incoming, the responsibility of the namespace administrator) and egress firewalls (outgoing, the responsibility of the cluster admins).
+
+      Externally exposed services can receive their own IP and thus data traffic can also be separated outside the platform. Inter-node communication is carried out via suitable tunnel protocols (VXLAN, GENEVE) and can also be encrypted using IPSec.
+
+      The determination of the necessary network policies for applications is supported by the network policy generator in ACS.
+      Section 4 is true by default
+      Section 5 maps to principle of least privilege
+    status: partial
+    rules:
+      # Section 1
+      # Section 2
+      - configure_network_policies
+      - configure_network_policies_namespaces
+      # Section 3
+      - project_config_and_template_network_policy
+      # Section 4, default
+      # Section 5
+      - rbac_least_privilege
+
 
   - id: APP.4.4.A8
     title: Securing Configuration Files on Kubernetes