Skip to content

Commit

Permalink
Added note changes from review for BSI APP.4.4.A17
Browse files Browse the repository at this point in the history
  • Loading branch information
benruland committed Jul 15, 2024
1 parent 1b70c4d commit 0e0275f
Show file tree
Hide file tree
Showing 2 changed files with 9 additions and 20 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,6 @@ identifiers:
cce@ocp4: CCE-83495-2

references:
bsi: APP.4.4.A17
bsi: APP.4.4.A17
cis@ocp4: 4.1.8
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
Expand Down
28 changes: 9 additions & 19 deletions controls/bsi_app_4_4.yml
Original file line number Diff line number Diff line change
Expand Up @@ -407,30 +407,20 @@ controls:
status: inherently met
rules: []

- id: APP.4.4.A17
title: Attestation of Nodes
levels:
- elevated
description: >-
(1) Nodes SHOULD send a cryptographically secured (and, if possible, TPM-verified) status
message to the control plane. (2) The control plane SHOULD ONLY accept nodes into a cluster
that have successfully proven their integrity.
notes: >-
OpenShift Nodes are using Red Hat CoreOS (RHCOS) by default, an immutable operating system.
While RHEL is also supported for Compute Nodes, RHCOS is mandatory for Control Plane Nodes and
recommended for all nodes. The correct version and configuration of RHCOS is verified
cryptographically with the desired state, that is managed by the Control Plane using MachineConfigs.
Any manual change on managed files is overwritten to ensure the desired state. Therefore, the
OpenShift Nodes are using Red Hat CoreOS (RHCOS) by default, an immutable operating system.
While RHEL is also supported for Compute Nodes, RHCOS is mandatory for Control Plane Nodes and
recommended for all nodes. The correct version and configuration of RHCOS is verified
cryptographically with the desired state, that is managed by the Control Plane using MachineConfigs.
Any manual change on managed files is overwritten to ensure the desired state. Therefore, the
control is mostly inheretly met when using CoreOS for all nodes.
Section 1: OpenShift uses an internal Certificate Authority (CA). The nodes (kubelet to API server
and MachineConfig daemon to MachineConfi server) are communicating using node-specific certificates,
and MachineConfig daemon to MachineConfig server) are communicating using node-specific certificates,
signed by this CA. Correct permissions of relevant files and secure TLS configuration are verified
using the referenced rules.
using the referenced rules. A TPM-verified status is not present with currently built-in mechanisms
of OpenShift.
Section 2: Using the Red Hat File Integrity Operator, all files on the RHCOS nodes can be
cryptographically checked for integrity using Advanced Intrusion Detection Environment (AIDE).
status: automated
status: partial
rules:
# Section 1 (worker / kubelet)
- file_groupowner_kubelet_conf
Expand Down

0 comments on commit 0e0275f

Please sign in to comment.