From 241636c5cc395c80676cae46c578cb3ef6ff8e3e Mon Sep 17 00:00:00 2001 From: Benjamin Ruland Date: Mon, 15 Jul 2024 16:41:15 +0200 Subject: [PATCH] Added note changes from review for BSI APP.4.4.A17 --- .../worker/file_owner_worker_ca/rule.yml | 1 - controls/bsi_app_4_4.yml | 23 ++++++++++--------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/applications/openshift/worker/file_owner_worker_ca/rule.yml b/applications/openshift/worker/file_owner_worker_ca/rule.yml index 0d1902c929b..f4eef80c9c1 100644 --- a/applications/openshift/worker/file_owner_worker_ca/rule.yml +++ b/applications/openshift/worker/file_owner_worker_ca/rule.yml @@ -18,7 +18,6 @@ identifiers: cce@ocp4: CCE-83495-2 references: - bsi: APP.4.4.A17 bsi: APP.4.4.A17 cis@ocp4: 4.1.8 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml index c2e67e50242..d68776ee52b 100644 --- a/controls/bsi_app_4_4.yml +++ b/controls/bsi_app_4_4.yml 
@@ -412,25 +412,26 @@ controls: levels: - elevated description: >- - (1) Nodes SHOULD send a cryptographically secured (and, if possible, TPM-verified) status - message to the control plane. (2) The control plane SHOULD ONLY accept nodes into a cluster + Nodes SHOULD send a cryptographically secured (and, if possible, TPM-verified) status + message to the control plane. The control plane SHOULD ONLY accept nodes into a cluster that have successfully proven their integrity. notes: >- - OpenShift Nodes are using Red Hat CoreOS (RHCOS) by default, an immutable operating system. - While RHEL is also supported for Compute Nodes, RHCOS is mandatory for Control Plane Nodes and - recommended for all nodes. The correct version and configuration of RHCOS is verified - cryptographically with the desired state, that is managed by the Control Plane using MachineConfigs. - Any manual change on managed files is overwritten to ensure the desired state. Therefore, the + OpenShift Nodes are using Red Hat CoreOS (RHCOS) by default, an immutable operating system. + While RHEL is also supported for Compute Nodes, RHCOS is mandatory for Control Plane Nodes and + recommended for all nodes. The correct version and configuration of RHCOS is verified + cryptographically with the desired state, that is managed by the Control Plane using MachineConfigs. + Any manual change on managed files is overwritten to ensure the desired state. Therefore, the control is mostly inheretly met when using CoreOS for all nodes. - + Section 1: OpenShift uses an internal Certificate Authority (CA). The nodes (kubelet to API server - and MachineConfig daemon to MachineConfi server) are communicating using node-specific certificates, + and MachineConfig daemon to MachineConfig server) are communicating using node-specific certificates, signed by this CA. Correct permissions of relevant files and secure TLS configuration are verified - using the referenced rules. + using the referenced rules. 
A TPM-verified status is not present with currently built-in mechanisms + of OpenShift. Section 2: Using the Red Hat File Integrity Operator, all files on the RHCOS nodes can be cryptographically checked for integrity using Advanced Intrusion Detection Environment (AIDE). - status: automated + status: partial rules: # Section 1 (worker / kubelet) - file_groupowner_kubelet_conf
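Review bot: In the `rule.yml` hunk, the removed `- bsi: APP.4.4.A17` line was a duplicate mapping key under `references:` (the identical `bsi: APP.4.4.A17` line directly below it stays), and duplicate keys are either rejected or silently collapsed by YAML loaders, so dropping one copy is the right fix; since the diffstat shows only this one rule file touched, it is worth grepping the other rule files that gained a `bsi:` reference in the same review for the same doubled key.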
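Review bot: In the `controls/bsi_app_4_4.yml` hunk, removing the `(1)` and `(2)` markers from `description` leaves the `Section 1:` and `Section 2:` labels in `notes` and the `# Section 1 (worker / kubelet)` comment under `rules` with nothing to point at; either keep the markers in the description or reword the notes to name the requirement sentence each section addresses. The change to `status: partial` is consistent with the added sentence that a TPM-verified status is not available through built-in OpenShift mechanisms. Two nits in the touched text: `inheretly` in the unchanged context line should read `inherently`, and the first five `notes` lines are removed and re-added with identical wording (presumably a whitespace-only change), which makes the real edits, `MachineConfi` corrected to `MachineConfig` and the new TPM sentence, harder to spot in review.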