Defined notes and rules for BSI APP.4.4.A17

applications/openshift/api-server/api_server_client_ca/rule.yml

@@ -38,6 +38,7 @@ rationale: |-
 severity: medium
 
 references:
+    bsi: APP.4.4.A17
     cis@ocp4: 1.2.29
     nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
     nist: SC-8,SC-8(1),SC-8(2)

applications/openshift/api-server/api_server_https_for_kubelet_conn/rule.yml

@@ -25,6 +25,7 @@ rationale: |-
 severity: medium
 
 references:
+    bsi: APP.4.4.A17
     cis: 1.2.4
     nerc-cip: CIP-003-8 R4.2,CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R5.1,CIP-007-3 R6.1
     nist: CM-6,CM-6(1),SC-8,SC-8(1)

applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml

@@ -39,6 +39,7 @@ platforms:
 severity: high
 
 references:
+    bsi: APP.4.4.A17
     cis@ocp4: 1.2.5
     nerc-cip: CIP-003-8 R4.2,CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R5.1,CIP-007-3 R6.1
     nist: CM-6,CM-6(1),SC-8,SC-8(1)

applications/openshift/api-server/api_server_kubelet_client_key/rule.yml

@@ -39,6 +39,7 @@ platforms:
 severity: high
 
 references:
+    bsi: APP.4.4.A17
     cis@ocp4: 1.2.5
     nerc-cip: CIP-003-8 R4.2,CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R5.1,CIP-007-3 R6.1
     nist: CM-6,CM-6(1),SC-8,SC-8(1)

applications/openshift/api-server/api_server_tls_cert/rule.yml

@@ -39,6 +39,7 @@ identifiers:
 severity: medium
 
 references:
+    bsi: APP.4.4.A17
     cis@ocp4: 1.2.28
     nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
     nist: SC-8,SC-8(1),SC-8(2)

applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml

@@ -38,6 +38,7 @@ rationale: |-
 severity: medium
 
 references:
+    bsi: APP.4.4.A17
     cis@ocp4: 1.2.32
     nist: CM-6
     pcidss: Req-2.2,Req-2.2.3,Req-2.3

applications/openshift/api-server/api_server_tls_private_key/rule.yml

@@ -39,6 +39,7 @@ identifiers:
 severity: medium
 
 references:
+    bsi: APP.4.4.A17
     cis@ocp4: 1.2.28
     nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
     nist: SC-8,SC-8(1),SC-8(2)

applications/openshift/general/file_integrity_notification_enabled/rule.yml

@@ -15,6 +15,7 @@ identifiers:
   cce@ocp4: CCE-90572-9
 
 references:
+  bsi: APP.4.4.A17
   nist: SI-6,SI-7(2),SI-4(24)
   pcidss: Req-11.5.1,Req-12.10.5
 

applications/openshift/general/tls_version_check_apiserver/rule.yml

@@ -23,6 +23,7 @@ identifiers:
   cce@ocp4: CCE-85863-9
 
 references:
+  bsi: APP.4.4.A17
   pcidss: Req-4.1
 
 platform: not ocp4-on-hypershift-hosted

applications/openshift/integrity/cluster_version_operator_exists/rule.yml

@@ -17,6 +17,7 @@ identifiers:
   cce@ocp4: CCE-90670-1
 
 references:
+  bsi: APP.4.4.A17
   nist: SA-10(1)
   srg: SRG-APP-000384-CTR-000915
 

applications/openshift/integrity/cluster_version_operator_verify_integrity/rule.yml

@@ -15,6 +15,7 @@ identifiers:
   cce@ocp4: CCE-90671-9
 
 references:
+  bsi: APP.4.4.A17
   nist: SA-10(1)
   srg: SRG-APP-000384-CTR-000915
 

applications/openshift/integrity/file_integrity_exists/rule.yml

@@ -18,6 +18,7 @@ identifiers:
   cce@ocp4: CCE-83657-7
 
 references:
+  bsi: APP.4.4.A17
   nerc-cip: CIP-003-8 R4.2,CIP-003-8 R6,CIP-007-3 R4,CIP-007-3 R4.1,CIP-007-3 R4.2
   nist: SC-4(23),SI-6,SI-7,SI-7(1),CM-6(a),SI-7(2),SI-4(24)
   pcidss: Req-10.5.5,Req-11.5

applications/openshift/kubelet/kubelet_configure_client_ca/rule.yml

@@ -46,6 +46,7 @@ identifiers:
     cce@ocp4: CCE-83724-5
 
 references:
+    bsi: APP.4.4.A17
     cis@eks: 3.2.3
     cis@ocp4: 4.2.4
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1

applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml

@@ -30,6 +30,7 @@ platforms:
   - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16) and not ocp4-on-hypershift-hosted
 
 references:
+    bsi: APP.4.4.A17
     cis@ocp4: 4.2.9
     nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
     nist: SC-8,SC-8(1),SC-8(2)

applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml

@@ -40,6 +40,7 @@ identifiers:
     cce@ocp4: CCE-86030-4
 
 references:
+  bsi: APP.4.4.A17
   cis@ocp4: 4.2.12
   nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
   nist: CM-6,CM-6(1)

applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml

@@ -30,6 +30,7 @@ platforms:
   - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16) and not ocp4-on-hypershift-hosted
 
 references:
+    bsi: APP.4.4.A17
     cis@ocp4: 4.2.9
     nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
     nist: SC-8,SC-8(1),SC-8(2)

applications/openshift/kubelet/kubelet_configure_tls_min_version/rule.yml

@@ -71,6 +71,7 @@ identifiers:
     cce@ocp4: CCE-86623-6
 
 references:
+    bsi: APP.4.4.A17
     nist: SC-8,SC-8(1)
     srg: SRG-APP-000014-CTR-000040,SRG-APP-000560-CTR-001340
 

applications/openshift/worker/file_groupowner_kubelet_conf/rule.yml

@@ -23,6 +23,7 @@ identifiers:
     cce@ocp4: CCE-84233-6
 
 references:
+    bsi: APP.4.4.A17
     cis@eks: 3.1.4
     cis@ocp4: 4.1.6
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1

applications/openshift/worker/file_groupowner_worker_ca/rule.yml

@@ -18,6 +18,7 @@ identifiers:
     cce@ocp4: CCE-83440-8
 
 references:
+    bsi: APP.4.4.A17
     cis@ocp4: 4.1.8
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

applications/openshift/worker/file_groupowner_worker_kubeconfig/rule.yml

@@ -18,6 +18,7 @@ identifiers:
     cce@ocp4: CCE-83409-3
 
 references:
+    bsi: APP.4.4.A17
     cis@ocp4: 4.1.10
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

applications/openshift/worker/file_groupowner_worker_service/rule.yml

@@ -20,6 +20,7 @@ identifiers:
     cce@ocp4: CCE-83975-3
 
 references:
+    bsi: APP.4.4.A17
     cis@ocp4: 4.1.2
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

applications/openshift/worker/file_owner_kubelet/rule.yml

@@ -20,6 +20,7 @@ identifiers:
     cce@ocp4: CCE-85900-9
 
 references:
+    bsi: APP.4.4.A17
     cis@ocp4: 4.1.6
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

applications/openshift/worker/file_owner_kubelet_conf/rule.yml

@@ -24,6 +24,7 @@ identifiers:
     cce@ocp4: CCE-83976-1
 
 references:
+    bsi: APP.4.4.A17
     cis@eks: 3.1.4
     cis@ocp4: 4.1.6
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1

applications/openshift/worker/file_owner_worker_ca/rule.yml

@@ -18,6 +18,7 @@ identifiers:
     cce@ocp4: CCE-83495-2
 
 references:
+    bsi: APP.4.4.A17
     cis@ocp4: 4.1.8
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

applications/openshift/worker/file_owner_worker_kubeconfig/rule.yml

@@ -18,6 +18,7 @@ identifiers:
     cce@ocp4: CCE-83408-5
 
 references:
+    bsi: APP.4.4.A17
     cis@eks: 3.1.2
     cis@ocp4: 4.1.10
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1

applications/openshift/worker/file_owner_worker_service/rule.yml

@@ -20,6 +20,7 @@ identifiers:
     cce@ocp4: CCE-84193-2
 
 references:
+    bsi: APP.4.4.A17
     cis@ocp4: 4.1.2
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

applications/openshift/worker/file_permissions_kubelet/rule.yml

@@ -23,6 +23,7 @@ identifiers:
     cce@ocp4: CCE-85896-9
 
 references:
+    bsi: APP.4.4.A17
     cis@ocp4: 4.1.5
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

applications/openshift/worker/file_permissions_kubelet_conf/rule.yml

@@ -26,6 +26,7 @@ identifiers:
     cce@ocp4: CCE-83470-5
 
 references:
+    bsi: APP.4.4.A17
     cis@eks: 3.1.3
     cis@ocp4: 4.1.5
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1

applications/openshift/worker/file_permissions_worker_ca/rule.yml

@@ -20,6 +20,7 @@ identifiers:
     cce@ocp4: CCE-83493-7
 
 references:
+    bsi: APP.4.4.A17
     cis@ocp4: 4.1.7
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

applications/openshift/worker/file_permissions_worker_kubeconfig/rule.yml

@@ -29,6 +29,7 @@ identifiers:
     cce@ocp4: CCE-83509-0
 
 references:
+    bsi: APP.4.4.A17
     cis@eks: 3.1.1
     cis@ocp4: 4.1.9
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1

applications/openshift/worker/file_permissions_worker_service/rule.yml

@@ -21,6 +21,7 @@ identifiers:
     cce@ocp4: CCE-83455-6
 
 references:
+    bsi: APP.4.4.A17
     cis@ocp4: 4.1.1
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

controls/bsi_app_4_4.yml

@@ -416,9 +416,58 @@ controls:
       message to the control plane. The control plane SHOULD ONLY accept nodes into a cluster
       that have successfully proven their integrity.
     notes: >-
-      TBD
-    status: pending
-    rules: []
+      OpenShift Nodes are using Red Hat CoreOS (RHCOS) by default, an immutable operating system.
+      While RHEL is also supported for Compute Nodes, RHCOS is mandatory for Control Plane Nodes and
+      recommended for all nodes. The correct version and configuration of RHCOS is verified
+      cryptographically with the desired state, that is managed by the Control Plane using MachineConfigs.
+      Any manual change on managed files is overwritten to ensure the desired state. Therefore, the
+      control is mostly inheretly met when using CoreOS for all nodes.
+
+      Section 1: OpenShift uses an internal Certificate Authority (CA). The nodes (kubelet to API server
+      and MachineConfig daemon to MachineConfig server) are communicating using node-specific certificates,
+      signed by this CA. Correct permissions of relevant files and secure TLS configuration are verified
+      using the referenced rules. A TPM-verified status is not present with currently built-in mechanisms
+      of OpenShift.
+
+      Section 2: Using the Red Hat File Integrity Operator, all files on the RHCOS nodes can be
+      cryptographically checked for integrity using Advanced Intrusion Detection Environment (AIDE).
+    status: partial
+    rules:
+      # Section 1 (worker / kubelet)
+      - file_groupowner_kubelet_conf
+      - file_groupowner_worker_ca
+      - file_groupowner_worker_kubeconfig
+      - file_groupowner_worker_service
+      - file_owner_kubelet
+      - file_owner_kubelet_conf
+      - file_owner_worker_ca
+      - file_owner_worker_kubeconfig
+      - file_owner_worker_service
+      - file_permissions_kubelet
+      - file_permissions_kubelet_conf
+      - file_permissions_worker_ca
+      - file_permissions_worker_kubeconfig
+      - file_permissions_worker_service
+      - kubelet_configure_client_ca
+      - kubelet_configure_tls_cert
+      - kubelet_configure_tls_cipher_suites
+      - kubelet_configure_tls_key
+      - kubelet_configure_tls_min_version
+      # Section 1 (API Server)
+      - api_server_client_ca
+      - api_server_kubelet_client_cert
+      - api_server_kubelet_client_key
+      - api_server_https_for_kubelet_conn
+      - api_server_tls_cert
+      - api_server_tls_cipher_suites
+      - api_server_tls_private_key
+      - api_server_tls_security_profile_not_old
+      - tls_version_check_apiserver
+      # Section 2
+      - cluster_version_operator_exists
+      - cluster_version_operator_verify_integrity
+      - file_integrity_exists
+      - file_integrity_notification_enabled
 
   - id: APP.4.4.A18
     title: Use of Micro-Segmentation