SYS.1.6.A21 #21

Closed
sluetze opened this issue Nov 7, 2023 · 2 comments
@sluetze
sluetze commented Nov 7, 2023

No description provided.

@sluetze (Author)

sluetze commented Jul 17, 2024

Advanced policies SHOULD limit container permissions.

By default, OpenShift blocks the containers' permissions (security-by-default).

Mandatory Access Control (MAC) or comparable technology SHOULD enforce these policies.

OpenShift already uses SELinux Mandatory Access Control to restrict permissions by default. Using the Security Profiles Operator [SecurityProfile], workload-dependent SELinux and Seccomp profiles can be created and managed.

Policies SHOULD restrict at least the following access:

incoming and outgoing network connections,

file system accesses and

kernel requests (syscalls).

These permissions are managed in OpenShift and controlled via Security Context Constraints (SCCs). For tool-based policy management, ACS or Red Hat Advanced Cluster Management (ACM) (with Kyverno or Open Policy Agent) can be used.

The runtime SHOULD start the containers in such a way that the host system kernel prevents all activities of the containers that are not permitted by the policy (e.g. by setting up local packet filters or revoking permissions) or at least appropriately reports violations.

OpenShift already meets this requirement as standard (security-by-design).
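The three access classes the comment lists (network connections, file system access, syscalls) mapped onto concrete OpenShift objects, as an added example that is not part of the issue or of the upstream project's manifests. The namespace `payments`, the workload labels `app: api` / `app: db`, the service account, the object names and the syscall allow-list are all assumptions for illustration; the allow-list in particular is a constructed placeholder and in practice would be recorded from the real workload (for instance with the Security Profiles Operator's ProfileRecording) rather than written by hand.

```yaml
# Added example, not from the issue: constructed names and values throughout.

# 1. Incoming and outgoing network connections: deny everything in the namespace,
#    then allow only the flows the workload needs.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments            # assumed namespace
spec:
  podSelector: {}                # every pod in the namespace
  policyTypes: [Ingress, Egress] # no rules listed, so both directions are denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow
  namespace: payments
spec:
  podSelector:
    matchLabels: {app: api}      # assumed workload label
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - namespaceSelector:     # OpenShift's router namespaces carry this label
            matchLabels: {network.openshift.io/policy-group: ingress}
      ports: [{protocol: TCP, port: 8443}]
  egress:
    - to:
        - podSelector: {matchLabels: {app: db}}   # assumed database pods
      ports: [{protocol: TCP, port: 5432}]
    - to:                        # cluster DNS (CoreDNS pods listen on 5353)
        - namespaceSelector:
            matchLabels: {kubernetes.io/metadata.name: openshift-dns}
      ports: [{protocol: UDP, port: 5353}, {protocol: TCP, port: 5353}]
---
# 2. Kernel requests (syscalls): an allow-list seccomp profile managed by the
#    Security Profiles Operator. Everything not listed fails with EPERM.
apiVersion: security-profiles-operator.x-k8s.io/v1beta1
kind: SeccompProfile
metadata:
  name: api-seccomp
  namespace: payments
spec:
  defaultAction: SCMP_ACT_ERRNO
  architectures: [SCMP_ARCH_X86_64]
  syscalls:
    - action: SCMP_ACT_ALLOW
      names:                     # constructed placeholder list; record the real one
        - accept4
        - bind
        - brk
        - clock_gettime
        - close
        - epoll_ctl
        - epoll_pwait
        - exit_group
        - fstat
        - futex
        - getpid
        - listen
        - mmap
        - munmap
        - openat
        - read
        - rt_sigaction
        - rt_sigprocmask
        - setsockopt
        - socket
        - write
---
# 3. File system access and privileges: a restrictive SCC bound to one service
#    account. Root filesystem is read-only, no host mounts, all capabilities dropped,
#    SELinux label enforced, and only the seccomp profile above may be selected.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: payments-restricted
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
allowHostDirVolumePlugin: false
allowHostNetwork: false
allowHostPID: false
allowHostIPC: false
allowHostPorts: false
readOnlyRootFilesystem: true
requiredDropCapabilities: [ALL]
allowedCapabilities: []
defaultAddCapabilities: []
runAsUser: {type: MustRunAsRange}
seLinuxContext: {type: MustRunAs}
fsGroup: {type: MustRunAs}
supplementalGroups: {type: RunAsAny}
seccompProfiles: [localhost/operator/payments/api-seccomp.json]
volumes: [configMap, emptyDir, projected, secret]
users: [system:serviceaccount:payments:api]   # assumed service account
```

The pod then opts into the profile with `securityContext.seccompProfile: {type: Localhost, localhostProfile: operator/payments/api-seccomp.json}`, which is the path the operator installs the generated JSON under on each node; the SCC's `seccompProfiles` entry is what permits that selection. A quick check that the SCC actually applies is `oc get pod <name> -o jsonpath='{.metadata.annotations.openshift\.io/scc}'`, which should print `payments-restricted` rather than a broader built-in SCC. SELinux confinement is handled the same way with the operator's SelinuxProfile object, so the same three-object pattern covers all of the access classes the requirement names.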

@sluetze (Author)

sluetze commented Oct 28, 2024

merged upstream

@sluetze sluetze closed this as completed Oct 28, 2024