
APP.4.4.A12 #38

Closed
sluetze opened this issue Nov 7, 2023 · 8 comments
Assignees
Labels
new-rules Issue which requires us to write new rules org-only This Requirement of BSI is ONLY an organizational Requirement ready-for-review An implementation and a PR have been created

Comments

@sluetze

sluetze commented Nov 7, 2023

No description provided.

@benruland benruland added new-rules Issue which requires us to write new rules org-only This Requirement of BSI is ONLY an organizational Requirement and removed org-only This Requirement of BSI is ONLY an organizational Requirement new-rules Issue which requires us to write new rules labels Dec 5, 2023
@benruland benruland added org-only This Requirement of BSI is ONLY an organizational Requirement new-rules Issue which requires us to write new rules labels Dec 18, 2023
@benruland

benruland commented Dec 18, 2023

If a separate registry for images or automation software, persistent volume management,
configuration file storage, or similar is in use, its protection SHOULD at least consider:
• Use of personal and service accounts for access
• Encrypted communication on all network ports
• Restrictive assignment of permissions to user and service accounts
• Logging of changes
• Regular data backups

This requirement needs to be addressed in the respective separate systems.

Of all the requirements, we could only check one: (Encrypted communication on all network ports for the image registry):

  • Check object image.config.openshift.io/cluster, if registrySources.insecureRegistries is not set

@benruland benruland added the ready-for-review An implementation and a PR have been created label Dec 18, 2023
@benruland

I have created a PR: ComplianceAsCode#11394

@sluetze
Author

sluetze commented Jan 5, 2024

Of all the requirements, we could only check one: (Encrypted communication on all network ports for the image registry):

I do not agree.

Use of personal and service accounts for access

rules:
# existing kubeadmin would show, that you do not follow personal and service accounts but may use a global privileged user
  - kubeadmin_removed

Encrypted communication on all network ports

rules:
  - ocp_insecure_registries
  - ocp_insecure_allowed_registries_for_import
  !!!!

Restrictive assignment of permissions to user and service accounts

rules:
  - rbac_cluster_roles_defined
  - rbac_roles_defined
  - rbac_least_privilege
  - rbac_limit_cluster_admin
  - rbac_limit_secret_access
  - rbac_wildcard_use

Logging of changes
this is auditing imho

rules:
  - audit_profile_set
  # for me it is debatable if additional rules could apply, like
  # cluster_logging_operator_exist
  # audit_error_alert_exists
  # audit_log_forwarding_uses_tls

Regular data backups
there don't seem to be checks at the moment. But maybe it is useful to check if velero APIs exist, or Red Hat OpenShift API for Data Protection is installed?
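To make the "encrypted communication" checks concrete (benruland's proposed check on image.config.openshift.io/cluster above, and the two ocp_insecure_* rules in sluetze's list), here is an added example, not code from this issue or from the ComplianceAsCode project: it takes the parsed JSON of `oc get image.config.openshift.io/cluster -o json` and reports every registry the cluster is allowed to reach over plain HTTP. The field names `spec.registrySources.insecureRegistries` and `spec.allowedRegistriesForImport[].insecure` are from the OpenShift image config API; the sample objects are constructed for this example.

```python
"""Evaluate an OpenShift image.config.openshift.io/cluster object for
plaintext (insecure) registry access, as the two insecure-registry rules intend.

Input is the parsed JSON of `oc get image.config.openshift.io/cluster -o json`.
The sample objects below are constructed for this example and trimmed to the
fields the checks use.
"""
import json


def insecure_registry_findings(cfg: dict) -> list[str]:
    """Return a list of findings; an empty list means both checks pass."""
    spec = cfg.get("spec") or {}
    findings = []

    # Check 1 (ocp_insecure_registries): registrySources.insecureRegistries must
    # be absent or empty, otherwise CRI-O may pull from those hosts over HTTP.
    sources = spec.get("registrySources") or {}
    for reg in sources.get("insecureRegistries") or []:
        findings.append(f"insecure registry allowed: {reg}")

    # Check 2 (ocp_insecure_allowed_registries_for_import): every entry in
    # allowedRegistriesForImport must keep insecure=false (the default).
    for entry in spec.get("allowedRegistriesForImport") or []:
        if entry.get("insecure", False):
            findings.append(
                f"import from insecure registry allowed: {entry.get('domainName')}"
            )
    return findings


def is_compliant(cfg: dict) -> bool:
    """True when no plaintext registry access is configured."""
    return not insecure_registry_findings(cfg)


# Constructed sample: only a TLS registry allow-list, nothing insecure.
COMPLIANT = json.loads("""
{"apiVersion": "config.openshift.io/v1", "kind": "Image",
 "metadata": {"name": "cluster"},
 "spec": {"registrySources": {"allowedRegistries": ["quay.io"]}}}
""")

# Constructed sample: an internal registry opened for HTTP pulls and imports.
NON_COMPLIANT = json.loads("""
{"apiVersion": "config.openshift.io/v1", "kind": "Image",
 "metadata": {"name": "cluster"},
 "spec": {"registrySources": {"insecureRegistries": ["registry.example.internal:5000"]},
          "allowedRegistriesForImport": [
            {"domainName": "registry.example.internal:5000", "insecure": true}]}}
""")

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        print(name, insecure_registry_findings(cfg) or "no findings")
```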

@benruland

A broader opinion is certainly useful here on whether we also consider the described requirements for Kubernetes and etcd, or only for external systems such as the registry etc. @oliverbutanowitz @ermeratos

@sluetze
Author

sluetze commented Jan 5, 2024

IG BVC:

The platform operator should use a central directory service for access management.

(https://wikijs.opencode.de/igbvc-app-4-4.pdf)

rules:
  - idp_is_configured

@sluetze
Author

sluetze commented Jan 30, 2024

@benruland , while the associated PR is merged upstream, we miss
a) the later decided sectioning
b) the idp_is_configured (if you would also assume this as a match).

How do we proceed? Shall I keep this issue open or do we recreate one?

Also: Regarding if this is relevant for external systems or also for Kubernetes we should have talked with the customers on our meeting yesterday. Missed that opportunity, will add to the notes

@benruland

@sluetze, from my understanding in our discussions we decided to keep the scope on OpenShift and not look at external systems like the container registry.

Hence, I would also not include the idp_is_configured rule, because the focus of that rule is OpenShift whereas the BSI control addresses external systems like the container registry.

If you agree, I will add the sectioning to my next PR which is for #10

@sluetze
Author

sluetze commented Oct 4, 2024

Yes, you are right. It's external and thus the idp rule does not address it.

@sluetze sluetze closed this as completed Oct 15, 2024