From 092385a4a8ba1e417960249145a495200f73d5fd Mon Sep 17 00:00:00 2001
From: Benjamin Ruland
Date: Fri, 4 Oct 2024 10:18:01 +0200
Subject: [PATCH] Adjusted rules for BSI APP.4.4.A18 according to review
---
 .../rule.yml | 14 +++++++-------
 .../project_template_network_policy/rule.yml | 2 --
 controls/bsi_app_4_4.yml | 5 ++---
 shared/references/cce-redhat-avail.txt | 1 -
 4 files changed, 9 insertions(+), 13 deletions(-)
diff --git a/applications/openshift/networking/configure_appropriate_network_policies/rule.yml b/applications/openshift/networking/configure_appropriate_network_policies/rule.yml
index 1d94cb55641..6596b74ee5d 100644
--- a/applications/openshift/networking/configure_appropriate_network_policies/rule.yml
+++ b/applications/openshift/networking/configure_appropriate_network_policies/rule.yml
@@ -1,9 +1,9 @@
 documentation_complete: true
-title: 'Ensure appropriate Network Policies are configured'
+title: 'Ensure Appropriate Network Policies are Configured'
 description: |-
- Configure Network Policies in any application namespace in an approrpriate way, so that
+ Configure Network Policies in any application namespace in an appropriate way, so that
 only the required communications are allowed. The Network Policies should precisely define
 source and target using label selectors and ports.
@@ -25,19 +25,19 @@ rationale: |-
 severity: medium
 identifiers: {}
-
-references:
- bsi: APP.4.4.A19
+cce@ocp4: CCE-89537-5
 ocil_clause: 'Network Policies need to be evaluated if they are appropriate'
 ocil: |-
 For each non-default namespace in the cluster, review the configured Network Policies
- and ensure that they only allow the necessary network network connections. They should should
+ and ensure that they only allow the necessary network connections. They should
 precisely define source and target using label selectors and ports.
 1. Get a list of existing projects(namespaces), exclude default, kube-*, openshift-*
-
$ oc get namespaces -ojson | jq -r '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name]'
+
$ oc get namespaces -ojson | jq -r '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.name]'
+
+ Namespaces matching the variable ocp4-var-network-policies-namespaces-exempt-regex regex are excluded from this check.
 2. For each of these namespaces, review the network policies:
$ oc get networkpolicies -n $namespace -o yaml
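Review bot: The added `cce@ocp4: CCE-89537-5` line sits directly after the unchanged `identifiers: {}` line, which, if the collapsed rendering is faithful, leaves `identifiers` empty and makes the CCE a stray top-level key instead of an identifier; the expected form is `identifiers:` followed by an indented `cce@ocp4: CCE-89537-5`. The new jq instruction interpolates `{{.var_network_policies_namespaces_exempt_regex}}` verbatim into a `test("…")` call inside a single-quoted shell string, so a variable value containing a single quote or an unescaped double quote would yield a broken instruction; a short sentence in the ocil noting that the regex must be shell- and jq-safe would help the reader. The `bsi: APP.4.4.A19` reference is dropped without a replacement in this file, which presumably relies on `controls/bsi_app_4_4.yml` selecting the rule — worth confirming the rule is listed under the intended control there.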
diff --git a/applications/openshift/networking/project_template_network_policy/rule.yml b/applications/openshift/networking/project_template_network_policy/rule.yml
index cbda8e66cea..84c2b8aefde 100644
--- a/applications/openshift/networking/project_template_network_policy/rule.yml
+++ b/applications/openshift/networking/project_template_network_policy/rule.yml
@@ -34,7 +34,6 @@ ocil: |-
 return true.
 references:
- bsi: APP.4.4.A18
 srg: SRG-APP-000039-CTR-000110
 identifiers:
@@ -56,4 +55,3 @@ template:
 values:
 - value: "true"
 operation: "pattern match"
-
diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml
index 460498ad4cd..fa2873058f6 100644
--- a/controls/bsi_app_4_4.yml
+++ b/controls/bsi_app_4_4.yml
@@ -437,9 +437,8 @@ controls:
 can only be changed by authorised persons and management services.
 notes: >-
 In a cluster using a network plugin that supports Kubernetes network policy, network isolation
- is controlled entirely by NetworkPolicy objects. In OpenShift, the default plugins (OpenShift SDN,
- OVN Kubernetes) supports using network policy. Support for NetworkPolicy objects is verified
- using rules.
+ is controlled entirely by NetworkPolicy objects. In OpenShift, the default plugin (OVN-Kubernetes)
+ supports using network policy. Support for NetworkPolicy objects is verified using rules.
 Section 1-3: By default, all pods in a project are accessible from other pods and network endpoints.
 To isolate one or more pods in a project, you need to create NetworkPolicy objects in that project
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 33debb230d4..06b5275169b 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1818,7 +1818,6 @@ CCE-89531-8
 CCE-89534-2
 CCE-89535-9
 CCE-89536-7
-CCE-89537-5
 CCE-89539-1
 CCE-89543-3
 CCE-89544-1