From 68f8102238007e98defe72b75628686ae7b1a812 Mon Sep 17 00:00:00 2001
From: sluetze <13255307+sluetze@users.noreply.github.com>
Date: Fri, 5 Apr 2024 10:36:05 +0200
Subject: [PATCH 1/4] Defined notes and rules for control BSI APP.4.4.A6
---
 controls/bsi_app_4_4.yml | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml
index 8fd3dc9ff16..34dd5a8cfec 100644
--- a/controls/bsi_app_4_4.yml
+++ b/controls/bsi_app_4_4.yml
@@ -162,13 +162,12 @@ controls:
 levels:
 - standard
 description: >-
- If an initialisation (e.g. of an application) takes place in a pod at start-up, this SHOULD take
- place in a separate Init container. It SHOULD be ensured that the initialisation terminates all
- processes that are already running. Kubernetes SHOULD ONLY start the other containers if
- the initialisation is successful.
+ If an initialisation (e.g. of an application) takes place in a pod at start-up, this SHOULD take place in a separate Init container. It SHOULD be ensured that the initialisation terminates all processes that are already running. Kubernetes SHOULD ONLY start the other containers if the initialisation is successful.
 notes: >-
- TBD
- status: pending
+ OpenShift provides the necessary resource configurations via Kubernetes. Kubernetes ensures the (process) dependencies between init containers and “normal” containers of a pod.
+
+ The requirement must be implemented by application development.
+ status: inherently met
 rules: []
 - id: APP.4.4.A7
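Review bot: `status: inherently met` on the new side contradicts the note's own closing sentence, `The requirement must be implemented by application development.`: the platform guarantees the ordering between init containers and the remaining containers, but the control's second sentence (the initialisation terminating processes that are already running) is left to the application, so an assessor reading the status alone will take the whole control as satisfied. `status: partial`, as this series uses for APP.4.4.A7, together with a note that says which sentence the init-container mechanism covers and which is delegated to the application, would describe the situation more honestly. The reflowed description is now one line of roughly 300 characters; since `>-` folds the wrapped lines into a single paragraph anyway, keeping the original wrapping costs nothing and stays within the usual yamllint line-length limit. The entry's `- id` and `title` lines sit above the hunk.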
@@ -237,7 +236,7 @@ controls:
 start pods via automation software, this SHOULD be done for each group through separate processes that only have the rights necessary for the respective user group.
 notes: >-
- This control needs to be adressed on an organizational level. All service accounts used by
+ This control needs to be adressed on an organizational level. All service accounts used by
 automation software need to adhere to the principle of least privilege.
 status: not applicable
 rules: []
From f7d31c85bf791f7c9bb205e02780b436683483fd Mon Sep 17 00:00:00 2001
From: sluetze <13255307+sluetze@users.noreply.github.com>
Date: Fri, 5 Apr 2024 13:43:19 +0200
Subject: [PATCH 2/4] Defined notes and rules for APP.4.4.A7
---
 .../configure_network_policies/rule.yml | 1 +
 .../rule.yml | 1 +
 .../rule.yml | 1 +
 .../rbac/rbac_least_privilege/rule.yml | 2 +-
 controls/bsi_app_4_4.yml | 39 ++++++++++++-------
 5 files changed, 29 insertions(+), 15 deletions(-)
diff --git a/applications/openshift/networking/configure_network_policies/rule.yml b/applications/openshift/networking/configure_network_policies/rule.yml
index e30efa56270..ddcfc176714 100644
--- a/applications/openshift/networking/configure_network_policies/rule.yml
+++ b/applications/openshift/networking/configure_network_policies/rule.yml
@@ -17,6 +17,7 @@ rationale: |-
 severity: high
 references:
+ bsi: APP.4.4.A7
 cis@ocp4: 5.3.1
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/networking/configure_network_policies_namespaces/rule.yml b/applications/openshift/networking/configure_network_policies_namespaces/rule.yml
index c442dc51d16..5d4a24e69c9 100644
--- a/applications/openshift/networking/configure_network_policies_namespaces/rule.yml
+++ b/applications/openshift/networking/configure_network_policies_namespaces/rule.yml
@@ -17,6 +17,7 @@ rationale: |-
 severity: high
 references:
+ bsi: APP.4.4.A7
 cis@eks: 4.3.2
 cis@ocp4: 5.3.2
 nerc-cip: CIP-003-8 R4,CIP-003-8 R4.2,CIP-003-8 R5,CIP-003-8 R6,CIP-004-6 R2.2.4,CIP-004-6 R3,CIP-007-3 R2,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R6.1
diff --git a/applications/openshift/networking/project_config_and_template_network_policy/rule.yml b/applications/openshift/networking/project_config_and_template_network_policy/rule.yml
index 72775ae6661..7aa79373244 100644
--- a/applications/openshift/networking/project_config_and_template_network_policy/rule.yml
+++ b/applications/openshift/networking/project_config_and_template_network_policy/rule.yml
@@ -58,6 +58,7 @@ identifiers:
 cce@ocp4: CCE-86070-0
 references:
+ bsi: APP.4.4.A7
 srg: SRG-APP-000039-CTR-000110
 warnings:
diff --git a/applications/openshift/rbac/rbac_least_privilege/rule.yml b/applications/openshift/rbac/rbac_least_privilege/rule.yml
index 09040bb97bc..7b7c7f06184 100644
--- a/applications/openshift/rbac/rbac_least_privilege/rule.yml
+++ b/applications/openshift/rbac/rbac_least_privilege/rule.yml
@@ -26,7 +26,7 @@ identifiers:
 cce@ocp4: CCE-90678-4
 references:
- bsi: APP.4.4.A3
+ bsi: APP.4.4.A3,APP.4.4.A7
 cis@ocp4: 5.2.10
 nist: AC-3,CM-5(6),IA-2,IA-2(5),AC-6(10),CM-11(2),CM-5(1),CM-7(5)(b)
 srg: SRG-APP-000033-CTR-000090,SRG-APP-000033-CTR-000095,SRG-APP-000033-CTR-000100,SRG-APP-000133-CTR-000290,SRG-APP-000133-CTR-000295,SRG-APP-000133-CTR-000300,SRG-APP-000133-CTR-000305,SRG-APP-000133-CTR-000310,SRG-APP-000148-CTR-000350,SRG-APP-000153-CTR-000375,SRG-APP-000340-CTR-000770,SRG-APP-000378-CTR-000880,SRG-APP-000378-CTR-000885,SRG-APP-000378-CTR-000890,SRG-APP-000380-CTR-000900,SRG-APP-000386-CTR-000920
diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml
index 34dd5a8cfec..80456e99b88 100644
--- a/controls/bsi_app_4_4.yml
+++ b/controls/bsi_app_4_4.yml
@@ -175,21 +175,32 @@ controls:
 levels:
 - standard
 description: >-
- Networks for the administration of nodes, the control plane, and the individual networks of
- application services SHOULD be separated.
- Only the network ports of the pods necessary for operation SHOULD be released into the
- designated networks. If a Kubernetes cluster contains multiple applications, all the network
- connections between the Kubernetes namespaces SHOULD first be prohibited and only
- required network connections permitted (whitelisting). The network ports necessary for the
- administration of the nodes, the runtime, and Kubernetes (including its extensions) SHOULD
- ONLY be accessible from the corresponding administration network and from pods that need
- them.
- Only selected administrators SHOULD be authorised in Kubernetes to manage the CNI and
- create or change rules for the network.
+ (1) Networks for the administration of nodes, the control plane, and the individual networks of application services SHOULD be separated.
+ (2) Only the network ports of the pods necessary for operation SHOULD be released into the designated networks. (3) If a Kubernetes cluster contains multiple applications, all the network connections between the Kubernetes namespaces SHOULD first be prohibited and only required network connections permitted (whitelisting). (4) The network ports necessary for the administration of the nodes, the runtime, and Kubernetes (including its extensions) SHOULD ONLY be accessible from the corresponding administration network and from pods that need them.
+ (5) Only selected administrators SHOULD be authorised in Kubernetes to manage the CNI and create or change rules for the network.
 notes: >-
- TBD
- status: pending
- rules: []
+ Section 1-3:
+ The requirements for restricting network ports and network connections between Kubernetes namespaces are already supported by OpenShift as standard using network policies and the option for default network policies (security by design).
+
+ The separation of the management network can also be implemented at the namespace level via network policies (incoming, the responsibility of the namespace administrator) and egress firewalls (outgoing, the responsibility of the cluster admins).
+
+ Externally exposed services can receive their own IP and thus data traffic can also be separated outside the platform. Inter-node communication is carried out via suitable tunnel protocols (VXLAN, GENEVE) and can also be encrypted using IPSec.
+
+ The determination of the necessary network policies for applications is supported by the network policy generator in ACS.
+ Section 4 is true by default
+ Section 5 maps to principle of least privilege
+ status: partial
+ rules:
+ # Section 1
+ # Section 2
+ - configure_network_policies
+ - configure_network_policies_namespaces
+ # Section 3
+ - project_config_and_template_network_policy
+ # Section 4, default
+ # Section 5
+ - rbac_least_privilege
+ + - id: APP.4.4.A8
 title: Securing Configuration Files on Kubernetes
From 7d9876285bcbc18cc97807a2698cc99a5426be0d Mon Sep 17 00:00:00 2001
From: sluetze <13255307+sluetze@users.noreply.github.com>
Date: Fri, 31 May 2024 15:17:50 +0200
Subject: [PATCH 3/4] add general_network_separation manual rule
---
 .../general_network_separation/rule.yml | 20 +++++++++++++++++++
 .../tests/ocp4/e2e.yml | 2 ++
 controls/bsi_app_4_4.yml | 1 +
 3 files changed, 23 insertions(+)
 create mode 100644 applications/openshift/general/general_network_separation/rule.yml
 create mode 100644 applications/openshift/general/general_network_separation/tests/ocp4/e2e.yml
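Review bot: The new `notes` block keeps the `>-` folded style, so its single newlines become spaces and the headings merge into the neighbouring text: `Section 1-3:` is folded onto the sentence after it, and `Section 4 is true by default` and `Section 5 maps to principle of least privilege` are appended to the sentence ending `… generator in ACS.` as one run-on line. Either change `notes: >-` to `notes: |-` or put a blank line before each heading, as the paragraphs in the same block already do. `Section 4 is true by default` is also the only part of the mapping backed by neither a rule nor a reason (`# Section 4, default` under `rules:`); one sentence naming what restricts access to the node, runtime and API ports by default would let an assessor verify the claim. The paragraph that maps sentence (1), separation of the node and control-plane administration networks, to namespace-level network policies and egress firewalls is worth hedging, since those govern pod traffic rather than the node networks themselves, and `# Section 1` is left without a rule here (PATCH 3/4 adds one). The entry's `- id` and `title` lines sit above the hunk.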
diff --git a/applications/openshift/general/general_network_separation/rule.yml b/applications/openshift/general/general_network_separation/rule.yml
new file mode 100644
index 00000000000..dc13b182a1f
--- /dev/null
+++ b/applications/openshift/general/general_network_separation/rule.yml
@@ -0,0 +1,20 @@
+documentation_complete: true
+
+
+title: 'Create Network Boundaries between Functional Different Nodes'
+
+description: |-
+ Use different Networks for Control Plane, Worker and Individual Application Services.
+
+rationale: |-
+ Separation on a Network level might help to hinder lateral movement of an attacker and subsequently reduce the impact of an attack. It might also enable you to provide additional external network control (like firewalls).
+
+references:
+ bsi: APP.4.4.A7
+
+severity: medium
+
+ocil_clause: 'Network separation needs review'
+
+ocil: |-
+ Create separate Ingress Controllers for the API and your Applications. Also setup your environment in a way, that Control Plane Nodes are in another network than your worker nodes. If you implement multiple Nodes for different purposes evaluate if these should be in different network segments (i.e. Infra-Nodes, Storage-Nodes, ...).
diff --git a/applications/openshift/general/general_network_separation/tests/ocp4/e2e.yml b/applications/openshift/general/general_network_separation/tests/ocp4/e2e.yml
new file mode 100644
index 00000000000..69a7d085eb4
--- /dev/null
+++ b/applications/openshift/general/general_network_separation/tests/ocp4/e2e.yml
@@ -0,0 +1,2 @@
+---
+default_result: MANUAL
diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml
index 80456e99b88..55241359337 100644
--- a/controls/bsi_app_4_4.yml
+++ b/controls/bsi_app_4_4.yml
@@ -192,6 +192,7 @@ controls:
 status: partial
 rules:
 # Section 1
+ - general_network_separation
 # Section 2
 - configure_network_policies
 - configure_network_policies_namespaces
From 42553b27f52cf7ed2127ab6e88b5a01307b99c68 Mon Sep 17 00:00:00 2001
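Review bot: The `ocil` text of the new rule asks the reviewer to confirm two different things, separate ingress controllers for the API and for applications, and control-plane nodes on a different network from worker nodes, while `description` and `ocil_clause` name only the node-network separation, so the check and its clause disagree on what a MANUAL result is about. Aligning them, for instance a `description` that says this is a manual review of both node-network and ingress separation, would make the finding self-explanatory. The ocil wording also needs tidying: `set up your environment such that control plane nodes are in a different network from your worker nodes`, and the title's `Functional Different Nodes` should read `Functionally Different Nodes`. The `rationale` is reasonable but could state the defensive effect concretely, e.g. `A compromised workload on a worker node cannot reach control-plane management interfaces directly.`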
From: sluetze <13255307+sluetze@users.noreply.github.com>
Date: Sat, 1 Jun 2024 20:10:27 +0200
Subject: [PATCH 4/4] add identifiers to rules.
---
 .../openshift/general/general_namespace_separation/rule.yml | 3 +++
 .../openshift/general/general_network_separation/rule.yml | 3 +++
 shared/references/cce-redhat-avail.txt | 2 --
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/applications/openshift/general/general_namespace_separation/rule.yml b/applications/openshift/general/general_namespace_separation/rule.yml
index 9dcda426c98..2fa4284870e 100644
--- a/applications/openshift/general/general_namespace_separation/rule.yml
+++ b/applications/openshift/general/general_namespace_separation/rule.yml
@@ -16,6 +16,9 @@ references:
 severity: medium
+identifiers:
+ cce@ocp4: CCE-90279-1
+
 ocil_clause: 'Application placement in namespaces needs review'
 ocil: |-
diff --git a/applications/openshift/general/general_network_separation/rule.yml b/applications/openshift/general/general_network_separation/rule.yml
index dc13b182a1f..b581cc92c4d 100644
--- a/applications/openshift/general/general_network_separation/rule.yml
+++ b/applications/openshift/general/general_network_separation/rule.yml
@@ -14,6 +14,9 @@ references:
 severity: medium
+identifiers:
+ cce@ocp4: CCE-86851-3
+
 ocil_clause: 'Network separation needs review'
 ocil: |-
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 54a3219023c..44e713614d4 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -316,7 +316,6 @@ CCE-86842-2
 CCE-86845-5
 CCE-86846-3
 CCE-86847-1
-CCE-86851-3
 CCE-86852-1
 CCE-86853-9
 CCE-86854-7
@@ -3270,7 +3269,6 @@ CCE-90275-9
 CCE-90276-7
 CCE-90277-5
 CCE-90278-3
-CCE-90279-1
 CCE-90280-9
 CCE-90281-7
 CCE-90282-5