Defined notes and Rules for BSI APP.4.4.A6-7

applications/openshift/general/general_namespace_separation/rule.yml

@@ -16,6 +16,9 @@ references:
 
 severity: medium
 
+identifiers:
+ cce@ocp4: CCE-90279-1
+
 ocil_clause: 'Application placement in namespaces needs review'
 
 ocil: |-

applications/openshift/general/general_network_separation/rule.yml

@@ -0,0 +1,23 @@
+documentation_complete: true
+
+
+title: 'Create Network Boundaries between Functional Different Nodes'
+
+description: |-
+ Use different Networks for Control Plane, Worker and Individual Application Services.
+
+rationale: |-
+ Separation on a Network level might help to hinder lateral movement of an attacker and subsequently reduce the impact of an attack. It might also enable you to provide additional external network control (like firewalls).
+
+references:
+ bsi: APP.4.4.A7
+
+severity: medium
+
+identifiers:
+ cce@ocp4: CCE-86851-3
+
+ocil_clause: 'Network separation needs review'
+
+ocil: |-
+ Create separate Ingress Controllers for the API and your Applications. Also setup your environment in a way, that Control Plane Nodes are in another network than your worker nodes. If you implement multiple Nodes for different purposes evaluate if these should be in different network segments (i.e. Infra-Nodes, Storage-Nodes, ...).

applications/openshift/general/general_network_separation/tests/ocp4/e2e.yml

@@ -0,0 +1,2 @@
+---
+default_result: MANUAL

applications/openshift/networking/configure_network_policies/rule.yml

@@ -17,6 +17,7 @@ rationale: |-
 severity: high
 
 references:
+ bsi: APP.4.4.A7
  cis@ocp4: 5.3.1
  nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
  nist: CM-6,CM-6(1)

applications/openshift/networking/configure_network_policies_namespaces/rule.yml

@@ -17,6 +17,7 @@ rationale: |-
 severity: high
 
 references:
+ bsi: APP.4.4.A7
  cis@eks: 4.3.2
  cis@ocp4: 5.3.2
  nerc-cip: CIP-003-8 R4,CIP-003-8 R4.2,CIP-003-8 R5,CIP-003-8 R6,CIP-004-6 R2.2.4,CIP-004-6 R3,CIP-007-3 R2,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R6.1

applications/openshift/networking/project_config_and_template_network_policy/rule.yml

@@ -58,6 +58,7 @@ identifiers:
  cce@ocp4: CCE-86070-0
 
 references:
+ bsi: APP.4.4.A7
  srg: SRG-APP-000039-CTR-000110
 
 warnings:

applications/openshift/rbac/rbac_least_privilege/rule.yml

@@ -26,7 +26,7 @@ identifiers:
  cce@ocp4: CCE-90678-4
 
 references:
- bsi: APP.4.4.A3
+ bsi: APP.4.4.A3,APP.4.4.A7
  cis@ocp4: 5.2.10
  nist: AC-3,CM-5(6),IA-2,IA-2(5),AC-6(10),CM-11(2),CM-5(1),CM-7(5)(b)
  srg: SRG-APP-000033-CTR-000090,SRG-APP-000033-CTR-000095,SRG-APP-000033-CTR-000100,SRG-APP-000133-CTR-000290,SRG-APP-000133-CTR-000295,SRG-APP-000133-CTR-000300,SRG-APP-000133-CTR-000305,SRG-APP-000133-CTR-000310,SRG-APP-000148-CTR-000350,SRG-APP-000153-CTR-000375,SRG-APP-000340-CTR-000770,SRG-APP-000378-CTR-000880,SRG-APP-000378-CTR-000885,SRG-APP-000378-CTR-000890,SRG-APP-000380-CTR-000900,SRG-APP-000386-CTR-000920

controls/bsi_app_4_4.yml

@@ -162,35 +162,46 @@ controls:
  levels:
  - standard
  description: >-
- If an initialisation (e.g. of an application) takes place in a pod at start-up, this SHOULD take
- place in a separate Init container. It SHOULD be ensured that the initialisation terminates all
- processes that are already running. Kubernetes SHOULD ONLY start the other containers if
- the initialisation is successful.
+ If an initialisation (e.g. of an application) takes place in a pod at start-up, this SHOULD take place in a separate Init container. It SHOULD be ensured that the initialisation terminates all processes that are already running. Kubernetes SHOULD ONLY start the other containers if the initialisation is successful.
  notes: >-
- TBD
- status: pending
+ OpenShift provides the necessary resource configurations via Kubernetes. Kubernetes ensures the (process) dependencies between init containers and “normal” containers of a pod.
+
+ The requirement must be implemented by application development.
+ status: inherently met
  rules: []
 
  - id: APP.4.4.A7
  title: Separation of Networks for Kubernetes
  levels:
  - standard
  description: >-
- Networks for the administration of nodes, the control plane, and the individual networks of
- application services SHOULD be separated.
- Only the network ports of the pods necessary for operation SHOULD be released into the
- designated networks. If a Kubernetes cluster contains multiple applications, all the network
- connections between the Kubernetes namespaces SHOULD first be prohibited and only
- required network connections permitted (whitelisting). The network ports necessary for the
- administration of the nodes, the runtime, and Kubernetes (including its extensions) SHOULD
- ONLY be accessible from the corresponding administration network and from pods that need
- them.
- Only selected administrators SHOULD be authorised in Kubernetes to manage the CNI and
- create or change rules for the network.
+ (1) Networks for the administration of nodes, the control plane, and the individual networks of application services SHOULD be separated.
+ (2) Only the network ports of the pods necessary for operation SHOULD be released into the designated networks. (3) If a Kubernetes cluster contains multiple applications, all the network connections between the Kubernetes namespaces SHOULD first be prohibited and only required network connections permitted (whitelisting). (4) The network ports necessary for the administration of the nodes, the runtime, and Kubernetes (including its extensions) SHOULD ONLY be accessible from the corresponding administration network and from pods that need them.
+ (5) Only selected administrators SHOULD be authorised in Kubernetes to manage the CNI and create or change rules for the network.
  notes: >-
- TBD
- status: pending
- rules: []
+ Section 1-3:
+ The requirements for restricting network ports and network connections between Kubernetes namespaces are already supported by OpenShift as standard using network policies and the option for default network policies (security by design).
+
+ The separation of the management network can also be implemented at the namespace level via network policies (incoming, the responsibility of the namespace administrator) and egress firewalls (outgoing, the responsibility of the cluster admins).
+
+ Externally exposed services can receive their own IP and thus data traffic can also be separated outside the platform. Inter-node communication is carried out via suitable tunnel protocols (VXLAN, GENEVE) and can also be encrypted using IPSec.
+
+ The determination of the necessary network policies for applications is supported by the network policy generator in ACS.
+ Section 4 is true by default
+ Section 5 maps to principle of least privilege
+ status: partial
+ rules:
+ # Section 1
+ - general_network_separation
+ # Section 2
+ - configure_network_policies
+ - configure_network_policies_namespaces
+ # Section 3
+ - project_config_and_template_network_policy
+ # Section 4, default
+ # Section 5
+ - rbac_least_privilege
+
 
  - id: APP.4.4.A8
  title: Securing Configuration Files on Kubernetes
@@ -237,7 +248,7 @@ controls:
  start pods via automation software, this SHOULD be done for each group through separate
  processes that only have the rights necessary for the respective user group.
  notes: >-
- This control needs to be adressed on an organizational level. All service accounts used by 
+ This control needs to be adressed on an organizational level. All service accounts used by
  automation software need to adhere to the principle of least privilege.
  status: not applicable
  rules: []

shared/references/cce-redhat-avail.txt

@@ -316,7 +316,6 @@ CCE-86842-2
 CCE-86845-5
 CCE-86846-3
 CCE-86847-1
-CCE-86851-3
 CCE-86852-1
 CCE-86853-9
 CCE-86854-7
@@ -3270,7 +3269,6 @@ CCE-90275-9
 CCE-90276-7
 CCE-90277-5
 CCE-90278-3
-CCE-90279-1
 CCE-90280-9
 CCE-90281-7
 CCE-90282-5