Defined notes and rules for control BSI APP4.4.A17 - APP4.4.A19 (Splitted into 3 PRs)

[benruland]

Description:
Notes / Rules for BSI APP4.4.A17 - APP4.4.A19 added.

Rationale:
As we have multiple customers asking for a BSI profile to be included in the compliance-operator, we are contributing a profile. To provide a better review process, the individual controle are implemented as separate PRs.

[openshift-ci]

Hi @benruland. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_cluster_version_operator_exists'.
--- xccdf_org.ssgproject.content_rule_cluster_version_operator_exists
+++ xccdf_org.ssgproject.content_rule_cluster_version_operator_exists
@@ -21,6 +21,9 @@
     file.
 
 [reference]:
+APP.4.4.A17
+
+[reference]:
 SA-10(1)
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_cluster_version_operator_verify_integrity'.
--- xccdf_org.ssgproject.content_rule_cluster_version_operator_verify_integrity
+++ xccdf_org.ssgproject.content_rule_cluster_version_operator_verify_integrity
@@ -18,6 +18,9 @@
     file.
 
 [reference]:
+APP.4.4.A17
+
+[reference]:
 SA-10(1)
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_integrity_exists'.
--- xccdf_org.ssgproject.content_rule_file_integrity_exists
+++ xccdf_org.ssgproject.content_rule_file_integrity_exists
@@ -12,6 +12,9 @@
 [warning]:
 This rule's check operates on the cluster configuration dump.
 Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/fileintegrity.openshift.io/v1alpha1/fileintegrities?limit=5 API endpoint to the local /apis/fileintegrity.openshift.io/v1alpha1/fileintegrities?limit=5 file.
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R4.2

New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_client_ca'.
--- xccdf_org.ssgproject.content_rule_api_server_client_ca
+++ xccdf_org.ssgproject.content_rule_api_server_client_ca
@@ -27,6 +27,9 @@
     and persist it to the local
     /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#d56e72c377d8f85e0601a704d4218064a0ea4a2235ceee82d20db6cdafc74608
     file.
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R4.2

New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_https_for_kubelet_conn'.
--- xccdf_org.ssgproject.content_rule_api_server_https_for_kubelet_conn
+++ xccdf_org.ssgproject.content_rule_api_server_https_for_kubelet_conn
@@ -16,6 +16,9 @@
     and persist it to the local
     /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
     file.
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R4.2

New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_kubelet_client_cert'.
--- xccdf_org.ssgproject.content_rule_api_server_kubelet_client_cert
+++ xccdf_org.ssgproject.content_rule_api_server_kubelet_client_cert
@@ -23,6 +23,9 @@
     and persist it to the local
     /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#e5500055b4aa2fcf00dc09ad0e66e44b6b42d67f8d53d1e72ff81b32f0e09865
     file.
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R4.2

New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_kubelet_client_key'.
--- xccdf_org.ssgproject.content_rule_api_server_kubelet_client_key
+++ xccdf_org.ssgproject.content_rule_api_server_kubelet_client_key
@@ -23,6 +23,9 @@
     and persist it to the local
     /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#1e2b7c1158e0b9a602cb20d62c82b4660907bb57b63dac11c6c7c64211c49c69
     file.
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R4.2

New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_tls_cert'.
--- xccdf_org.ssgproject.content_rule_api_server_tls_cert
+++ xccdf_org.ssgproject.content_rule_api_server_tls_cert
@@ -26,6 +26,9 @@
     and persist it to the local
     /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#bca394347bab5b9902f1d1568d4f5d6e5498b01ec27ddf8231443e376b18757d
     file.
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R4.2

New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_tls_cipher_suites'.
--- xccdf_org.ssgproject.content_rule_api_server_tls_cipher_suites
+++ xccdf_org.ssgproject.content_rule_api_server_tls_cipher_suites
@@ -35,6 +35,9 @@
 server.
 
 [reference]:
+APP.4.4.A17
+
+[reference]:
 CM-6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_tls_private_key'.
--- xccdf_org.ssgproject.content_rule_api_server_tls_private_key
+++ xccdf_org.ssgproject.content_rule_api_server_tls_private_key
@@ -26,6 +26,9 @@
     and persist it to the local
     /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#8c69c1fe6742f70a3a16c09461f57a19ef2a695143301cede2f2f5d307aa3508
     file.
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R4.2

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_integrity_notification_enabled'.
--- xccdf_org.ssgproject.content_rule_file_integrity_notification_enabled
+++ xccdf_org.ssgproject.content_rule_file_integrity_notification_enabled
@@ -16,6 +16,9 @@
     and persist it to the local
     /apis/monitoring.coreos.com/v1/prometheusrules#dda8d6e19f5a89264301ce56ece4df115a14d8a85e3ae6bd3cd8eccd234252c5
     file.
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 SI-6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_tls_version_check_apiserver'.
--- xccdf_org.ssgproject.content_rule_tls_version_check_apiserver
+++ xccdf_org.ssgproject.content_rule_tls_version_check_apiserver
@@ -16,6 +16,9 @@
     file.
 
 [reference]:
+APP.4.4.A17
+
+[reference]:
 Req-4.1
 
 [rationale]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca'.
--- xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca
+++ xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca
@@ -15,6 +15,9 @@
   x509:
     clientCAFile: /etc/kubernetes/kubelet-ca.crt
 ...
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cert'.
--- xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cert
+++ xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cert
@@ -17,6 +17,9 @@
     and persist it to the local
     /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#e5500055b4aa2fcf00dc09ad0e66e44b6b42d67f8d53d1e72ff81b32f0e09865
     file.
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R4.2

New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites'.
--- xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites
+++ xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites
@@ -29,6 +29,9 @@
 and var_kubelet_tls_cipher_suites have to be set
 
 [reference]:
+APP.4.4.A17
+
+[reference]:
 CIP-003-8 R6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_tls_key'.
--- xccdf_org.ssgproject.content_rule_kubelet_configure_tls_key
+++ xccdf_org.ssgproject.content_rule_kubelet_configure_tls_key
@@ -17,6 +17,9 @@
     and persist it to the local
     /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#1e2b7c1158e0b9a602cb20d62c82b4660907bb57b63dac11c6c7c64211c49c69
     file.
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R4.2

New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_tls_min_version'.
--- xccdf_org.ssgproject.content_rule_kubelet_configure_tls_min_version
+++ xccdf_org.ssgproject.content_rule_kubelet_configure_tls_min_version
@@ -51,6 +51,9 @@
 the relevant documentation.
 
 [reference]:
+APP.4.4.A17
+
+[reference]:
 SC-8
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_network_policies'.
--- xccdf_org.ssgproject.content_rule_configure_network_policies
+++ xccdf_org.ssgproject.content_rule_configure_network_policies
@@ -19,7 +19,10 @@
     file.
 
 [reference]:
-APP.4.4.A7
+APP.4.4.7
+
+[reference]:
+APP.4.4.A18
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces'.
--- xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces
+++ xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces
@@ -23,6 +23,9 @@
 
 [reference]:
 APP.4.4.A7
+
+[reference]:
+APP.4.4.A18
 
 [reference]:
 CIP-003-8 R4

New content has different text for rule 'xccdf_org.ssgproject.content_rule_project_template_network_policy'.
--- xccdf_org.ssgproject.content_rule_project_template_network_policy
+++ xccdf_org.ssgproject.content_rule_project_template_network_policy
@@ -19,6 +19,9 @@
     file.
 
 [reference]:
+APP.4.4.A18
+
+[reference]:
 SRG-APP-000039-CTR-000110
 
 [rationale]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_kubelet_conf'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_kubelet_conf
+++ xccdf_org.ssgproject.content_rule_file_groupowner_kubelet_conf
@@ -4,6 +4,9 @@
 
 [description]:
 To properly set the group owner of /etc/kubernetes/kubelet.conf, run the command: $ sudo chgrp root /etc/kubernetes/kubelet.conf
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_worker_ca'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_worker_ca
+++ xccdf_org.ssgproject.content_rule_file_groupowner_worker_ca
@@ -4,6 +4,9 @@
 
 [description]:
 To properly set the group owner of /etc/kubernetes/kubelet-ca.crt, run the command: $ sudo chgrp root /etc/kubernetes/kubelet-ca.crt
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_worker_kubeconfig'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_worker_kubeconfig
+++ xccdf_org.ssgproject.content_rule_file_groupowner_worker_kubeconfig
@@ -4,6 +4,9 @@
 
 [description]:
 To properly set the group owner of /var/lib/kubelet/kubeconfig, run the command: $ sudo chgrp root /var/lib/kubelet/kubeconfig
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_worker_service'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_worker_service
+++ xccdf_org.ssgproject.content_rule_file_groupowner_worker_service
@@ -6,6 +6,9 @@
 '
   To properly set the group owner of /etc/systemd/system/kubelet.service, run the command:
   $ sudo chgrp root /etc/systemd/system/kubelet.service'
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_kubelet'.
--- xccdf_org.ssgproject.content_rule_file_owner_kubelet
+++ xccdf_org.ssgproject.content_rule_file_owner_kubelet
@@ -4,6 +4,9 @@
 
 [description]:
 To properly set the owner of /var/lib/kubelet/config.json, run the command: $ sudo chown root /var/lib/kubelet/config.json
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_kubelet_conf'.
--- xccdf_org.ssgproject.content_rule_file_owner_kubelet_conf
+++ xccdf_org.ssgproject.content_rule_file_owner_kubelet_conf
@@ -4,6 +4,9 @@
 
 [description]:
 To properly set the owner of /etc/kubernetes/kubelet.conf, run the command: $ sudo chown root /etc/kubernetes/kubelet.conf
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_worker_ca'.
--- xccdf_org.ssgproject.content_rule_file_owner_worker_ca
+++ xccdf_org.ssgproject.content_rule_file_owner_worker_ca
@@ -4,6 +4,9 @@
 
 [description]:
 To properly set the owner of /etc/kubernetes/kubelet-ca.crt, run the command: $ sudo chown root /etc/kubernetes/kubelet-ca.crt
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_worker_kubeconfig'.
--- xccdf_org.ssgproject.content_rule_file_owner_worker_kubeconfig
+++ xccdf_org.ssgproject.content_rule_file_owner_worker_kubeconfig
@@ -4,6 +4,9 @@
 
 [description]:
 To properly set the owner of /var/lib/kubelet/kubeconfig, run the command: $ sudo chown root /var/lib/kubelet/kubeconfig
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_worker_service'.
--- xccdf_org.ssgproject.content_rule_file_owner_worker_service
+++ xccdf_org.ssgproject.content_rule_file_owner_worker_service
@@ -6,6 +6,9 @@
 '
   To properly set the owner of /etc/systemd/system/kubelet.service, run the command:
   $ sudo chown root /etc/systemd/system/kubelet.service '
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_kubelet'.
--- xccdf_org.ssgproject.content_rule_file_permissions_kubelet
+++ xccdf_org.ssgproject.content_rule_file_permissions_kubelet
@@ -5,6 +5,9 @@
 [description]:
 To properly set the permissions of /var/lib/kubelet/config.json, run the command:
 $ sudo chmod 0600 /var/lib/kubelet/config.json
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_kubelet_conf'.
--- xccdf_org.ssgproject.content_rule_file_permissions_kubelet_conf
+++ xccdf_org.ssgproject.content_rule_file_permissions_kubelet_conf
@@ -5,6 +5,9 @@
 [description]:
 To properly set the permissions of /etc/kubernetes/kubelet.conf, run the command:
 $ sudo chmod 0644 /etc/kubernetes/kubelet.conf
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_worker_ca'.
--- xccdf_org.ssgproject.content_rule_file_permissions_worker_ca
+++ xccdf_org.ssgproject.content_rule_file_permissions_worker_ca
@@ -5,6 +5,9 @@
 [description]:
 To properly set the permissions of /etc/kubernetes/kubelet-ca.crt, run the command:
 $ sudo chmod 0644 /etc/kubernetes/kubelet-ca.crt
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_worker_kubeconfig'.
--- xccdf_org.ssgproject.content_rule_file_permissions_worker_kubeconfig
+++ xccdf_org.ssgproject.content_rule_file_permissions_worker_kubeconfig
@@ -5,6 +5,9 @@
 [description]:
 To properly set the permissions of /var/lib/kubelet/kubeconfig, run the command:
 $ sudo chmod 0600 /var/lib/kubelet/kubeconfig
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_worker_service'.
--- xccdf_org.ssgproject.content_rule_file_permissions_worker_service
+++ xccdf_org.ssgproject.content_rule_file_permissions_worker_service
@@ -5,6 +5,9 @@
 [description]:
 To properly set the permissions of /etc/systemd/system/kubelet.service, run the command:
 $ sudo chmod 0644 /etc/systemd/system/kubelet.service
+
+[reference]:
+APP.4.4.A17
 
 [reference]:
 CIP-003-8 R6

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

ocp4 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[github-actions]

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11659
This image was built from commit: c660330

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11659

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11659 make deploy-local

[sluetze]

@benruland this one is a biggy. I think the only mandatory change is the doubled bsi: reference and the partial/automated state. lets discuss the other points.

[benruland]

In the future, for APP.4.4.18, we might need to also look at AdminNetworkPolicy, currently in TechPreviewNoUpgrade state.

[yuumasato]

/ok-to-test

[yuumasato]

/test e2e-aws-ocp4-bsi
/test e2e-aws-ocp4-bsi-node
/test e2e-aws-rhcos4-bsi

[benruland]

@sluetze @ermeratos, I am finished content-wise. Please have a look.
@yuumasato A lot of tests are failing but I am unsure if this is expected. Could you also have a look?

I know this is a big MR with a couple of new rules. The majority of new lines is, however, produced by test cases.

[benruland]

I accidentially reset the branch to the master branch and removed all my commits. I have just re-added them and will re-open this PR as soon as GitHub notices them

[benruland]

I was unable to reopen the PR and split up the changes into 3 PRs for better reviewability