ComplianceAsCode
Defined notes and rules for control BSI APP4.4.A8 - APP4.4.A11
Description:
Notes / Rules for BSI APP4.4.A8 - APP4.4.A11 added.
Rationale:
As we have multiple customers asking for a BSI profile to be included in the compliance-operator, we are contributing a profile. To provide a better review process, the individual controle are implemented as separate PRs.
Hi @benruland. Thanks for your PR.
I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the ok-to-test label.
I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
![openshift-ci[bot] avatar](https://avatars.githubusercontent.com/in/91280?v=4 "Published by a pub.dev verified publisher"){kind=small}
Start a new ephemeral environment with changes proposed in this pull request:
ocp4 (from CTF) Environment (using Fedora as testing environment)
Fedora Testing Environment
Oracle Linux 8 Environment
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
This datastream diff is auto generated by the check Compare DS/Generate Diff
Click here to see the full diff
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_restrict_service_account_tokens'.
--- xccdf_org.ssgproject.content_rule_accounts_restrict_service_account_tokens
+++ xccdf_org.ssgproject.content_rule_accounts_restrict_service_account_tokens
@@ -7,6 +7,9 @@
running in the pod explicitly needs to communicate with the API server.
To ensure pods do not automatically mount tokens, set
automountServiceAccountToken to false.
+
+[reference]:
+APP.4.4.A9
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_unique_service_account'.
--- xccdf_org.ssgproject.content_rule_accounts_unique_service_account
+++ xccdf_org.ssgproject.content_rule_accounts_unique_service_account
@@ -10,6 +10,9 @@
where service_account_name is the name of a service account
that is needed in the project namespace.
+
+[reference]:
+APP.4.4.A9
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_network_policies'.
--- xccdf_org.ssgproject.content_rule_configure_network_policies
+++ xccdf_org.ssgproject.content_rule_configure_network_policies
@@ -17,6 +17,9 @@
and persist it to the local
/apis/operator.openshift.io/v1/networks/cluster#35e33d6dc1252a03495b35bd1751cac70041a511fa4d282c300a8b83b83e3498
file.
+
+[reference]:
+APP.4.4.A7
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces'.
--- xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces
+++ xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces
@@ -20,6 +20,9 @@
and persist it to the local
/api/v1/namespaces#f673748db2dd4e4f0ad55d10ce5e86714c06da02b67ddb392582f71ef81efab2
file.
+
+[reference]:
+APP.4.4.A7
[reference]:
CIP-003-8 R4
New content has different text for rule 'xccdf_org.ssgproject.content_rule_project_config_and_template_network_policy'.
--- xccdf_org.ssgproject.content_rule_project_config_and_template_network_policy
+++ xccdf_org.ssgproject.content_rule_project_config_and_template_network_policy
@@ -32,6 +32,9 @@
file.
[reference]:
+APP.4.4.A7
+
+[reference]:
SRG-APP-000039-CTR-000110
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_rbac_least_privilege'.
--- xccdf_org.ssgproject.content_rule_rbac_least_privilege
+++ xccdf_org.ssgproject.content_rule_rbac_least_privilege
@@ -28,6 +28,12 @@
[reference]:
APP.4.4.A3
+
+[reference]:
+APP.4.4.A7
+
+[reference]:
+APP.4.4.A9
[reference]:
AC-3
New content has different text for rule 'xccdf_org.ssgproject.content_rule_rbac_wildcard_use'.
--- xccdf_org.ssgproject.content_rule_rbac_wildcard_use
+++ xccdf_org.ssgproject.content_rule_rbac_wildcard_use
@@ -9,6 +9,9 @@
wildcard * which matches all items. This violates the
principle of least privilege and leaves a cluster in a more
vulnerable state to privilege abuse.
+
+[reference]:
+APP.4.4.A9
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_scansettingbinding_exists'.
--- xccdf_org.ssgproject.content_rule_scansettingbinding_exists
+++ xccdf_org.ssgproject.content_rule_scansettingbinding_exists
@@ -12,6 +12,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/compliance.openshift.io/v1alpha1/scansettingbindings?limit=5 API endpoint to the local /apis/compliance.openshift.io/v1alpha1/scansettingbindings?limit=5 file.
+
+[reference]:
+APP.4.4.A13
[reference]:
CIP-003-8 R1.3
New content has different text for rule 'xccdf_org.ssgproject.content_rule_scansettings_have_schedule'.
--- xccdf_org.ssgproject.content_rule_scansettings_have_schedule
+++ xccdf_org.ssgproject.content_rule_scansettings_have_schedule
@@ -21,6 +21,9 @@
file.
[reference]:
+APP.4.4.A13
+
+[reference]:
SI-6(b)
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_drop_container_capabilities'.
--- xccdf_org.ssgproject.content_rule_scc_drop_container_capabilities
+++ xccdf_org.ssgproject.content_rule_scc_drop_container_capabilities
@@ -8,6 +8,9 @@
capabilities, the appropriate Security Context Constraints (SCCs)
should set all capabilities as * or a list of capabilities in
requiredDropCapabilities.
+
+[reference]:
+APP.4.4.A9
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_container_allowed_capabilities'.
--- xccdf_org.ssgproject.content_rule_scc_limit_container_allowed_capabilities
+++ xccdf_org.ssgproject.content_rule_scc_limit_container_allowed_capabilities
@@ -47,6 +47,9 @@
file.
[reference]:
+APP.4.4.A9
+
+[reference]:
CIP-003-8 R6
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_host_dir_volume_plugin'.
--- xccdf_org.ssgproject.content_rule_scc_limit_host_dir_volume_plugin
+++ xccdf_org.ssgproject.content_rule_scc_limit_host_dir_volume_plugin
@@ -10,6 +10,9 @@
[reference]:
APP.4.4.A4
+
+[reference]:
+APP.4.4.A9
[reference]:
AC-6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_host_ports'.
--- xccdf_org.ssgproject.content_rule_scc_limit_host_ports
+++ xccdf_org.ssgproject.content_rule_scc_limit_host_ports
@@ -7,6 +7,9 @@
on the hosts. To prevent containers from binding to privileged ports
on the host the appropriate Security Context Constraints (SCCs)
should set allowHostPorts to false.
+
+[reference]:
+APP.4.4.A9
[reference]:
CM-6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_ipc_namespace'.
--- xccdf_org.ssgproject.content_rule_scc_limit_ipc_namespace
+++ xccdf_org.ssgproject.content_rule_scc_limit_ipc_namespace
@@ -10,6 +10,9 @@
[reference]:
APP.4.4.A4
+
+[reference]:
+APP.4.4.A9
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_net_raw_capability'.
--- xccdf_org.ssgproject.content_rule_scc_limit_net_raw_capability
+++ xccdf_org.ssgproject.content_rule_scc_limit_net_raw_capability
@@ -11,6 +11,9 @@
[reference]:
APP.4.4.A4
+
+[reference]:
+APP.4.4.A9
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_network_namespace'.
--- xccdf_org.ssgproject.content_rule_scc_limit_network_namespace
+++ xccdf_org.ssgproject.content_rule_scc_limit_network_namespace
@@ -10,6 +10,9 @@
[reference]:
APP.4.4.A4
+
+[reference]:
+APP.4.4.A9
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_privilege_escalation'.
--- xccdf_org.ssgproject.content_rule_scc_limit_privilege_escalation
+++ xccdf_org.ssgproject.content_rule_scc_limit_privilege_escalation
@@ -8,6 +8,9 @@
To prevent containers from escalating privileges,
the appropriate Security Context Constraints (SCCs)
should set allowPrivilegeEscalation to false.
+
+[reference]:
+APP.4.4.A9
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_privileged_containers'.
--- xccdf_org.ssgproject.content_rule_scc_limit_privileged_containers
+++ xccdf_org.ssgproject.content_rule_scc_limit_privileged_containers
@@ -10,6 +10,9 @@
[reference]:
APP.4.4.A4
+
+[reference]:
+APP.4.4.A9
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_process_id_namespace'.
--- xccdf_org.ssgproject.content_rule_scc_limit_process_id_namespace
+++ xccdf_org.ssgproject.content_rule_scc_limit_process_id_namespace
@@ -10,6 +10,9 @@
[reference]:
APP.4.4.A4
+
+[reference]:
+APP.4.4.A9
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_scc_limit_root_containers'.
--- xccdf_org.ssgproject.content_rule_scc_limit_root_containers
+++ xccdf_org.ssgproject.content_rule_scc_limit_root_containers
@@ -10,6 +10,9 @@
[reference]:
APP.4.4.A4
+
+[reference]:
+APP.4.4.A9
[reference]:
CIP-003-8 R6
:robot: A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11559
This image was built from commit: 3dd2ce3954b9da6a7b8af2c7d15a5fd31e315569
Click here to see how to deploy it
If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11559
Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11559 make deploy-local
The Automatus tests keep on failing. I need advise how to fix this / or can it be ignored?
Locally, the created tests run fine, e.g.:
$ tests/test_rule_in_container.sh \
--dontclean --logdir logs_bash \
--remediate-using bash \
--name ssg_test_suite \
--datastream build/ssg-ocp4-ds.xml \
accounts_no_clusterrolebindings_default_service_account
Setting console output to log level INFO
INFO - The base image option has been specified, choosing Podman-based test environment.
INFO - Logging into logs_bash-1/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_accounts_no_clusterrolebindings_default_service_account
INFO - Script clusterrolebindings_other_serviceaccounts.pass.sh using profile (all) OK
INFO - Script clusterrolebindings_serviceaccounts.fail.sh using profile (all) OK
INFO - Script no_clusterrolebindings.pass.sh using profile (all) OK
Code Climate has analyzed commit 42f881bf and detected 0 issues on this pull request.
The test coverage on the diff in this pull request is 100.0% (50% is the threshold).
This pull request will bring the total coverage in the repository to 59.8% (0.0% change).
View more on Code Climate.
![qlty-cloud-legacy[bot] avatar](https://avatars.githubusercontent.com/in/9403?v=4 "Published by a pub.dev verified publisher"){kind=small}
@yuumasato: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:
-
/test 4.13-e2e-aws-ocp4-bsi -
/test 4.13-e2e-aws-ocp4-bsi-node -
/test 4.13-e2e-aws-ocp4-cis -
/test 4.13-e2e-aws-ocp4-cis-node -
/test 4.13-e2e-aws-ocp4-e8 -
/test 4.13-e2e-aws-ocp4-high -
/test 4.13-e2e-aws-ocp4-high-node -
/test 4.13-e2e-aws-ocp4-moderate -
/test 4.13-e2e-aws-ocp4-moderate-node -
/test 4.13-e2e-aws-ocp4-pci-dss -
/test 4.13-e2e-aws-ocp4-pci-dss-node -
/test 4.13-e2e-aws-ocp4-stig -
/test 4.13-e2e-aws-ocp4-stig-node -
/test 4.13-e2e-aws-rhcos4-bsi -
/test 4.13-e2e-aws-rhcos4-e8 -
/test 4.13-e2e-aws-rhcos4-high -
/test 4.13-e2e-aws-rhcos4-moderate -
/test 4.13-e2e-aws-rhcos4-stig -
/test 4.13-images -
/test 4.14-e2e-aws-ocp4-bsi -
/test 4.14-e2e-aws-ocp4-bsi-node -
/test 4.14-e2e-aws-rhcos4-bsi -
/test 4.14-images -
/test 4.15-e2e-aws-ocp4-bsi -
/test 4.15-e2e-aws-ocp4-bsi-node -
/test 4.15-e2e-aws-ocp4-cis -
/test 4.15-e2e-aws-ocp4-cis-node -
/test 4.15-e2e-aws-ocp4-e8 -
/test 4.15-e2e-aws-ocp4-high -
/test 4.15-e2e-aws-ocp4-high-node -
/test 4.15-e2e-aws-ocp4-moderate -
/test 4.15-e2e-aws-ocp4-moderate-node -
/test 4.15-e2e-aws-ocp4-pci-dss -
/test 4.15-e2e-aws-ocp4-pci-dss-node -
/test 4.15-e2e-aws-ocp4-stig -
/test 4.15-e2e-aws-ocp4-stig-node -
/test 4.15-e2e-aws-rhcos4-bsi -
/test 4.15-e2e-aws-rhcos4-e8 -
/test 4.15-e2e-aws-rhcos4-high -
/test 4.15-e2e-aws-rhcos4-moderate -
/test 4.15-e2e-aws-rhcos4-stig -
/test 4.15-images -
/test 4.16-e2e-aws-ocp4-bsi -
/test 4.16-e2e-aws-ocp4-bsi-node -
/test 4.16-e2e-aws-ocp4-cis -
/test 4.16-e2e-aws-ocp4-cis-node -
/test 4.16-e2e-aws-ocp4-e8 -
/test 4.16-e2e-aws-ocp4-high -
/test 4.16-e2e-aws-ocp4-high-node -
/test 4.16-e2e-aws-ocp4-moderate -
/test 4.16-e2e-aws-ocp4-moderate-node -
/test 4.16-e2e-aws-ocp4-pci-dss -
/test 4.16-e2e-aws-ocp4-pci-dss-node -
/test 4.16-e2e-aws-ocp4-stig -
/test 4.16-e2e-aws-ocp4-stig-node -
/test 4.16-e2e-aws-rhcos4-bsi -
/test 4.16-e2e-aws-rhcos4-e8 -
/test 4.16-e2e-aws-rhcos4-high -
/test 4.16-e2e-aws-rhcos4-moderate -
/test 4.16-e2e-aws-rhcos4-stig -
/test 4.16-images -
/test e2e-aws-ocp4-bsi -
/test e2e-aws-ocp4-bsi-node -
/test e2e-aws-ocp4-cis -
/test e2e-aws-ocp4-cis-node -
/test e2e-aws-ocp4-e8 -
/test e2e-aws-ocp4-high -
/test e2e-aws-ocp4-high-node -
/test e2e-aws-ocp4-moderate -
/test e2e-aws-ocp4-moderate-node -
/test e2e-aws-ocp4-pci-dss -
/test e2e-aws-ocp4-pci-dss-node -
/test e2e-aws-ocp4-stig -
/test e2e-aws-ocp4-stig-node -
/test e2e-aws-rhcos4-bsi -
/test e2e-aws-rhcos4-e8 -
/test e2e-aws-rhcos4-high -
/test e2e-aws-rhcos4-moderate -
/test e2e-aws-rhcos4-stig -
/test images
Use /test all to run the following jobs that were automatically triggered:
-
pull-ci-ComplianceAsCode-content-master-4.13-images -
pull-ci-ComplianceAsCode-content-master-4.14-images -
pull-ci-ComplianceAsCode-content-master-4.15-images -
pull-ci-ComplianceAsCode-content-master-4.16-images -
pull-ci-ComplianceAsCode-content-master-images
In response to this:
/test help
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
/test e2e-aws-ocp4-bsi /test e2e-aws-ocp4-bsi-node /test e2e-aws-rhcos4-bsi
Code Climate has analyzed commit 3dd2ce39 and detected 0 issues on this pull request.
The test coverage on the diff in this pull request is 100.0% (50% is the threshold).
This pull request will bring the total coverage in the repository to 59.4% (0.0% change).
View more on Code Climate.
/test e2e-aws-ocp4-bsi /test e2e-aws-ocp4-bsi-node /test e2e-aws-rhcos4-bsi
@benruland: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:
| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-aws-ocp4-bsi | 3dd2ce3954b9da6a7b8af2c7d15a5fd31e315569 | link | true | /test e2e-aws-ocp4-bsi |
| ci/prow/e2e-aws-rhcos4-bsi | 3dd2ce3954b9da6a7b8af2c7d15a5fd31e315569 | link | true | /test e2e-aws-rhcos4-bsi |
| ci/prow/e2e-aws-ocp4-bsi-node | 3dd2ce3954b9da6a7b8af2c7d15a5fd31e315569 | link | true | /test e2e-aws-ocp4-bsi-node |
Full PR test history. Your PR dashboard.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.