[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: yuumasato
:robot: To deploy this PR, run the following command:
make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:610-614012f6129e8fa1521e5116fbe498bff48b38e2
Can we safely land this before the profile is available? IIUC - we should be able to land this code, but it will only get invoked if/when the operator parses the BSI profile.
I'm double checking if this can go in prior to the 1.6.0 release, or if we should wait for 1.7.0 development to open.
I think it is safe to merge before 1.6.0. But it should be fine to wait a bit more...
/hold for test
Verification passed with 4.17.0-0.nightly-2024-10-14-225948 + PR #610 + https://github.com/ComplianceAsCode/content code
$ oc get pb
NAME CONTENTIMAGE CONTENTFILE STATUS
ocp4 ghcr.io/complianceascode/k8scontent:latest ssg-ocp4-ds.xml VALID
rhcos4 ghcr.io/complianceascode/k8scontent:latest ssg-rhcos4-ds.xml VALID
upstream-ocp4 openscap-ocp4-ds:latest ssg-ocp4-ds.xml VALID
upstream-rhcos4 openscap-ocp4-ds:latest ssg-rhcos4-ds.xml VALID
$ oc get rules -o json | jq '.items[] | select(.metadata.annotations."control.compliance.openshift.io/BSI" != null) .metadata.name' | grep upstream &> BSIProfile
$ wc -l BSIProfile
83 BSIProfile
$ oc get rules -o json | jq '.items[] | select(.metadata.annotations."control.compliance.openshift.io/BSI" == null) .metadata.name' | grep upstream | wc -l
998
$ while read rule; do echo "Rule: $rule"; oc get rule $rule -o=jsonpath={.metadata.annotations} | jq -r | grep -e "control.compliance.openshift.io/BSI" -e "policies.open-cluster-management.io/controls" -e "policies.open-cluster-management.io/standards"; done < BSIProfile
Rule: upstream-ocp4-accounts-no-clusterrolebindings-default-service-account
"control.compliance.openshift.io/BSI": "APP.4.4.A9",
"policies.open-cluster-management.io/controls": "APP.4.4.A9",
"policies.open-cluster-management.io/standards": "BSI"
Rule: upstream-ocp4-accounts-no-rolebindings-default-service-account
"control.compliance.openshift.io/BSI": "APP.4.4.A9",
"policies.open-cluster-management.io/controls": "APP.4.4.A9",
"policies.open-cluster-management.io/standards": "BSI"
Rule: upstream-ocp4-accounts-restrict-service-account-tokens
"control.compliance.openshift.io/BSI": "APP.4.4.A9",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),Req-2.2,SRG-APP-000516-CTR-001325,5.1.6,APP.4.4.A9,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-accounts-unique-service-account
"control.compliance.openshift.io/BSI": "APP.4.4.A9",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),Req-2.2,SRG-APP-000516-CTR-001325,5.1.5,APP.4.4.A9,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-api-server-anonymous-auth
"control.compliance.openshift.io/BSI": "APP.4.4.A3",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),Req-2.2,SRG-APP-000516-CTR-001325,1.2.1,APP.4.4.A3,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-api-server-client-ca
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "CIP-003-8 R4.2,CIP-007-3 R5.1,SC-8,SC-8(1),SC-8(2),Req-2.2,Req-2.2.3,Req-2.3,SRG-APP-000441-CTR-001090,SRG-APP-000442-CTR-001095,1.2.29,APP.4.4.A17,2.2.1,2.2.5,2.2.7,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-api-server-encryption-provider-cipher
"control.compliance.openshift.io/BSI": "SYS.1.6.A8",
"policies.open-cluster-management.io/controls": "CIP-003-8 R4.2,SC-28,SC-28(1),Req-2.2,SRG-APP-000429-CTR-001060,1.2.31,2.8,SYS.1.6.A8,2.2.1,2.2,3.5.1.3,3.5.1,3.5,CNTR-OS-000780",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-api-server-https-for-kubelet-conn
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "CIP-003-8 R4.2,CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R5.1,CIP-007-3 R6.1,CM-6,CM-6(1),SC-8,SC-8(1),Req-2.2,Req-2.3,SRG-APP-000516-CTR-001325,1.2.4,APP.4.4.A17,2.2.1,2.2.7,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-api-server-kubelet-client-cert
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "CIP-003-8 R4.2,CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R5.1,CIP-007-3 R6.1,CM-6,CM-6(1),SC-8,SC-8(1),Req-2.2,SRG-APP-000516-CTR-001325,1.2.5,APP.4.4.A17,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-api-server-kubelet-client-key
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "CIP-003-8 R4.2,CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R5.1,CIP-007-3 R6.1,CM-6,CM-6(1),SC-8,SC-8(1),Req-2.2,SRG-APP-000516-CTR-001325,1.2.5,APP.4.4.A17,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-api-server-tls-cert
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "CIP-003-8 R4.2,CIP-007-3 R5.1,SC-8,SC-8(1),SC-8(2),Req-2.2,Req-2.2.3,Req-2.3,SRG-APP-000441-CTR-001090,SRG-APP-000442-CTR-001095,1.2.28,APP.4.4.A17,2.2.1,2.2.5,2.2.7,2.2,4.2.1,4.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-api-server-tls-cipher-suites
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "CM-6,Req-2.2,Req-2.2.3,Req-2.3,SRG-APP-000516-CTR-001325,1.2.32,APP.4.4.A17,2.2.1,2.2.5,2.2.7,2.2,4.2.1,4.2",
"policies.open-cluster-management.io/standards": "NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-api-server-tls-private-key
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "CIP-003-8 R4.2,CIP-007-3 R5.1,SC-8,SC-8(1),SC-8(2),Req-2.2,Req-2.2.3,Req-2.3,SRG-APP-000441-CTR-001090,SRG-APP-000442-CTR-001095,1.2.28,APP.4.4.A17,2.2.1,2.2.5,2.2.7,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-api-server-tls-security-profile-not-old
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "SC-8,SC-8(1),SRG-APP-000014-CTR-000040,APP.4.4.A17",
"policies.open-cluster-management.io/standards": "NIST-800-53,STIG,BSI"
Rule: upstream-ocp4-cluster-version-operator-exists
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "SA-10(1),SRG-APP-000384-CTR-000915,APP.4.4.A17,CNTR-OS-000740",
"policies.open-cluster-management.io/standards": "NIST-800-53,STIG,BSI"
Rule: upstream-ocp4-cluster-version-operator-verify-integrity
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "SA-10(1),SRG-APP-000384-CTR-000915,APP.4.4.A17,CNTR-OS-000740",
"policies.open-cluster-management.io/standards": "NIST-800-53,STIG,BSI"
Rule: upstream-ocp4-configure-network-policies
"control.compliance.openshift.io/BSI": "APP.4.4.A7;SYS.1.6.A5",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),Req-1.1.4,Req-1.2,Req-2.2,SRG-APP-000038-CTR-000105,5.3.1,APP.4.4.A7,SYS.1.6.A5,1.4.1,1.4,2.2.1,2.2,CNTR-OS-000100",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-configure-network-policies-namespaces
"control.compliance.openshift.io/BSI": "APP.4.4.A7;SYS.1.6.A5",
"policies.open-cluster-management.io/controls": "CIP-003-8 R4,CIP-003-8 R4.2,CIP-003-8 R5,CIP-003-8 R6,CIP-004-6 R2.2.4,CIP-004-6 R3,CIP-007-3 R2,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R6.1,AC-4,AC-4(21),CA-3(5),CM-6,CM-6(1),CM-7,CM-7(1),SC-7,SC-7(3),SC-7(5),SC-7(8),SC-7(12),SC-7(13),SC-7(18),SC-7(10),SI-4(22),Req-1.1.4,Req-1.2,Req-1.2.1,Req-1.3.1,Req-1.3.2,Req-2.2,SRG-APP-000038-CTR-000105,5.3.2,APP.4.4.A7,SYS.1.6.A5,1.2.6,1.2,1.3.1,1.3,1.4.1,1.4,2.2.1,2.2,CNTR-OS-000100",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-etcd-backup
"control.compliance.openshift.io/BSI": "APP.4.4.A5",
"policies.open-cluster-management.io/controls": "APP.4.4.A5",
"policies.open-cluster-management.io/standards": "BSI"
Rule: upstream-ocp4-file-groupowner-kubelet-conf
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),SRG-APP-000516-CTR-001325,4.1.6,APP.4.4.A17,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-file-groupowner-worker-ca
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),SRG-APP-000516-CTR-001325,4.1.8,APP.4.4.A17,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-file-groupowner-worker-kubeconfig
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),SRG-APP-000516-CTR-001325,4.1.10,APP.4.4.A17,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-file-groupowner-worker-service
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),SRG-APP-000516-CTR-001325,4.1.2,APP.4.4.A17,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-file-integrity-exists
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "CIP-003-8 R4.2,CIP-003-8 R6,CIP-007-3 R4,CIP-007-3 R4.1,CIP-007-3 R4.2,SC-4(23),SI-6,SI-7,SI-7(1),CM-6(a),SI-7(2),SI-4(24),Req-10.5.5,Req-11.5,SRG-APP-000516-CTR-001325,APP.4.4.A17,10.3.4,10.3,11.5.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-file-integrity-notification-enabled
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "SI-6,SI-7(2),SI-4(24),Req-11.5.1,Req-12.10.5,APP.4.4.A17,11.5.2",
"policies.open-cluster-management.io/standards": "NIST-800-53,PCI-DSS,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-file-owner-kubelet
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),SRG-APP-000516-CTR-001325,4.1.6,APP.4.4.A17,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-file-owner-kubelet-conf
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),SRG-APP-000516-CTR-001325,4.1.6,APP.4.4.A17,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-file-owner-worker-ca
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),SRG-APP-000516-CTR-001325,4.1.8,APP.4.4.A17,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-file-owner-worker-kubeconfig
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),SRG-APP-000516-CTR-001325,4.1.10,APP.4.4.A17,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-file-owner-worker-service
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),SRG-APP-000516-CTR-001325,4.1.2,APP.4.4.A17,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-file-permissions-kubelet
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),SRG-APP-000516-CTR-001325,4.1.5,APP.4.4.A17",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,STIG,CIS-OCP,BSI"
Rule: upstream-ocp4-file-permissions-kubelet-conf
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),SRG-APP-000516-CTR-001325,4.1.5,APP.4.4.A17,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-file-permissions-worker-ca
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),SRG-APP-000516-CTR-001325,4.1.7,APP.4.4.A17,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-file-permissions-worker-kubeconfig
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),SRG-APP-000516-CTR-001325,4.1.9,APP.4.4.A17,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-file-permissions-worker-service
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),SRG-APP-000516-CTR-001325,4.1.1,APP.4.4.A17,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-general-backup-solution-installed
"control.compliance.openshift.io/BSI": "APP.4.4.A5",
"policies.open-cluster-management.io/controls": "APP.4.4.A5",
"policies.open-cluster-management.io/standards": "BSI"
Rule: upstream-ocp4-general-namespace-separation
"control.compliance.openshift.io/BSI": "APP.4.4.A1;SYS.1.6.A3",
"policies.open-cluster-management.io/controls": "APP.4.4.A1,SYS.1.6.A3",
"policies.open-cluster-management.io/standards": "BSI"
Rule: upstream-ocp4-general-network-separation
"control.compliance.openshift.io/BSI": "APP.4.4.A7;SYS.1.6.A3;SYS.1.6.A5",
"policies.open-cluster-management.io/controls": "APP.4.4.A7,SYS.1.6.A3,SYS.1.6.A5",
"policies.open-cluster-management.io/standards": "BSI"
Rule: upstream-ocp4-general-node-separation
"control.compliance.openshift.io/BSI": "APP.4.4.A15;SYS.1.6.A3",
"policies.open-cluster-management.io/controls": "APP.4.4.A15,SYS.1.6.A3",
"policies.open-cluster-management.io/standards": "BSI"
Rule: upstream-ocp4-kube-descheduler-lifecycle-policy
"control.compliance.openshift.io/BSI": "APP.4.4.A21",
"policies.open-cluster-management.io/controls": "APP.4.4.A21",
"policies.open-cluster-management.io/standards": "BSI"
Rule: upstream-ocp4-kube-descheduler-operator-exists
"control.compliance.openshift.io/BSI": "APP.4.4.A21",
"policies.open-cluster-management.io/controls": "APP.4.4.A21",
"policies.open-cluster-management.io/standards": "BSI"
Rule: upstream-ocp4-kube-descheduler-podlifetime
"control.compliance.openshift.io/BSI": "APP.4.4.A21",
"policies.open-cluster-management.io/controls": "APP.4.4.A21",
"policies.open-cluster-management.io/standards": "BSI"
Rule: upstream-ocp4-kubeadmin-removed
"control.compliance.openshift.io/BSI": "APP.4.4.A3",
"policies.open-cluster-management.io/controls": "CIP-004-6 R2.2.2,CIP-004-6 R2.2.3,CIP-007-3 R.1.3,CIP-007-3 R2,CIP-007-3 R5,CIP-007-3 R5.1.1,CIP-007-3 R5.1.3,CIP-007-3 R5.2.1,CIP-007-3 R5.2.3,CIP-007-3 R6.1,CIP-007-3 R6.2,CIP-007-3 R6.3,CIP-007-3 R6.4,AC-2(2),AC-2(7),AC-2(9),AC-2(10),AC-12(1),IA-2(5),MA-4,SC-12(1),Req-2.1,SRG-APP-000023-CTR-000055,3.1.1,5.1.1,APP.4.4.A3,2.2.1,2.2.2,2.2,8.2.2,8.2,8.3,CNTR-OS-000030,CNTR-OS-000040,CNTR-OS-000440",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-kubelet-anonymous-auth
"control.compliance.openshift.io/BSI": "APP.4.4.A3",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),SRG-APP-000516-CTR-001325,4.2.2,APP.4.4.A3,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-kubelet-configure-client-ca
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),SRG-APP-000516-CTR-001325,4.2.4,APP.4.4.A17,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-kubelet-configure-tls-cert
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "CIP-003-8 R4.2,CIP-007-3 R5.1,SC-8,SC-8(1),SC-8(2),Req-2.2,Req-2.2.3,Req-2.3,SRG-APP-000441-CTR-001090,SRG-APP-000442-CTR-001095,4.2.9,APP.4.4.A17,2.2.1,2.2.5,2.2.7,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-kubelet-configure-tls-cipher-suites
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),SRG-APP-000516-CTR-001325,4.2.12,APP.4.4.A17,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-kubelet-configure-tls-key
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "CIP-003-8 R4.2,CIP-007-3 R5.1,SC-8,SC-8(1),SC-8(2),Req-2.2,Req-2.2.3,Req-2.3,SRG-APP-000441-CTR-001090,SRG-APP-000442-CTR-001095,4.2.9,APP.4.4.A17,2.2.1,2.2.5,2.2.7,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-kubelet-configure-tls-min-version
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "SC-8,SC-8(1),SRG-APP-000014-CTR-000040,SRG-APP-000560-CTR-001340,APP.4.4.A17,4.2.1,4.2,CNTR-OS-000020",
"policies.open-cluster-management.io/standards": "NIST-800-53,STIG,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-liveness-readiness-probe-in-workload
"control.compliance.openshift.io/BSI": "APP.4.4.A11;SYS.1.6.A3",
"policies.open-cluster-management.io/controls": "APP.4.4.A11,SYS.1.6.A3",
"policies.open-cluster-management.io/standards": "BSI"
Rule: upstream-ocp4-ocp-allowed-registries
"control.compliance.openshift.io/BSI": "SYS.1.6.A6",
"policies.open-cluster-management.io/controls": "CM-5(3),CM-7(2),CM-7(5),CM-11,SRG-APP-000456-CTR-001125,5.5.1,SYS.1.6.A6,2.2.1,2.2,CNTR-OS-000890,CNTR-OS-000900",
"policies.open-cluster-management.io/standards": "NIST-800-53,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-ocp-allowed-registries-for-import
"control.compliance.openshift.io/BSI": "SYS.1.6.A6",
"policies.open-cluster-management.io/controls": "CM-5(3),CM-7(2),CM-7(5),CM-11,SRG-APP-000456-CTR-001125,5.5.1,SYS.1.6.A6,2.2.1,2.2,CNTR-OS-000890,CNTR-OS-000900",
"policies.open-cluster-management.io/standards": "NIST-800-53,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-ocp-insecure-allowed-registries-for-import
"control.compliance.openshift.io/BSI": "APP.4.4.A12;SYS.1.6.A6",
"policies.open-cluster-management.io/controls": "CM-5(3),SRG-APP-000014-CTR-000035,5.5.1,APP.4.4.A12,SYS.1.6.A6,2.2.1,2.2,CNTR-OS-000010",
"policies.open-cluster-management.io/standards": "NIST-800-53,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-ocp-insecure-registries
"control.compliance.openshift.io/BSI": "APP.4.4.A12;SYS.1.6.A6",
"policies.open-cluster-management.io/controls": "CM-5(3),SRG-APP-000014-CTR-000035,5.5.1,APP.4.4.A12,SYS.1.6.A6,2.2.1,2.2,CNTR-OS-000010",
"policies.open-cluster-management.io/standards": "NIST-800-53,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-project-config-and-template-network-policy
"control.compliance.openshift.io/BSI": "APP.4.4.A7",
"policies.open-cluster-management.io/controls": "SRG-APP-000039-CTR-000110,APP.4.4.A7,CNTR-OS-000110",
"policies.open-cluster-management.io/standards": "STIG,BSI"
Rule: upstream-ocp4-rbac-cluster-roles-defined
"control.compliance.openshift.io/BSI": "SYS.1.6.A8",
"policies.open-cluster-management.io/controls": "Req-7.1.1,SYS.1.6.A8,7.2.1,7.2",
"policies.open-cluster-management.io/standards": "PCI-DSS,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-rbac-least-privilege
"control.compliance.openshift.io/BSI": "APP.4.4.A3;APP.4.4.A7;APP.4.4.A9;SYS.1.6.A8",
"policies.open-cluster-management.io/controls": "AC-3,CM-5(6),IA-2,IA-2(5),AC-6(10),CM-11(2),CM-5(1),CM-7(5)(b),SRG-APP-000033-CTR-000090,SRG-APP-000033-CTR-000095,SRG-APP-000033-CTR-000100,SRG-APP-000133-CTR-000290,SRG-APP-000133-CTR-000295,SRG-APP-000133-CTR-000300,SRG-APP-000133-CTR-000305,SRG-APP-000133-CTR-000310,SRG-APP-000148-CTR-000350,SRG-APP-000153-CTR-000375,SRG-APP-000340-CTR-000770,SRG-APP-000378-CTR-000880,SRG-APP-000378-CTR-000885,SRG-APP-000378-CTR-000890,SRG-APP-000380-CTR-000900,SRG-APP-000386-CTR-000920,5.2.10,APP.4.4.A3,APP.4.4.A7,APP.4.4.A9,SYS.1.6.A8,2.2.1,2.2,CNTR-OS-000090",
"policies.open-cluster-management.io/standards": "NIST-800-53,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-rbac-limit-cluster-admin
"control.compliance.openshift.io/BSI": "SYS.1.6.A8",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),CM-8(3),Req-2.2,Req-7.1.2,Req-10.5.1,SRG-APP-000516-CTR-001325,5.1.1,SYS.1.6.A8,2.2.1,2.2,10.3.1,10.3",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-rbac-limit-secrets-access
"control.compliance.openshift.io/BSI": "SYS.1.6.A8",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),Req-2.2,SRG-APP-000516-CTR-001325,5.1.2,SYS.1.6.A8,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-rbac-roles-defined
"control.compliance.openshift.io/BSI": "SYS.1.6.A8",
"policies.open-cluster-management.io/controls": "Req-7.1.1,SYS.1.6.A8,7.2.1,7.2",
"policies.open-cluster-management.io/standards": "PCI-DSS,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-rbac-wildcard-use
"control.compliance.openshift.io/BSI": "APP.4.4.A9;SYS.1.6.A8",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),Req-2.2,SRG-APP-000516-CTR-001325,5.1.3,APP.4.4.A9,SYS.1.6.A8,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-reject-unsigned-images-by-default
"control.compliance.openshift.io/BSI": "SYS.1.6.A6",
"policies.open-cluster-management.io/controls": "CM-5(3),CM-7(2),CM-7(5),CM-11,SA-10(1),SRG-APP-000131-CTR-000285,SYS.1.6.A6,CNTR-OS-000360",
"policies.open-cluster-management.io/standards": "NIST-800-53,STIG,BSI"
Rule: upstream-ocp4-scansetting-has-autoapplyremediations
"control.compliance.openshift.io/BSI": "APP.4.4.A13",
"policies.open-cluster-management.io/controls": "APP.4.4.A13",
"policies.open-cluster-management.io/standards": "BSI"
Rule: upstream-ocp4-scansettingbinding-exists
"control.compliance.openshift.io/BSI": "APP.4.4.A13",
"policies.open-cluster-management.io/controls": "CIP-003-8 R1.3,CIP-003-8 R4.3,CIP-003-8 R6,CIP-004-6 4.1,CIP-004-6 4.2,CIP-004-6 R3,CIP-004-6 R4,CIP-004-6 R4.2,CIP-005-6 R1,CIP-005-6 R1.1,CIP-005-6 R1.2,CIP-007-3 R3,CIP-007-3 R3.1,CIP-007-3 R6.1,CIP-007-3 R8.4,CM-6,CM-6(1),RA-5,RA-5(5),SA-4(8),Req-2.2.4,SRG-APP-000472-CTR-001170,APP.4.4.A13,2.2.1,2.2.6,2.2,CNTR-OS-000910",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-scansettings-have-schedule
"control.compliance.openshift.io/BSI": "APP.4.4.A13",
"policies.open-cluster-management.io/controls": "SI-6(b),SRG-APP-000473-CTR-001175,APP.4.4.A13,CNTR-OS-000920",
"policies.open-cluster-management.io/standards": "NIST-800-53,STIG,BSI"
Rule: upstream-ocp4-scc-drop-container-capabilities
"control.compliance.openshift.io/BSI": "APP.4.4.A9",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),Req-2.2,SRG-APP-000516-CTR-001325,5.2.9,APP.4.4.A9,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-scc-limit-container-allowed-capabilities
"control.compliance.openshift.io/BSI": "APP.4.4.A9",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),Req-2.2,SRG-APP-000516-CTR-001325,5.2.8,APP.4.4.A9,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-scc-limit-host-dir-volume-plugin
"control.compliance.openshift.io/BSI": "APP.4.4.A4;APP.4.4.A9",
"policies.open-cluster-management.io/controls": "AC-6,AC-6(1),SRG-APP-000142-CTR-000330,5.2.12,APP.4.4.A4,APP.4.4.A9,CNTR-OS-000660",
"policies.open-cluster-management.io/standards": "NIST-800-53,STIG,CIS-OCP,BSI"
Rule: upstream-ocp4-scc-limit-host-ports
"control.compliance.openshift.io/BSI": "APP.4.4.A9",
"policies.open-cluster-management.io/controls": "CM-6,CM-6(1),SRG-APP-000142-CTR-000330,APP.4.4.A9,CNTR-OS-000660",
"policies.open-cluster-management.io/standards": "NIST-800-53,STIG,BSI"
Rule: upstream-ocp4-scc-limit-ipc-namespace
"control.compliance.openshift.io/BSI": "APP.4.4.A4;APP.4.4.A9",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),Req-2.2,SRG-APP-000516-CTR-001325,5.2.3,APP.4.4.A4,APP.4.4.A9,2.2.1,2.2,CNTR-OS-000660",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-scc-limit-net-raw-capability
"control.compliance.openshift.io/BSI": "APP.4.4.A4;APP.4.4.A9",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),Req-2.2,SRG-APP-000516-CTR-001325,5.2.7,APP.4.4.A4,APP.4.4.A9,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-scc-limit-network-namespace
"control.compliance.openshift.io/BSI": "APP.4.4.A4;APP.4.4.A9",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),Req-2.2,SRG-APP-000142-CTR-000330,5.2.4,APP.4.4.A4,APP.4.4.A9,2.2.1,2.2,CNTR-OS-000660",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-scc-limit-privilege-escalation
"control.compliance.openshift.io/BSI": "APP.4.4.A9",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),Req-2.2,SRG-APP-000516-CTR-001325,5.2.5,APP.4.4.A9,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-scc-limit-privileged-containers
"control.compliance.openshift.io/BSI": "APP.4.4.A4;APP.4.4.A9",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),Req-2.2,SRG-APP-000342-CTR-000775,SRG-APP-000142-CTR-000330,5.2.1,APP.4.4.A4,APP.4.4.A9,2.2.1,2.2,CNTR-OS-000660",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-scc-limit-process-id-namespace
"control.compliance.openshift.io/BSI": "APP.4.4.A4;APP.4.4.A9",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),Req-2.2,SRG-APP-000516-CTR-001325,5.2.2,APP.4.4.A4,APP.4.4.A9,2.2.1,2.2,CNTR-OS-000660",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-scc-limit-root-containers
"control.compliance.openshift.io/BSI": "APP.4.4.A4;APP.4.4.A9",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),Req-2.2,SRG-APP-000342-CTR-000775,5.2.6,APP.4.4.A4,APP.4.4.A9,2.2.1,2.2,CNTR-OS-000660",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-secrets-consider-external-storage
"control.compliance.openshift.io/BSI": "SYS.1.6.A8",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),Req-2.2,SRG-APP-000516-CTR-001325,5.4.2,SYS.1.6.A8,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-secrets-no-environment-variables
"control.compliance.openshift.io/BSI": "SYS.1.6.A8",
"policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),Req-2.2,SRG-APP-000516-CTR-001325,5.4.1,SYS.1.6.A8,2.2.1,2.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,STIG,CIS-OCP,BSI,PCI-DSS-4-0"
Rule: upstream-ocp4-tls-version-check-apiserver
"control.compliance.openshift.io/BSI": "APP.4.4.A17",
"policies.open-cluster-management.io/controls": "Req-4.1,APP.4.4.A17,4.2.1,4.2",
"policies.open-cluster-management.io/standards": "PCI-DSS,BSI,PCI-DSS-4-0"
Rule: upstream-rhcos4-coreos-enable-selinux-kernel-argument
"control.compliance.openshift.io/BSI": "APP.4.4.A4;SYS.1.6.A3",
"policies.open-cluster-management.io/controls": "CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.2.3,CIP-004-6 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.2,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3,AC-3,AC-3(3)(a),SRG-APP-000233-CTR-000585,APP.4.4.A4,SYS.1.6.A3,CNTR-OS-000540",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,STIG,BSI"
Rule: upstream-rhcos4-selinux-policytype
"control.compliance.openshift.io/BSI": "APP.4.4.A4;SYS.1.6.A3",
"policies.open-cluster-management.io/controls": "CIP-003-8 R5.1.1,CIP-003-8 R5.2,CIP-003-8 R5.3,CIP-004-6 R2.2.3,CIP-004-6 R2.3,CIP-004-6 R3.3,CIP-007-3 R5.1,CIP-007-3 R5.1.2,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3,CIP-007-3 R6.5,AC-3,AC-3(3)(a),AU-9,SC-7(21),SRG-APP-000233-CTR-000585,APP.4.4.A4,SYS.1.6.A3,1.2.6,1.2,CNTR-OS-000540",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,STIG,BSI,PCI-DSS-4-0"
Rule: upstream-rhcos4-selinux-state
"control.compliance.openshift.io/BSI": "APP.4.4.A4;SYS.1.6.A3",
"policies.open-cluster-management.io/controls": "CIP-003-8 R5.1.1,CIP-003-8 R5.2,CIP-003-8 R5.3,CIP-004-6 R2.2.3,CIP-004-6 R2.3,CIP-004-6 R3.3,CIP-007-3 R5.1,CIP-007-3 R5.1.2,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3,CIP-007-3 R6.5,AC-3,AC-3(3)(a),AU-9,SC-7(21),APP.4.4.A4,SYS.1.6.A3,1.2.6,1.2,CNTR-OS-000540",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,BSI,PCI-DSS-4-0,STIG"
Rule: upstream-rhcos4-service-firewalld-enabled
"control.compliance.openshift.io/BSI": "SYS.1.6.A5",
"policies.open-cluster-management.io/controls": "CIP-003-8 R4,CIP-003-8 R5,CIP-004-6 R3,AC-4,CM-7(b),CA-3(5),SC-7(21),CM-6(a),SYS.1.6.A5,1.2.1,1.2",
"policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,BSI,PCI-DSS-4-0"
/unhold /label qe-approved
@rhmdnd @Vincent056 should be good to go
This adds BSI to the standards annotation:
policies.open-cluster-management.io/standards: BSI
And adds the requirement number to the following annotations:
control.compliance.openshift.io/BSI
policies.open-cluster-management.io/controls
For example:
$ oc get rule upstream-ocp4-kubeadmin-removed -oyaml