Defined notes and rules for BSI SYS.1.6.A26

[sluetze]

Description:

Added notes and controls for BSI SYS.1.6 A17-A21

Rationale:

As we have multiple customers asking for a BSI profile to be included in the compliance-operator, we are contributing a profile. To provide a better review process, the individual controle are implemented as separate PRs.

• https://github.com/sig-bsi-grundschutz/content/issues/26

Review Hints:

sandboxed_containers_operator_configured:

• needs additional permissions these are in https://github.com/ComplianceAsCode/compliance-operator/pull/618
• the e2e test can take a long time, as it adds a mcp and needs to restart all nodes. The timeout is 3600s which is quite long and might need adjustments
• for the compliancecheck to succeed the finish of mcp is not needed, thus we might delete that testing alltogether
• OR adjust the compliancecheck to check if nodes provide the separation... which is another level of complication and access permissions
• the compliancecheck checks for a kataconfig, but this is only enough on baremetal deployments. on Azure, AWS, IBM Z and IBM LinuxOne there are additional configurations needed, which we do not check for (peerpods, and others)

[openshift-ci[bot]]

Hi @sluetze. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

[github-actions[bot]]

Start a new ephemeral environment with changes proposed in this pull request:

ocp4 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[github-actions[bot]]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

```diff New content has different text for rule 'xccdf_org.ssgproject.content_rule_general_node_separation'. --- xccdf_org.ssgproject.content_rule_general_node_separation +++ xccdf_org.ssgproject.content_rule_general_node_separation @@ -15,5 +15,8 @@ [reference]: SYS.1.6.A3 +[reference]: +SYS.1.6.A26 + [rationale]: Assigning workloads with high protection requirements to specific nodes creates and additional boundary (the node) between workloads of high protection requirements and workloads which might follow less strict requirements. An adversary which attacked a lighter protected workload now has additional obstacles for their movement towards the higher protected workloads. ```

[codeclimate[bot]]

Code Climate has analyzed commit 575d3f7c and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.5% (0.0% change).

View more on Code Climate.