sig-bsi-grundschutz / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://www.open-scap.org/security-policies/scap-security-guide

SYS.1.6.A12 #12

Open sluetze opened 11 months ago

benruland commented 10 months ago

The sources of images that have been classified as trusted and SHOULD be adequately documented along with the corresponding reasons.

This requirement needs to be addressed on an organizational level.

An idea for a rule:

In addition, the process of how images or the software components contained in an image are obtained from trusted sources and eventually deployed to a productive environment SHOULD be adequately documented.

This requirement needs to be addressed on an organizational level.

Images used SHOULD have metadata that makes their function and history traceable.

This requirement cannot be checked using the compliance operator. However, the existence of certain image labels should be checked with a container security solution.

signatures SHOULD secure each image against modification.

Signed images: can we check something here?

sluetze commented 10 months ago

signatures SHOULD secure each image against modification.

we could create a rule which checks if the openshift cluster is configured to reject unsigned images: https://docs.openshift.com/container-platform/4.14/security/container_security/security-container-signature.html

ermeratos commented 9 months ago

applications/openshift/integrity/

rules:
- reject_unsigned_images_by_default
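
The check that sluetze's comment and the `reject_unsigned_images_by_default` rule name above describe, as an added illustration (not the rule from the linked branch or PR, which ComplianceAsCode would express as OVAL against the cluster's MachineConfig): the node's `/etc/containers/policy.json` must have a `reject` default and only `signedBy` entries for the registries it trusts. The two policies below are constructed samples; the assumption that the `docker-daemon` transport (locally loaded images) is exempt follows the layout of the policy in the OpenShift signature-verification guide and should be adjusted to your own baseline.

```python
import json

# Constructed sample policies in containers/image policy.json format.
# The first is the permissive default shipped with many hosts.
WEAK_POLICY = json.dumps({
    "default": [{"type": "insecureAcceptAnything"}],
    "transports": {"docker-daemon": {"": [{"type": "insecureAcceptAnything"}]}},
})

# The second rejects everything not explicitly signed by a trusted key.
HARDENED_POLICY = json.dumps({
    "default": [{"type": "reject"}],
    "transports": {
        "docker": {
            "registry.access.redhat.com": [{
                "type": "signedBy",
                "keyType": "GPGKeys",
                "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release",
            }]
        },
        "docker-daemon": {"": [{"type": "insecureAcceptAnything"}]},
    },
})

# Transports that are allowed to stay permissive (assumption, see lead-in).
EXEMPT_TRANSPORTS = {"docker-daemon"}


def policy_findings(policy_text):
    """Return a list of findings for a policy.json document; empty means
    the cluster node rejects unsigned images by default."""
    policy = json.loads(policy_text)
    findings = []

    default = policy.get("default", [])
    if not any(req.get("type") == "reject" for req in default):
        findings.append("default policy does not reject unsigned images")

    for transport, scopes in policy.get("transports", {}).items():
        if transport in EXEMPT_TRANSPORTS:
            continue
        for scope, reqs in scopes.items():
            for req in reqs:
                kind = req.get("type")
                if kind == "insecureAcceptAnything":
                    findings.append(f"{transport}:{scope} accepts unsigned images")
                elif kind == "signedBy" and not (req.get("keyPath") or req.get("keyData")):
                    findings.append(f"{transport}:{scope} signedBy entry has no key")
    return findings
```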

lichtblaugue commented 1 month ago

Pushed new branch https://github.com/sig-bsi-grundschutz/content/commit/db3cb46e8c4ebe85f9f4496fcc511c5943e2b5cf

lichtblaugue commented 1 month ago

Create a new branch, now based on master https://github.com/sig-bsi-grundschutz/content/tree/sys-1-6-A12-A13

lichtblaugue commented 1 month ago

correct link https://github.com/sig-bsi-grundschutz/content/tree/sys-1-6-A12-A13new

sluetze commented 3 weeks ago

https://github.com/ComplianceAsCode/content/pull/12370