sig-bsi-grundschutz / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://www.open-scap.org/security-policies/scap-security-guide

SYS.1.6.A16 #16

Open sluetze opened 10 months ago

sluetze commented 1 month ago

Administrative access from a container to the container host and vice versa SHOULD in principle be viewed as administrative remote access.

Application containers can only access administrative services remotely. Privileged containers can gain access to the host, the host's file system, or the host's network. This is necessary, for example, for the infrastructure services of OpenShift (ingress router). Normal applications (application containers) may not receive such permissions.

There SHOULD NOT be remote administrative access to the container host from a container.

This requirement must be partially implemented organizationally and should be part of the guideline defined in SYS.1.6.A10. There may be exceptions for applications that should/need to make configurations to Kubernetes resources. This means they have administrative remote access to the corresponding Kubernetes resources. Remote access is controlled by Kubernetes and backup takes place via the Kubernetes functionalities (see module APP.4.4). The operating system including Mandatory Access Control is optimized as a runtime environment for Kubernetes. In general, it is possible to limit the provision/post-installation of remote access programs in the container.

Application containers SHOULD not contain any remote maintenance access.

This requirement should also be included in the policy described in SYS.1.6.A10. OpenShift only allows access to the configured ports. A container that provides remote maintenance access to these ports may not be released. Application containers should be administered exclusively via the container runtime. Using a policy, known remote access ports (e.g. 22, RDP, etc.) can be reported via ACS and their use prevented.

Administrative access to application containers SHOULD always take place via the container runtime.

This is standard in OpenShift environments. OpenShift offers a terminal login via the oc administration tool. Communication runs via the control plane to the container and is both authenticated and authorized.
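An added audit check, written for this page and not code from the issue author or the ComplianceAsCode project, that applies the comment's two technical points to pod manifests: application containers must not get host access (privileged, host namespaces, hostPath), and no container should expose known remote-maintenance ports. The infrastructure-namespace allowlist, the port list, and the sample pods are constructed assumptions.

```python
"""Audit pod specs (dict form of the YAML) for SYS.1.6.A16 findings."""
from typing import Dict, List

# Assumption: namespaces whose pods are infrastructure containers and may
# legitimately need host access (e.g. the OpenShift ingress router).
INFRA_NAMESPACES = {"openshift-ingress", "openshift-sdn"}
# Assumption: ports treated as remote-maintenance access (SSH, RDP, VNC).
REMOTE_ACCESS_PORTS = {22, 3389, 5900}


def audit_pod(pod: Dict) -> List[str]:
    """Return one finding string per violation found in a single pod."""
    meta, spec = pod.get("metadata", {}), pod.get("spec", {})
    ns = meta.get("namespace", "default")
    name = f"{ns}/{meta.get('name', '<unnamed>')}"
    is_app = ns not in INFRA_NAMESPACES  # application vs. infrastructure pod
    findings: List[str] = []
    # Pod-level host namespace access is only acceptable for infrastructure pods.
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if is_app and spec.get(key):
            findings.append(f"{name}: application pod requests {key}")
    # hostPath volumes give the container the host's file system.
    for vol in spec.get("volumes", []):
        if is_app and "hostPath" in vol:
            findings.append(f"{name}: application pod mounts hostPath {vol['hostPath'].get('path')}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c.get("name", "<unnamed>")
        if is_app and c.get("securityContext", {}).get("privileged"):
            findings.append(f"{name}/{cname}: privileged application container")
        # Remote-maintenance ports are flagged regardless of namespace.
        for p in c.get("ports", []):
            if p.get("containerPort") in REMOTE_ACCESS_PORTS:
                findings.append(f"{name}/{cname}: exposes remote-maintenance port {p['containerPort']}")
    return findings


def audit_all(pods: List[Dict]) -> List[str]:
    return [f for pod in pods for f in audit_pod(pod)]


# Constructed sample manifests: an infra router, a misconfigured app, a clean app.
SAMPLE_PODS = [
    {"metadata": {"name": "router-default", "namespace": "openshift-ingress"},
     "spec": {"hostNetwork": True, "containers": [{"name": "router",
              "securityContext": {"privileged": True}, "ports": [{"containerPort": 443}]}]}},
    {"metadata": {"name": "legacy-app", "namespace": "shop"},
     "spec": {"volumes": [{"name": "root", "hostPath": {"path": "/"}}],
              "containers": [{"name": "app", "securityContext": {"privileged": True},
                              "ports": [{"containerPort": 8080}, {"containerPort": 22}]}]}},
    {"metadata": {"name": "web", "namespace": "shop"},
     "spec": {"containers": [{"name": "web", "ports": [{"containerPort": 8080}]}]}},
]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_PODS):
        print(finding)
```

Feeding it real manifests is a matter of loading `oc get pods -A -o json` and passing each item to `audit_pod`; the three findings for `shop/legacy-app` are the cases the comment says an application container must not have.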