Closed sluetze closed 6 months ago
This (manual) rule could also add value:
rbac_limit_cluster_admin
I think these rules might be relevant as well:
rules:
- idp_is_configured
- ocp_idp_no_htpasswd (not sure about this)
- ocp_no_ldap_insecure
There are other rules under openshift/authentication/*
which cover timeout, maxage and inactivity of oauth-tokens and make sense, but the control does not explicitly mention them, so I haven't included them.
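To make concrete what the three proposed automated rules would have to inspect, here is an added example (written for this discussion, not code from the issue or from ComplianceAsCode, whose real rules are expressed as OVAL/YAML checks) that evaluates an OpenShift `OAuth` cluster resource (`config.openshift.io/v1`, the object returned by `oc get oauth cluster -o json`) against `idp_is_configured`, `ocp_idp_no_htpasswd` and `ocp_no_ldap_insecure`. The function names mirror the rule IDs only for readability; the sample resources are constructed and the exact pass/fail semantics are an assumption based on the field names of the OAuth CR.

```python
"""Evaluate an OpenShift OAuth cluster resource against the rules under discussion.

Added example; not ComplianceAsCode's implementation. Field names follow the
config.openshift.io/v1 OAuth resource (spec.identityProviders[].type, .ldap.insecure,
.htpasswd.fileData). Sample resources are constructed, not captured from a cluster.
"""
from typing import Any, Callable

# ---- constructed sample resources (shaped like `oc get oauth cluster -o json`) ----
_BASE = {"apiVersion": "config.openshift.io/v1", "kind": "OAuth", "metadata": {"name": "cluster"}}

# Fresh cluster: no identity provider at all (only kubeadmin can log in).
OAUTH_NO_IDP: dict[str, Any] = {**_BASE, "spec": {}}

# Local htpasswd provider only.
OAUTH_HTPASSWD: dict[str, Any] = {**_BASE, "spec": {"identityProviders": [
    {"name": "local", "mappingMethod": "claim", "type": "HTPasswd",
     "htpasswd": {"fileData": {"name": "htpass-secret"}}}]}}

# LDAP provider that explicitly disables TLS (insecure: true), hypothetical hostnames.
OAUTH_LDAP_INSECURE: dict[str, Any] = {**_BASE, "spec": {"identityProviders": [
    {"name": "corp-ldap", "mappingMethod": "claim", "type": "LDAP",
     "ldap": {"url": "ldap://ldap.example.internal/ou=users,dc=example,dc=com?uid",
              "insecure": True, "bindDN": "cn=reader,dc=example,dc=com",
              "bindPassword": {"name": "ldap-secret"},
              "attributes": {"id": ["dn"], "preferredUsername": ["uid"]}}}]}}

# OpenID Connect provider plus LDAP over ldaps://, the configuration all three rules accept.
OAUTH_OIDC_AND_LDAPS: dict[str, Any] = {**_BASE, "spec": {"identityProviders": [
    {"name": "sso", "mappingMethod": "claim", "type": "OpenID",
     "openID": {"clientID": "openshift", "clientSecret": {"name": "oidc-secret"},
                "issuer": "https://sso.example.internal/realms/corp",
                "claims": {"preferredUsername": ["preferred_username"]}}},
    {"name": "corp-ldap", "mappingMethod": "claim", "type": "LDAP",
     "ldap": {"url": "ldaps://ldap.example.internal/ou=users,dc=example,dc=com?uid",
              "insecure": False, "ca": {"name": "ldap-ca"},
              "attributes": {"id": ["dn"], "preferredUsername": ["uid"]}}}]}}


def _idps(oauth: dict[str, Any]) -> list[dict[str, Any]]:
    """Return spec.identityProviders, tolerating a missing spec or a null list."""
    return oauth.get("spec", {}).get("identityProviders") or []


def idp_is_configured(oauth: dict[str, Any]) -> bool:
    """Pass when at least one identity provider exists (so kubeadmin can safely be removed)."""
    return len(_idps(oauth)) > 0


def ocp_idp_no_htpasswd(oauth: dict[str, Any]) -> bool:
    """Pass when no provider is of type HTPasswd (local password file on the cluster)."""
    return all(idp.get("type") != "HTPasswd" for idp in _idps(oauth))


def ocp_no_ldap_insecure(oauth: dict[str, Any]) -> bool:
    """Pass when no LDAP provider sets insecure: true.

    The flag, not the URL scheme, is what matters: with insecure false an ldap://
    URL is upgraded with StartTLS, while insecure true sends credentials in clear.
    """
    for idp in _idps(oauth):
        if idp.get("type") == "LDAP" and idp.get("ldap", {}).get("insecure", False):
            return False
    return True


RULES: dict[str, Callable[[dict[str, Any]], bool]] = {
    "idp_is_configured": idp_is_configured,
    "ocp_idp_no_htpasswd": ocp_idp_no_htpasswd,
    "ocp_no_ldap_insecure": ocp_no_ldap_insecure,
}


def evaluate(oauth: dict[str, Any]) -> dict[str, bool]:
    """Run every rule against one OAuth resource; True means pass."""
    return {name: check(oauth) for name, check in RULES.items()}


def failing(oauth: dict[str, Any]) -> list[str]:
    """Names of the rules the resource fails, in rule order."""
    return [name for name, ok in evaluate(oauth).items() if not ok]


if __name__ == "__main__":
    for label, res in [("no-idp", OAUTH_NO_IDP), ("htpasswd", OAUTH_HTPASSWD),
                       ("ldap-insecure", OAUTH_LDAP_INSECURE), ("oidc+ldaps", OAUTH_OIDC_AND_LDAPS)]:
        print(f"{label:14s} failing: {failing(res) or 'none'}")
```

Running it shows the tension raised in the thread: the fresh cluster fails only `idp_is_configured`, while the htpasswd-only cluster passes it and fails `ocp_idp_no_htpasswd`, so enforcing both leaves an administrator no path that keeps access without a non-local IDP.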
I am fine with idp_is_configured
since this might also stop people from removing kubeadmin without adding an IDP. Without IDP (no matter if htpasswd or not) and without kubeadmin, they lose access. I think with no_htpasswd we are overstretching the requirement.
ocp_no_ldap_insecure
is imho out of scope. This is more APP.2.3.A6, which is not in focus. Maybe because of the structure of BSI Grundschutz we might also have to take a look into other building blocks and add such rules. I'll also take this over into the customer meeting to get their input.
I agree to not include the timeout controls, since they are not mentioned.