sig-bsi-grundschutz / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://www.open-scap.org/security-policies/scap-security-guide

APP.4.4.A10 #36

Closed sluetze closed 4 months ago

benruland commented 10 months ago

All automation software processes, such as CI/CD and their pipelines, SHOULD only operate with the rights that are strictly necessary.

Needs to be addressed on an organizational level, adhering to the principle of least privilege for all service accounts. Example: deployment using a well-configured OpenShift GitOps instance.

If different user groups can change configurations or start pods via automation software, this SHOULD be done for each group through separate processes that only have the rights necessary for the respective user group.

Needs to be addressed on an organizational level.
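
The per-group, namespace-scoped rights described above, as an added illustration that is not part of this thread or of the ComplianceAsCode content (the namespace `team-a`, the ServiceAccount `pipeline-team-a` and the Role name are assumptions; the same pattern is repeated once per user group):

```yaml
# Added illustration, not from the thread or the ComplianceAsCode project.
# One pipeline ServiceAccount per team, bound only to a namespace-scoped
# Role in that team's namespace. Names below are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pipeline-team-a
  namespace: team-a
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pipeline-deployer
  namespace: team-a
rules:
  # Only what a deployment pipeline needs in its own namespace:
  # workloads and config. No secrets, no RBAC objects, no cluster scope.
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["configmaps", "services", "pods"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pipeline-team-a-deployer
  namespace: team-a
subjects:
  - kind: ServiceAccount
    name: pipeline-team-a
    namespace: team-a
roleRef:
  kind: Role
  name: pipeline-deployer
  apiGroup: rbac.authorization.k8s.io
```

A quick check that the boundary holds is `oc auth can-i get secrets -n team-b --as=system:serviceaccount:team-a:pipeline-team-a`, which should answer `no`.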

benruland commented 10 months ago

I have created a PR: ComplianceAsCode/content#11393

sluetze commented 10 months ago

Just a thought, but maybe this is too much: what about having checks to ensure a well-configured GitOps instance? This would make it harder for people who use other CIs, as they would have to exclude these rules.

sluetze commented 9 months ago

Discussed this with Benjamin. We can't make a well-configured GitOps/pipelines architecture because of too many possible good architectures. We won't add checks for this; it will stay org-only.

benruland commented 7 months ago

PR created: https://github.com/ComplianceAsCode/content/pull/11559

sluetze commented 4 months ago

merged upstream