sig-bsi-grundschutz / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://www.open-scap.org/security-policies/scap-security-guide

APP.4.4.A12 #38

Closed sluetze closed 2 weeks ago

benruland commented 10 months ago

If a separate registry for images or automation software, persistent volume management, configuration file storage, or similar is in use, its protection SHOULD at least consider:
• Use of personal and service accounts for access
• Encrypted communication on all network ports
• Restrictive assignment of permissions to user and service accounts
• Logging of changes
• Regular data backups

This requirement needs to be addressed in the respective separate systems.

Of all the requirements, we could only check one: (Encrypted communication on all network ports for the image registry):

benruland commented 10 months ago

I have created a PR: ComplianceAsCode/content#11394

sluetze commented 9 months ago

Of all the requirements, we could only check one: (Encrypted communication on all network ports for the image registry):

I do not agree.

Use of personal and service accounts for access

rules:
# existing kubeadmin would show, that you do not follow personal and service accounts but may use a global privileged user
- kubeadmin_removed

Encrypted communication on all network ports

rules:
- ocp_insecure_registries
- ocp_insecure_allowed_registries_for_import
!!!!

Restrictive assignment of permissions to user and service accounts

rules:
- rbac_cluster_roles_defined
- rbac_roles_defined
- rbac_least_privilege
- rbac_limit_cluster_admin
- rbac_limit_secret_access
- rbac_wildcard_use

Logging of changes: this is auditing imho

rules:
- audit_profile_set
# for me it is debatable if additional rules could apply, like
# cluster_logging_operator_exist
# audit_error_alert_exists
# audit_log_forwarding_uses_tls

Regular data backups: there don't seem to be checks at the moment. But maybe it is useful to check if Velero APIs exist, or Red Hat OpenShift API for Data Protection is installed?
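To make the mapping above concrete, here is an added example (not code from the sig-bsi-grundschutz or ComplianceAsCode projects) that evaluates the "encrypted communication" rules and the proposed backup-tooling heuristic against captured cluster state. The rule semantics are my reading of the rule names: ocp_insecure_registries is taken to fail when spec.registrySources.insecureRegistries in image.config.openshift.io/cluster is non-empty, and ocp_insecure_allowed_registries_for_import when any spec.allowedRegistriesForImport entry sets insecure: true. The Velero/OADP CRD names and both resource documents are constructed sample data, not output from a real cluster.

```python
"""Worked check of two APP.4.4.A12 aspects on captured cluster state.

Added example, not a ComplianceAsCode rule implementation.
Assumptions (mine, not stated in the thread):
  - ocp_insecure_registries fails if image.config.openshift.io/cluster lists
    any entry under spec.registrySources.insecureRegistries.
  - ocp_insecure_allowed_registries_for_import fails if any entry of
    spec.allowedRegistriesForImport has insecure: true.
  - Backup tooling is detected by CRD presence; the CRD names below are
    assumed, not verified against a specific Velero/OADP release.
"""
import json

# Constructed sample: what `oc get image.config cluster -o json` might return
# on a cluster that trusts a plaintext internal registry (weak configuration).
IMAGE_CONFIG_WEAK = json.loads("""
{
  "apiVersion": "config.openshift.io/v1",
  "kind": "Image",
  "metadata": {"name": "cluster"},
  "spec": {
    "allowedRegistriesForImport": [
      {"domainName": "quay.io", "insecure": false},
      {"domainName": "registry.internal.example:5000", "insecure": true}
    ],
    "registrySources": {
      "insecureRegistries": ["registry.internal.example:5000"]
    }
  }
}
""")

# Constructed sample: the same resource after the plaintext exception is removed
# and the internal registry is only reachable over TLS.
IMAGE_CONFIG_HARDENED = {
    "apiVersion": "config.openshift.io/v1",
    "kind": "Image",
    "metadata": {"name": "cluster"},
    "spec": {
        "allowedRegistriesForImport": [
            {"domainName": "quay.io", "insecure": False},
            {"domainName": "registry.internal.example:5000", "insecure": False},
        ],
        "registrySources": {
            "allowedRegistries": ["quay.io", "registry.internal.example:5000"]
        },
    },
}

# Constructed CRD name lists (as `oc get crd -o name` would list them, prefix stripped).
CRDS_WITH_OADP = ["backups.velero.io", "restores.velero.io",
                  "dataprotectionapplications.oadp.openshift.io"]
CRDS_WITHOUT_BACKUP = ["machineconfigs.machineconfiguration.openshift.io"]

# Assumed marker CRDs for Velero and Red Hat OpenShift API for Data Protection.
BACKUP_CRDS = {"backups.velero.io", "dataprotectionapplications.oadp.openshift.io"}


def check_insecure_registries(image_config: dict) -> list[str]:
    """Findings for ocp_insecure_registries; an empty list means pass."""
    sources = image_config.get("spec", {}).get("registrySources", {})
    return [f"plaintext pull allowed from {r}"
            for r in sources.get("insecureRegistries", [])]


def check_allowed_registries_for_import(image_config: dict) -> list[str]:
    """Findings for ocp_insecure_allowed_registries_for_import; empty means pass."""
    entries = image_config.get("spec", {}).get("allowedRegistriesForImport", [])
    return [f"image import allowed from insecure {e.get('domainName')}"
            for e in entries if e.get("insecure") is True]


def check_backup_tooling(crd_names: list[str]) -> list[str]:
    """Heuristic for 'regular data backups': at least one backup CRD is installed."""
    present = BACKUP_CRDS.intersection(crd_names)
    return [] if present else ["no Velero/OADP CRDs found; backups unverifiable"]


def evaluate(image_config: dict, crd_names: list[str]) -> dict[str, list[str]]:
    """Run all checks; a key maps to an empty list when that check passes."""
    return {
        "ocp_insecure_registries": check_insecure_registries(image_config),
        "ocp_insecure_allowed_registries_for_import":
            check_allowed_registries_for_import(image_config),
        "backup_tooling_present": check_backup_tooling(crd_names),
    }


if __name__ == "__main__":
    for label, cfg, crds in (("weak", IMAGE_CONFIG_WEAK, CRDS_WITHOUT_BACKUP),
                             ("hardened", IMAGE_CONFIG_HARDENED, CRDS_WITH_OADP)):
        for rule, findings in evaluate(cfg, crds).items():
            verdict = "PASS" if not findings else "FAIL: " + "; ".join(findings)
            print(f"[{label}] {rule}: {verdict}")
```

The backup check is deliberately only a presence heuristic, as the thread suggests: an installed Velero or OADP CRD shows that backup tooling exists, not that backups run regularly or are restorable, so it can only back a "partial" status for that bullet.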

benruland commented 9 months ago

A broader opinion would certainly be useful here on whether we also consider the described requirements for Kubernetes and etcd, or only for external systems such as the registry etc. @oliverbutanowitz @ermeratos

sluetze commented 9 months ago

IG BVC:

The platform operator should use a central directory service for access management.

(https://wikijs.opencode.de/igbvc-app-4-4.pdf)

rules:
  - idp_is_configured

sluetze commented 9 months ago

@benruland, while the associated PR is merged upstream, we are missing a) the later-decided sectioning and b) the idp_is_configured rule (if you would also consider this a match).

How do we proceed? Shall I keep this issue open or do we recreate one?

Also: regarding whether this is relevant for external systems or also for Kubernetes, we should have talked with the customers at our meeting yesterday. Missed that opportunity, will add it to the notes.

benruland commented 3 weeks ago

@sluetze, from my understanding in our discussions we decided to keep the scope on OpenShift and not look at external systems like the container registry.

Hence, I would also not include the idp_is_configured rule, because the focus of that rule is OpenShift whereas the BSI control addresses external systems like the container registry.

If you agree, I will add the sectioning to my next PR which is for https://github.com/sig-bsi-grundschutz/content/issues/10

sluetze commented 3 weeks ago

Yes, you are right. It's external and thus the idp rule does not address it.