sig-bsi-grundschutz / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://www.open-scap.org/security-policies/scap-security-guide

APP.4.4.A13 #39

Closed sluetze closed 1 month ago

nrrso commented 7 months ago

There SHOULD be an automated audit that checks the settings of nodes, of Kubernetes, and of the pods of applications against a defined list of allowed settings and standardised benchmarks.

# applications/openshift/risk-assessment/
rules:
- scansettingbinding_exists
- scansettings_have_schedule
- container_security_operator_exists

Kubernetes SHOULD enforce these established rules in each cluster by connecting appropriate tools.

This sentence is a bit vague. Sounds like a manual check.

benruland commented 7 months ago

The first control might inherently be met, if a customer is using compliance operator with our now created BSI ruleset.

ermeratos commented 7 months ago

The quick check guide mentions Red Hat ACM and ACS. Since the rules are not really specified, we could just check for the general presence of policies or ACM/ACS. However, I'm still undecided because ACM/ACS has to be licensed separately, right?

sluetze commented 5 months ago

There SHOULD be an automatic audit of the settings of the nodes, Kubernetes and the application pods against a defined list of permitted settings and against standardized benchmarks.

OpenShift provides an audit log file for all actions carried out. The audit configuration of the OpenShift API server and the nodes can be done centrally from ACM on a policy-based basis when using multiple clusters. Alternatively, the audit settings should be configured and activated for each cluster.

Red Hat Advanced Cluster Security for Kubernetes (ACS) can check all managed resources against standardized and customized benchmarks. Violations are reported via OpenShift monitoring and documented in the violation log in ACS. Some of the benchmarks are included; they can also be obtained from the community and supplemented with your own definitions.

In addition, the Compliance Operator is an available tool that can automatically check the settings of the OpenShift cluster against a defined profile at configurable time intervals. This profile can be one of the profiles supplied (e.g. Essentials 8, Center for Internet Security and others) or a profile tailored to your own needs.

Kubernetes SHOULD enforce the established rules in the cluster by connecting suitable tools.

Using Red Hat Advanced Cluster Management for Kubernetes (ACM), policies can be created for all managed resources, which are then enforced when the resources are created.

sluetze commented 5 months ago
# applications/openshift/risk-assessment/
rules:
- scansettingbinding_exists
- scansettings_have_schedule
- container_security_operator_exists

imho, container_security_operator_exists is not required here, since it is out of scope for enforcing the configuration. Also I do not think that ACM/ACS checks are required here.

I think the second requirement can be ensured by using autoapplyremediations of the compliance-operator profile. There is no rule for that, I'll add one.
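As an added illustration (not from the issue or the ComplianceAsCode repository), this is what the Compliance Operator objects that the rules above look for could look like: a ScanSetting with a schedule and remediations auto-applied, bound to a profile through a ScanSettingBinding. The namespace openshift-compliance is the operator's default; the profile name ocp4-cis and the schedule are assumptions chosen for the example.

```yaml
# Constructed example; not taken from the project or the issue.
# ScanSetting: how and when scans run. The scansettings_have_schedule
# rule checks that "schedule" is set, so the audit (first requirement)
# recurs instead of running once.
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSetting
metadata:
  name: bsi-enforcing
  namespace: openshift-compliance
# Enforcement (second requirement): with autoApplyRemediations the
# operator applies the MachineConfig remediations it generates. With
# "false" (the default) it only reports findings, i.e. audit only.
autoApplyRemediations: true
# Re-apply remediations when the content bundle is updated.
autoUpdateRemediations: true
# Cron schedule; assumed value, runs nightly at 01:00.
schedule: "0 1 * * *"
# Node roles whose MachineConfigPools are scanned.
roles:
  - worker
  - master
rawResultStorage:
  size: 1Gi
  rotation: 3
---
# ScanSettingBinding: ties profiles to the ScanSetting above. The
# scansettingbinding_exists rule checks that such a binding is present.
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: bsi-enforcing
  namespace: openshift-compliance
profiles:
  # Assumed profile name; replace with the profile the cluster should follow.
  - name: ocp4-cis
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: bsi-enforcing
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
```

Remediations that change MachineConfigs trigger node reboots when applied, so autoApplyRemediations is normally combined with a maintenance-window schedule rather than left at the operator default.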

sluetze commented 1 month ago

for reasons this was included in https://github.com/ComplianceAsCode/content/pull/11559