sig-bsi-grundschutz / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://www.open-scap.org/security-policies/scap-security-guide

APP.4.4.A17 #43

Closed sluetze closed 2 weeks ago

ermeratos commented 10 months ago

Nodes SHOULD send a cryptographically secured (and, if possible, TPM-verified) status message to the control plane.

This is already achieved natively by using RHCOS.

The control plane SHOULD ONLY accept nodes into a cluster that have successfully proven their integrity

Nodes need to authenticate with a certificate.

benruland commented 10 months ago

For sentence 1, we could verify security on the relevant components that are associated with that process (relevant config files on nodes and control plane, TLS config on both sides):

For sentence 2, we could check if the File Integrity Operator is installed, rule:
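One way the sentence-2 check could be evaluated, as an added example that is not ComplianceAsCode content or the rule referenced above: it inspects constructed OpenShift API objects (an OLM ClusterServiceVersion list and a FileIntegrity CR list; the field names are assumptions to verify against a real cluster) and reports whether the File Integrity Operator is installed and actively scanning nodes.

```python
"""Evaluate 'File Integrity Operator installed and active' from API objects."""
from typing import Any, Dict, List

# Constructed sample data shaped like the OLM ClusterServiceVersion list
# and the FileIntegrity custom resource list (assumed field layout).
SAMPLE_CSVS: List[Dict[str, Any]] = [
    {"metadata": {"name": "file-integrity-operator.v1.3.3",
                  "namespace": "openshift-file-integrity"},
     "status": {"phase": "Succeeded"}},
]
SAMPLE_FILEINTEGRITIES: List[Dict[str, Any]] = [
    {"metadata": {"name": "worker-fileintegrity",
                  "namespace": "openshift-file-integrity"},
     "spec": {"nodeSelector": {"node-role.kubernetes.io/worker": ""}},
     "status": {"phase": "Active"}},
]


def operator_installed(csvs: List[Dict[str, Any]]) -> bool:
    """True if a CSV for the operator has reached the Succeeded phase."""
    return any(
        csv["metadata"]["name"].startswith("file-integrity-operator")
        and csv.get("status", {}).get("phase") == "Succeeded"
        for csv in csvs
    )


def active_file_integrities(fis: List[Dict[str, Any]]) -> List[str]:
    """Names of FileIntegrity objects whose status phase is Active."""
    return [fi["metadata"]["name"] for fi in fis
            if fi.get("status", {}).get("phase") == "Active"]


def evaluate(csvs: List[Dict[str, Any]],
             fis: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Combine both conditions into a single pass/fail finding."""
    installed = operator_installed(csvs)
    active = active_file_integrities(fis) if installed else []
    return {"operator_installed": installed,
            "active_file_integrities": active,
            "result": "pass" if installed and active else "fail"}


if __name__ == "__main__":
    print(evaluate(SAMPLE_CSVS, SAMPLE_FILEINTEGRITIES))
    print(evaluate([], SAMPLE_FILEINTEGRITIES))  # operator missing
```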

benruland commented 7 months ago

Implementation completed in https://github.com/ComplianceAsCode/content/pull/11659

benruland commented 3 months ago

During rebasing, I accidentally closed the previous PR. For better reviewability, I created a new PR: https://github.com/ComplianceAsCode/content/pull/12153

sluetze commented 2 weeks ago

/close as upstream is merged