sig-bsi-grundschutz / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://www.open-scap.org/security-policies/scap-security-guide

SYS.1.6.A8 #8

Closed sluetze closed 3 weeks ago

sluetze commented 3 months ago

Credentials MUST be stored and managed so that only authorized people and containers can access them.

OpenShift offers secrets that are only available to the containers and the people authorized via RBAC in the tenant or project (client).

In particular, it MUST be ensured that access data is only stored in specially protected locations and not in the images.

This requirement must be enforced as part of application development. OpenShift offers suitable mechanisms (secrets) with encryption of the etcd store if necessary.

The credential management mechanisms provided by the container service management software SHOULD be used.

OpenShift offers corresponding mechanisms (secrets). Unless the secrets are dynamically generated, third-party/community tools such as SealedSecrets or HashiCorp Vault can help securely deploy the secrets.

At least the following credentials MUST be stored securely:

- passwords of all accounts,
- API keys for services used by the application,
- keys for symmetric encryption, as well as
- private keys for public key authentication.

This requirement must be implemented organizationally.

All of this information can and should be managed in Secrets.
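The comment above maps the requirement onto two checkable conditions: credentials in a workload must come from a Secret (not a literal or a ConfigMap), and they must not be baked into the image. The following Python script is an added illustration of how a reviewer could check both conditions on a manifest and a Dockerfile; it is not part of ComplianceAsCode/content or of OpenShift, and the sample Deployment, the sample Dockerfile and the credential-name heuristic are constructed for this example.

```python
"""Check that credential-looking settings are sourced from Secrets, not literals.

Constructed example for the SYS.1.6.A8 discussion above; not ComplianceAsCode
content and not an OpenShift API. Heuristic: the variable name decides what
counts as a credential, so tune CREDENTIAL_NAME for your own naming scheme.
"""
from __future__ import annotations

import re
from typing import Any

# Env var / build-arg names that usually carry credentials (constructed heuristic).
CREDENTIAL_NAME = re.compile(
    r"(passw(or)?d|secret|token|api[_-]?key|private[_-]?key|credential)", re.IGNORECASE
)


def _pod_spec(manifest: dict[str, Any]) -> dict[str, Any]:
    """Return the pod spec for a Pod or for a workload that embeds a pod template."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})  # Deployment, StatefulSet, Job, ...


def manifest_findings(manifest: dict[str, Any]) -> list[str]:
    """Flag credential-named env vars that are not read from a Secret via secretKeyRef."""
    findings: list[str] = []
    kind = manifest.get("kind", "<unknown>")
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    pod = _pod_spec(manifest)
    for container in pod.get("initContainers", []) + pod.get("containers", []):
        for env in container.get("env", []):
            var = env.get("name", "")
            if not CREDENTIAL_NAME.search(var):
                continue
            source = env.get("valueFrom", {})
            if "secretKeyRef" in source:
                continue  # stored in a Secret: this is what the requirement asks for
            where = "ConfigMap" if "configMapKeyRef" in source else "literal value"
            findings.append(
                f"{kind}/{name} container {container.get('name')}: {var} set from {where}"
            )
    return findings


def dockerfile_findings(dockerfile: str) -> list[str]:
    """Flag ENV/ARG instructions that bake a credential-named value into the image."""
    findings: list[str] = []
    for lineno, line in enumerate(dockerfile.splitlines(), 1):
        # Matches both "ENV KEY=value" and the legacy "ENV KEY value" form.
        m = re.match(r"\s*(ENV|ARG)\s+([A-Za-z_][A-Za-z0-9_]*)\s*=?\s*(\S+)?", line)
        if m and CREDENTIAL_NAME.search(m.group(2)) and m.group(3):
            findings.append(
                f"Dockerfile line {lineno}: {m.group(1)} {m.group(2)} carries a value in the image"
            )
    return findings


# Constructed sample workload: one container uses a literal password, the other a Secret.
SAMPLE_DEPLOYMENT: dict[str, Any] = {
    "kind": "Deployment",
    "metadata": {"name": "shop"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "web", "env": [
            {"name": "DB_PASSWORD", "value": "hunter2"},
            {"name": "DB_HOST", "value": "db"},
        ]},
        {"name": "worker", "env": [
            {"name": "DB_PASSWORD",
             "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}},
            {"name": "API_TOKEN",
             "valueFrom": {"configMapKeyRef": {"name": "app-config", "key": "token"}}},
        ]},
    ]}}},
}

# Constructed sample Dockerfile: API_KEY is baked in, DB_PASSWORD is a value-less ARG.
SAMPLE_DOCKERFILE = """\
FROM registry.example/base:1.0
ARG BUILD_VERSION=1
ENV API_KEY=sk-constructed-example
ARG DB_PASSWORD
"""

if __name__ == "__main__":
    for finding in manifest_findings(SAMPLE_DEPLOYMENT) + dockerfile_findings(SAMPLE_DOCKERFILE):
        print(finding)
```

Run on the constructed samples, the script reports the literal `DB_PASSWORD` in the `web` container, the `API_TOKEN` read from a ConfigMap in the `worker` container, and the `ENV API_KEY` line in the Dockerfile; the `secretKeyRef` entry passes. A value-less `ARG` produces no finding because nothing is stored in the image layer, although anything passed at build time can still appear in the image history.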

sluetze commented 3 weeks ago

https://github.com/ComplianceAsCode/content/pull/12247 was merged, closing