fix bsi rhcos4 versioning and control usage

sig-bsi-grundschutz · Jan 8, 2024 · 702905f · 702905f
1 parent c52dcc6
commit 702905f
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 8 deletions.
diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml
@@ -83,7 +83,10 @@ controls:
     notes: >-
       Since these are OS based requirements, they are included in the rhcos4 bsi profile
     status: pending
-    # rules:
+    rules:
+      - coreos_enable_selinux_kernel_argument
+      - selinux_policytype
+      - selinux_state
 
   - id: APP.4.4.A5
     title: Backup in the Cluster

diff --git a/products/rhcos4/profiles/bsi-2022.profile b/products/rhcos4/profiles/bsi-2022.profile
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+title: 'DRAFT - BSI APP.4.4. and SYS.1.6'
+
+reference: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
+
+metadata:
+    SMEs:
+        - ermeratos
+        - benruland
+        - oliverbutanowitz
+        - sluetze
+    version: 2022
+
+description: |-
+    This profile defines a baseline that aligns to the BSI (Federal Office for Security Information) IT-Grundschutz
+    Basic-Protection.
+
+    This baseline implements OS-Level configuration requirements from the following
+    sources:
+
+    - Building-Block SYS.1.6 Containerisation
+    - Building-Block APP.4.4 Kubernetes
+
+    THIS DOES NOT INCLUDE REQUIREMENTS FOR A HARDENED LINUX FROM SYS.1.3 LINUX
+
+selections:
+    - bsi_app_4_4:all
+    - bsi_sys_1_6:all
+
+    # BSI APP.4.4.A4
+    - var_selinux_policy_name=targeted
+    - var_selinux_state=enforcing
diff --git a/products/rhcos4/profiles/bsi.profile b/products/rhcos4/profiles/bsi.profile
@@ -2,6 +2,16 @@ documentation_complete: true
 
 title: 'DRAFT - BSI APP.4.4. and SYS.1.6'
 
+reference: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
+
+metadata:
+    SMEs:
+        - ermeratos
+        - benruland
+        - oliverbutanowitz
+        - sluetze
+    version: 2022
+
 description: |-
     This profile defines a baseline that aligns to the BSI (Federal Office for Security Information) IT-Grundschutz
     Basic-Protection.
@@ -14,10 +24,4 @@ description: |-
 
     THIS DOES NOT INCLUDE REQUIREMENTS FOR A HARDENED LINUX FROM SYS.1.3 LINUX
 
-selections:
-    # BSI APP.4.4.A4
-    - coreos_enable_selinux_kernel_argument
-    - var_selinux_policy_name=targeted
-    - selinux_policytype
-    - var_selinux_state=enforcing
-    - selinux_state
+extends: bsi-2022