From 702905f4d8a15662e9eeee1065b03b63a995ad99 Mon Sep 17 00:00:00 2001
From: sluetze <13255307+sluetze@users.noreply.github.com>
Date: Mon, 8 Jan 2024 16:34:57 +0100
Subject: [PATCH] fix bsi rhcos4 versioning and control usage

---
 controls/bsi_app_4_4.yml | 5 +++-
 products/rhcos4/profiles/bsi-2022.profile | 33 +++++++++++++++++++++++
 products/rhcos4/profiles/bsi.profile | 18 ++++++++-----
 3 files changed, 48 insertions(+), 8 deletions(-)
 create mode 100644 products/rhcos4/profiles/bsi-2022.profile

diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml
index ef5d88264a0..40f934fc927 100644
--- a/controls/bsi_app_4_4.yml
+++ b/controls/bsi_app_4_4.yml
@@ -83,7 +83,10 @@ controls:
 notes: >-
 Since these are OS based requirements, they are included in the rhcos4 bsi profile
 status: pending
- # rules:
+ rules:
+ - coreos_enable_selinux_kernel_argument
+ - selinux_policytype
+ - selinux_state

 - id: APP.4.4.A5
 title: Backup in the Cluster
diff --git a/products/rhcos4/profiles/bsi-2022.profile b/products/rhcos4/profiles/bsi-2022.profile
new file mode 100644
index 00000000000..2962e4b69a8
--- /dev/null
+++ b/products/rhcos4/profiles/bsi-2022.profile
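Review bot: The three SELinux rules added under `rules:` in controls/bsi_app_4_4.yml are now selected by the control, but the values they are evaluated against (`var_selinux_policy_name=targeted`, `var_selinux_state=enforcing`) are set only in products/rhcos4/profiles/bsi-2022.profile. Any other profile that selects this control without repeating those two lines would, as far as this patch shows, fall back to the variables' defaults, so the enforcing/targeted requirement is not carried by the control itself. Consider listing `- var_selinux_policy_name=targeted` and `- var_selinux_state=enforcing` in this `rules:` list as well. The control keeps `status: pending` and its note still says the requirements are "included in the rhcos4 bsi profile", which no longer matches where the rules live; the control's `- id:` line is outside the hunk.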
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+title: 'DRAFT - BSI APP.4.4. and SYS.1.6'
+
+reference: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
+
+metadata:
+ SMEs:
+ - ermeratos
+ - benruland
+ - oliverbutanowitz
+ - sluetze
+ version: 2022
+
+description: |-
+ This profile defines a baseline that aligns to the BSI (Federal Office for Security Information) IT-Grundschutz
+ Basic-Protection.
+
+ This baseline implements OS-Level configuration requirements from the following
+ sources:
+
+ - Building-Block SYS.1.6 Containerisation
+ - Building-Block APP.4.4 Kubernetes
+
+ THIS DOES NOT INCLUDE REQUIREMENTS FOR A HARDENED LINUX FROM SYS.1.3 LINUX
+
+selections:
+ - bsi_app_4_4:all
+ - bsi_sys_1_6:all
+
+ # BSI APP.4.4.A4
+ - var_selinux_policy_name=targeted
+ - var_selinux_state=enforcing
diff --git a/products/rhcos4/profiles/bsi.profile b/products/rhcos4/profiles/bsi.profile
index 35c81aa8504..dda8371df08 100644
--- a/products/rhcos4/profiles/bsi.profile
+++ b/products/rhcos4/profiles/bsi.profile
@@ -2,6 +2,16 @@ documentation_complete: true

 title: 'DRAFT - BSI APP.4.4. and SYS.1.6'

+reference: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
+
+metadata:
+ SMEs:
+ - ermeratos
+ - benruland
+ - oliverbutanowitz
+ - sluetze
+ version: 2022
+
 description: |-
 This profile defines a baseline that aligns to the BSI (Federal Office for Security Information) IT-Grundschutz
 Basic-Protection.
@@ -14,10 +24,4 @@ description: |-

 THIS DOES NOT INCLUDE REQUIREMENTS FOR A HARDENED LINUX FROM SYS.1.3 LINUX

-selections:
- # BSI APP.4.4.A4
- - coreos_enable_selinux_kernel_argument
- - var_selinux_policy_name=targeted
- - selinux_policytype
- - var_selinux_state=enforcing
- - selinux_state
+extends: bsi-2022
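Review bot: The new products/rhcos4/profiles/bsi-2022.profile sets `documentation_complete: true` while its title is still `'DRAFT - BSI APP.4.4. and SYS.1.6'`, the same string as in bsi.profile, so the versioned profile and the alias cannot be told apart by title in scan results. A title that carries the edition, e.g. `title: 'DRAFT - BSI APP.4.4. and SYS.1.6 (Edition 2022)'`, would make clear which baseline a result was produced against. `version: 2022` is a plain scalar and loads as an integer; `version: '2022'` keeps it a string, and the same line appears in the first bsi.profile hunk. The description's "Federal Office for Security Information" should read "Federal Office for Information Security".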
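Review bot: In products/rhcos4/profiles/bsi.profile the `selections:` block is replaced by `extends: bsi-2022`, which turns this file into an unversioned alias, but nothing in the file says so. The `reference` and `metadata.version: 2022` added in the first hunk are copies of the values in bsi-2022.profile and will go stale when the alias is pointed at a later edition. A comment above the last line, `# Unversioned alias: tracks the current BSI edition profile; update reference and metadata.version together with this line`, would document that coupling.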