From b85f0f68157b5ccc04d3ea394f644206b4e13288 Mon Sep 17 00:00:00 2001
From: Benjamin Ruland
Date: Fri, 4 Oct 2024 10:18:01 +0200
Subject: [PATCH] Adjusted rules for BSI APP.4.4.A18 according to review
---
.../rule.yml | 16 ++++++++--------
.../project_template_network_policy/rule.yml | 2 --
controls/bsi_app_4_4.yml | 5 ++---
shared/references/cce-redhat-avail.txt | 1 -
4 files changed, 10 insertions(+), 14 deletions(-)
diff --git a/applications/openshift/networking/configure_appropriate_network_policies/rule.yml b/applications/openshift/networking/configure_appropriate_network_policies/rule.yml
index 1d94cb55641..3c517f03d73 100644
--- a/applications/openshift/networking/configure_appropriate_network_policies/rule.yml
+++ b/applications/openshift/networking/configure_appropriate_network_policies/rule.yml
@@ -1,9 +1,9 @@ documentation_complete: true
-title: 'Ensure appropriate Network Policies are configured'
+title: 'Ensure Appropriate Network Policies are Configured'
description: |-
- Configure Network Policies in any application namespace in an approrpriate way, so that
+ Configure Network Policies in any application namespace in an appropriate way, so that
only the required communications are allowed. The Network Policies should
precisely define source and target using label selectors and ports.
@@ -24,20 +24,20 @@ rationale: |-
severity: medium
-identifiers: {}
-
-references:
- bsi: APP.4.4.A19
+identifiers:
+ cce@ocp4: CCE-89537-5
ocil_clause: 'Network Policies need to be evaluated if they are appropriate'
ocil: |-
For each non-default namespace in the cluster, review the configured Network Policies
- and ensure that they only allow the necessary network network connections. They should should
+ and ensure that they only allow the necessary network connections. They should
precisely define source and target using label selectors and ports.
1. Get a list of existing projects(namespaces), exclude default, kube-*, openshift-*
-
$ oc get namespaces -ojson | jq -r '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name]'
+
$ oc get namespaces -ojson | jq -r '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.name]'
+
+ Namespaces matching the variable ocp4-var-network-policies-namespaces-exempt-regex regex are excluded from this check.
2. For each of these namespaces, review the network policies:
$ oc get networkpolicies -n $namespace -o yaml
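Review bot: The new `$ oc get namespaces` filter excludes every namespace whose name merely begins with `openshift`, while the step text promises to exclude only `openshift-*`, so a tenant namespace such as `openshiftdemo` silently drops out of the manual review; `(.metadata.name | startswith("openshift-") | not)` matches the documented intent. The exempt regex is also spliced verbatim into the jq string literal `test("{{.var_network_policies_namespaces_exempt_regex}}")`, so a value containing `"` or `\` breaks the command, and a broad value such as `.*` exempts every namespace without any warning. The added sentence about the exemption variable should carry that caveat, e.g. `Review the exemption regex itself: every namespace it matches is removed from this check without further notice.` The hunk does not show where this rule binds the variable, so if it is not declared for the rule the `{{if ne …}}` block may appear unrendered in the OCIL text — worth confirming.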
diff --git a/applications/openshift/networking/project_template_network_policy/rule.yml b/applications/openshift/networking/project_template_network_policy/rule.yml
index cbda8e66cea..84c2b8aefde 100644
--- a/applications/openshift/networking/project_template_network_policy/rule.yml
+++ b/applications/openshift/networking/project_template_network_policy/rule.yml
@@ -34,7 +34,6 @@ ocil: |-
return true.
references:
- bsi: APP.4.4.A18
srg: SRG-APP-000039-CTR-000110
identifiers:
@@ -56,4 +55,3 @@ template:
values: - value: "true"
operation: "pattern match"
-
diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml
index dcb5ec8c4e0..c72c99e9888 100644
--- a/controls/bsi_app_4_4.yml
+++ b/controls/bsi_app_4_4.yml
@@ -486,9 +486,8 @@ controls:
can only be changed by authorised persons and management services.
notes: >-
In a cluster using a network plugin that supports Kubernetes network policy, network isolation
- is controlled entirely by NetworkPolicy objects. In OpenShift, the default plugins (OpenShift SDN,
- OVN Kubernetes) supports using network policy. Support for NetworkPolicy objects is verified
- using rules.
+ is controlled entirely by NetworkPolicy objects. In OpenShift, the default plugin (OVN-Kubernetes)
+ supports using network policy. Support for NetworkPolicy objects is verified using rules.
Section 1-3: By default, all pods in a project are accessible from other pods and network endpoints.
To isolate one or more pods in a project, you need to create NetworkPolicy objects in that project
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 2f20480572f..573b5988113 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1800,7 +1800,6 @@ CCE-89531-8
CCE-89534-2
CCE-89535-9
CCE-89536-7
-CCE-89537-5
CCE-89539-1
CCE-89543-3
CCE-89544-1
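Review bot: Removing `bsi: APP.4.4.A18` from this rule's `references:` means the mapping to that BSI requirement now exists only if `controls/bsi_app_4_4.yml` still lists `project_template_network_policy` under A18; the controls hunk in this same patch only rewords the `notes:` field and does not show that rule list, so confirm the rule is still selected there. If it was dropped, the A18 control presumably loses an automated check and is left with manual review only. A one-line comment above `references:` such as `# BSI mapping is maintained in controls/bsi_app_4_4.yml` would make the indirection visible to the next editor.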
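Review bot: The rewritten `notes:` text now reads as though only OVN-Kubernetes enforces NetworkPolicy, but clusters that have not yet migrated off OpenShift SDN still enforce it (as the removed line stated), and clusters running a third-party plugin may not enforce it at all — which is precisely the case the opening isolation claim depends on. Suggest `In OpenShift, the default plugin (OVN-Kubernetes) and the legacy OpenShift SDN plugin both enforce network policy; with a third-party plugin, confirm NetworkPolicy enforcement before relying on it.` The sentence `Support for NetworkPolicy objects is verified using rules.` would be more useful if it named the rule that performs that verification. The `notes:` block continues past the end of the hunk.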