Add new version of conntrols file for SYS.1.6.A12 and SYS.1.6.A13

sig-bsi-grundschutz · Sep 2, 2024 · db3cb46 · db3cb46
1 parent f7fc5a2
commit db3cb46
Showing 1 changed file with 31 additions and 14 deletions.
diff --git a/controls/bsi_sys_1_6.yml b/controls/bsi_sys_1_6.yml
@@ -194,29 +194,46 @@ controls:
     levels:
     - standard
     description: >-
-      The sources of images that have been classified as trusted and SHOULD be adequately
-      documented along with the corresponding reasons. In addition, the process of how images or
-      the software components contained in an image are obtained from trusted sources and
-      eventually deployed to a productive environment SHOULD be adequately documented.
-      Images used SHOULD have metadata that makes their function and history traceable. Digital
-      signatures SHOULD secure each image against modification.
+      (1) There SHOULD be adequate documentation of which image sources have been classified
+      as trustworthy and why.
+      (2) In addition, the process SHOULD be adequately documented as to how images
+      or the software components contained in the image are obtained from trustworthy
+      sources and ultimately made available for production use.
+      (3) The images used SHOULD have metadata that makes the function and history of
+      the image understandable.
+      (4) Digital signatures SHOULD secure every image against change.
     notes: >-
-      ToDo
-    status: manual
-    #rules:
-
+      Section 1: This requirement must be implemented organizationally.
+      Section 2: This requirement must be implemented organizationally.
+      Section 3: This requirement is solved using image labels. Red Hat Images contain the
+      labels io.k8s.description, summary, vender, version, url, vcs-ref and vcs-type,
+      through which the delivered images are transparent in their function and history.
+      For internal images, the existence of the labels can be ensured during application
+      development.
+      The existence of the corresponding labels can be ensured via ACS.
+      Section 4: OpenShift can be configured to assign a digital signature to each approved registry.
+      OpenShift then only executes images from this registry that are secured using this signature.
+    status: partial
+    rules:
+      # Section 4
+      - reject_unsigned_images_by_default
 
   - id: SYS.1.6.A13
     title: Release of Images
     levels:
     - standard
     description: >-
-      All images for productive operation SHOULD undergo a test and release process in the same
-      way as software products in accordance with module OPS.1.1.6 Software Tests and Approvals
+      Like software products, all images for production use SHOULD go through a testing
+      and release process in accordance with module OPS.1.1.6 Software testing and releases.
     notes: >-
-      ToDo
+      This requirement must be solved organizationally.
+      Note: OpenShift offers various CI/CD solutions that can be used for automation.
+      OpenShift Pipelines (Tekton-based) and traditional Jenkins are available directly in OpenShift.
+      If the user uses gitlab-ci or github Actions, the runners can be executed in OpenShift.
+      If the release process contains specific artifacts such as if you require SBOMs
+      or the ability to statically analyze Dockerfiles, Quay and ACS can provide the necessary functionality.
     status: manual
-    #rules:
+    rules: []
 
   - id: SYS.1.6.A14
     title: Updating Images