From db3cb46e8c4ebe85f9f4496fcc511c5943e2b5cf Mon Sep 17 00:00:00 2001 From: lichtblaugue Date: Mon, 2 Sep 2024 14:56:19 +0200 Subject: [PATCH] Add new version of controls file for SYS.1.6.A12 and SYS.1.6.A13 --- controls/bsi_sys_1_6.yml | 45 +++++++++++++++++++++++++++------------- 1 file changed, 31 insertions(+), 14 deletions(-) diff --git a/controls/bsi_sys_1_6.yml b/controls/bsi_sys_1_6.yml index 0533a012f775..620523730b17 100644 --- a/controls/bsi_sys_1_6.yml +++ b/controls/bsi_sys_1_6.yml 
@@ -194,29 +194,46 @@ controls: levels: - standard description: >- - The sources of images that have been classified as trusted and SHOULD be adequately - documented along with the corresponding reasons. In addition, the process of how images or - the software components contained in an image are obtained from trusted sources and - eventually deployed to a productive environment SHOULD be adequately documented. - Images used SHOULD have metadata that makes their function and history traceable. Digital - signatures SHOULD secure each image against modification. + (1) There SHOULD be adequate documentation of which image sources have been classified + as trustworthy and why. + (2) In addition, the process SHOULD be adequately documented as to how images + or the software components contained in the image are obtained from trustworthy + sources and ultimately made available for production use. + (3) The images used SHOULD have metadata that makes the function and history of + the image understandable. + (4) Digital signatures SHOULD secure every image against change. notes: >- - ToDo - status: manual - #rules: - + Section 1: This requirement must be implemented organizationally. + Section 2: This requirement must be implemented organizationally. + Section 3: This requirement is solved using image labels. Red Hat Images contain the + labels io.k8s.description, summary, vender, version, url, vcs-ref and vcs-type, + through which the delivered images are transparent in their function and history. + For internal images, the existence of the labels can be ensured during application + development. + The existence of the corresponding labels can be ensured via ACS. + Section 4: OpenShift can be configured to assign a digital signature to each approved registry. + OpenShift then only executes images from this registry that are secured using this signature. 
+ status: partial + rules: + # Section 4 + - reject_unsigned_images_by_default - id: SYS.1.6.A13 title: Release of Images levels: - standard description: >- - All images for productive operation SHOULD undergo a test and release process in the same - way as software products in accordance with module OPS.1.1.6 Software Tests and Approvals + Like software products, all images for production use SHOULD go through a testing + and release process in accordance with module OPS.1.1.6 Software testing and releases. notes: >- - ToDo + This requirement must be solved organizationally. + Note: OpenShift offers various CI/CD solutions that can be used for automation. + OpenShift Pipelines (Tekton-based) and traditional Jenkins are available directly in OpenShift. + If the user uses gitlab-ci or github Actions, the runners can be executed in OpenShift. + If the release process contains specific artifacts such as if you require SBOMs + or the ability to statically analyze Dockerfiles, Quay and ACS can provide the necessary functionality. status: manual - #rules: + rules: [] - id: SYS.1.6.A14 title: Updating Images
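Review bot: The Section 3 note for SYS.1.6.A12 lists the label name as `vender`; the label Red Hat images actually carry is `vendor`, and since the note says label presence "can be ensured via ACS", a reader copying the list into a policy check would silently test for a label that never exists, so please correct it to `vendor`. In the Section 4 note, "assign a digital signature to each approved registry" describes the mechanism imprecisely: signatures are attached to images, and the cluster policy is what requires images pulled from a given registry to carry a valid signature from a trusted key; a wording such as "OpenShift can be configured to require a valid signature for images from each approved registry and to reject unsigned images" matches what the paired rule `reject_unsigned_images_by_default` enforces. Minor: in the A13 note, "gitlab-ci" and "github Actions" should read "GitLab CI" and "GitHub Actions", and "Red Hat Images" should be "Red Hat images".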