diff --git a/applications/openshift/api-server/api_server_client_ca/rule.yml b/applications/openshift/api-server/api_server_client_ca/rule.yml
index a0c3580bd349..71cee9acf7eb 100644
--- a/applications/openshift/api-server/api_server_client_ca/rule.yml
+++ b/applications/openshift/api-server/api_server_client_ca/rule.yml
@@ -38,7 +38,6 @@ rationale: |-
 severity: medium
 references:
- bsi: APP.4.4.A17
 cis@ocp4: 1.2.29
 nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
 nist: SC-8,SC-8(1),SC-8(2)
diff --git a/applications/openshift/api-server/api_server_https_for_kubelet_conn/rule.yml b/applications/openshift/api-server/api_server_https_for_kubelet_conn/rule.yml
index 74bcc1b8a2a8..a1da41915df5 100644
--- a/applications/openshift/api-server/api_server_https_for_kubelet_conn/rule.yml
+++ b/applications/openshift/api-server/api_server_https_for_kubelet_conn/rule.yml
@@ -25,7 +25,6 @@ rationale: |-
 severity: medium
 references:
- bsi: APP.4.4.A17
 cis: 1.2.4
 nerc-cip: CIP-003-8 R4.2,CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R5.1,CIP-007-3 R6.1
 nist: CM-6,CM-6(1),SC-8,SC-8(1)
diff --git a/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml b/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml
index 3e7e9ad8722e..280a90bc8353 100644
--- a/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml
+++ b/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml
@@ -39,7 +39,6 @@ platforms:
 severity: high
 references:
- bsi: APP.4.4.A17
 cis@ocp4: 1.2.5
 nerc-cip: CIP-003-8 R4.2,CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R5.1,CIP-007-3 R6.1
 nist: CM-6,CM-6(1),SC-8,SC-8(1)
diff --git a/applications/openshift/api-server/api_server_kubelet_client_key/rule.yml b/applications/openshift/api-server/api_server_kubelet_client_key/rule.yml
index bc20fd72998c..1368e60be598 100644
--- a/applications/openshift/api-server/api_server_kubelet_client_key/rule.yml
+++ b/applications/openshift/api-server/api_server_kubelet_client_key/rule.yml
@@ -39,7 +39,6 @@ platforms:
 severity: high
 references:
- bsi: APP.4.4.A17
 cis@ocp4: 1.2.5
 nerc-cip: CIP-003-8 R4.2,CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R5.1,CIP-007-3 R6.1
 nist: CM-6,CM-6(1),SC-8,SC-8(1)
diff --git a/applications/openshift/api-server/api_server_tls_cert/rule.yml b/applications/openshift/api-server/api_server_tls_cert/rule.yml
index 590b66f56cd2..53332478a6e0 100644
--- a/applications/openshift/api-server/api_server_tls_cert/rule.yml
+++ b/applications/openshift/api-server/api_server_tls_cert/rule.yml
@@ -39,7 +39,6 @@ identifiers:
 severity: medium
 references:
- bsi: APP.4.4.A17
 cis@ocp4: 1.2.28
 nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
 nist: SC-8,SC-8(1),SC-8(2)
diff --git a/applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml b/applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml
index 0e76ac52beb9..b9eccfe8cdec 100644
--- a/applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml
+++ b/applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml
@@ -38,7 +38,6 @@ rationale: |-
 severity: medium
 references:
- bsi: APP.4.4.A17
 cis@ocp4: 1.2.32
 nist: CM-6
 pcidss: Req-2.2,Req-2.2.3,Req-2.3
diff --git a/applications/openshift/api-server/api_server_tls_private_key/rule.yml b/applications/openshift/api-server/api_server_tls_private_key/rule.yml
index 7601d7951c5a..f0fc2363c6ca 100644
--- a/applications/openshift/api-server/api_server_tls_private_key/rule.yml
+++ b/applications/openshift/api-server/api_server_tls_private_key/rule.yml
@@ -39,7 +39,6 @@ identifiers:
 severity: medium
 references:
- bsi: APP.4.4.A17
 cis@ocp4: 1.2.28
 nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
 nist: SC-8,SC-8(1),SC-8(2)
diff --git a/applications/openshift/kubelet/kubelet_configure_client_ca/rule.yml b/applications/openshift/kubelet/kubelet_configure_client_ca/rule.yml
index 585fb758ece1..df0c6741d6e0 100644
--- a/applications/openshift/kubelet/kubelet_configure_client_ca/rule.yml
+++ b/applications/openshift/kubelet/kubelet_configure_client_ca/rule.yml
@@ -46,7 +46,6 @@ identifiers:
 cce@ocp4: CCE-83724-5
 references:
- bsi: APP.4.4.A17
 cis@eks: 3.2.3
 cis@ocp4: 4.2.4
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml
index da219ff66f2a..60d1df2ef0fa 100644
--- a/applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml
+++ b/applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml
@@ -30,7 +30,6 @@ platforms:
 - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16 or ocp4.17) and not ocp4-on-hypershift-hosted
 references:
- bsi: APP.4.4.A17
 cis@ocp4: 4.2.9
 nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
 nist: SC-8,SC-8(1),SC-8(2)
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml
index f0ce917fc604..863d320117c7 100644
--- a/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml
+++ b/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml
@@ -30,7 +30,6 @@ platforms:
 - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16 or ocp4.17) and not ocp4-on-hypershift-hosted
 references:
- bsi: APP.4.4.A17
 cis@ocp4: 4.2.9
 nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
 nist: SC-8,SC-8(1),SC-8(2)
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_min_version/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_min_version/rule.yml
index 3753e709d64d..cd8973972c60 100644
--- a/applications/openshift/kubelet/kubelet_configure_tls_min_version/rule.yml
+++ b/applications/openshift/kubelet/kubelet_configure_tls_min_version/rule.yml
@@ -71,7 +71,6 @@ identifiers:
 cce@ocp4: CCE-86623-6
 references:
- bsi: APP.4.4.A17
 nist: SC-8,SC-8(1)
 srg: SRG-APP-000014-CTR-000040,SRG-APP-000560-CTR-001340
diff --git a/applications/openshift/worker/file_groupowner_kubelet_conf/rule.yml b/applications/openshift/worker/file_groupowner_kubelet_conf/rule.yml
index dc3a286e70d3..57bfbe483285 100644
--- a/applications/openshift/worker/file_groupowner_kubelet_conf/rule.yml
+++ b/applications/openshift/worker/file_groupowner_kubelet_conf/rule.yml
@@ -23,7 +23,6 @@ identifiers:
 cce@ocp4: CCE-84233-6
 references:
- bsi: APP.4.4.A17
 cis@eks: 3.1.4
 cis@ocp4: 4.1.6
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
diff --git a/applications/openshift/worker/file_groupowner_worker_ca/rule.yml b/applications/openshift/worker/file_groupowner_worker_ca/rule.yml
index e3c200195688..38414d9fa4d6 100644
--- a/applications/openshift/worker/file_groupowner_worker_ca/rule.yml
+++ b/applications/openshift/worker/file_groupowner_worker_ca/rule.yml
@@ -18,7 +18,6 @@ identifiers:
 cce@ocp4: CCE-83440-8
 references:
- bsi: APP.4.4.A17
 cis@ocp4: 4.1.8
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/worker/file_groupowner_worker_kubeconfig/rule.yml b/applications/openshift/worker/file_groupowner_worker_kubeconfig/rule.yml
index 2abf55b4d143..aa1216029b04 100644
--- a/applications/openshift/worker/file_groupowner_worker_kubeconfig/rule.yml
+++ b/applications/openshift/worker/file_groupowner_worker_kubeconfig/rule.yml
@@ -18,7 +18,6 @@ identifiers:
 cce@ocp4: CCE-83409-3
 references:
- bsi: APP.4.4.A17
 cis@ocp4: 4.1.10
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/worker/file_groupowner_worker_service/rule.yml b/applications/openshift/worker/file_groupowner_worker_service/rule.yml
index f4442d0f0b75..1ed92064a513 100644
--- a/applications/openshift/worker/file_groupowner_worker_service/rule.yml
+++ b/applications/openshift/worker/file_groupowner_worker_service/rule.yml
@@ -20,7 +20,6 @@ identifiers:
 cce@ocp4: CCE-83975-3
 references:
- bsi: APP.4.4.A17
 cis@ocp4: 4.1.2
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/worker/file_owner_kubelet/rule.yml b/applications/openshift/worker/file_owner_kubelet/rule.yml
index 6d8a6b7496ea..5bce6a47ce62 100644
--- a/applications/openshift/worker/file_owner_kubelet/rule.yml
+++ b/applications/openshift/worker/file_owner_kubelet/rule.yml
@@ -20,7 +20,6 @@ identifiers:
 cce@ocp4: CCE-85900-9
 references:
- bsi: APP.4.4.A17
 cis@ocp4: 4.1.6
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/worker/file_owner_kubelet_conf/rule.yml b/applications/openshift/worker/file_owner_kubelet_conf/rule.yml
index 364ce229ad72..f262b9e779d2 100644
--- a/applications/openshift/worker/file_owner_kubelet_conf/rule.yml
+++ b/applications/openshift/worker/file_owner_kubelet_conf/rule.yml
@@ -24,7 +24,6 @@ identifiers:
 cce@ocp4: CCE-83976-1
 references:
- bsi: APP.4.4.A17
 cis@eks: 3.1.4
 cis@ocp4: 4.1.6
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
diff --git a/applications/openshift/worker/file_owner_worker_ca/rule.yml b/applications/openshift/worker/file_owner_worker_ca/rule.yml
index f4eef80c9c14..2cd85ac2901e 100644
--- a/applications/openshift/worker/file_owner_worker_ca/rule.yml
+++ b/applications/openshift/worker/file_owner_worker_ca/rule.yml
@@ -18,7 +18,6 @@ identifiers:
 cce@ocp4: CCE-83495-2
 references:
- bsi: APP.4.4.A17
 cis@ocp4: 4.1.8
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/worker/file_owner_worker_kubeconfig/rule.yml b/applications/openshift/worker/file_owner_worker_kubeconfig/rule.yml
index 4d24dab27028..baa3d32f589e 100644
--- a/applications/openshift/worker/file_owner_worker_kubeconfig/rule.yml
+++ b/applications/openshift/worker/file_owner_worker_kubeconfig/rule.yml
@@ -18,7 +18,6 @@ identifiers:
 cce@ocp4: CCE-83408-5
 references:
- bsi: APP.4.4.A17
 cis@eks: 3.1.2
 cis@ocp4: 4.1.10
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
diff --git a/applications/openshift/worker/file_owner_worker_service/rule.yml b/applications/openshift/worker/file_owner_worker_service/rule.yml
index faa89195b900..9ab9b1902d44 100644
--- a/applications/openshift/worker/file_owner_worker_service/rule.yml
+++ b/applications/openshift/worker/file_owner_worker_service/rule.yml
@@ -20,7 +20,6 @@ identifiers:
 cce@ocp4: CCE-84193-2
 references:
- bsi: APP.4.4.A17
 cis@ocp4: 4.1.2
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/worker/file_permissions_kubelet/rule.yml b/applications/openshift/worker/file_permissions_kubelet/rule.yml
index 3d4e3f3d8062..6e131af119eb 100644
--- a/applications/openshift/worker/file_permissions_kubelet/rule.yml
+++ b/applications/openshift/worker/file_permissions_kubelet/rule.yml
@@ -23,7 +23,6 @@ identifiers:
 cce@ocp4: CCE-85896-9
 references:
- bsi: APP.4.4.A17
 cis@ocp4: 4.1.5
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/worker/file_permissions_kubelet_conf/rule.yml b/applications/openshift/worker/file_permissions_kubelet_conf/rule.yml
index 9df1bbe945ad..fe7f58b3c1a3 100644
--- a/applications/openshift/worker/file_permissions_kubelet_conf/rule.yml
+++ b/applications/openshift/worker/file_permissions_kubelet_conf/rule.yml
@@ -26,7 +26,6 @@ identifiers:
 cce@ocp4: CCE-83470-5
 references:
- bsi: APP.4.4.A17
 cis@eks: 3.1.3
 cis@ocp4: 4.1.5
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
diff --git a/applications/openshift/worker/file_permissions_worker_ca/rule.yml b/applications/openshift/worker/file_permissions_worker_ca/rule.yml
index d4b43414cbc4..55c9c89d0649 100644
--- a/applications/openshift/worker/file_permissions_worker_ca/rule.yml
+++ b/applications/openshift/worker/file_permissions_worker_ca/rule.yml
@@ -20,7 +20,6 @@ identifiers:
 cce@ocp4: CCE-83493-7
 references:
- bsi: APP.4.4.A17
 cis@ocp4: 4.1.7
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/worker/file_permissions_worker_kubeconfig/rule.yml b/applications/openshift/worker/file_permissions_worker_kubeconfig/rule.yml
index 4ee5537119d2..9ae997b0eef5 100644
--- a/applications/openshift/worker/file_permissions_worker_kubeconfig/rule.yml
+++ b/applications/openshift/worker/file_permissions_worker_kubeconfig/rule.yml
@@ -29,7 +29,6 @@ identifiers:
 cce@ocp4: CCE-83509-0
 references:
- bsi: APP.4.4.A17
 cis@eks: 3.1.1
 cis@ocp4: 4.1.9
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
diff --git a/applications/openshift/worker/file_permissions_worker_service/rule.yml b/applications/openshift/worker/file_permissions_worker_service/rule.yml
index 7449cab20175..dec05ebc4dbe 100644
--- a/applications/openshift/worker/file_permissions_worker_service/rule.yml
+++ b/applications/openshift/worker/file_permissions_worker_service/rule.yml
@@ -21,7 +21,6 @@ identifiers:
 cce@ocp4: CCE-83455-6
 references:
- bsi: APP.4.4.A17
 cis@ocp4: 4.1.1
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml
index 296ac445f503..338c57f6e719 100644
--- a/controls/bsi_app_4_4.yml
+++ b/controls/bsi_app_4_4.yml
@@ -414,8 +414,8 @@ controls:
 levels:
 - elevated
 description: >-
- Nodes SHOULD send a cryptographically secured (and, if possible, TPM-verified) status
- message to the control plane. The control plane SHOULD ONLY accept nodes into a cluster
+ (1) Nodes SHOULD send a cryptographically secured (and, if possible, TPM-verified) status
+ message to the control plane. (2) The control plane SHOULD ONLY accept nodes into a cluster
 that have successfully proven their integrity.
 notes: >-
 OpenShift Nodes are using Red Hat CoreOS (RHCOS) by default, an immutable operating system.
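Review bot: Nothing in the `controls/bsi_app_4_4.yml` hunk shows this control's `rules:` list or `status:` changing, although every rule.yml in this diff loses its `bsi: APP.4.4.A17` reference. The control text is about nodes proving their integrity to the control plane, whereas the de-referenced rules, judging by their names, check TLS settings and file ownership or permissions. If the control entry still lists those rules or still reports an automated status, scan results would overstate coverage of this requirement, so I would confirm both fields are updated in the same change. Since the description now numbers the requirements, `notes:` could also state which of (1) and (2) is assessed manually. The control entry begins before this hunk and continues after it.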