Merge pull request #12470 from sig-bsi-grundschutz/bsi-sys-1.6-a22-23
Defined notes for BSI SYS.1.6.A22 and A23
yuumasato authored Nov 29, 2024
2 parents 16eaa39 + 645418c commit bbdb1f8
Showing 1 changed file with 23 additions and 8 deletions.
31 changes: 23 additions & 8 deletions controls/bsi_sys_1_6.yml
Expand Up @@ -623,24 +623,39 @@ controls:
levels:
- elevated
description: >-
In order to have containers available for later investigation in case they are needed, an image
(1) In order to have containers available for later investigation in case they are needed, an image
of each container's state SHOULD be created according to specified rules.
notes: >-
ToDo
The OpenShift container runtime environment used does not provide a function for creating a memory
image of a running container.
The running containers can be listed and different parameters can be queried and saved for them.
Further data (such as running processes) can be queried via the host. Using the operating system,
memory dumps (core dump) or file system data (ephemeral and persistent) can also be backed up.
To fully address the requirement and automatically capture an image of a container based on rules,
one needs to utilize an additional 3rd Party solution.
status: manual
#rules:

- id: SYS.1.6.A23
title: Compile options for various kernel behaviors
title: Container Immutability
levels:
- elevated
description: >-
Containers SHOULD not be able to change their file system during runtime. File systems
SHOULD not be integrated with write permissions.
(1) Containers SHOULD not be able to change their file system during runtime.
(2) File systems SHOULD not be integrated with write permissions.
notes: >-
ToDo
Section 1: This requirement must be implemented organizationally.
Note: By default, Red Hat recommends building containers so that the runtime UID does not have write
permissions in the container. If the file system is changed (e.g. for a file system-based cache),
this change will be lost when you restart, as the unchangeable image will be loaded again.
Section 2: By default, local file systems are not mounted in containers. Containers access PVs that are
integrated via OpenShift. Alternatively, ephemeral volumes can be used as volatile storage.
The requirement to mount file systems without write permissions must be implemented organizationally:
- The container's root file system can be restricted to ReadOnly via the SecurityContext.
- Every container's VolumeMount can be specified as read only.
status: manual
#rules:

- id: SYS.1.6.A24
title: Host-Based Attack Detection
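Review bot: In the SYS.1.6.A23 notes the bullet "The container's root file system can be restricted to ReadOnly via the SecurityContext." sits under "Section 2", but it addresses requirement (1) (containers not changing their file system during runtime), while only the "Every container's VolumeMount can be specified as read only." bullet belongs to (2) (file systems integrated without write permissions). Move the SecurityContext bullet up to Section 1, which currently says only "must be implemented organizationally", and name the concrete fields so a reader can verify them: `securityContext.readOnlyRootFilesystem: true` on the container and `readOnly: true` on the volumeMount. Both are pod-level settings that can be checked rather than purely organizational measures, so the note should say why the rule reference stays commented out and the status stays manual (no check exists yet for them). Minor: "3rd Party" in the A22 note should read "third-party".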

0 comments on commit bbdb1f8