Defined notes for BSI SYS.1.6.A16 #12529

Merged (2 commits), Dec 9, 2024
48 changes: 42 additions & 6 deletions controls/bsi_sys_1_6.yml
Expand Up @@ -414,15 +414,51 @@ controls:
levels:
- standard
description: >-
In principle, administrative access from a container to the container host and vice versa
SHOULD be considered as administrative remote access. Remote administrative access
SHOULD NOT be established from a container to the container host. Application containers
SHOULD NOT contain remote maintenance access points. Administrative access to
(1)In principle, administrative access from a container to the container host and vice versa
SHOULD be considered as administrative remote access. (2) Remote administrative access
SHOULD NOT be established from a container to the container host. (3) Application containers
SHOULD NOT contain remote maintenance access points. (4) Administrative access to
application containers SHOULD always be carried out via the container runtime.
notes: >-
ToDo
Section 1: Application containers can only access administrative services remotely.
Privileged containers can gain access to the host, the host's file system, or the host's network.
This is necessary, for example, for the infrastructure services of OpenShift (ingress router).
Normal applications (application containers) may not receive such permissions.

Section 2: This requirement must be partially implemented organizationally and
should be part of the guideline defined in SYS.1.6.A10. There may be exceptions for applications
that should/need to make configurations to Kubernetes resources. This means they have
administrative remote access to the corresponding Kubernetes resources.
Remote access is controlled by Kubernetes and backup takes place via the Kubernetes
functionalities (see module APP.4.4). The operating system including Mandatory Access Control
is optimized as a runtime environment for Kubernetes. In general, it is possible to limit
the provision/post-installation of remote access programs in the container.
Also the container runtime security tools can detect, alert and remediate,
if remote access daemon processes such as SSHD are running in a container.

Section 3: This requirement should also be included in the policy described in SYS.1.6.A10.
OpenShift only allows access to the configured ports. A container that provides remote maintenance
access to these ports may not be released. Application containers should be administered
exclusively via the container runtime. Using a policy, known remote access ports
(e.g. 22, RDP, etc.) can be reported via ACS and their use prevented.

Section 4: This is standard in OpenShift environments. OpenShift offers a terminal login
via the oc administration tool. Communication runs via the control plane to the container
and is both authenticated and authorized.
status: manual
#rules:
rules:
# Section 2:
- scc_drop_container_capabilities
- scc_limit_container_allowed_capabilities
- scc_limit_host_dir_volume_plugin
- scc_limit_host_ports
- scc_limit_ipc_namespace
- scc_limit_net_raw_capability
- scc_limit_network_namespace
- scc_limit_privilege_escalation
- scc_limit_privileged_containers
- scc_limit_process_id_namespace
- scc_limit_root_containers

- id: SYS.1.6.A17
title: Running Containers Without Privileges
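Review bot: the stale commented-out `#rules:` line directly above the new `rules:` key should be dropped rather than left in the control file, and `(1)In principle` in the rewritten description is missing the space after the marker that the other three numbered sentences have. Two smaller points on the same hunk: the control keeps `status: manual` while eleven `scc_*` rules are now attached under it, so it is worth checking whether `partial` (or whatever status this file uses for controls with both rules and manual notes) is the intended value; and the notes refer to `ACS` without expanding the abbreviation on first use, while the same paragraph spells out `oc` and `Mandatory Access Control`, so a one-time expansion would help readers of the rendered control.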