move bsi os checks into os profile

sluetze · benruland · commit 4321fcbfdfff · 2023-12-22T13:53:14.000+01:00
diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml
@@ -81,16 +81,9 @@ controls:
       minimum, this isolation MUST include process IDs, inter-process communication, user IDs,
       the file system, and the network (including the hostname).
     notes: >-
-      TBD
+      Since these are OS based requirements, they are included in the rhcos4 bsi profile
     status: pending
-    rules:
-      - coreos_enable_selinux_kernel_argument
-      # the following var is in repo, but unknown to build scripts
-      # - var_selinux_policy_name=targeted
-      - selinux_policytype
-      # the following var is in repo, but unknown to build scripts
-      # - var_selinux_state=enforcing
-      - selinux_state
+    # rules:
 
   - id: APP.4.4.A5
     title: Backup in the Cluster
diff --git a/products/ocp4/profiles/bsi-node.profile b/products/ocp4/profiles/bsi-node.profile
@@ -28,4 +28,4 @@ description: |-
 filter_rules: '"ocp4-node" in platforms or "ocp4-master-node" in platforms or "ocp4-node-on-sdn" in platforms or "ocp4-node-on-ovn" in platforms'
 
 selections:
-    - bsi_app_4_4:all
+    - bsi_app_4_4:all
diff --git a/products/ocp4/profiles/bsi.profile b/products/ocp4/profiles/bsi.profile
@@ -32,4 +32,4 @@ selections:
     ### Helper Rules
     ### This is a helper rule to fetch the required api resource for detecting OCP version
     - version_detect_in_ocp
-    - version_detect_in_hypershift
+    - version_detect_in_hypershift
diff --git a/products/rhcos4/profiles/bsi.profile b/products/rhcos4/profiles/bsi.profile
@@ -0,0 +1,23 @@
+documentation_complete: true
+
+title: 'DRAFT - BSI APP.4.4. and SYS.1.6'
+
+description: |-
+    This profile defines a baseline that aligns to the BSI (Federal Office for Security Information) IT-Grundschutz
+    Basic-Protection.
+
+    This baseline implements OS-Level configuration requirements from the following
+    sources:
+
+    - Building-Block SYS.1.6 Containerisation
+    - Building-Block APP.4.4 Kubernetes
+
+    THIS DOES NOT INCLUDE REQUIREMENTS FOR A HARDENED LINUX FROM SYS.1.3 LINUX
+
+selections:
+    # BSI APP.4.4.A4
+    - coreos_enable_selinux_kernel_argument
+    - var_selinux_policy_name=targeted
+    - selinux_policytype
+    - var_selinux_state=enforcing
+    - selinux_state
