diff --git a/applications/openshift/api-server/api_server_anonymous_auth/rule.yml b/applications/openshift/api-server/api_server_anonymous_auth/rule.yml
index 14dec34c9368..e2f4dcf67019 100644
--- a/applications/openshift/api-server/api_server_anonymous_auth/rule.yml
+++ b/applications/openshift/api-server/api_server_anonymous_auth/rule.yml
@@ -34,7 +34,6 @@ rationale: |-
 severity: medium
 references:
- bsi: APP.4.4.A3
 cis@ocp4: 1.2.1
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/general/general_namespace_separation/rule.yml b/applications/openshift/general/general_namespace_separation/rule.yml
index 9dcda426c984..dfaf268fb91a 100644
--- a/applications/openshift/general/general_namespace_separation/rule.yml
+++ b/applications/openshift/general/general_namespace_separation/rule.yml
@@ -11,9 +11,6 @@ rationale: |-
 level. It also allows you control the network flow from and to other namespaces more easily.
-references:
- bsi: APP.4.4.A1
-
 severity: medium
 ocil_clause: 'Application placement in namespaces needs review'
diff --git a/applications/openshift/general/general_node_separation/rule.yml b/applications/openshift/general/general_node_separation/rule.yml
index 625aa0cad47a..bb74983a1df0 100644
--- a/applications/openshift/general/general_node_separation/rule.yml
+++ b/applications/openshift/general/general_node_separation/rule.yml
@@ -17,9 +17,6 @@ rationale: |-
 follow less strict requirements. An adversary which attacked a lighter protected workload now has additional obstacles for their movement towards the higher protected workloads.
-references:
- bsi: APP.4.4.A14,APP.4.4.A15
-
 severity: medium
 identifiers:
diff --git a/applications/openshift/general/kubeadmin_removed/rule.yml b/applications/openshift/general/kubeadmin_removed/rule.yml
index c97efa6d39ad..93fcb721b73c 100644
--- a/applications/openshift/general/kubeadmin_removed/rule.yml
+++ b/applications/openshift/general/kubeadmin_removed/rule.yml
@@ -22,7 +22,6 @@ identifiers:
 cce@ocp4: CCE-90387-2
 references:
- bsi: APP.4.4.A3
 cis@ocp4: 3.1.1,5.1.1
 nerc-cip: CIP-004-6 R2.2.2,CIP-004-6 R2.2.3,CIP-007-3 R.1.3,CIP-007-3 R2,CIP-007-3 R5,CIP-007-3 R5.1.1,CIP-007-3 R5.1.3,CIP-007-3 R5.2.1,CIP-007-3 R5.2.3,CIP-007-3 R6.1,CIP-007-3 R6.2,CIP-007-3 R6.3,CIP-007-3 R6.4
 nist: AC-2(2),AC-2(7),AC-2(9),AC-2(10),AC-12(1),IA-2(5),MA-4,SC-12(1)
diff --git a/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml b/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml
index 5282464314a9..fb5bd9353e6d 100644
--- a/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml
+++ b/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml
@@ -35,7 +35,6 @@ rationale: |-
 severity: medium
 references:
- bsi: APP.4.4.A3
 cis@eks: 3.2.1
 cis@ocp4: 4.2.2
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
diff --git a/applications/openshift/rbac/rbac_least_privilege/rule.yml b/applications/openshift/rbac/rbac_least_privilege/rule.yml
index 09040bb97bc5..277343e6e3b2 100644
--- a/applications/openshift/rbac/rbac_least_privilege/rule.yml
+++ b/applications/openshift/rbac/rbac_least_privilege/rule.yml
@@ -26,7 +26,6 @@ identifiers:
 cce@ocp4: CCE-90678-4
 references:
- bsi: APP.4.4.A3
 cis@ocp4: 5.2.10
 nist: AC-3,CM-5(6),IA-2,IA-2(5),AC-6(10),CM-11(2),CM-5(1),CM-7(5)(b)
 srg: SRG-APP-000033-CTR-000090,SRG-APP-000033-CTR-000095,SRG-APP-000033-CTR-000100,SRG-APP-000133-CTR-000290,SRG-APP-000133-CTR-000295,SRG-APP-000133-CTR-000300,SRG-APP-000133-CTR-000305,SRG-APP-000133-CTR-000310,SRG-APP-000148-CTR-000350,SRG-APP-000153-CTR-000375,SRG-APP-000340-CTR-000770,SRG-APP-000378-CTR-000880,SRG-APP-000378-CTR-000885,SRG-APP-000378-CTR-000890,SRG-APP-000380-CTR-000900,SRG-APP-000386-CTR-000920
diff --git a/applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml b/applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml
index 8e8b2ca47a69..cbb7dc2feb38 100644
--- a/applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml
+++ b/applications/openshift/registry/ocp_insecure_allowed_registries_for_import/rule.yml
@@ -30,7 +30,6 @@ identifiers:
 cce@ocp4: CCE-86235-9
 references:
- bsi: APP.4.4.A12
 cis@ocp4: '5.5.1'
 nist: CM-5(3)
 srg: SRG-APP-000014-CTR-000035
diff --git a/applications/openshift/registry/ocp_insecure_registries/rule.yml b/applications/openshift/registry/ocp_insecure_registries/rule.yml
index 9407e34646d8..955b671d2873 100644
--- a/applications/openshift/registry/ocp_insecure_registries/rule.yml
+++ b/applications/openshift/registry/ocp_insecure_registries/rule.yml
@@ -26,7 +26,6 @@ identifiers:
 cce@ocp4: CCE-86123-7
 references:
- bsi: APP.4.4.A12
 cis@ocp4: '5.5.1'
 nist: CM-5(3)
 srg: SRG-APP-000014-CTR-000035
diff --git a/applications/openshift/risk-assessment/scansetting_has_autoapplyremediations/rule.yml b/applications/openshift/risk-assessment/scansetting_has_autoapplyremediations/rule.yml
index 6d065facce26..cbcf36c1fdf7 100644
--- a/applications/openshift/risk-assessment/scansetting_has_autoapplyremediations/rule.yml
+++ b/applications/openshift/risk-assessment/scansetting_has_autoapplyremediations/rule.yml
@@ -26,9 +26,6 @@ ocil: |-
 filter will return at least one 'true'. Run the following jq query to identify the non-compliant scansettings objects:
oc get scansettings -ojson | jq -r '[.items[] | select(.autoApplyRemediation != "" or .autoApplyRemediation != null) | .metadata.name]'
-references:
- bsi: APP.4.4.A13
-
 severity: medium
 warnings:
diff --git a/applications/openshift/risk-assessment/scansettingbinding_exists/rule.yml b/applications/openshift/risk-assessment/scansettingbinding_exists/rule.yml
index a75346dc09ff..1f2b34c6e046 100644
--- a/applications/openshift/risk-assessment/scansettingbinding_exists/rule.yml
+++ b/applications/openshift/risk-assessment/scansettingbinding_exists/rule.yml
@@ -17,7 +17,6 @@ identifiers:
 cce@ocp4: CCE-83697-3
 references:
- bsi: APP.4.4.A13
 nerc-cip: CIP-003-8 R1.3,CIP-003-8 R4.3,CIP-003-8 R6,CIP-004-6 4.1,CIP-004-6 4.2,CIP-004-6 R3,CIP-004-6 R4,CIP-004-6 R4.2,CIP-005-6 R1,CIP-005-6 R1.1,CIP-005-6 R1.2,CIP-007-3 R3,CIP-007-3 R3.1,CIP-007-3 R6.1,CIP-007-3 R8.4
 nist: CM-6,CM-6(1),RA-5,RA-5(5),SA-4(8)
 pcidss: Req-2.2.4
diff --git a/applications/openshift/risk-assessment/scansettings_have_schedule/rule.yml b/applications/openshift/risk-assessment/scansettings_have_schedule/rule.yml
index df1248a4866f..0f9444ea4248 100644
--- a/applications/openshift/risk-assessment/scansettings_have_schedule/rule.yml
+++ b/applications/openshift/risk-assessment/scansettings_have_schedule/rule.yml
@@ -18,7 +18,6 @@ identifiers:
 cce@ocp4: CCE-90762-6
 references:
- bsi: APP.4.4.A13
 nist: SI-6(b)
 srg: SRG-APP-000473-CTR-001175
diff --git a/applications/openshift/scc/scc_limit_host_dir_volume_plugin/rule.yml b/applications/openshift/scc/scc_limit_host_dir_volume_plugin/rule.yml
index 7cf4a76a2f63..a647219e09f5 100644
--- a/applications/openshift/scc/scc_limit_host_dir_volume_plugin/rule.yml
+++ b/applications/openshift/scc/scc_limit_host_dir_volume_plugin/rule.yml
@@ -21,7 +21,6 @@ identifiers:
 cce@ocp4: CCE-86255-7
 references:
- bsi: APP.4.4.A4
 cis@ocp4: 5.2.12
 nist: AC-6,AC-6(1)
 srg: SRG-APP-000142-CTR-000330
diff --git a/applications/openshift/scc/scc_limit_ipc_namespace/rule.yml b/applications/openshift/scc/scc_limit_ipc_namespace/rule.yml
index e521a48e1ba2..4b4c512716de 100644
--- a/applications/openshift/scc/scc_limit_ipc_namespace/rule.yml
+++ b/applications/openshift/scc/scc_limit_ipc_namespace/rule.yml
@@ -21,7 +21,6 @@ identifiers:
 cce@ocp4: CCE-84042-1
 references:
- bsi: APP.4.4.A4
 cis@ocp4: 5.2.3
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/scc/scc_limit_net_raw_capability/rule.yml b/applications/openshift/scc/scc_limit_net_raw_capability/rule.yml
index ea964b23f46c..9404c6e54145 100644
--- a/applications/openshift/scc/scc_limit_net_raw_capability/rule.yml
+++ b/applications/openshift/scc/scc_limit_net_raw_capability/rule.yml
@@ -19,7 +19,6 @@ rationale: |-
 severity: medium
 references:
- bsi: APP.4.4.A4
 cis@ocp4: 5.2.7
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/scc/scc_limit_network_namespace/rule.yml b/applications/openshift/scc/scc_limit_network_namespace/rule.yml
index a2744d8021cb..91c795a992df 100644
--- a/applications/openshift/scc/scc_limit_network_namespace/rule.yml
+++ b/applications/openshift/scc/scc_limit_network_namespace/rule.yml
@@ -21,7 +21,6 @@ identifiers:
 cce@ocp4: CCE-83492-9
 references:
- bsi: APP.4.4.A4
 cis@ocp4: 5.2.4
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/scc/scc_limit_privileged_containers/rule.yml b/applications/openshift/scc/scc_limit_privileged_containers/rule.yml
index d4bcc2491c80..bd6c5e43072e 100644
--- a/applications/openshift/scc/scc_limit_privileged_containers/rule.yml
+++ b/applications/openshift/scc/scc_limit_privileged_containers/rule.yml
@@ -18,7 +18,6 @@ rationale: |-
 severity: medium
 references:
- bsi: APP.4.4.A4
 cis@ocp4: 5.2.1
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/scc/scc_limit_process_id_namespace/rule.yml b/applications/openshift/scc/scc_limit_process_id_namespace/rule.yml
index 272c58b177bb..44e38b05edfc 100644
--- a/applications/openshift/scc/scc_limit_process_id_namespace/rule.yml
+++ b/applications/openshift/scc/scc_limit_process_id_namespace/rule.yml
@@ -17,7 +17,6 @@ rationale: |-
 severity: medium
 references:
- bsi: APP.4.4.A4
 cis@ocp4: 5.2.2
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/applications/openshift/scc/scc_limit_root_containers/rule.yml b/applications/openshift/scc/scc_limit_root_containers/rule.yml
index b519f72c0e8c..df5727c4cd29 100644
--- a/applications/openshift/scc/scc_limit_root_containers/rule.yml
+++ b/applications/openshift/scc/scc_limit_root_containers/rule.yml
@@ -25,7 +25,6 @@ rationale: |-
 severity: medium
 references:
- bsi: APP.4.4.A4
 cis@ocp4: 5.2.6
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml
index 2382a4cff6a9..1641f348e255 100644
--- a/controls/bsi_app_4_4.yml
+++ b/controls/bsi_app_4_4.yml
@@ -18,6 +18,8 @@ levels:
 inherits_from:
 - standard
+reference_type: bsi
+
 controls:
 - id: APP.4.4.A1
 title: Planning the Separation of the Applications
diff --git a/linux_os/guide/system/selinux/coreos_enable_selinux_kernel_argument/rule.yml b/linux_os/guide/system/selinux/coreos_enable_selinux_kernel_argument/rule.yml
index 15804c10fa89..23972e5939d7 100644
--- a/linux_os/guide/system/selinux/coreos_enable_selinux_kernel_argument/rule.yml
+++ b/linux_os/guide/system/selinux/coreos_enable_selinux_kernel_argument/rule.yml
@@ -19,7 +19,6 @@ identifiers:
 cce@rhcos4: CCE-83899-5
 references:
- bsi: APP.4.4.A4
 cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9
 cobit5: APO01.06,APO11.04,APO13.01,BAI03.05,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.03,DSS06.06,MEA02.01
 cui: 3.1.2,3.7.2
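Review bot: The added `reference_type: bsi` in controls/bsi_app_4_4.yml presumably becomes the only source of BSI references, so each mapping deleted from a rule.yml in this commit survives only if that rule is listed under the matching control further down, and the `controls:` list continues outside this hunk, so that parity cannot be checked from here. Before merging, compare the generated references against the removed lines, for example `general_node_separation` under both APP.4.4.A14 and APP.4.4.A15, the three scansetting rules under APP.4.4.A13, and the two registry rules under APP.4.4.A12; a rule missing from the control file would silently drop out of BSI coverage reporting. The SELinux rules under linux_os/ deserve a separate look because they are shared with other products (`cce@sle15` is visible in the selinux_policytype hunk), and it is worth confirming the APP.4.4.A4 reference is still emitted where it is expected. I would also add a comment above the new key, `# bsi references are generated from this file; do not add bsi: entries to rule.yml`, so hand-written references are not reintroduced later.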
diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
index 6b2a7b48048a..1899fe422239 100644
--- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
@@ -35,7 +35,6 @@ identifiers:
 cce@sle15: CCE-91445-7
 references:
- bsi: APP.4.4.A4
 cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9
 cobit5: APO01.06,APO11.04,APO13.01,BAI03.05,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.03,DSS06.06,MEA02.01
 cui: 3.1.2,3.7.2
diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml
index fab00e74ad5a..7506764380ad 100644
--- a/linux_os/guide/system/selinux/selinux_state/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_state/rule.yml
@@ -28,7 +28,6 @@ identifiers:
 cce@sle15: CCE-91446-5
 references:
- bsi: APP.4.4.A4
 cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9
 cobit5: APO01.06,APO11.04,APO13.01,BAI03.05,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.03,DSS06.06,MEA02.01
 cui: 3.1.2,3.7.2