Merge branch 'ComplianceAsCode:master' into patch-1

ComplianceAsCode · Feb 23, 2024 · 5bc7067 · 5bc7067
2 parents ed7f4a7 + 9c496b1
commit 5bc7067
Show file tree

Hide file tree

Showing 946 changed files with 11,828 additions and 3,567 deletions.
diff --git a/.github/workflows/k8s-content-pr.yaml b/.github/workflows/k8s-content-pr.yaml
@@ -11,7 +11,7 @@ jobs:
     name: Get PR number
     runs-on: ubuntu-latest
     outputs:
-      pr-number: ${{ steps.read-pr-number.outputs.pr-number }}
+      pr-number: ${{ steps.pr_number.outputs.pr_number }}
     steps:
       - name: 'Download artifacts'
         uses: actions/github-script@v7
@@ -36,8 +36,9 @@ jobs:
       - name: 'Unzip artifact'
         run: unzip pr_number.zip
       - name: 'Read PR number'
+        id: pr_number
         run: |
-          echo "pr-number=$(cat pr/pr_number)" >> "$GITHUB_OUTPUT"
+          echo "pr_number=$(cat pr_number)" >> "$GITHUB_OUTPUT"
 
   container-main:
     needs: 
@@ -62,7 +63,7 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Docker metadata
@@ -101,16 +102,23 @@ jobs:
       - container-main
       - get-pr-number
     runs-on: ubuntu-latest
-    name: Comment on the PR
+    name: Upsert comment on the PR
     steps:
-      - uses: actions/github-script@v7
+      - uses: thollander/actions-comment-pull-request@v2
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            await github.rest.issues.createComment({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: ${{ needs.get-pr-number.outputs.pr-number }},
-              body: ':robot: The image for this PR is available at:
-            `ghcr.io/complianceascode/k8scontent:${{ needs.get-pr-number.outputs.pr-number }}`'
-            });
+          message: |
+            :robot: A k8s content image for this PR is available at:
+            `ghcr.io/complianceascode/k8scontent:${{ needs.get-pr-number.outputs.pr-number }}`
+
+            <details>
+            <summary>Click here to see how to deploy it</summary>
+
+            If you alread have Compliance Operator deployed:
+            ```utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:${{ needs.get-pr-number.outputs.pr-number }}```
+
+            Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
+            ```CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:${{ needs.get-pr-number.outputs.pr-number }} make deploy-local```
+
+            </details>
+          comment_tag: kubernetes_content_image
+          pr_number: ${{ needs.get-pr-number.outputs.pr-number }}
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -13,6 +13,10 @@ if(SSG_LOG)
     set(LOG_LEVEL "DEBUG")
 endif()
 
+if(NOT SSG_THIN_DS)
+    set(SSG_THIN_DS_RULE_ID "off")
+endif()
+
 project(scap-security-guide NONE)
 
 list(APPEND CMAKE_MODULE_PATH "${PROJECT_SOURCE_DIR}/cmake")
@@ -275,6 +279,7 @@ message(STATUS "Separate SCAP files: ${SSG_SEPARATE_SCAP_FILES_ENABLED}")
 message(STATUS "Ansible Playbooks: ${SSG_ANSIBLE_PLAYBOOKS_ENABLED}")
 message(STATUS "Ansible Playbooks Per Rule: ${SSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED}")
 message(STATUS "Bash scripts: ${SSG_BASH_SCRIPTS_ENABLED}")
+message(STATUS "Thin data streams: ${SSG_THIN_DS}")
 if(SSG_JINJA2_CACHE_ENABLED)
     message(STATUS "jinja2 cache: enabled")
     message(STATUS "jinja2 cache dir: ${SSG_JINJA2_CACHE_DIR}")

diff --git a/README.md b/README.md
@@ -65,8 +65,6 @@ We use an OpenControl-inspired YAML rule format for input. Write once and
 generate security content in XCCDF, Ansible, and others.
 
 ```YAML
-prodtype: rhel7
-
 title: 'Configure The Number of Allowed Simultaneous Requests'
 
 description: |-

diff --git a/applications/openshift/api-server/api_server_anonymous_auth/rule.yml b/applications/openshift/api-server/api_server_anonymous_auth/rule.yml
@@ -34,6 +34,7 @@ rationale: |-
 severity: medium
 
 references:
+    bsi: APP.4.4.A3
     cis@ocp4: 1.2.1
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

diff --git a/...cations/openshift/api-server/api_server_api_priority_flowschema_catch_all/oval/shared.xml b/...cations/openshift/api-server/api_server_api_priority_flowschema_catch_all/oval/shared.xml
@@ -1,11 +1,15 @@
 <def-group oval_version="5.11">
-  <definition class="compliance" id="api_server_api_priority_flowschema_catch_all" version="1">
-    {{{ oval_metadata("One of the flowschema versions should exist, but it doesn't matter which") }}}
-
-    <criteria operator="OR">
-      <extend_definition comment="flowschema v1alpha1" definition_ref="api_server_api_priority_v1alpha1_flowschema_catch_all" />
-      <extend_definition comment="flowschema v1beta1" definition_ref="api_server_api_priority_v1beta1_flowschema_catch_all" />
-      <extend_definition comment="flowschema v1beta2" definition_ref="api_server_api_priority_v1beta2_flowschema_catch_all" />
+  <definition class="compliance" id="api_server_api_priority_flowschema_catch_all" version="1"> {{{
+    oval_metadata("One of the flowschema versions should exist, but it doesn't matter which") }}} <criteria
+      operator="OR">
+      <extend_definition comment="flowschema v1alpha1"
+        definition_ref="api_server_api_priority_v1alpha1_flowschema_catch_all" />
+      <extend_definition comment="flowschema v1beta1"
+        definition_ref="api_server_api_priority_v1beta1_flowschema_catch_all" />
+      <extend_definition comment="flowschema v1beta2"
+        definition_ref="api_server_api_priority_v1beta2_flowschema_catch_all" />
+      <extend_definition comment="flowschema v1"
+        definition_ref="api_server_api_priority_v1_flowschema_catch_all" />
     </criteria>
 
   </definition>

diff --git a/applications/openshift/api-server/api_server_api_priority_flowschema_catch_all/rule.yml b/applications/openshift/api-server/api_server_api_priority_flowschema_catch_all/rule.yml
@@ -45,4 +45,4 @@ ocil: |-
 
 warnings:
     - general: |-
-        {{{ openshift_cluster_setting(["/apis/flowcontrol.apiserver.k8s.io/v1alpha1/flowschemas/catch-all", "/apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/catch-all", "/apis/flowcontrol.apiserver.k8s.io/v1beta2/flowschemas/catch-all"], true) | indent(8) }}}
+        {{{ openshift_cluster_setting(["/apis/flowcontrol.apiserver.k8s.io/v1alpha1/flowschemas/catch-all", "/apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/catch-all", "/apis/flowcontrol.apiserver.k8s.io/v1beta2/flowschemas/catch-all", "/apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/catch-all"], true) | indent(8) }}}
diff --git a/applications/openshift/api-server/api_server_api_priority_v1_flowschema_catch_all/rule.yml b/applications/openshift/api-server/api_server_api_priority_v1_flowschema_catch_all/rule.yml
@@ -0,0 +1,67 @@
+documentation_complete: true
+
+title: 'Ensure catch-all FlowSchema object for API Priority and Fairness Exists'
+
+description: |-
+  Using <tt>APIPriorityAndFairness</tt> feature provides a fine-grained way
+  to control the behaviour of the Kubernetes API server in an overload
+  situation. The well-known FlowSchema <tt>catch-all</tt> should be available
+  to make sure that every request gets some kind of classification. By default,
+  the <tt>catch-all</tt> priority level only allows one concurrency share and
+  does not queue requests. To inspect all the <tt>FlowSchema</tt> objects, run:
+  <pre>oc get flowschema</pre>
+  To inspect the well-known <tt>catch-all</tt> object, run the following:
+  <pre>oc describe flowschema catch-all</pre>
+
+rationale: |-
+  The <tt>FlowSchema</tt> API objects enforce a limit on the
+  number of events that the API Server will accept in a given time slice
+  In a large multi-tenant cluster, there might be a small percentage of
+  misbehaving tenants which could have a significant impact on the
+  performance of the cluster overall. It is recommended to limit the rate
+  of events that the API Server will accept.
+
+identifiers:
+  cce@ocp4: CCE-86097-3
+
+platforms:
+  - ocp4.16
+
+severity: medium
+
+references:
+  cis@ocp4: 1.2.10
+  nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
+  nist: CM-6,CM-6(1)
+  pcidss: Req-2.2
+  srg: SRG-APP-000516-CTR-001325
+
+ocil_clause: 'A FlowSchema object <tt>catch-all</tt> exists'
+
+ocil: |-
+  Run the following commands:
+  <pre>oc get flowschema</pre>
+  and inspect the FlowSchema objects. Make sure that at least the <tt>catch-all</tt>
+  object exists by calling:
+  <pre>oc describe flowschema catch-all</pre>
+
+warnings:
+- general: |-
+    {{{ openshift_cluster_setting("/apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/catch-all", true) | indent(4) }}}
+- dependency: |-
+    Note that this is only applicable in OpenShift Container Platform version 4.16
+    and higher
+
+template:
+  name: yamlfile_value
+  vars:
+    ocp_data: "true"
+    filepath: "/apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/catch-all"
+    yamlpath: '.spec.rules[0].subjects[:].group["name"]'
+    check_existence: "at_least_one_exists"
+    entity_check: "at least one"
+    values:
+      - value: "system:authenticated"
+        operation: "pattern match"
+        check_existence: "at_least_one_exists"
+        entity_check: "at least one"
diff --git a/.../openshift/api-server/api_server_api_priority_v1_flowschema_catch_all/tests/ocp4/4.16.yml b/.../openshift/api-server/api_server_api_priority_v1_flowschema_catch_all/tests/ocp4/4.16.yml
@@ -0,0 +1,3 @@
+---
+default_result: PASS
+
diff --git a/...ations/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/rule.yml b/...ations/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/rule.yml
@@ -26,7 +26,7 @@ identifiers:
   cce@ocp4: CCE-86390-2
 
 platforms:
-  - ocp4.11 or ocp4.12 or ocp4.13
+  - ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15
 
 severity: medium
 

diff --git a/...shift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/tests/ocp4/4.14.yml b/...shift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/tests/ocp4/4.14.yml
@@ -0,0 +1,3 @@
+---
+default_result: PASS
+
diff --git a/...shift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/tests/ocp4/4.15.yml b/...shift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/tests/ocp4/4.15.yml
@@ -0,0 +1,3 @@
+---
+default_result: PASS
+
diff --git a/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml b/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml
@@ -34,7 +34,7 @@ identifiers:
   cce@ocp4: CCE-84080-1
 
 platforms:
-  - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13) and not ocp4-on-hypershift-hosted
+  - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16) and not ocp4-on-hypershift-hosted
 
 severity: high
 

diff --git a/applications/openshift/api-server/api_server_kubelet_client_key/rule.yml b/applications/openshift/api-server/api_server_kubelet_client_key/rule.yml
@@ -34,7 +34,7 @@ identifiers:
   cce@ocp4: CCE-83591-8
 
 platforms:
-  - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13) and not ocp4-on-hypershift-hosted
+  - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16) and not ocp4-on-hypershift-hosted
 
 severity: high
 

diff --git a/...ications/openshift/authentication/oauth_or_oauthclient_token_maxage/kubernetes/shared.yml b/...ications/openshift/authentication/oauth_or_oauthclient_token_maxage/kubernetes/shared.yml
@@ -5,4 +5,4 @@ metadata:
   name: cluster
 spec:
   tokenConfig:
-    accessTokenMaxAgeSeconds: 28800
+    accessTokenMaxAgeSeconds: {{.var_oauth_token_maxage}}
diff --git a/applications/openshift/authentication/oauth_or_oauthclient_token_maxage/rule.yml b/applications/openshift/authentication/oauth_or_oauthclient_token_maxage/rule.yml
@@ -51,6 +51,7 @@ rationale: |-
 
 references:
   nist: AC-12
+  srg: SRG-APP-000400-CTR-000960
 
 identifiers:
     cce@ocp4: CCE-84162-7

diff --git a/applications/openshift/authentication/oauth_token_maxage/rule.yml b/applications/openshift/authentication/oauth_token_maxage/rule.yml
@@ -68,6 +68,4 @@ template:
         filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
         yamlpath: ".tokenConfig.accessTokenMaxAgeSeconds"
         check_existence: "only_one_exists"
-        values:
-          - value: ".*"
-            operation: "pattern match"
+        xccdf_variable: var_oauth_token_maxage
diff --git a/applications/openshift/authentication/oauthclient_token_maxage/rule.yml b/applications/openshift/authentication/oauthclient_token_maxage/rule.yml
@@ -63,6 +63,4 @@ template:
         check_existence_yamlpath: ".items[:].grantMethod"
         check_existence: "all_exist"
         entity_check: "all"
-        values:
-            - value: ".*"
-              operation: "pattern match"
+        xccdf_variable: var_oauth_token_maxage
diff --git a/applications/openshift/authentication/var_oauth_token_maxage.var b/applications/openshift/authentication/var_oauth_token_maxage.var
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'OAuth Token Maximum Age'
+
+description: 'Enter OAuth Token Maximum Age Timeout'
+
+type: number
+
+operator: equals
+
+interactive: true
+
+options:
+    default: 86400
+    24h: 86400
+    8h: 28800
diff --git a/applications/openshift/general/kubeadmin_removed/rule.yml b/applications/openshift/general/kubeadmin_removed/rule.yml
@@ -22,6 +22,7 @@ identifiers:
   cce@ocp4: CCE-90387-2
 
 references:
+  bsi: APP.4.4.A3
   cis@ocp4: 3.1.1,5.1.1
   nerc-cip: CIP-004-6 R2.2.2,CIP-004-6 R2.2.3,CIP-007-3 R.1.3,CIP-007-3 R2,CIP-007-3 R5,CIP-007-3 R5.1.1,CIP-007-3 R5.1.3,CIP-007-3 R5.2.1,CIP-007-3 R5.2.3,CIP-007-3 R6.1,CIP-007-3 R6.2,CIP-007-3 R6.3,CIP-007-3 R6.4
   nist: AC-2(2),AC-2(7),AC-2(9),AC-2(10),AC-12(1),IA-2(5),MA-4,SC-12(1)

diff --git a/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml b/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml
@@ -35,6 +35,7 @@ rationale: |-
 severity: medium
 
 references:
+    bsi: APP.4.4.A3
     cis@eks: 3.2.1
     cis@ocp4: 4.2.2
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1

diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml
@@ -27,7 +27,7 @@ identifiers:
     cce@ocp4: CCE-83396-2
 
 platforms:
-  - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13) and not ocp4-on-hypershift-hosted
+  - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16) and not ocp4-on-hypershift-hosted
 
 references:
     cis@ocp4: 4.2.9

diff --git a/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml
@@ -27,7 +27,7 @@ identifiers:
     cce@ocp4: CCE-90614-9
 
 platforms:
-  - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13) and not ocp4-on-hypershift-hosted
+  - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16) and not ocp4-on-hypershift-hosted
 
 references:
     cis@ocp4: 4.2.9

diff --git a/applications/openshift/logging/audit_profile_set/rule.yml b/applications/openshift/logging/audit_profile_set/rule.yml
@@ -57,7 +57,6 @@ references:
   nerc-cip: CIP-003-8 R4,CIP-003-8 R4.1,CIP-003-8 R4.2,CIP-003-8 R5.2,CIP-003-8 R6,CIP-004-6 R2.2.2,CIP-004-6 R2.2.3,CIP-004-6 R3.3,CIP-007-3 R.1.3,CIP-007-3 R5,CIP-007-3 R5.1.1,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3,CIP-007-3 R6.5
   nist: AU-2,AU-3,AU-3(1),AU-6,AU-6(1),AU-7,AU-7(1),AU-8,AU-8(1),AU-9,AU-12,AU-12(1),AU-12(3),CM-5(1),SI-11,SI-12,SI-4(20),SI-4(23)
   pcidss: Req-2.2,Req-12.5.5
-  pcidss4: '10.2.2'
   srg: SRG-APP-000089-CTR-000150,SRG-APP-000090-CTR-000155,SRG-APP-000101-CTR-000205
 
 ocil_clause: 'The proper audit profile is not set'

diff --git a/applications/openshift/rbac/rbac_least_privilege/rule.yml b/applications/openshift/rbac/rbac_least_privilege/rule.yml
@@ -26,6 +26,7 @@ identifiers:
   cce@ocp4: CCE-90678-4
 
 references:
+    bsi: APP.4.4.A3
     cis@ocp4: 5.2.10
     nist: AC-3,CM-5(6),IA-2,IA-2(5),AC-6(10),CM-11(2),CM-5(1),CM-7(5)(b)
     srg: SRG-APP-000033-CTR-000090,SRG-APP-000033-CTR-000095,SRG-APP-000033-CTR-000100,SRG-APP-000133-CTR-000290,SRG-APP-000133-CTR-000295,SRG-APP-000133-CTR-000300,SRG-APP-000133-CTR-000305,SRG-APP-000133-CTR-000310,SRG-APP-000148-CTR-000350,SRG-APP-000153-CTR-000375,SRG-APP-000340-CTR-000770,SRG-APP-000378-CTR-000880,SRG-APP-000378-CTR-000885,SRG-APP-000378-CTR-000890,SRG-APP-000380-CTR-000900,SRG-APP-000386-CTR-000920

diff --git a/...penshift/risk-assessment/container_security_operator_exists/tests/ocp4/e2e-remediation.sh b/...penshift/risk-assessment/container_security_operator_exists/tests/ocp4/e2e-remediation.sh
@@ -14,3 +14,8 @@ done
 echo "waiting for container-security-operator deployment to be ready"
 oc wait -nopenshift-operators --for=condition=Available  --timeout=300s \
     deployment/container-security-operator
+
+echo "waiting the subscription to have .status.installedCSV"
+while [ -z "$(oc get subscription container-security-operator -nopenshift-operators -o jsonpath='{.status.installedCSV}')" ]; do
+    sleep 3
+done
diff --git a/applications/openshift/scc/scc_limit_host_dir_volume_plugin/rule.yml b/applications/openshift/scc/scc_limit_host_dir_volume_plugin/rule.yml
@@ -21,6 +21,7 @@ identifiers:
   cce@ocp4: CCE-86255-7
 
 references:
+    bsi: APP.4.4.A4
     cis@ocp4: 5.2.12
     nist: AC-6,AC-6(1)
     srg: SRG-APP-000142-CTR-000330

diff --git a/applications/openshift/scc/scc_limit_ipc_namespace/rule.yml b/applications/openshift/scc/scc_limit_ipc_namespace/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@ocp4: CCE-84042-1
 
 references:
+    bsi: APP.4.4.A4
     cis@ocp4: 5.2.3
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

diff --git a/applications/openshift/scc/scc_limit_net_raw_capability/rule.yml b/applications/openshift/scc/scc_limit_net_raw_capability/rule.yml
@@ -19,6 +19,7 @@ rationale: |-
 severity: medium
 
 references:
+    bsi: APP.4.4.A4
     cis@ocp4: 5.2.7
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

diff --git a/applications/openshift/scc/scc_limit_network_namespace/rule.yml b/applications/openshift/scc/scc_limit_network_namespace/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@ocp4: CCE-83492-9
 
 references:
+    bsi: APP.4.4.A4
     cis@ocp4: 5.2.4
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

diff --git a/applications/openshift/scc/scc_limit_privileged_containers/rule.yml b/applications/openshift/scc/scc_limit_privileged_containers/rule.yml
@@ -18,6 +18,7 @@ rationale: |-
 severity: medium
 
 references:
+    bsi: APP.4.4.A4
     cis@ocp4: 5.2.1
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

diff --git a/applications/openshift/scc/scc_limit_process_id_namespace/rule.yml b/applications/openshift/scc/scc_limit_process_id_namespace/rule.yml
@@ -17,6 +17,7 @@ rationale: |-
 severity: medium
 
 references:
+    bsi: APP.4.4.A4
     cis@ocp4: 5.2.2
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

diff --git a/applications/openshift/scc/scc_limit_root_containers/rule.yml b/applications/openshift/scc/scc_limit_root_containers/rule.yml
@@ -25,6 +25,7 @@ rationale: |-
 severity: medium
 
 references:
+    bsi: APP.4.4.A4
     cis@ocp4: 5.2.6
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)