File: rule.yml

package info (click to toggle)
scap-security-guide 0.1.78-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (66 lines) | stat: -rw-r--r-- 3,006 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
 
documentation_complete: true


title: 'Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used'

{{% set default_jqfilter = '[.data."config.yaml" | fromjson]' %}}
{{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
{{% set hypershift_path = '/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config' %}}
{{% set hypershift_jqfilter = '[.data."config.json" | fromjson]' %}}
{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~  default_api_path ~ '{{end}}' %}}
{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~  default_jqfilter ~ '{{end}}' %}}
{{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}

description: |-
    Instead of using a customized SecurityContext for pods, a Pod Security
    Policy (PSP) or a SecurityContextConstraint should be used. These are
    cluster-level resources that control the actions that a pod can perform
    and what resource the pod may access. The <tt>SecurityContextDeny</tt>
    disallows folks from setting a pod's <tt>securityContext</tt> fields.
    Ensure that the list of admission controllers does not include
    SecurityContextDeny:
    <pre>$ oc -n openshift-kube-apiserver get configmap config -o json | jq -r '.data."config.yaml"' | jq '.apiServerArguments."enable-admission-plugins"' </pre>

rationale: |-
    The <tt>SecurityContextDeny</tt> admission control plugin disallows
    setting any security options for your pods. <tt>SecurityContextConstraints</tt>
    allow you to enforce RBAC rules on who can set these options on the pods, and
    what they're allowed to set. Thus, using the <tt>SecurityContextDeny</tt>
    will deter you from enforcing granular permissions on your pods.

identifiers:
  cce@ocp4: CCE-83586-8


severity: medium

references:
    cis@ocp4: 1.2.13
    nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
    nist: CM-6,CM-6(1)
    pcidss: Req-2.2
    srg: SRG-APP-000516-CTR-001325

platform: not ocp4-on-hypershift-hosted

ocil_clause: |-
    '<tt>enable-admission-plugins</tt>does not contain <tt>SecurityContextDeny</tt>'

ocil: |-
    The SecurityContextDeny plugin should not be enabled in the list of enabled plugins in the apiserver configuration:
    <pre>$ oc -n openshift-kube-apiserver get configmap config -o json | jq -r '.data."config.yaml"' | jq '.apiServerArguments."enable-admission-plugins"' </pre>

warnings:
- general: |-
    {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(4) }}}

template:
  name: yamlfile_value
  vars:
    ocp_data: "true"
    check_existence: "none_exist"
    filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
    yamlpath: '.apiServerArguments["enable-admission-plugins"][:]'
    values:
    - value: '^SecurityContextDeny$'
      operation: "pattern match"