File: rule.yml

package info (click to toggle)
scap-security-guide 0.1.78-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (73 lines) | stat: -rw-r--r-- 2,845 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
 
documentation_complete: true


title: 'Disable basic-auth-file for the API Server'

{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
{{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
{{% set hypershift_path = '/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config' %}}
{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~  default_api_path ~ '{{end}}' %}}
{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~  default_jqfilter ~ '{{end}}' %}}
{{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}

description: |-
    Basic Authentication should not be used for any reason. If needed, edit API
    Edit the <tt>openshift-kube-apiserver</tt> configmap
    and remove the <tt>basic-auth-file</tt> parameter:
    <pre>
    "apiServerArguments":{
      ...
      "basic-auth-file":[
        "/path/to/any/file"
      ],
      ...
    </pre>

    Alternate authentication mechanisms such as tokens and certificates will need to be
    used. Username and password for basic authentication will be disabled.

rationale: |-
    Basic authentication uses plaintext credentials for authentication.
    Currently the basic authentication credentials last indefinitely, and
    the password cannot be changed without restarting the API Server. The
    Basic Authentication is currently supported for convenience and is
    not intended for production workloads.

identifiers:
  cce@ocp4: CCE-83936-5


severity: medium

references:
    cis@ocp4: 1.2.2
    nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
    nist: CM-6,CM-6(1)
    pcidss: Req-2.2
    srg: SRG-APP-000516-CTR-001325

platform: not ocp4-on-hypershift-hosted

ocil_clause: 'basic-auth-file is configured and enabled for the API server'

ocil: |-
    To verify that <tt>basic-auth-file</tt> is configured and enabled for the API server, run the following command:
    <pre>$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["basic-auth-file"]'</pre>
    The output should be empty as OpenShift does not support basic authentication at all.

warnings:
    - general: |-
        {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(8) }}}

template:
    name: yamlfile_value
    vars:
        ocp_data: "true"
        filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
        yamlpath: '.apiServerArguments[:]'
        check_existence: "none_exist"
        values:
            - key: 'basic-auth-file'
              type: "string"
              operation: "pattern match"