File: rule.yml

documentation_complete: true


title: Ensure that the bindAddress is set to a relevant secure port

# Jinja-set variables that pick the kube-apiserver configuration source.
# The hypershift_* variants are selected when .hypershift_cluster is not
# "None"; otherwise the default configmap path and its config.yaml filter
# are used (see custom_api_path / custom_jqfilter below).
{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
{{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
{{% set hypershift_path = '/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config' %}}
{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~  default_api_path ~ '{{end}}' %}}
{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~  default_jqfilter ~ '{{end}}' %}}
# dump_path concatenates the default path, the default filter and the
# conditional filter; it is only consumed by the warning below.
{{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}

description: "The bindAddress is set by default to <tt>0.0.0.0:6443</tt>, and listening with TLS enabled."

rationale: |-
  The OpenShift API server is served over HTTPS with authentication and authorization;
  the secure API endpoint is bound to <tt>0.0.0.0:6443</tt> by default. In OpenShift, the only
  supported way to access the API server pod is through the load balancer and then through
  the internal service.  The value is set by the bindAddress argument under the servingInfo
  parameter.

identifiers:
  cce@ocp4: CCE-83646-0

severity: low

# NOTE(review): this mapping is indented with 4 spaces while the rest of the
# file uses 2; valid YAML, but inconsistent with the surrounding stanzas.
references:
    cis@ocp4: 1.2.18
    nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
    nist: CM-6,CM-6(1)
    pcidss: Req-2.2,Req-2.2.3,Req-2.3
    srg: SRG-APP-000516-CTR-001325

# The rule is not applied on hypershift-hosted clusters, even though the
# hypershift_* paths above are still folded into custom_api_path / dump_path.
platform: not ocp4-on-hypershift-hosted

ocil_clause: '<tt>bindAddress</tt> allows unsecure connections'

# Manual check. It queries only the default (openshift-kube-apiserver)
# configmap, i.e. the non-hypershift path defined above.
ocil: |-
    Run the following command:
    <pre>oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.servingInfo["bindAddress"]'</pre>
    The output should return <pre>0.0.0.0:6443</pre>.

warnings:
- general: |-
    {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(4) }}}

# Automated check via the yamlfile_value template.
template:
  name: yamlfile_value
  vars:
    ocp_data: "true"
    entity_check: "all"
    # Unlike the warning above, the checked file is derived from the
    # default path and filter only (no hypershift variant).
    filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
    yamlpath: '.servingInfo["bindAddress"]'
    xccdf_variable: var_apiserver_bind_address
    embedded_data: "true"
    # NOTE(review): the pattern '(.+)' matches any non-empty string, while
    # the description and OCIL text expect 0.0.0.0:6443; the effective
    # expected value presumably comes from var_apiserver_bind_address.
    # Confirm against the template which of the two is enforced.
    values:
    - value: '(.+)'
      operation: "pattern match"
      type: "string"