File: rule.yml

Package: scap-security-guide 0.1.78-1
documentation_complete: true


title: 'Configure the Encryption Provider Cipher'

{{% set default_jqfilter = '[.spec.encryption.type]' %}}
{{% set default_api_path = '/apis/config.openshift.io/v1/apiservers/cluster' %}}
{{% set hypershift_path = '/apis/hypershift.openshift.io/v1beta1/namespaces/{{.hypershift_namespace_prefix}}/hostedclusters/{{.hypershift_cluster}}' %}}
{{% set hypershift_jqfilter = '[.spec.secretEncryption.type]' %}}
{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~  default_api_path ~ '{{end}}' %}}
{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~  default_jqfilter ~ '{{end}}' %}}
{{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}

description: |-
    <p>
    When you enable etcd encryption, the following OpenShift API server
    and Kubernetes API server resources are encrypted:
    <ul>
      <li>Secrets</li>
      <li>ConfigMaps</li>
      <li>Routes</li>
      <li>OAuth access tokens</li>
      <li>OAuth authorize tokens</li>
    </ul>
    </p>
    <p>
    When you enable etcd encryption, encryption keys are created. These
    keys are rotated on a weekly basis. You must have these keys in order
    to restore from an etcd backup.
    </p>
    <p>
    To ensure the correct cipher, set the encryption type to <tt>aescbc</tt> or
    <tt>aesgcm</tt> in the <tt>apiserver</tt> object which configures the API
    server itself.
    <pre>
    spec:
      encryption:
        type: aescbc
    </pre>
    </p>
    <p>
    For more information, follow
    {{{ weblink(link="https://docs.openshift.com/container-platform/latest/security/encrypting-etcd.html",
                text="the relevant documentation") }}}.
    </p>

rationale: |-
    etcd is a highly available key-value store used by OpenShift deployments
    for persistent storage of all REST API objects. These objects are
    sensitive in nature and should be encrypted at rest to avoid any
    disclosures. Where etcd encryption is used, it is important to ensure that the
    appropriate set of encryption providers is used. Currently, <tt>aescbc</tt>
    and <tt>aesgcm</tt> are the only encrypting types supported by OCP; the
    <tt>identity</tt> type (the default when nothing is configured) stores the
    data unencrypted.

identifiers:
  cce@ocp4: CCE-83585-0

severity: medium

references:
    cis@ocp4: 1.2.31,2.8
    nerc-cip: CIP-003-8 R4.2
    nist: SC-28,SC-28(1)
    pcidss: Req-2.2
    srg: SRG-APP-000429-CTR-001060

platform: not ocp4-on-hypershift-hosted

ocil_clause: '<tt>aescbc</tt> or <tt>aesgcm</tt> is not configured as the encryption provider'

ocil: |-
    OpenShift supports encryption of data at rest in the etcd datastore, but it is
    up to the customer to configure it. The aescbc and aesgcm ciphers are
    available for use within OpenShift. Keys are stored on the filesystem of
    the master nodes and automatically rotated. Run the following command to review
    the Encrypted status condition for the OpenShift API server to verify that its
    resources were successfully encrypted:
    <pre>
    # review the Encrypted status condition of the OpenShift API server
    $ oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.status}{"\n"}{.reason}{"\n"}{.message}{"\n"}{end}'
    </pre>
    The output shows <tt>EncryptionCompleted</tt> upon successful encryption.
    If the output shows <tt>EncryptionInProgress</tt>, encryption is still in
    progress. Wait a few minutes and try again.
    To display the encryption configured, run the following command:
    <pre>$ oc get --raw {{.var_apiserver_encryption_path}} | jq {{.var_apiserver_encryption_filter}} </pre>
    If the output does not list <tt>aescbc</tt> or <tt>aesgcm</tt>, the encryption is not configured correctly.

warnings:
- general: |-
    {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(4) }}}

template:
  name: yamlfile_value
  vars:
    ocp_data: "true"
    entity_check: "all"
    filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
    yamlpath: "[:]"
    check_existence: "at_least_one_exists"
    values:
        # aesgcm is only available on OpenShift 4.13 and newer, but the check
        # accepts it unconditionally: older versions cannot set the encryption
        # provider type to aesgcm at all, so matching it there is harmless, and
        # the rule does not need a separate check keyed on the OpenShift
        # version CPE.
        - value: "aescbc|aesgcm"
          type: "string"
          operation: "pattern match"
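The two checks the rule describes (the provider type read through the rule's jq filters, and the <tt>Encrypted</tt> status condition read through the ocil jsonpath), re-implemented offline as an added example. This is not code from scap-security-guide or OpenShift; the JSON objects are constructed by hand in the shape of what <tt>oc get --raw &lt;path&gt;</tt> and <tt>oc get openshiftapiserver -o json</tt> return, and only the fields the rule actually touches are meaningful.

```python
"""Offline re-implementation of this rule's two checks:
  1. the configured encryption provider type is aescbc or aesgcm
     (jq filter '[.spec.encryption.type]', or '[.spec.secretEncryption.type]'
     on a HyperShift HostedCluster);
  2. the OpenShift API server's 'Encrypted' condition reports EncryptionCompleted.

Added example, not part of scap-security-guide or OpenShift. All sample
objects below are constructed by hand, not captured from a cluster.
"""
import re

# The rule's value pattern. Anchored here so a value such as "aescbc-extra"
# can never match; the rule's own "pattern match" operation is a plain regex
# search, so the anchoring is a deliberate tightening in this example.
ACCEPTED_CIPHER = re.compile(r"^(aescbc|aesgcm)$")


def encryption_type(obj, hypershift=False):
    """Return the configured provider type, or None when it was never set."""
    spec = obj.get("spec") or {}
    block = spec.get("secretEncryption" if hypershift else "encryption") or {}
    return block.get("type") or None


def cipher_is_compliant(obj, hypershift=False):
    """True only for an encrypting provider. 'identity', or an unset type
    (the default), means objects are written to etcd in the clear."""
    t = encryption_type(obj, hypershift)
    return t is not None and ACCEPTED_CIPHER.match(t) is not None


def encrypted_condition(openshiftapiserver_list):
    """Same selection as the ocil jsonpath: the 'Encrypted' condition of the
    first openshiftapiserver item, returned as (status, reason, message)."""
    items = openshiftapiserver_list.get("items") or []
    if not items:
        return None
    for cond in (items[0].get("status") or {}).get("conditions") or []:
        if cond.get("type") == "Encrypted":
            return (cond.get("status"), cond.get("reason"), cond.get("message"))
    return None


def encryption_complete(openshiftapiserver_list):
    """EncryptionInProgress (or a missing condition) is not a pass."""
    cond = encrypted_condition(openshiftapiserver_list)
    return cond is not None and cond[1] == "EncryptionCompleted"


def evaluate(apiserver_obj, openshiftapiserver_list, hypershift=False):
    """Combined verdict: correct provider configured AND rollout finished."""
    cipher_ok = cipher_is_compliant(apiserver_obj, hypershift)
    cond = encrypted_condition(openshiftapiserver_list)
    return {
        "type": encryption_type(apiserver_obj, hypershift),
        "cipher_ok": cipher_ok,
        "reason": cond[1] if cond else None,
        "pass": cipher_ok and encryption_complete(openshiftapiserver_list),
    }


# --- constructed sample objects (hand-written for this example) ---
APISERVER_AESCBC = {"apiVersion": "config.openshift.io/v1", "kind": "APIServer",
                    "metadata": {"name": "cluster"},
                    "spec": {"encryption": {"type": "aescbc"}}}
APISERVER_IDENTITY = {"spec": {"encryption": {"type": "identity"}}}
APISERVER_DEFAULT = {"spec": {}}  # encryption never configured
HOSTEDCLUSTER_OK = {"spec": {"secretEncryption": {"type": "aescbc"}}}
OSAPI_DONE = {"items": [{"status": {"conditions": [
    {"type": "Encrypted", "status": "True", "reason": "EncryptionCompleted",
     "message": "All resources encrypted: routes.route.openshift.io"}]}}]}
OSAPI_IN_PROGRESS = {"items": [{"status": {"conditions": [
    {"type": "Encrypted", "status": "False", "reason": "EncryptionInProgress",
     "message": "Resources being encrypted: routes.route.openshift.io"}]}}]}

if __name__ == "__main__":
    for label, obj in [("aescbc", APISERVER_AESCBC),
                       ("identity", APISERVER_IDENTITY),
                       ("default", APISERVER_DEFAULT)]:
        print(label, evaluate(obj, OSAPI_DONE))
    print("hosted", evaluate(HOSTEDCLUSTER_OK, OSAPI_IN_PROGRESS, hypershift=True))
```

On a live cluster the inputs would come from <tt>oc get --raw /apis/config.openshift.io/v1/apiservers/cluster</tt> (or the HostedCluster path for HyperShift) and <tt>oc get openshiftapiserver -o json</tt>; the point of the split verdict is that a correctly set provider type with <tt>EncryptionInProgress</tt> is not yet a pass, which the template's value check alone does not capture.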