File: rule.yml

package info (click to toggle)
scap-security-guide 0.1.78-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (71 lines) | stat: -rw-r--r-- 2,784 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
 
documentation_complete: true


title: 'Configure the etcd Certificate Key for the API Server'

{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
{{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
{{% set hypershift_path = '/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config' %}}
{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~  default_api_path ~ '{{end}}' %}}
{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~  default_jqfilter ~ '{{end}}' %}}
{{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}

description: |-
    To ensure etcd is configured to make use of TLS encryption for client
    communications, follow the OpenShift documentation and setup the TLS
    connection between the API Server and etcd. Then, verify
    that <tt>apiServerArguments</tt> has the <tt>etcd-keyfile</tt> configured in
    the <tt>openshift-kube-apiserver</tt> configmap to something similar to:
    <pre>
    ...
    "etcd-keyfile": [
        "/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"
    ],
    ...
    </pre>

rationale: |-
    etcd is a highly-available key-value store used by OpenShift deployments
    for persistent storage of all REST API objects. These objects are sensitive
    in nature and should be protected by client authentication. This requires the
    API Server to identify itself to the etcd server using a client certificate
    and key.

identifiers:
  cce@ocp4: CCE-83546-2


severity: medium

references:
    cis@ocp4: 1.2.27
    nerc-cip: CIP-003-8 R4.2,CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R5.1,CIP-007-3 R6.1
    nist: CM-6,CM-6(1),SC-8,SC-8(1)
    pcidss: Req-2.2,Req-2.2.3,Req-2.3
    srg: SRG-APP-000516-CTR-001325

platform: not ocp4-on-hypershift-hosted

ocil_clause: '<tt>keyFile</tt> does not exist or is not configured to valid certificates'

ocil: |-
    Run the following command:
    <pre>$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments."etcd-keyfile"'</pre>
    The output should return a configured certificate key file.

warnings:
- general: |-
    {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(4) }}}

template:
  name: yamlfile_value
  vars:
    ocp_data: "true"
    entity_check: "all"
    filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
    yamlpath: '.apiServerArguments["etcd-keyfile"][:]'
    values:
     - value: '.*\.key'
       operation: "pattern match"
       type: "string"