File: rule.yml

documentation_complete: true


title: 'Disable Use of the Insecure Bind Address'

# Build-time variables shared by the macros further down.  The jq filter
# pulls apiServerArguments out of the JSON stored under the configmap's
# config.yaml key; the API path is the kube-apiserver configmap itself.
{{% set default_jqfilter = '.data."config.yaml" | fromjson | .apiServerArguments' %}}
{{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
# HyperShift variant: the config lives in a per-cluster namespace, in the
# kas-config configmap, under a config.json key.  The single-brace
# placeholders are Go-template expressions evaluated by the consumer of the
# rendered rule, not by this build (they are inside quoted strings here).
{{% set hypershift_path = '/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config' %}}
{{% set hypershift_jqfilter = '.data."config.json" | fromjson | .apiServerArguments' %}}
# Runtime selection: a Go-template conditional on .hypershift_cluster picks the
# HyperShift path/filter, otherwise the defaults above.
{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~  default_api_path ~ '{{end}}' %}}
{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~  default_jqfilter ~ '{{end}}' %}}
# Comma-separated "path,filter,filter" string handed to
# openshift_filtered_cluster_setting in the warnings section.
{{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}

description: |-
    OpenShift should not bind to non-loopback insecure addresses.
    Edit the <tt>openshift-kube-apiserver</tt> configmap
    and remove the <tt>insecure-bind-address</tt> if it exists:
    <pre>
    "apiServerArguments":{
      ...
      "insecure-bind-address":[
        "127.0.0.1"
      ],
      ...
    </pre>

rationale: |-
    If the API Server is bound to an insecure address the installation would
    be susceptible to unauthenticated and unencrypted access to the master node(s).
    The API Server does not perform authentication checking for insecure
    binds and the traffic is generally not encrypted.

identifiers:
  cce@ocp4: CCE-83955-5

severity: medium

references:
    cis@ocp4: 1.2.16
    nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
    nist: CM-6,CM-6(1)
    pcidss: Req-2.2
    srg: SRG-APP-000516-CTR-001325

# NOTE(review): hosted (HyperShift) control planes are excluded here, yet the
# custom_api_path / custom_jqfilter variables near the top of the file still
# branch on .hypershift_cluster — confirm whether that branch is reachable
# for this rule or is dead configuration.
platform: not ocp4-on-hypershift-hosted

ocil_clause: 'insecure-bind-address exists and has not been removed'

# Manual verification.  The command reads only the default (non-HyperShift)
# configmap location.  NOTE(review): when the key is absent jq prints "null"
# rather than nothing, so "empty" below presumably means empty or null —
# confirm the expected-output wording.
ocil: |-
    Run the following command:
    <pre>$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["insecure-bind-address"]'</pre>
    The output should be empty.

# Renders a note explaining how the setting is collected from the cluster; the
# argument maps the runtime-selected API path to the comma-separated
# path/filter string (dump_path) defined at the top of the file.  The exact
# text comes from the shared macro — presumably the same wording used by the
# other OCP rules; verify in the rendered guide.
warnings:
- general: |-
    {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(4) }}}

# Automated check: yamlfile_value template run against data fetched from the
# cluster API.  NOTE(review): upstream kube-apiserver has deprecated and since
# removed insecure serving; confirm which OCP releases can still carry this
# argument so the check remains meaningful rather than trivially passing.
template:
  name: yamlfile_value
  vars:
    # Fetch the document via the OCP API instead of a local file — inferred
    # from the variable name, confirm against the template definition.
    ocp_data: "true"
    # The rule passes only when nothing matches: any entry under
    # apiServerArguments matching 'insecure-bind-address' is a finding,
    # whatever address it would bind to.
    check_existence: "none_exist"
    # Uses the default path/filter only; the HyperShift variants defined at
    # the top are not used by this check (the platform line excludes hosted
    # control planes).
    filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
    # NOTE(review): whether "[:]" yields the keys or the values of the
    # apiServerArguments mapping depends on the yamlpath engine — confirm the
    # pattern below is matched against the argument name.
    yamlpath: '.apiServerArguments[:]'
    values:
    - value: 'insecure-bind-address'
      operation: "pattern match"
      type: "string"