File: rule.yml

documentation_complete: true


title: 'Ensure all admission control plugins are enabled'

# Inputs for the admission-plugin check.  Both jq filters read
# apiServerArguments."disable-admission-plugins" from the kube-apiserver config and
# emit that value only when the key is present and the value is not exactly
# ["PodSecurity"]; an absent key, or a value of exactly ["PodSecurity"], yields an
# empty collection ([]).  The comparison is exact equality, so any other value --
# including an empty list -- is reported.
{{% set default_jqfilter = '[.data."config.yaml" | fromjson | .apiServerArguments | select(has("disable-admission-plugins")) | if ."disable-admission-plugins" != ["PodSecurity"] then ."disable-admission-plugins" else empty end]' %}}
# Standalone OCP: the kube-apiserver config is the "config" ConfigMap (key config.yaml).
{{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
# HyperShift hosted control plane: the "kas-config" ConfigMap in the hosted cluster's
# namespace, keyed config.json instead of config.yaml.  The .hypershift_* placeholders
# are not Jinja; NOTE(review): presumably they are filled in by the scanner at run
# time -- confirm against the compliance-operator documentation.
{{% set hypershift_path = '/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config' %}}
{{% set hypershift_jqfilter = '[.data."config.json" | fromjson | .apiServerArguments | select(has("disable-admission-plugins")) | if ."disable-admission-plugins" != ["PodSecurity"] then ."disable-admission-plugins" else empty end]' %}}
# Pick the HyperShift path/filter when a hypershift_cluster is set, otherwise the
# standalone ones.
{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~  default_api_path ~ '{{end}}' %}}
{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~  default_jqfilter ~ '{{end}}' %}}
# Dump specification handed to openshift_filtered_cluster_setting in the warnings
# section: path, default filter, runtime-selected filter.
{{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}


description: |-
    To make sure that no admission control plugins other than PodSecurity are explicitly
    disabled on the kube-apiserver, run the following command:
    <pre>$ oc -n openshift-kube-apiserver get configmap config -o json | jq -r '{{{ default_jqfilter }}}'</pre>
    and make sure the output is an empty array (<tt>[]</tt>). The filter reads the
    <tt>disable-admission-plugins</tt> entry of <tt>apiServerArguments</tt> and accepts only an
    absent entry or a value of exactly <tt>["PodSecurity"]</tt>; any other value is printed
    and the check fails.

rationale: |-
    Several hardening controls depend on certain API server admission plugins
    being enabled. Checking that no admission control plugins are explicitly
    disabled helps assert that all the critical admission control plugins are
    indeed enabled and providing the security benefits required. Note that this
    rule only inspects the <tt>disable-admission-plugins</tt> argument; it does
    not verify which plugins the API server has actually loaded.

identifiers:
  cce@ocp4: CCE-83799-7


severity: medium

references:
    cis@ocp4: 1.2.13,1.2.14,1.2.15,1.2.16,1.2.17
    nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
    nist: CM-6,CM-6(1)
    pcidss: Req-2.2
    srg: SRG-APP-000516-CTR-001325

platform: not ocp4-on-hypershift-hosted

ocil_clause: 'admission plugins other than PodSecurity are disabled'

ocil: |-
    To verify that no admission plugins other than PodSecurity are explicitly disabled, run the following command:
    <pre>$ oc -n openshift-kube-apiserver get configmap config -o json | jq -r '{{{ default_jqfilter }}}'</pre>
    The output should be an empty array (<tt>[]</tt>); any other output is the offending <tt>disable-admission-plugins</tt> value.

warnings:
- general: |-
    {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(4) }}}


template:
  name: yamlfile_value
  vars:
    # NOTE(review): presumably tells the template to evaluate fetched cluster data
    # rather than a file on the node -- confirm against the yamlfile_value template docs.
    ocp_data: "true"
    # API path plus jq filter for the standalone-OCP ConfigMap only, matching the
    # "not ocp4-on-hypershift-hosted" platform restriction above.  The filter yields
    # [] when nothing other than PodSecurity is disabled.
    filepath: |-
      {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
    # Iterate every element of the top-level array ...
    yamlpath: "[:]"
    # ... and pass only when no element exists, i.e. the filtered result is [].
    check_existence: "none_exist"
    entity_check: "all"
    values:
      # Any element, whatever its content, matches and therefore fails the rule.
      - value: "(.*?)"
        operation: "pattern match"