File: rule.yml

package info (click to toggle)
scap-security-guide 0.1.78-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (71 lines) | stat: -rw-r--r-- 2,954 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
 
documentation_complete: true


title: 'Configure the API Server Minimum Request Timeout'

{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
{{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
{{% set hypershift_path = '/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config' %}}
{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~  default_api_path ~ '{{end}}' %}}
{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~  default_jqfilter ~ '{{end}}' %}}
{{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}

description: |-
    The API server minimum request timeout defines the minimum number of
    seconds a handler must keep a request open before timing it out. To set this,
    edit the <tt>openshift-kube-apiserver</tt> configmap and set
    <tt>min-request-timeout</tt> under the <tt>apiServerArguments</tt> field:
    <pre>
    "apiServerArguments":{
      ...
      "min-request-timeout":[
        {{{ xccdf_value("var_api_min_request_timeout") }}}
      ],
      ...
    </pre>

rationale: |-
    Setting global request timeout allows extending the API Server request
    timeout limit to a duration appropriate to the user's connection speed.  By
    default, it is set to 1800 seconds which might not be suitable for some
    environments. Setting the limit too low may result in excessive timeouts,
    and a limit that is too large may exhaust the API Server resources making
    it prone to Denial-of-Service attack. It is recommended to set this limit
    as appropriate and change the default limit of 1800 seconds only if needed.

severity: medium

references:
    cis@ocp4: 1.2.24
    nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
    nist: CM-6,CM-6(1)
    pcidss: Req-2.2
    srg: SRG-APP-000516-CTR-001325

platform: not ocp4-on-hypershift-hosted

ocil_clause: '<tt>min-request-timeout</tt> is not set or is not set to an appropriate value'

ocil: |-
    Run the following command:
    <pre>$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["min-request-timeout"]'</pre>
    The output should return <pre>{{ .var_api_min_request_timeout }}</pre>.

warnings:
- general: |-
    {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(4) }}}

template:
  name: yamlfile_value
  vars:
    ocp_data: "true"
    entity_check: "at least one"
    filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
    yamlpath: '.apiServerArguments["min-request-timeout"][:]'
    xccdf_variable: var_api_min_request_timeout
    embedded_data: "true"
    values:
    - value: '(\d*)'
      operation: "pattern match"
      type: "string"