File: rule.yml

package info (click to toggle)
scap-security-guide 0.1.78-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (62 lines) | stat: -rw-r--r-- 2,352 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
 
documentation_complete: true


title: Ensure that the service-account-lookup argument is set to true

{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
{{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
{{% set hypershift_path = '/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config' %}}
{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~  default_api_path ~ '{{end}}' %}}
{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~  default_jqfilter ~ '{{end}}' %}}
{{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}

description: Validate service account before validating token.

rationale: |-
  If <tt>service-account-lookup</tt> is not enabled, the apiserver
  only verifies that the authentication token is valid, and
  does not validate that the service account token mentioned
  in the request is actually present in etcd. This allows
  using a service account token even after the corresponding
  service account is deleted. This is an example of time of
  check to time of use security issue.

identifiers:
  cce@ocp4: CCE-83370-7

severity: medium

references:
  cis@ocp4: 1.2.25
  nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
  nist: CM-6,CM-6(1)
  pcidss: Req-2.2
  srg: SRG-APP-000516-CTR-001325

platform: not ocp4-on-hypershift-hosted

ocil_clause: 'API server argument <tt>--service-account-lookup</tt> contains <tt>true</tt>'

ocil: |-
  Run the following command:
  <pre>$ oc get configmap config -n openshift-kube-apiserver -o json | \
      jq -r '.data["config.yaml"]' | \
      jq -r '.apiServerArguments["service-account-lookup"]'</pre>
  The output should return <pre>true</pre>.

warnings:
- general: |-
    {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(4) }}}

template:
  name: yamlfile_value
  vars:
    ocp_data: "true"
    entity_check: "at least one"
    filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
    yamlpath: '.apiServerArguments["service-account-lookup"][:]'
    values:
    - value: 'true'
      operation: "pattern match"
      type: "string"