File: rule.yml

package info (click to toggle)
scap-security-guide 0.1.78-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (71 lines) | stat: -rw-r--r-- 2,625 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
 
documentation_complete: true


title: 'Configure the Service Account Public Key for the API Server'

{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
{{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
{{% set hypershift_path = '/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config' %}}
{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~  default_api_path ~ '{{end}}' %}}
{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~  default_jqfilter ~ '{{end}}' %}}
{{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}

description: |-
    To ensure the API Server utilizes its own key pair,
    edit the <tt>openshift-kube-apiserver</tt> configmap
    and set the <tt>serviceAccountPublicKeyFiles</tt> parameter to the public
    key file for service accounts:
    <pre>
    ...
    "serviceAccountPublicKeyFiles":[
      "/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs"
    ],
    ...
    </pre>

rationale: |-
    By default if no <tt>service-account-key-file</tt> is specified
    to the apiserver, it uses the private key from the TLS serving
    certificate to verify service account tokens. To ensure that the
    keys for service account tokens are rotated as needed, a
    separate public/private key pair should be used for signing service
    account tokens.

identifiers:
  cce@ocp4: CCE-83350-9


severity: medium

references:
    cis@ocp4: 1.2.26
    nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
    nist: CM-6,CM-6(1)
    pcidss: Req-2.2,Req-2.2.3,Req-2.3
    srg: SRG-APP-000516-CTR-001325

platform: not ocp4-on-hypershift-hosted

ocil_clause: 'serviceAccountPublicKeyFiles is not configured correctly'

ocil: |-
    Run the following command:
    <pre>$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r .serviceAccountPublicKeyFiles</pre>
    The output should return configured certificate key file(s).

warnings:
- general: |-
    {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(4) }}}

template:
  name: yamlfile_value
  vars:
    ocp_data: "true"
    entity_check: "at least one"
    filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
    yamlpath: '.serviceAccountPublicKeyFiles[:]'
    values:
     - value: '.+'
       operation: "pattern match"
       type: "string"