1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
srg_requirement: |-
{{{ full_name }}} must use TLS 1.2 or greater for
secure communication.
vuldiscussion: |-
The authenticity and integrity of the container platform and communication
between nodes and components must be secure. If an insecure protocol
is used during transmission of data, the data can be intercepted and
manipulated. The manipulation of data can be used to inject status changes
of the container platform, causing the execution of containers or reporting
an incorrect healthcheck. To thwart the manipulation of the data during
transmission, a secure protocol (TLS 1.2 or newer) must be used. Further
guidance on secure transport protocols can be found in NIST SP 800-52.
checktext: |-
Verify that the control plane TLS Security Profile is not set to old,
or a custom profile that does not enforce TLS 1.2 or above.
> oc get APIServer cluster -o jsonpath='{.spec.tlsSecurityProfile}'
If the above returns a TLS profile of "Old", this is a finding.
If the above returns a TLS profile of "Custom" and the minTLSVersion
is not set to "VersionTLS12" or greater, this is a finding.
fixtext: |-
Edit the apiserver/cluster resource and set the TLS Security Profile to Intermediate
> oc edit APIServer cluster
set to the following
apiVersion: config.openshift.io/v1
kind: APIServer
...
spec:
tlsSecurityProfile:
intermediate: {}
type: Intermediate
|
