File: rule.yml

scap-security-guide 0.1.78-1
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
documentation_complete: true


title: "Ensure APIServer is configured with secure tlsSecurityProfile"

description: |-
    <p>
    The configuration <tt>tlsSecurityProfile</tt> specifies the TLS settings
    used when establishing connections with the externally exposed servers.
    Even though an encrypted transport is used for these connections, the
    protocols negotiated may not be strong enough to prevent interception and
    manipulation of the data in transit. The configured TLS security profile
    should not make use of any protocols, ciphers, or algorithms with known
    security vulnerabilities.
    </p>

    <p>
    <tt>tlsSecurityProfile</tt> can be configured to use one of the Custom,
    Intermediate, Modern, or Old profiles. The Old profile should be avoided at
    all times, and when using the Custom profile one should be extremely careful,
    as an invalid configuration can be catastrophic. It is always advised to use
    the highly secure Intermediate or Modern profiles; if unset, a default is chosen.
    </p>

    <p>
    Update tlsSecurityProfile to Intermediate using the following command:
    {{% raw %}}<pre>oc patch apiservers.config.openshift.io cluster --type 'json' --patch '[{"op": "add", "path": "/spec/tlsSecurityProfile/intermediate", "value": {}}, {"op": "replace", "path": "/spec/tlsSecurityProfile/type", "value": "Intermediate"}'</pre>{{% endraw %}}
    </p>

    <p>
    For more information, see the
    OpenShift documentation:
    {{{ weblink(link="https://docs.openshift.com/container-platform/latest/security/tls-security-profiles.html",
                text="the relevant documentation") }}}.
    </p>

rationale: |-
    The authenticity and integrity of the container platform and of the
    communication between nodes and components must be protected. If an insecure
    protocol, cipher, or algorithm is used during transmission of data, the data
    can be intercepted and manipulated. To thwart manipulation of data in
    transit, secure protocols, ciphers, and algorithms must be used.

severity: medium

identifiers:
    cce@ocp4: CCE-86232-6

references:
    nist: SC-8,SC-8(1)
    srg: SRG-APP-000014-CTR-000040,SRG-APP-000560-CTR-001340

ocil_clause: 'an insecure tlsSecurityProfile is configured for accessing external services'

ocil: |-
    To check the configured tlsSecurityProfile, use the following command:
    <tt>$ oc get apiservers.config.openshift.io cluster -o jsonpath='{.spec.tlsSecurityProfile}{"\n"}'</tt>
    The output shows the tlsSecurityProfile configured for the API Server. The
    configured profile must not be Old, and if it is Custom, the configured
    minimum TLS version must be TLSv1.2 or newer.

warnings:
    - general: |-
        {{{ openshift_cluster_setting("/apis/config.openshift.io/v1/apiservers/cluster") | indent(8) }}}
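The pass/fail logic the OCIL text above describes (not Old; if Custom, the minimum TLS version must be TLSv1.2 or newer), written out as an added Python example that is not part of the scap-security-guide rule. It assumes the object shape returned by `oc get apiservers.config.openshift.io cluster -o json`, where `spec.tlsSecurityProfile.type` is `Old`, `Intermediate`, `Modern` or `Custom`, and a Custom profile carries `custom.minTLSVersion` as one of `VersionTLS10` to `VersionTLS13`; the sample object is constructed.

```python
"""Evaluate an OpenShift APIServer tlsSecurityProfile against this rule.

Added example, not code from scap-security-guide. Assumes the JSON shape of
`oc get apiservers.config.openshift.io cluster -o json`: spec.tlsSecurityProfile.type
is Old/Intermediate/Modern/Custom, and a Custom profile carries
custom.minTLSVersion named VersionTLS10 .. VersionTLS13.
"""
import json

# Ordering of the TLS version names used in a Custom profile (assumed naming).
TLS_VERSION_ORDER = {"VersionTLS10": 0, "VersionTLS11": 1,
                     "VersionTLS12": 2, "VersionTLS13": 3}
MIN_ACCEPTABLE = TLS_VERSION_ORDER["VersionTLS12"]  # rule floor: TLSv1.2 or newer


def evaluate_profile(spec: dict) -> tuple:
    """Return (compliant, reason) for the spec of the apiservers/cluster object."""
    profile = spec.get("tlsSecurityProfile") or {}
    ptype = profile.get("type")
    if ptype is None:
        # Unset: the platform chooses a default; report it so it gets set explicitly.
        return True, "tlsSecurityProfile unset, platform default applies"
    if ptype == "Old":
        return False, "Old profile permits protocols and ciphers with known weaknesses"
    if ptype in ("Intermediate", "Modern"):
        return True, f"{ptype} profile in use"
    if ptype == "Custom":
        min_version = (profile.get("custom") or {}).get("minTLSVersion")
        if min_version not in TLS_VERSION_ORDER:
            return False, f"Custom profile has no valid minTLSVersion ({min_version!r})"
        if TLS_VERSION_ORDER[min_version] < MIN_ACCEPTABLE:
            return False, f"Custom profile allows {min_version}, below TLSv1.2"
        return True, f"Custom profile with minTLSVersion {min_version}"
    return False, f"unrecognised profile type {ptype!r}"


def evaluate_apiserver_json(raw: str) -> tuple:
    """Evaluate the JSON text of the apiservers/cluster object."""
    return evaluate_profile(json.loads(raw).get("spec", {}))


# Constructed sample: a cluster set to a Custom profile with a too-low TLS floor.
SAMPLE = json.dumps({"apiVersion": "config.openshift.io/v1", "kind": "APIServer",
                     "metadata": {"name": "cluster"},
                     "spec": {"tlsSecurityProfile": {
                         "type": "Custom",
                         "custom": {"minTLSVersion": "VersionTLS11",
                                    "ciphers": ["ECDHE-ECDSA-AES128-GCM-SHA256"]}}}})

if __name__ == "__main__":
    print(evaluate_apiserver_json(SAMPLE))
```

To run it against a live cluster, pipe the `oc get ... -o json` output into `evaluate_apiserver_json` instead of `SAMPLE`.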