File: shared.yml

scap-security-guide 0.1.78-1
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (81 lines) | stat: -rw-r--r-- 2,809 bytes
srg_requirement: |-
  {{{ full_name }}} must use a centralized user management solution to
  support account management functions.

vuldiscussion: |-
  OpenShift supports several different types of identity providers.
  In order to add users and grant access to OpenShift, an identity provider
  needs to be configured. Some of the identity provider types, such as
  HTPasswd, only provide simple user management and are not intended
  for production. Other types are public services, like GitHub. These
  provider types may not be appropriate as they are managed by public
  service providers and therefore are unable to enforce the organization's
  account management requirements.

  After a new install, the default authentication uses kubeadmin as the
  default cluster-admin account. This default account needs to be disabled,
  and another user account should be given cluster-admin rights.

checktext: |-
  Verify that the authentication operator is configured to use either an
  LDAP or an OpenIDConnect or an approved identity provider:

  > oc get oauth cluster -o jsonpath="{.spec.identityProviders}" | jq

  If any of the identity providers' type is LDAP and any of them use the
  insecure flag, this is a finding.

fixtext: |-
  Configure OpenShift to use an appropriate Identity Provider. Do not use
  HTPasswd. Use either LDAP (AD), OpenIDConnect or an approved identity
  provider.

  Steps to configure LDAP provider:

    1. Create Secret for BIND DN password

    > oc create secret generic ldap-secret --from-literal=bindPassword=<secret> \
    -n openshift-config

    2. Create config map for LDAP Trust CA

    > oc create configmap ca-config-map --from-file=ca.crt=/path/to/ca -n \
    openshift-config

    3. Create LDAP Auth Config Resource YAML

    Using your preferred text editor, create a file named ldapidp.yaml using
    the example content (replacing config values as appropriate):

    apiVersion: config.openshift.io/v1
    kind: OAuth
    metadata:
      name: cluster
    spec:
      identityProviders:
      - name: ldapidp
        mappingMethod: claim
        type: LDAP
        ldap:
          attributes:
            id:
            - dn
            email:
            - mail
            name:
            - cn
            preferredUsername:
            - uid
          bindDN: ""
          bindPassword:
            name: ldap-secret
          ca:
            name: ca-config-map
          insecure: false
          url: "ldaps://ldap.example.com/ou=users,dc=acme,dc=com?uid"

    4. Apply LDAP config to cluster

    > oc apply -f ldapidp.yaml

    For more information on configuring an
    LDAP provider refer to the documentation:
    https://docs.openshift.com/container-platform/4.8/authentication/identity_providers/configuring-ldap-identity-provider.html
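As an added example (not part of the rule file or of the scap-security-guide project), the Python function below applies the checktext condition (LDAP with the insecure flag) and the fixtext's "do not use HTPasswd" to the JSON array that `oc get oauth cluster -o jsonpath="{.spec.identityProviders}"` prints, and treats an empty result as the unconfigured kubeadmin-only state the vuldiscussion describes. The sample input is constructed; the provider `type` values `LDAP`, `HTPasswd` and `GitHub` are the ones OpenShift uses in the OAuth resource.

```python
import json

# Constructed sample of what
#   oc get oauth cluster -o jsonpath="{.spec.identityProviders}"
# prints on a cluster with an insecure LDAP provider and a leftover HTPasswd provider.
SAMPLE_IDPS = json.dumps([
    {"name": "ldapidp", "mappingMethod": "claim", "type": "LDAP",
     "ldap": {"url": "ldap://ldap.example.com/ou=users,dc=acme,dc=com?uid",
              "insecure": True, "bindDN": ""}},
    {"name": "htpasswd_provider", "mappingMethod": "claim", "type": "HTPasswd",
     "htpasswd": {"fileData": {"name": "htpass-secret"}}},
])


def evaluate_identity_providers(jsonpath_output: str) -> dict:
    """Apply the rule's conditions to the identityProviders JSON array.

    Returns {"findings": [...], "review": [...]}: a finding when no provider
    is configured (kubeadmin is still the only login), when an HTPasswd
    provider is present, or when an LDAP provider sets insecure: true;
    public providers such as GitHub are listed for review.
    """
    result = {"findings": [], "review": []}
    text = jsonpath_output.strip()
    # oc prints nothing at all when .spec.identityProviders is unset.
    idps = json.loads(text) if text else []
    if not idps:
        result["findings"].append(
            "no identity provider configured; kubeadmin is the only login")
        return result
    for idp in idps:
        name = idp.get("name", "<unnamed>")
        kind = idp.get("type", "")
        if kind == "HTPasswd":
            result["findings"].append(
                f"{name}: HTPasswd provider is not intended for production")
        elif kind == "LDAP":
            if idp.get("ldap", {}).get("insecure", False):
                result["findings"].append(
                    f"{name}: LDAP provider has insecure: true")
        elif kind == "GitHub":
            result["review"].append(
                f"{name}: public service provider ({kind}); confirm it can "
                "enforce the organization's account-management requirements")
    return result
```

Pipe the real `oc` output into `evaluate_identity_providers` to get the same classification the manual check in checktext asks an assessor to make by eye.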