title: "Only Use LDAP-based IdPs with TLS"
{{% set default_jqfilter = '.spec' %}}
{{% set default_api_path = '/apis/config.openshift.io/v1/oauths/cluster' %}}
{{% set hypershift_path = '/apis/hypershift.openshift.io/v1beta1/namespaces/{{.hypershift_namespace_prefix}}/hostedclusters/{{.hypershift_cluster}}' %}}
{{% set hypershift_jqfilter = '.spec.configuration.oauth' %}}
{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
{{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
description: |-
    <p>
    For users to interact with OpenShift Container Platform, they must first
    authenticate to the cluster. The authentication layer identifies the user
    associated with requests to the OpenShift Container Platform API. The
    authorization layer then uses information about the requesting user to
    determine if the request is allowed.
    {{{ weblink(link="https://docs.openshift.com/container-platform/latest/logging/cluster-logging-external.html",
    text="Understanding authentication | Authentication | OpenShift Container Platform") }}}
    </p>
    <p>
    The OpenShift Container Platform includes a built-in OAuth server for
    token-based authentication. Developers and administrators obtain OAuth
    access tokens to authenticate themselves to the API. It is recommended for
    an administrator to configure OAuth to specify an identity provider after
    the cluster is installed. User access to the cluster is managed through the
    identity provider.
    {{{ weblink(link="https://docs.openshift.com/container-platform/latest/authentication/understanding-identity-provider.html",
    text="Understanding identity provider configuration | Authentication | OpenShift Container Platform") }}}
    </p>
    <p>
    If the identity provider is LDAP, setting the <tt>insecure</tt> flag to true
    would mean that passwords, such as the one used to authenticate the OAuth
    proxy to the LDAP server, would be transmitted in the clear, potentially
    allowing an attacker who captured the network traffic to read the password.
    </p>
rationale: |-
    Transmitting authentication tokens as clear-text may leak them to
    an attacker.
identifiers:
    cce@ocp4: CCE-83699-9
references:
    nerc-cip: CIP-003-8 R4.2,CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.2.3,CIP-004-6 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.2,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3
    nist: IA-2(8),IA-2(9),SC-8
    pcidss: Req-2.3
    srg: SRG-APP-000023-CTR-000055
severity: high
ocil_clause: 'LDAP IDP provider is using the insecure flag'
ocil: |-
    Run the following command to list the identity providers configured:
    <pre>$ oc get oauths cluster -ojsonpath='{.spec.identityProviders}' | jq </pre>
    If any identity provider is of type LDAP, make sure its <tt>insecure</tt>
    flag is not set or is set to <tt>false</tt>.
warnings:
- general: |-
    {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(4) }}}
template:
    name: yamlfile_value
    vars:
        ocp_data: 'true'
        filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
        yamlpath: ".identityProviders[:].ldap.insecure"
        check_existence: "any_exist"
        values:
        - value: true
          type: boolean
          operation: "not equal"
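The check that the `yamlfile_value` template and the manual `ocil` step above describe, written out as an added Python example (it is not part of this ComplianceAsCode rule or of OpenShift). It evaluates the same condition as the yamlpath `.identityProviders[:].ldap.insecure` with the `not equal true` operation: an LDAP identity provider with `insecure: true` is a finding, one with the flag absent or `false` is compliant, and a cluster with no LDAP provider at all passes. The sample OAuth spec is constructed to look like the output of `oc get oauths cluster -ojsonpath='{.spec}'`; the provider names, hosts, bind DNs and secret names in it are invented. The `oauth_spec_from_cluster_object` helper mirrors the rule's two jq filters (`.spec` for a standalone cluster, `.spec.configuration.oauth` for a HyperShift HostedCluster); that object shape is an assumption taken from the two paths in the rule, not verified against a live HostedCluster.

```python
import json

# Constructed sample: roughly what `oc get oauths cluster -ojsonpath='{.spec}'`
# returns on a hypothetical cluster. All names, hosts and secrets are invented.
SAMPLE_OAUTH_SPEC = json.loads("""
{
  "identityProviders": [
    {"name": "htpasswd_provider", "mappingMethod": "claim", "type": "HTPasswd",
     "htpasswd": {"fileData": {"name": "htpass-secret"}}},
    {"name": "ldap_plain", "mappingMethod": "claim", "type": "LDAP",
     "ldap": {"url": "ldap://ldap.example.com/ou=users,dc=example,dc=com?uid",
              "insecure": true,
              "bindDN": "cn=readonly,dc=example,dc=com",
              "bindPassword": {"name": "ldap-secret"}}},
    {"name": "ldap_tls", "mappingMethod": "claim", "type": "LDAP",
     "ldap": {"url": "ldaps://ldap.example.com/ou=users,dc=example,dc=com?uid",
              "insecure": false,
              "ca": {"name": "ca-config-map"},
              "bindDN": "cn=readonly,dc=example,dc=com",
              "bindPassword": {"name": "ldap-secret"}}},
    {"name": "ldap_default", "mappingMethod": "claim", "type": "LDAP",
     "ldap": {"url": "ldaps://ldap2.example.com/ou=users,dc=example,dc=com?uid",
              "bindDN": "cn=readonly,dc=example,dc=com",
              "bindPassword": {"name": "ldap-secret"}}}
  ]
}
""")


def insecure_ldap_idps(oauth_spec):
    """Return the names of LDAP identity providers whose `insecure` flag is true.

    Same condition as the rule's yamlpath `.identityProviders[:].ldap.insecure`
    with operation "not equal true" and check_existence "any_exist": a provider
    without the flag, or with it set to false, is compliant; only an explicit
    `insecure: true` is reported.
    """
    findings = []
    for idp in oauth_spec.get("identityProviders", []) or []:
        ldap = idp.get("ldap")
        if idp.get("type") != "LDAP" or not isinstance(ldap, dict):
            continue
        if ldap.get("insecure", False) is True:
            findings.append(idp.get("name", "<unnamed>"))
    return findings


def is_compliant(oauth_spec):
    """True when no LDAP identity provider transmits credentials in the clear."""
    return not insecure_ldap_idps(oauth_spec)


def oauth_spec_from_cluster_object(obj):
    """Select the OAuth spec from either API object the rule can be fed.

    Assumed shapes, taken from the rule's two jq filters: a standalone
    cluster's `oauths/cluster` object carries the spec at `.spec`; a HyperShift
    HostedCluster carries it at `.spec.configuration.oauth`.
    """
    spec = obj.get("spec", {}) or {}
    if "configuration" in spec:  # HostedCluster shape (assumption, see above)
        return (spec["configuration"] or {}).get("oauth", {}) or {}
    return spec


if __name__ == "__main__":
    bad = insecure_ldap_idps(SAMPLE_OAUTH_SPEC)
    print("compliant" if not bad else "FAIL: insecure LDAP IdPs: " + ", ".join(bad))
```

In the sample, only `ldap_plain` is reported: `ldap_tls` sets the flag to `false` and supplies a CA, and `ldap_default` omits the flag, which the rule treats as compliant. To run this against a real cluster, pipe `oc get oauths cluster -o json` into `oauth_spec_from_cluster_object(json.load(sys.stdin))`.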