File: rule.yml

scap-security-guide 0.1.79-1

title: 'Profiling is protected by RBAC'

description: |-
  Ensure that the cluster-debugger cluster role includes the /metrics
  resource URL. This demonstrates that profiling is protected by RBAC, with a
  specific cluster role to allow access.

rationale: |-
  Profiling allows for the identification of specific performance bottlenecks.
  It generates a significant amount of program data that could potentially be
  exploited to uncover system and program details.
  To ensure the collected data is not exploited, profiling endpoints are secured
  via RBAC (see the cluster-debugger role). By default, the profiling endpoints are
  accessible only by users bound to the cluster-admin or cluster-debugger role.
  Profiling cannot be disabled.

identifiers:
  cce@ocp4: CCE-84212-0

references:
  cis@ocp4: 1.2.19
  nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
  nist: CM-6,CM-6(1)
  pcidss: Req-2.2
  srg: SRG-APP-000516-CTR-001325

severity: medium

ocil_clause: |-
    The <tt>cluster-debugger</tt> role isn't protecting <tt>/metrics</tt>

ocil: |-
    To verify that the <tt>cluster-debugger</tt> role is configured correctly,
    run the following command:
    <pre>$ oc get clusterroles cluster-debugger -o jsonpath='{.rules[0].nonResourceURLs}'</pre>
    and verify that the <tt>/metrics</tt> path is included there.

warnings:
- general: |-
    {{{ openshift_cluster_setting("/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger") | indent(4) }}}

template:
  name: yamlfile_value
  vars:
    ocp_data: "true"
    filepath: /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger
    yamlpath: '.rules[0].nonResourceURLs[:]'
    entity_check: 'at least one'
    values:
    - value: '\/metrics'
      operation: 'pattern match'
      entity_check: 'at least one'
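The yamlfile_value template above evaluates `.rules[0].nonResourceURLs[:]` with an "at least one" entity check and a "pattern match" against `\/metrics`. The following is an added example (not part of the rule file or of the scap-security-guide project) that reproduces that evaluation in plain Python over a constructed ClusterRole object shaped like the output of `oc get clusterroles cluster-debugger -o json`. It also shows a broader variant, `check_metrics_any_rule`, which is my own assumption about what an operator might want rather than what the rule itself evaluates: because the rule indexes `rules[0]` only, a role that grants `/metrics` in a later rule would fail the shipped check even though access is still RBAC-protected.

```python
import re

# Constructed sample: a cluster-debugger ClusterRole whose first rule
# grants /metrics (illustrative values, not taken from a live cluster).
SAMPLE_CLUSTER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "cluster-debugger"},
    "rules": [
        {"nonResourceURLs": ["/debug", "/debug/*", "/metrics"], "verbs": ["get"]},
    ],
}

# Constructed sample: same grants, but /metrics lives in rules[1], not rules[0].
REORDERED_CLUSTER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "cluster-debugger"},
    "rules": [
        {"nonResourceURLs": ["/debug", "/debug/*"], "verbs": ["get"]},
        {"nonResourceURLs": ["/metrics"], "verbs": ["get"]},
    ],
}

# The pattern exactly as it appears in the rule's template vars.
METRICS_PATTERN = r"\/metrics"


def nonresource_urls(cluster_role, rule_index=0):
    """Return .rules[rule_index].nonResourceURLs[:], or [] when absent.

    Mirrors the template's yamlpath; a missing rules list or a rule without
    nonResourceURLs yields no values, so the 'at least one' check fails.
    """
    rules = cluster_role.get("rules") or []
    if rule_index >= len(rules):
        return []
    return list(rules[rule_index].get("nonResourceURLs") or [])


def at_least_one_matches(values, pattern):
    """'entity_check: at least one' combined with 'operation: pattern match'."""
    regex = re.compile(pattern)
    return any(regex.search(value) for value in values)


def check_metrics_protected(cluster_role):
    """Evaluate the rule as shipped: rules[0] must contain a /metrics URL."""
    return at_least_one_matches(nonresource_urls(cluster_role, 0), METRICS_PATTERN)


def check_metrics_any_rule(cluster_role):
    """Broader variant (assumption, not the shipped rule): any rule may grant /metrics."""
    rules = cluster_role.get("rules") or []
    return any(
        at_least_one_matches(nonresource_urls(cluster_role, i), METRICS_PATTERN)
        for i in range(len(rules))
    )


if __name__ == "__main__":
    for name, role in (("sample", SAMPLE_CLUSTER_ROLE), ("reordered", REORDERED_CLUSTER_ROLE)):
        print(f"{name}: rules[0] check={check_metrics_protected(role)}, "
              f"any-rule check={check_metrics_any_rule(role)}")
```

Run against a real cluster, the input would be the JSON from `oc get clusterroles cluster-debugger -o json`; the rules[0] result corresponds to what the OCIL command in this rule asks the auditor to verify by eye, and a mismatch between the two functions indicates the role's rule order, not its grants, is what the shipped check is sensitive to.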