forked from ComplianceAsCode/content

rule.yml
documentation_complete: true

title: 'Ensure the openshift-oauth-apiserver service uses TLS'

description: |-
    By default, the OpenShift API Server uses TLS. HTTPS should be
    used for connections between openshift-apiserver and kube-apiserver.
    By default, the OpenShift OAuth API Server uses the Intermediate profile, which
    requires a minimum TLS version of 1.2.

rationale: |-
    Connections between the kube-apiserver and the extension
    openshift-apiserver could potentially carry sensitive data such
    as secrets and keys. It is important to use in-transit encryption
    for any communication between the kube-apiserver and the extension
    openshift-apiserver.

severity: medium

references:
    nerc-cip: CIP-003-8 R4.2,CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R5.1,CIP-007-3 R6.1
    nist: CM-6,CM-6(1),SC-8,SC-8(1)
    pcidss: Req-2.2,Req-2.2.3,Req-2.3
    srg: SRG-APP-000516-CTR-001325

ocil_clause: |-
    The openshift-apiserver TLS security profile is set to Old.

ocil: |-
    Run the following command:
    <pre>$ oc get APIServer cluster -o yaml</pre>
    Verify that the <tt>tlsSecurityProfile</tt> is not of type <tt>Old</tt>.

warnings:
    - general: |-
        {{{ openshift_cluster_setting("/apis/config.openshift.io/v1/apiservers/cluster") | indent(8) }}}
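Added example, not part of the ComplianceAsCode rule or its OpenShift templates: a small Python check that applies the ocil procedure above to the `apiservers/cluster` object as returned by `oc get APIServer cluster -o json`, treating an unset `tlsSecurityProfile` as the Intermediate default the description mentions. The three APIServer objects are constructed sample input.

```python
"""Evaluate the 'tlsSecurityProfile is not Old' check on an APIServer object."""
import json

FAILING_PROFILE = "Old"
# Platform default when spec.tlsSecurityProfile is unset (minimum TLS 1.2).
DEFAULT_PROFILE = "Intermediate"


def tls_profile_type(apiserver: dict) -> str:
    """Return spec.tlsSecurityProfile.type, or the Intermediate default when unset."""
    profile = apiserver.get("spec", {}).get("tlsSecurityProfile") or {}
    return profile.get("type", DEFAULT_PROFILE)


def evaluate(apiserver_json: str) -> tuple:
    """Return (passed, finding) for one APIServer object serialised as JSON."""
    obj = json.loads(apiserver_json)
    profile_type = tls_profile_type(obj)
    if profile_type == FAILING_PROFILE:
        return False, "tlsSecurityProfile is set to Old"
    finding = f"tlsSecurityProfile is {profile_type}"
    # A Custom profile carries its own floor; surface it so a reviewer can judge it.
    if profile_type == "Custom":
        custom = obj["spec"]["tlsSecurityProfile"].get("custom", {})
        finding += f" (minTLSVersion={custom.get('minTLSVersion', 'unset')})"
    return True, finding


def _apiserver(spec: dict) -> str:
    """Build a constructed APIServer object with the given spec (sample data)."""
    return json.dumps({"apiVersion": "config.openshift.io/v1", "kind": "APIServer",
                       "metadata": {"name": "cluster"}, "spec": spec})


# Constructed samples: compliant, non-compliant, and relying on the default.
COMPLIANT = _apiserver({"tlsSecurityProfile": {"type": "Intermediate", "intermediate": {}}})
NON_COMPLIANT = _apiserver({"tlsSecurityProfile": {"type": "Old", "old": {}}})
DEFAULTED = _apiserver({})

if __name__ == "__main__":
    for name, doc in (("compliant", COMPLIANT), ("old", NON_COMPLIANT), ("default", DEFAULTED)):
        passed, finding = evaluate(doc)
        print(f"{name:10} {'PASS' if passed else 'FAIL'}: {finding}")
```

Pipe a live object in with `oc get APIServer cluster -o json` and call `evaluate()` on it to reproduce the manual ocil check.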