OpenShift must use multifactor authentication for network access to accounts.
An XCCDF Rule
Description
<VulnDiscussion>Without the use of multifactor authentication, the ease of access to privileged and nonprivileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. Factors include: (i) something a user knows (e.g., password/PIN); (ii) something a user has (e.g., cryptographic identification device, token); or (iii) something a user is (e.g., biometric). A privileged account is defined as an information system account with authorizations of a privileged user. A nonprivileged account is any information system account with authorizations of a nonprivileged user. Network access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, or the internet). Satisfies: SRG-APP-000149-CTR-000355, SRG-APP-000150-CTR-000360</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-257541r921566_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Configure OpenShift to use an appropriate Identity Provider. Do not use HTPasswd. Use either LDAP(AD), OpenIDConnect, or an approved identity provider.
Steps to configure LDAP provider:
1. Create Secret for BIND DN password by executing the following: