OpenShift must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 validated cryptography.
An XCCDF Rule
Description
<VulnDiscussion>FIPS compliance is one of the most critical components required in highly secure environments, to ensure that only supported cryptographic technologies are allowed on nodes. Because FIPS must be enabled before the operating system used by the cluster boots for the first time, FIPS cannot be disabled after a cluster is deployed. OpenShift employs industry-validated cryptographic algorithms, key management practices, and secure protocols, reducing the likelihood of cryptographic vulnerabilities and attacks. Satisfies: SRG-APP-000219-CTR-000550, SRG-APP-000635-CTR-001405, SRG-APP-000126-CTR-000275, SRG-APP-000411-CTR-000995, SRG-APP-000412-CTR-001000, SRG-APP-000416-CTR-001015, SRG-APP-000514-CTR-001315</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-257546r921581_rule
- Severity
- High
- References
- Updated
Remediation - Manual Procedure
Reinstall the OpenShift cluster in FIPS mode. The file install-config.yaml has a top-level key that enables FIPS mode for all nodes and the cluster platform layer. If the install-config.yaml was not backed up prior to consumption as part of the installation, recreate it. An example install-config.yaml with some sections trimmed out for brevity, and the "fips: true" key applied at the top level is shown below:
apiVersion: v1
baseDomain: example.com
controlPlane:
name: master