MSR's self-signed certificates must be replaced with DOD trusted, signed certificates.

An XCCDF Rule

Description

<VulnDiscussion>Self-signed certificates pose security risks, as they are not issued by a trusted third party. DOD trusted, signed certificates have undergone a validation process by a trusted CA, reducing the risk of man-in-the-middle attacks and unauthorized access. Using these certificates enhances the trust and authenticity of the communication between clients and the MSR server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-260916r966105_rule
Severity: Medium
References: CCI-000381
Updated: 19 days ago

If MSR is not being utilized, this is Not Applicable.

Ensure the certificates are from a trusted DOD CA.

1. Add the secret to the cluster by executing the following:
kubectl create secret tls <secret-name> --key <keyfile>.pem --cert <certfile>.pem

2. Update MSR with the custom certificate by executing the following:

helm upgrade msr [REPO_NAME]/msr --version <helm-chart-version> --set-file license=path/to/file/license.lic --set
nginx.webtls.create=false --set nginx.webtls.secretName="<secret-name>"

MSR's self-signed certificates must be replaced with DOD trusted, signed certificates.

Description

Remediation - Manual Procedure