Ensure that cluster-wide proxy is set

An XCCDF Rule

Description

Production environments can deny direct access to the Internet and instead have an HTTP or HTTPS proxy available.

The Proxy object is used to manage the cluster-wide egress proxy. Setting it ensures that containers get the appropriate environment variables so that traffic goes to the proxy per organizational requirements.

For more information, see the relevant documentation.

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API to retrieve the /apis/config.openshift.io/v1/proxies/cluster API endpoint and save it to the local /apis/config.openshift.io/v1/proxies/cluster file.
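The following is an added example, not the rule's own check content: a sketch of evaluating a dumped Proxy object offline. It assumes the dump is JSON and that the rule is satisfied when `spec.httpProxy` or `spec.httpsProxy` holds a well-formed proxy URL; the function names and the sample hostnames are hypothetical.

```python
import json
from urllib.parse import urlsplit


def _dump(spec):
    """Build a constructed dump of the Proxy object with the given spec."""
    return json.dumps({"apiVersion": "config.openshift.io/v1", "kind": "Proxy",
                       "metadata": {"name": "cluster"}, "spec": spec})


# Constructed samples; the proxy hostname is a placeholder, not from the page.
DUMP_CONFIGURED = _dump({"httpProxy": "http://proxy.example.internal:3128",
                         "httpsProxy": "http://proxy.example.internal:3128",
                         "noProxy": ".cluster.local,.svc"})
DUMP_UNSET = _dump({"trustedCA": {"name": ""}})  # proxy fields absent
DUMP_MALFORMED = _dump({"httpsProxy": "proxy.example.internal:3128"})  # no scheme


def is_proxy_url(value):
    """True if value is an http(s) URL with a host part."""
    try:
        parts = urlsplit(value.strip())
        return parts.scheme in ("http", "https") and bool(parts.hostname)
    except (AttributeError, ValueError):  # not a string, or unparsable URL
        return False


def check_cluster_proxy(dump_text):
    """Return (passed, findings) for one dumped Proxy object."""
    obj = json.loads(dump_text)
    if obj.get("kind") != "Proxy" or (obj.get("metadata") or {}).get("name") != "cluster":
        return False, ["dump is not the Proxy object named 'cluster'"]
    spec = obj.get("spec") or {}
    # Assumption: a field counts as set only when it holds a non-empty value.
    configured = {f: spec[f] for f in ("httpProxy", "httpsProxy") if spec.get(f)}
    findings = [f"spec.{f} is not a usable proxy URL: {v!r}"
                for f, v in configured.items() if not is_proxy_url(v)]
    if not configured:
        findings.append("neither spec.httpProxy nor spec.httpsProxy is set")
    return (not findings), findings


if __name__ == "__main__":
    for dump in (DUMP_CONFIGURED, DUMP_UNSET, DUMP_MALFORMED):
        print(check_cluster_proxy(dump))
```

A value that is present but not a valid URL is reported as a failure rather than a pass, since a string-presence check alone would accept it.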

Rationale

External networks tend to be outside of organizational control. Routing egress traffic through an authorized proxy makes it possible to ensure that only expected and safe traffic leaves the cluster, and that malicious actors are not leaking sensitive information or calling back to a central command center for further instructions after an intrusion.

ID
xccdf_org.ssgproject.content_rule_cluster_wide_proxy_set
Severity
Medium