Ensure that Cluster Version Operator verifies integrity

An XCCDF Rule

Description

Integrity of the OpenShift platform is handled to start by the cluster version operator. Cluster Version Operator will by default GPG verify the integrity of the release image before applying it. This rule check if there is an unverified cluster image.

warning alert: Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:

/apis/config.openshift.io/v1/clusterversions/version API endpoint, filter with with the jq utility using the following filter [.status.history[0:-1]|.[]|.verified] and persist it to the local /apis/config.openshift.io/v1/clusterversions/version#69adcfd65c8b8d723e4a7118c170f634cebbb349e9b554dd15001e6551a586f8 file.

Rationale

Unverified cluster image will compromise the system integrity. Integrity check prevent a malicious actor from using a unauthorized system image, hence it will ensure the image has not been tampered with, or corrupted.

ID: xccdf_org.ssgproject.content_rule_cluster_version_operator_verify_integrity
Severity: Medium
References: SA-10(1)

SRG-APP-000384-CTR-000915

CCE-90671-9
Updated: about 1 year ago