
Ensure that the MachineSets provisioned by Azure have disk encryption enabled

An XCCDF Rule

Description

OpenShift has an option to provide a Disk Encryption Set [1] when deploying nodes on Azure. Setting it enables disk encryption for the OpenShift nodes created from that MachineSet. [1] https://docs.openshift.com/container-platform/latest/machine_management/creating_machinesets/creating-machineset-azure.html#machineset-enabling-customer-managed-encryption-azure_creating-machineset-azure

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following, and persist it locally:
  • the /apis/machine.openshift.io/v1beta1/machinesets?limit=500 API endpoint, filtered with the jq utility using the filter [.items[] | select(.spec.template.spec.providerSpec.value.osDisk.managedDisk.diskEncryptionSet.id != null) | .metadata.name], and persisted to the local /apis/machine.openshift.io/v1beta1/machinesets?limit=500#b9dfb8d8585cff7f72cd7403be3b5790ff7716fbe23facf6e251712ade7d60c1 file.
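The following is an added example, not part of this rule or its content, that reimplements the jq filter above in Python and runs it against a constructed MachineSetList dump: it reports which MachineSets reference a Disk Encryption Set and which do not. The MachineSet names and the DES resource id are made-up sample values, and a MachineSet whose osDisk has no diskEncryptionSet.id (or a null one) is treated as unencrypted, exactly as the jq select() does.

```python
import json

# Constructed sample of a /apis/machine.openshift.io/v1beta1/machinesets response,
# trimmed to the fields the rule inspects. Names and the DES id are made up.
SAMPLE_DUMP = json.dumps({
    "kind": "MachineSetList",
    "items": [
        {"metadata": {"name": "sample-worker-eastus1"},
         "spec": {"template": {"spec": {"providerSpec": {"value": {"osDisk": {"managedDisk": {
             "diskEncryptionSet": {"id": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/"
                                         "Microsoft.Compute/diskEncryptionSets/sample-des"}}}}}}}}},
        {"metadata": {"name": "sample-worker-eastus2"},          # no DES at all
         "spec": {"template": {"spec": {"providerSpec": {"value": {"osDisk": {"managedDisk": {
             "storageAccountType": "Premium_LRS"}}}}}}}},
        {"metadata": {"name": "sample-worker-eastus3"},          # DES block present, id null
         "spec": {"template": {"spec": {"providerSpec": {"value": {"osDisk": {"managedDisk": {
             "diskEncryptionSet": {"id": None}}}}}}}}},
    ],
})

# Key path walked by the page's jq filter: .spec.template.spec.providerSpec.value.osDisk.managedDisk.diskEncryptionSet.id
DES_ID_PATH = ("spec", "template", "spec", "providerSpec", "value",
               "osDisk", "managedDisk", "diskEncryptionSet", "id")

def des_id(machineset: dict):
    """Return the DES id of a MachineSet, or None if any key on the path is missing or null
    (jq yields null for a missing key, so this matches `select(... != null)`)."""
    node = machineset
    for key in DES_ID_PATH:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def encrypted_machinesets(dump: str) -> list:
    """Equivalent of the page's jq filter: names of MachineSets that reference a DES."""
    items = json.loads(dump).get("items", [])
    return [m["metadata"]["name"] for m in items if des_id(m) is not None]

def unencrypted_machinesets(dump: str) -> list:
    """The complement: MachineSets the rule would flag."""
    items = json.loads(dump).get("items", [])
    return [m["metadata"]["name"] for m in items if des_id(m) is None]

def rule_passes(dump: str) -> bool:
    """The rule's intent: every MachineSet in the dump must reference a DES."""
    return not unencrypted_machinesets(dump)

if __name__ == "__main__":
    print("encrypted:  ", encrypted_machinesets(SAMPLE_DUMP))
    print("unencrypted:", unencrypted_machinesets(SAMPLE_DUMP))
    print("rule passes:", rule_passes(SAMPLE_DUMP))
```

Feeding the real dump file named in the warning to these functions instead of SAMPLE_DUMP gives the same pass/fail answer the rule's check computes from the jq output.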

Rationale

Using disk encryption for the nodes protects data at rest and ensures that an attacker cannot easily exfiltrate the machine contents, which may contain private keys or other sensitive material.

ID
xccdf_org.ssgproject.content_rule_azure_disk_encryption_enabled
Severity
High