Ensure that FIPS mode is enabled on all cluster nodes

An XCCDF Rule

Description

OpenShift has an installation-time flag that can enable FIPS mode for the cluster. The flag

fips: true

must be enabled at install time in the

install-config.yaml

file.

warning alert: Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:

/apis/machineconfiguration.openshift.io/v1/machineconfigs API endpoint, filter with with the jq utility using the following filter [.items[] | select(.metadata.name | test("^rendered-worker-[0-9a-z]+$|^rendered-master-[0-9a-z]+$"))] | map(.spec.fips == true) and persist it to the local /apis/machineconfiguration.openshift.io/v1/machineconfigs#ab7e02a1c3f44ae48f843ce3dee7b948d624d2f702b9428760efbfd4653847ba file.

Rationale

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

ID: xccdf_org.ssgproject.content_rule_fips_mode_enabled_on_all_nodes
Severity: High
References: CIP-003-8 R4.2 CIP-007-3 R5.1 CIP-007-3 R7.1

AC-17(2) CM-3(6) IA-7 SC-12(2) SC-12(3) SC-13

Req-3.4.1

SRG-APP-000126-CTR-000275 SRG-APP-000219-CTR-000550 SRG-APP-000411-CTR-000995 SRG-APP-000412-CTR-001000 SRG-APP-000416-CTR-001015 SRG-APP-000514-CTR-001315 SRG-APP-000610-CTR-001385 SRG-APP-000635-CTR-001405

CCE-85860-5
Updated: about 1 year ago