Ensure that LUKS is configured on worker nodes
An XCCDF Rule
Description
OpenShift has an installation-time flag that can enable LUKS (TPM2 or TANG) full disk encryption at installation. The object
luksmust be present at install time in the
machineconfigfile prepared with the
install-config.yamlfile.
warning alert: Warning
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-
/apis/machineconfiguration.openshift.io/v1/machineconfigsAPI endpoint, filter with with thejqutility using the following filter[.items[] | select(.metadata.name | test("^rendered-worker-[0-9a-z]+$|^rendered-master-[0-9a-z]+$"))] | map(.spec.config.storage.luks[0].clevis != null)and persist it to the local
Rationale
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
- ID
- xccdf_org.ssgproject.content_rule_luks_enabled_on_all_nodes
- Severity
- High
- References
- Updated