Ensure that full disk encryption is configured on cluster nodes

An XCCDF Rule

Description

When full disk encryption is chosen as a way to protect card data at rest, OpenShift can provide several solutions depending on the hosting environment. While LUKS (with TPM2 or Tang) can be used for bare metal use cases, cloud-provider specific disk encryption can be used as well. [1][2] [1] https://docs.openshift.com/container-platform/latest/machine_management/creating_machinesets/creating-machineset-azure.html#machineset-enabling-customer-managed-encryption-azure_creating-machineset-azure [2] https://docs.openshift.com/container-platform/latest/machine_management/creating_machinesets/creating-machineset-gcp.html#machineset-enabling-customer-managed-encryption_creating-machineset-gcp

warning alert: Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:

/apis/machineconfiguration.openshift.io/v1/machineconfigs API endpoint, filter with with the jq utility using the following filter [.items[] | select(.metadata.name | test("^rendered-worker-[0-9a-z]+$|^rendered-master-[0-9a-z]+$"))] | map(.spec.fips == true) and persist it to the local /apis/machineconfiguration.openshift.io/v1/machineconfigs#ab7e02a1c3f44ae48f843ce3dee7b948d624d2f702b9428760efbfd4653847ba file.
/apis/machineconfiguration.openshift.io/v1/machineconfigs API endpoint, filter with with the jq utility using the following filter [.items[] | select(.metadata.name | test("^rendered-worker-[0-9a-z]+$|^rendered-master-[0-9a-z]+$"))] | map(.spec.config.storage.luks[0].clevis != null) and persist it to the local /apis/machineconfiguration.openshift.io/v1/machineconfigs#9fab597988075d76a1c081cdc533f05623251a854b9936a08ae52cca5fc5a311 file.
/apis/machine.openshift.io/v1beta1/machinesets?limit=500 API endpoint, filter with with the jq utility using the following filter [.items[] | .spec.template.spec.providerSpec.value.blockDevices[0].ebs.encrypted] | map(. == true) and persist it to the local /apis/machine.openshift.io/v1beta1/machinesets?limit=500#06ea2adfb5429a7351e7bd78b7ec378225e0d3256c4c9e4e3b2ce59900959267 file.
/apis/machine.openshift.io/v1beta1/machinesets?limit=500 API endpoint, filter with with the jq utility using the following filter [.items[] | select(.spec.template.spec.providerSpec.value.osDisk.managedDisk.diskEncryptionSet.id != null) | .metadata.name] and persist it to the local /apis/machine.openshift.io/v1beta1/machinesets?limit=500#b9dfb8d8585cff7f72cd7403be3b5790ff7716fbe23facf6e251712ade7d60c1 file.
/apis/machine.openshift.io/v1beta1/machinesets?limit=500 API endpoint, filter with with the jq utility using the following filter [.items[] | select(.spec.template.spec.providerSpec.value.disks[0].encryptionKey.kmsKey.name != null) | .metadata.name] and persist it to the local /apis/machine.openshift.io/v1beta1/machinesets?limit=500#4de267a890d70235b0f43110ee972bee760ecce356b1e9cb910f99cc33a02cc2 file.

Rationale

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

ID: xccdf_org.ssgproject.content_rule_machine_volume_encrypted
Severity: High
References: Req-3.4.1

CCE-85858-9
Updated: about 1 year ago