Ensure that an OpenShift OAuth login template or a classification banner is set

An XCCDF Rule

Description

A legal notice must be configured.
This is achievable via the OAuth object by creating a custom login page, storing it in a Kubernetes Secret, and referencing it in the appropriate field as described in the documentation.
Another way of achieving this is via a custom classification banner, which can be set via the ConsoleNotification CRD as described in the documentation.

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/config.openshift.io/v1/oauths/cluster API endpoint to the local /apis/config.openshift.io/v1/oauths/cluster file, and retrieve the /apis/console.openshift.io/v1/consolenotifications/classification-banner API endpoint to the local /apis/console.openshift.io/v1/consolenotifications/classification-banner file.
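An added example (not the rule's own check content) that evaluates the two dumped files described above and passes when either mechanism is configured. The field paths spec.templates.login.name and spec.text are assumptions about what marks a configured login template and banner, and the dump root directory argument is hypothetical.

```python
import json
import sys
from pathlib import Path

# Paths mirror the API endpoints named on the page, relative to a dump root.
OAUTH = "apis/config.openshift.io/v1/oauths/cluster"
BANNER = "apis/console.openshift.io/v1/consolenotifications/classification-banner"


def _load(root, rel):
    """Return the parsed resource, or None if the dump is missing or unusable."""
    try:
        obj = json.loads((Path(root) / rel).read_text())
    except (OSError, ValueError):
        return None
    # A "not found" answer from the API is dumped as a Status object.
    if not isinstance(obj, dict) or obj.get("kind") == "Status":
        return None
    return obj


def _dig(obj, *keys):
    """Walk nested dicts, returning None as soon as a level is absent."""
    for key in keys:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def login_template_set(root):
    # Assumed field: the Secret name referenced as the custom login page.
    name = _dig(_load(root, OAUTH), "spec", "templates", "login", "name")
    return isinstance(name, str) and bool(name.strip())


def banner_set(root):
    # Assumed field: the banner text of the classification-banner object.
    text = _dig(_load(root, BANNER), "spec", "text")
    return isinstance(text, str) and bool(text.strip())


def evaluate(root):
    """The rule is an OR: a login template or a classification banner."""
    return login_template_set(root) or banner_set(root)


if __name__ == "__main__":
    ok = evaluate(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("PASS" if ok else "FAIL")
    sys.exit(0 if ok else 1)
```

An empty or whitespace-only value is treated as not configured, so a banner object that exists but carries no text still fails.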

Rationale

Displaying an organization-defined system use notification message or banner to users before granting access to the system provides privacy and security notices consistent with applicable federal laws.

ID
xccdf_org.ssgproject.content_rule_banner_or_login_template_set
Severity
Medium