BSI IT-Grundschutz (Basic Protection) Building Block SYS.1.6 and APP.4.4
Rules and Groups employed by this XCCDF Profile
-
Kubernetes Settings
Each section of this configuration guide includes information about the configuration of a Kubernetes cluster and a set of recommendations for hardening the configuration. For each hardening recomm...Group -
System and Software Integrity
System and software integrity can be gained by installing antivirus, increasing system encryption strength with FIPS, verifying installed software, enabling SELinux, installing an Intrusion Prevent...Group -
Ensure that Cluster Version Operator is deployed
Integrity of the OpenShift platform is handled to start by the cluster version operator. Cluster Version Operator will by default GPG verify the integrity of the release image before applying it. ...Rule Medium Severity -
Ensure that Cluster Version Operator verifies integrity
Integrity of the OpenShift platform is handled to start by the cluster version operator. Cluster Version Operator will by default GPG verify the integrity of the release image before applying it. ...Rule Medium Severity -
Ensure that File Integrity Operator is scanning the cluster
<a href="https://docs.openshift.com/container-platform/4.7/security/file_integrity_operator/file-integrity-operator-understanding.html">The File Integrity Operator</a> continually runs file integri...Rule Medium Severity -
Kubernetes - Account and Access Control
In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which that account has access. The same idea applies to...Group -
Restrict Automounting of Service Account Tokens
Service accounts tokens should not be mounted in pods except where the workload running in the pod explicitly needs to communicate with the API server. To ensure pods do not automatically mount tok...Rule Medium Severity -
Ensure Usage of Unique Service Accounts
Using the <code>default</code> service account prevents accurate application rights review and audit tracing. Instead of <code>default</code>, create a new and unique service account with the follo...Rule Medium Severity -
OpenShift Kube API Server
This section contains recommendations for kube-apiserver configuration.Group -
Ensure that anonymous requests to the API Server are authorized
By default, anonymous access to the OpenShift API is enabled, but at the same time, all requests must be authorized. If no authentication mechanism is used, the request is assigned the <code>system...Rule Medium Severity -
Configure the Client Certificate Authority for the API Server
Certificates must be provided to fully setup TLS client certificate authentication. To ensure the API Server utilizes its own TLS certificates, the <code>clientCA</code> must be configured. Verify ...Rule Medium Severity -
Configure the Encryption Provider Cipher
<p> When you enable etcd encryption, the following OpenShift API server and Kubernetes API server resources are encrypted: <ul> <li>Secrets</li> <li>ConfigMaps</li> <li>Routes</li> <...Rule Medium Severity -
Ensure that the --kubelet-https argument is set to true
The kube-apiserver ensures https to the kubelet by default. The apiserver flag "--kubelet-https" is deprecated and should be either set to "true" or omitted from the argument list.Rule Medium Severity -
Configure the kubelet Certificate File for the API Server
To enable certificate based kubelet authentication, edit the <code>config</code> configmap in the <code>openshift-kube-apiserver</code> namespace and set the below parameter in the <code>config.yam...Rule High Severity -
Configure the kubelet Certificate Key for the API Server
To enable certificate based kubelet authentication, edit the <code>config</code> configmap in the <code>openshift-kube-apiserver</code> namespace and set the below parameter in the <code>config.yam...Rule High Severity -
Configure the Certificate for the API Server
To ensure the API Server utilizes its own TLS certificates, the <code>tls-cert-file</code> must be configured. Verify that the <code>apiServerArguments</code> section has the <code>tls-cert-file</c...Rule Medium Severity -
Use Strong Cryptographic Ciphers on the API Server
To ensure that the API Server is configured to only use strong cryptographic ciphers, verify the <code>openshift-kube-apiserver</code> configmap contains the following set of ciphers, with no addit...Rule Medium Severity -
Configure the Certificate Key for the API Server
To ensure the API Server utilizes its own TLS certificates, the <code>tls-private-key-file</code> must be configured. Verify that the <code>apiServerArguments</code> section has the <code>tls-priva...Rule Medium Severity -
Ensure APIServer is not configured with Old tlsSecurityProfile
The configuration <code>tlsSecurityProfile</code> specifies TLS configurations to be used while establishing connections with the externally exposed servers. Though secure transport mode is used fo...Rule Medium Severity -
OpenShift etcd Settings
Contains rules that check correct OpenShift etcd settings.Group -
Kubernetes - General Security Practices
Contains evaluations for general security practices for operating a Kubernetes environment.Group -
Ensure the notification is enabled for file integrity operator
The OpenShift platform provides the File Integrity Operator to monitor for unwanted file changes, and this control ensures proper notification alert is enabled so that system administrators and sec...Rule Medium Severity -
Apply Security Context to Your Pods and Containers
Apply Security Context to your Pods and ContainersRule Medium Severity -
Ensure that GitOps Operator is deployed
Red Hat OpenShift GitOps is a declarative continuous delivery platform based on Argo CD. It enables teams to adopt GitOps principles for managing cluster configurations and automating secure and re...Rule Medium Severity -
Ensure that the kubeadmin secret has been removed
The kubeadmin user is meant to be a temporary user used for bootstrapping purposes. It is preferable to assign system administrators whose users are backed by an Identity Provider. <br> Make sure ...Rule Medium Severity -
Ensure TLS v1.2 is minimum for Openshift APIServer
Verify tls version for the openshift APIServer.Rule Medium Severity -
This is a helper rule to fetch the required api resource for detecting HyperShift OCP version
no descriptionRule Medium Severity -
This is a helper rule to fetch the required api resource for detecting OCP version
no descriptionRule Medium Severity -
Kubernetes Kubelet Settings
The Kubernetes Kubelet is an agent that runs on each node in the cluster. It makes sure that containers are running in a pod. The kubelet takes a set of PodSpecs that are provided through various ...Group -
Ensure That The kubelet Client Certificate Is Correctly Set
To ensure the kubelet TLS client certificate is configured, edit the kubelet configuration file <code>/etc/kubernetes/kubelet.conf</code> and configure the kubelet certificate file. <pre>tlsCertFil...Rule Medium Severity -
Ensure That The kubelet Server Key Is Correctly Set
To ensure the kubelet TLS private server key certificate is configured, edit the kubelet configuration file <code>/etc/kubernetes/kubelet.conf</code> and configure the kubelet private key file. <pr...Rule Medium Severity -
Kubernetes - Network Configuration and Firewalls
Most systems must be connected to a network of some sort, and this brings with it the substantial risk of network attack. This section discusses the security impact of decisions about networking wh...Group -
Ensure that the CNI in use supports Network Policies
There are a variety of CNI plugins available for Kubernetes. If the CNI in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster. OpenShift sup...Rule High Severity -
Ensure that application Namespaces have Network Policies defined.
Use network policies to isolate traffic in your cluster network.Rule High Severity -
Ensure that project templates autocreate Network Policies
Configure a template for newly created projects to use default network policies and make sure this template is referenced from the default project template. The OpenShift Container Platform API se...Rule Medium Severity -
Role-based Access Control
Role-based access control (RBAC) objects determine whether a user is allowed to perform a given action within a project. Cluster administrators can use the cluster roles and bindings to control wh...Group -
Ensure cluster roles are defined in the cluster
<p> RBAC is a critical feature in terms of security for Kubernetes and OpenShift. It enables administrators to segment the privileges granted to a service account, and thus allows us...Rule Medium Severity -
Ensure that the RBAC setup follows the principle of least privilege
Role-based access control (RBAC) objects determine whether a user is allowed to perform a given action within a project. If users or groups exist that are bound to roles they must not have, modify...Rule High Severity -
Ensure that the cluster-admin role is only used where required
The RBAC role cluster-admin provides wide-ranging powers over the environment and should be used only where and when needed.Rule Medium Severity -
Limit Access to Kubernetes Secrets
The Kubernetes API stores secrets, which may be service account tokens for the Kubernetes API or credentials used by workloads in the cluster. Access to these secrets should be restricted to the sm...Rule Medium Severity -
Ensure roles are defined in the cluster
<p> RBAC is a critical feature in terms of security for Kubernetes and OpenShift. It enables administrators to segment the privileges granted to a service account, and thus allows us...Rule Medium Severity -
Minimize Wildcard Usage in Cluster and Local Roles
Kubernetes Cluster and Local Roles provide access to resources based on sets of objects and actions that can be taken on those objects. It is possible to set either of these using a wildcard <code>...Rule Medium Severity -
Kubernetes - Registry Security Practices
Contains evaluations for Kubernetes registry security practices, and cluster-wide registry configuration.Group -
Allowed registries are configured
The configuration <code>registrySources.allowedRegistries</code> determines the permitted registries that the OpenShift container runtime can access for builds and pods. This configuration setting ...Rule Medium Severity -
Allowed registries for import are configured
The configuration <code>allowedRegistriesForImport</code> limits the container image registries from which normal users may import images. This is important to control, as a user who can stand up a...Rule Medium Severity -
Check configured allowed registries for import uses secure protocol
The configuration <code>allowedRegistriesForImport</code> limits the container image registries from which normal users may import images. This is a list of the registries that can be trusted to co...Rule Medium Severity -
Check if any insecure registry sources is configured
The configuration <code>registrySources.insecureRegistries</code> determines the insecure registries that the OpenShift container runtime can access for builds and pods. This configuration setting ...Rule Medium Severity -
OpenShift - Risk Assessment Settings
Contains evaluations for the cluster's risk assessment configuration settings.Group -
Ensure that Compliance Operator is scanning the cluster
<a href="https://docs.openshift.com/container-platform/latest/security/compliance_operator/compliance-operator-understanding.html#compliance-operator-understanding">The Compliance Operator</a> scan...Rule Medium Severity -
Ensure that Compliance Operator scans are running periodically
<a href="https://docs.openshift.com/container-platform/latest/security/compliance_operator/compliance-operator-understanding.html#compliance-operator-understanding">The Compliance Operator</a> scan...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.