From 1a00cfafae78de8b9f4e050cb75ba4a6be7f8a9c Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Wed, 3 Feb 2021 13:44:21 +0100
Subject: [PATCH] CIS 1.2.21: Ensure that the metrics are protected by RBAC
Vanilla CIS k8s benchmark prescribes that profiling should be disabled. In OCP however, profiling is on by default and used by Prometheus. So instead of making sure profiling is disabled, let's make sure it is explicitly protected by RBAC by checking the cluster-debugger role for including the /metrics endpoint The previous rule is unused now and was removed.
---
 .../api-server/api_server_profiling/rule.yml | 37 --------------
 .../rule.yml | 50 +++++++++++++++++++
 .../tests/ocp4/e2e.yml | 2 +
 ocp4/profiles/cis.profile | 4 +-
 shared/references/cce-redhat-avail.txt | 1 -
 5 files changed, 53 insertions(+), 41 deletions(-)
 delete mode 100644 applications/openshift/api-server/api_server_profiling/rule.yml
 create mode 100644 applications/openshift/api-server/api_server_profiling_protected_by_rbac/rule.yml
 create mode 100644 applications/openshift/api-server/api_server_profiling_protected_by_rbac/tests/ocp4/e2e.yml
diff --git a/applications/openshift/api-server/api_server_profiling/rule.yml b/applications/openshift/api-server/api_server_profiling/rule.yml
deleted file mode 100644
index 3215c9b25ab7..000000000000
--- a/applications/openshift/api-server/api_server_profiling/rule.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-documentation_complete: true
-
-prodtype: ocp4
-
-title: 'Disable Profiling on the API server'
-
-description: |-
- To disable profiling,
- edit the openshift-kube-apiserver configmap on the master node(s)
- and set profiling to false:
-
-    "schedulerArguments":{
-      ...
-      "profiling":[
-        "false"
-      ],
-      ...
-    
-
-rationale: |-
- Profiling allows for the identification of specific performance bottlenecks. It
- generates a significant amount of program data that could potentially be
- exploited to uncover system and program details. If the profiler is not
- needed for troubleshooting purposes, it is recommended to turn off for
- reduction of potential attack surface.
-
-severity: low
-
-references:
- cis: 1.2.21
-
-ocil_clause: 'profiling is enabled and is set to value of true'
-
-ocil: |-
- Run the following command on the master node(s):
-
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.schedulerArguments["profiling"]'
- The output should return
false
.
diff --git a/applications/openshift/api-server/api_server_profiling_protected_by_rbac/rule.yml b/applications/openshift/api-server/api_server_profiling_protected_by_rbac/rule.yml
new file mode 100644
index 000000000000..34dbf69e6a0e
--- /dev/null
+++ b/applications/openshift/api-server/api_server_profiling_protected_by_rbac/rule.yml
@@ -0,0 +1,50 @@
+prodtype: ocp4
+
+title: 'Profiling is protected by RBAC'
+
+description: |-
+ Ensure that the cluster-debugger cluster role includes the /metrics
+ resource URL. This demonstrates that profiling is protected by RBAC, with a
+ specific cluster role to allow access.
+
+rationale: |-
+ Profiling allows for the identification of specific performance bottlenecks.
+ It generates a significant amount of program data that could potentially be
+ exploited to uncover system and program details.
+ To ensure the collected data is not exploited, profiling endpoints are secured
+ via RBAC (see cluster-debugger role). By default, the profiling endpoints are
+ accessible only by users bound to cluster-admin or cluster-debugger role.
+ Profiling can not be disabled.
+
+identifiers:
+ cce@ocp4: CCE-84212-0
+
+references:
+ cis: 1.2.21
+
+severity: medium
+
+ocil_clause: |-
+ The cluster-debugger role isn't protecting /metrics
+
+ocil: |-
+ To verify that the cluster-debugger role is configured correctly,
+ run the following command:
+
$ oc get clusterroles cluster-debugger -o jsonpath='{.rules[0].nonResourceURLs}'
+ and verify that the /metrics path is included there.
+
+warnings:
+- general: |-
+ {{{ openshift_cluster_setting("/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger") | indent(4) }}}
+
+template:
+ name: yamlfile_value
+ vars:
+ ocp_data: "true"
+ filepath: /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger
+ yamlpath: '.rules[0].nonResourceURLs[:]'
+ entity_check: 'at least one'
+ values:
+ - value: '\/metrics'
+ operation: 'pattern match'
+ entity_check: 'at least one'
diff --git a/applications/openshift/api-server/api_server_profiling_protected_by_rbac/tests/ocp4/e2e.yml b/applications/openshift/api-server/api_server_profiling_protected_by_rbac/tests/ocp4/e2e.yml
new file mode 100644
index 000000000000..b49fd368b988
--- /dev/null
+++ b/applications/openshift/api-server/api_server_profiling_protected_by_rbac/tests/ocp4/e2e.yml
@@ -0,0 +1,2 @@
+---
+default_result: PASS
diff --git a/ocp4/profiles/cis.profile b/ocp4/profiles/cis.profile
index bd15e8b53e55..29003b7c7073 100644
--- a/ocp4/profiles/cis.profile
+++ b/ocp4/profiles/cis.profile
@@ -75,9 +75,7 @@ selections:
 # 1.2.20 Ensure that the --secure-port argument is not set to 0
 - api_server_bind_address
 # 1.2.21 Ensure that the --profiling argument is set to false
- # (jhrozek): This rule should temporarily be commented out as OCP diverges from CIS
- # and we need to improve our reply to this control
- # - api_server_profiling
+ - api_server_profiling_protected_by_rbac
 # 1.2.22 Ensure that the --audit-log-path argument is set
 - api_server_audit_log_path
 - openshift_api_server_audit_log_path
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index a39b145df02b..7f4f535ab8fd 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -559,7 +559,6 @@ CCE-84203-9
 CCE-84205-4
 CCE-84206-2
 CCE-84210-4
-CCE-84212-0
 CCE-84213-8
 CCE-84214-6
 CCE-84215-3
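Review bot: The template pins the first rule of the ClusterRole in `yamlpath: '.rules[0].nonResourceURLs[:]'`, and the ocil command does the same with `jsonpath='{.rules[0].nonResourceURLs}'`, so a cluster-debugger role whose /metrics grant lives in any later rule is reported as failing even though the endpoint is still protected; `yamlpath: '.rules[:].nonResourceURLs[:]'` would evaluate every rule, and the ocil jsonpath should drop the `[0]` to match. The `pattern match` on `'\/metrics'` is unanchored, so any URL containing that substring satisfies the check; anchoring it (for example `'^\/metrics$'`) would make the match exact. The title and rationale speak of profiling endpoints, yet only /metrics is inspected — presumably /metrics is meant as a proxy for the role being intact, and the description should say so explicitly, or the profiling paths the rationale refers to should be added to `values`. The deleted rule carried `documentation_complete: true` and the new one does not; if the build filters rules on that key this rule would be silently skipped, so it is worth confirming.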
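Review bot: The retained comment `# 1.2.21 Ensure that the --profiling argument is set to false` now introduces a selection that does not check the --profiling argument at all, so a reader of the profile would expect a flag check that the new rule (`api_server_profiling_protected_by_rbac`) does not perform. Suggest carrying the deviation into the comment, e.g. `# 1.2.21 Ensure that the --profiling argument is set to false` followed by `# (OCP keeps profiling enabled for Prometheus; the rule verifies it is RBAC-protected instead)`, so the removed jhrozek note's explanation is not lost.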