forked from ComplianceAsCode/content
CIS 1.2.21: Ensure that the metrics are protected by RBAC
Vanilla CIS k8s benchmark prescribes that profiling should be disabled. In OCP however, profiling is on by default and used by Prometheus. So instead of making sure profiling is disabled, let's make sure it is explicitly protected by RBAC by checking the cluster-debugger role for including the /metrics endpoint. The previous rule is unused now and was removed.
Showing 5 changed files with 53 additions and 41 deletions.
37 changes: 0 additions & 37 deletions
applications/openshift/api-server/api_server_profiling/rule.yml
This file was deleted.
50 changes: 50 additions & 0 deletions
applications/openshift/api-server/api_server_profiling_protected_by_rbac/rule.yml
@@ -0,0 +1,50 @@ | ||
prodtype: ocp4 | ||
|
||
title: 'Profiling is protected by RBAC' | ||
|
||
description: |- | ||
Ensure that the cluster-debugger cluster role includes the /metrics | ||
resource URL. This demonstrates that profiling is protected by RBAC, with a | ||
specific cluster role to allow access. | ||
rationale: |- | ||
Profiling allows for the identification of specific performance bottlenecks. | ||
It generates a significant amount of program data that could potentially be | ||
exploited to uncover system and program details. | ||
To ensure the collected data is not exploited, profiling endpoints are secured | ||
via RBAC (see cluster-debugger role). By default, the profiling endpoints are | ||
accessible only by users bound to cluster-admin or cluster-debugger role. | ||
Profiling can not be disabled. | ||
identifiers: | ||
cce@ocp4: CCE-84212-0 | ||
|
||
references: | ||
cis: 1.2.21 | ||
|
||
severity: medium | ||
|
||
ocil_clause: |- | ||
The <tt>cluster-debugger</tt> role isn't protecting <tt>/metrics</tt> | ||
ocil: |- | ||
To verify that the <tt>cluster-debugger</tt> role is configured correctly, | ||
run the following command: | ||
<pre>$ oc get clusterroles cluster-debugger -o jsonpath='{.rules[0].nonResourceURLs}'</pre> | ||
and verify that the <tt>/metrics</tt> path is included there. | ||
warnings: | ||
- general: |- | ||
{{{ openshift_cluster_setting("/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger") | indent(4) }}} | ||
template: | ||
name: yamlfile_value | ||
vars: | ||
ocp_data: "true" | ||
filepath: /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger | ||
yamlpath: '.rules[0].nonResourceURLs[:]' | ||
entity_check: 'at least one' | ||
values: | ||
- value: '\/metrics' | ||
operation: 'pattern match' | ||
entity_check: 'at least one' |
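Review bot: the `yamlpath: '.rules[0].nonResourceURLs[:]'` in the template vars and the `jsonpath='{.rules[0].nonResourceURLs}'` in the ocil command both look only at the first entry of `.rules`, so a cluster-debugger role that grants `/metrics` in a later rule entry, or whose rules are reordered, fails this check even though the RBAC protection is in place; consider iterating over every rule in both places (for example `.rules[:].nonResourceURLs[:]`, if the template's yamlpath syntax allows it) so the automated scan and the manual verification step agree. One further caveat worth a sentence in the description: finding `/metrics` in cluster-debugger's `nonResourceURLs` shows that a dedicated role grants the endpoint, but it does not by itself establish the rationale's statement that only subjects bound to cluster-admin or cluster-debugger can reach it, since no other roles or bindings are examined by this check.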
2 changes: 2 additions & 0 deletions
applications/openshift/api-server/api_server_profiling_protected_by_rbac/tests/ocp4/e2e.yml
@@ -0,0 +1,2 @@ | ||
--- | ||
default_result: PASS |
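Review bot: `default_result: PASS` only records that a stock cluster passes; nothing here shows that the rule can fail. If the ocp4 e2e harness supports a second case, one that removes `/metrics` from the cluster-debugger role's `nonResourceURLs` and expects FAIL would confirm that the `pattern match` on `'\/metrics'` is actually exercised rather than passing by default.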
@@ -559,7 +559,6 @@ CCE-84203-9 | |
CCE-84205-4 | ||
CCE-84206-2 | ||
CCE-84210-4 | ||
CCE-84212-0 | ||
CCE-84213-8 | ||
CCE-84214-6 | ||
CCE-84215-3 | ||
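Review bot: the hunk header `@@ -559,7 +559,6 @@` says one line is dropped from this list, but the rendering has lost the `-` marker; CCE-84212-0 is the identifier assigned under `identifiers` in the new rule, so the removed line should be that one, and it is worth confirming no other line in the range was touched. The deleted `api_server_profiling/rule.yml` is not shown on this page; if it carried a CCE identifier of its own, that identifier should be returned to this pool in the same commit.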