Merge pull request ComplianceAsCode#6594 from jhrozek/cis_1_2_21

CIS 1.2.21: Ensure that the metrics are protected by RBAC
brett060102 · Feb 3, 2021 · ee010d6 · ee010d6
2 parents 7a1973e + 1a00cfa
commit ee010d6
Show file tree

Hide file tree

Showing 5 changed files with 53 additions and 41 deletions.
diff --git a/applications/openshift/api-server/api_server_profiling/rule.yml b/applications/openshift/api-server/api_server_profiling/rule.yml
diff --git a/applications/openshift/api-server/api_server_profiling_protected_by_rbac/rule.yml b/applications/openshift/api-server/api_server_profiling_protected_by_rbac/rule.yml
@@ -0,0 +1,50 @@
+prodtype: ocp4
+
+title: 'Profiling is protected by RBAC'
+
+description: |-
+  Ensure that the cluster-debugger cluster role includes the /metrics
+  resource URL. This demonstrates that profiling is protected by RBAC, with a
+  specific cluster role to allow access.
+
+rationale: |-
+  Profiling allows for the identification of specific performance bottlenecks.
+  It generates a significant amount of program data that could potentially be
+  exploited to uncover system and program details. 
+  To ensure the collected data is not exploited, profiling endpoints are secured
+  via RBAC (see cluster-debugger role). By default, the profiling endpoints are
+  accessible only by users bound to cluster-admin or cluster-debugger role.
+  Profiling can not be disabled.
+
+identifiers:
+  cce@ocp4: CCE-84212-0
+
+references:
+  cis: 1.2.21
+
+severity: medium
+
+ocil_clause: |-
+    The <tt>cluster-debugger</tt> role isn't protecting <tt>/metrics</tt>
+
+ocil: |-
+    To verify that the <tt>cluster-debugger</tt> role is configured correctly,
+    run the following command:
+    <pre>$ oc get clusterroles cluster-debugger -o jsonpath='{.rules[0].nonResourceURLs}'</pre>
+    and verify that the <tt>/metrics</tt> path is included there.
+
+warnings:
+- general: |-
+    {{{ openshift_cluster_setting("/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger") | indent(4) }}}
+
+template:
+  name: yamlfile_value
+  vars:
+    ocp_data: "true"
+    filepath: /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger
+    yamlpath: '.rules[0].nonResourceURLs[:]'
+    entity_check: 'at least one'
+    values:
+    - value: '\/metrics'
+      operation: 'pattern match'
+      entity_check: 'at least one'
diff --git a/applications/openshift/api-server/api_server_profiling_protected_by_rbac/tests/ocp4/e2e.yml b/applications/openshift/api-server/api_server_profiling_protected_by_rbac/tests/ocp4/e2e.yml
@@ -0,0 +1,2 @@
+---
+default_result: PASS
diff --git a/ocp4/profiles/cis.profile b/ocp4/profiles/cis.profile
@@ -75,9 +75,7 @@ selections:
   # 1.2.20 Ensure that the --secure-port argument is not set to 0
     - api_server_bind_address
   # 1.2.21 Ensure that the --profiling argument is set to false
-    # (jhrozek): This rule should temporarily be commented out as OCP diverges from CIS
-    #            and we need to improve our reply to this control
-    # - api_server_profiling
+    - api_server_profiling_protected_by_rbac
   # 1.2.22 Ensure that the --audit-log-path argument is set
     - api_server_audit_log_path
     - openshift_api_server_audit_log_path

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -559,7 +559,6 @@ CCE-84203-9
 CCE-84205-4
 CCE-84206-2
 CCE-84210-4
-CCE-84212-0
 CCE-84213-8
 CCE-84214-6
 CCE-84215-3