Check: CNTR-RM-001730
Rancher Government Solutions Multi-Cluster Manager STIG:
CNTR-RM-001730
(in versions v1 r1 through v1 r2)
Title
Rancher MCM must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithms for transmission. (Cat I impact)
Discussion
The container platform and its components will adhere to NIST SP 800-52 Rev. 2. To ensure that traffic coming through the ingress controller is re-encrypted internally rather than forwarded in the clear, remove port 80 from the rancher service object and direct ingress traffic to port 443 over HTTPS.
Check Content
Navigate to Triple Bar Symbol (Global) >> <local cluster>. From the kubectl shell (>_) execute:

kubectl get ingress -n cattle-system rancher -o yaml

Verify that every rule sends traffic to the rancher service on port 443:

spec:
  rules:
  - host: rancher.example.com
    http:
      paths:
      - backend:
          service:
            name: rancher
            port:
              number: 443

kubectl get svc rancher -n cattle-system -o yaml

Verify that the service exposes only port 443, forwarded to target port 443:

spec:
  clusterIP: 10.43.145.4
  clusterIPs:
  - 10.43.145.4
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: https-internal
    port: 443
    protocol: TCP
    targetPort: 443

The clusterIP values shown are specific to the cluster the sample was taken from and will differ in your environment; the relevant points are that no port 80 (http) entry remains, that the only service port is 443, and that the ingress backend uses port number 443. If the output does not match the above, this is a finding.
Fix Text
From the dropdown select Global >> <local cluster>. From the kubectl shell (>_) execute the following:

kubectl patch -n cattle-system service rancher -p '{"spec":{"ports":[{"port":443,"targetPort":443}]}}'

export RANCHER_HOSTNAME=rancher.disa-eval-2-6.tomatodamato.com

kubectl -n cattle-system patch ingress rancher -p "{\"metadata\":{\"annotations\":{\"nginx.ingress.kubernetes.io/backend-protocol\":\"HTTPS\"}},\"spec\":{\"rules\":[{\"host\":\"$RANCHER_HOSTNAME\",\"http\":{\"paths\":[{\"backend\":{\"service\":{\"name\":\"rancher\",\"port\":{\"number\":443}}},\"pathType\":\"ImplementationSpecific\"}]}}]}}"

kubectl patch -n cattle-system service rancher --type=json -p '[{"op":"remove","path":"/spec/ports/0"}]'

Notes: the hostname assigned to RANCHER_HOSTNAME above is an example; set it to the hostname your Rancher ingress actually serves. The annotation key nginx.ingress.kubernetes.io/backend-protocol is case-sensitive and must be lowercase, otherwise the ingress controller ignores it and continues to send plaintext HTTP to the backend. The first service patch is a strategic merge on the ports list (keyed by port), so it updates the existing 443 entry in place; the final JSON patch then removes the first entry in spec.ports, which is the port 80 entry in a default install. Confirm with kubectl get svc rancher -n cattle-system -o yaml that index 0 is the port 80 entry before running the remove, and re-run the Check Content afterwards.
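The Check Content above is a manual comparison of YAML output. The script below is an added example, not part of the STIG or of Rancher, that performs the same comparison offline against the JSON form of the two objects (kubectl get ... -o json). It checks what the Check Content asks for (the rancher service exposes only port 443 forwarded to 443; every ingress rule targets rancher:443) and additionally checks for the nginx.ingress.kubernetes.io/backend-protocol: HTTPS annotation the Fix Text sets, since without it the ingress controller still speaks plaintext to port 443. It deliberately ignores clusterIP, which is environment-specific. The four sample objects are constructed for the example and not captured from a real cluster; the before samples are shaped like a non-compliant install, the after samples like one the Fix Text has been applied to.

```python
"""Offline checker for the CNTR-RM-001730 conditions (added example, not STIG text)."""
import json
import sys
from typing import List

# Constructed sample objects in the shape that
#   kubectl -n cattle-system get svc rancher -o json
#   kubectl -n cattle-system get ingress rancher -o json
# return. They are illustrative, not captured from a real cluster.
SAMPLE_SERVICE_BEFORE = json.dumps({
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "rancher", "namespace": "cattle-system"},
    "spec": {
        "clusterIP": "10.43.145.4",
        "ports": [
            {"name": "http", "port": 80, "protocol": "TCP", "targetPort": 80},
            {"name": "https-internal", "port": 443, "protocol": "TCP", "targetPort": 444},
        ],
    },
})
SAMPLE_SERVICE_AFTER = json.dumps({
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "rancher", "namespace": "cattle-system"},
    "spec": {
        "clusterIP": "10.43.145.4",
        "ports": [
            {"name": "https-internal", "port": 443, "protocol": "TCP", "targetPort": 443},
        ],
    },
})
SAMPLE_INGRESS_BEFORE = json.dumps({
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "rancher", "namespace": "cattle-system", "annotations": {}},
    "spec": {"rules": [{"host": "rancher.example.com", "http": {"paths": [
        {"pathType": "ImplementationSpecific",
         "backend": {"service": {"name": "rancher", "port": {"number": 80}}}}]}}]},
})
SAMPLE_INGRESS_AFTER = json.dumps({
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "rancher", "namespace": "cattle-system",
                 "annotations": {"nginx.ingress.kubernetes.io/backend-protocol": "HTTPS"}},
    "spec": {"rules": [{"host": "rancher.example.com", "http": {"paths": [
        {"pathType": "ImplementationSpecific",
         "backend": {"service": {"name": "rancher", "port": {"number": 443}}}}]}}]},
})


def service_findings(svc: dict) -> List[str]:
    """The rancher Service may expose only port 443, forwarded to target port 443."""
    findings = []
    ports = svc.get("spec", {}).get("ports") or []
    if not ports:
        findings.append("service exposes no ports")
    for p in ports:
        if p.get("port") != 443:
            findings.append("service exposes non-443 port %s (%s)" % (p.get("port"), p.get("name")))
        elif p.get("targetPort") != 443:
            # A named or non-443 targetPort is flagged: the STIG expects the literal 443.
            findings.append("port 443 targets %s rather than 443" % p.get("targetPort"))
    return findings


def ingress_findings(ing: dict) -> List[str]:
    """Every rule must send traffic to rancher:443, and the nginx ingress controller
    must be told to speak HTTPS to that backend (the annotation the Fix Text sets)."""
    findings = []
    ann = ing.get("metadata", {}).get("annotations") or {}
    if ann.get("nginx.ingress.kubernetes.io/backend-protocol") != "HTTPS":
        findings.append("ingress backend-protocol annotation is not HTTPS")
    rules = ing.get("spec", {}).get("rules") or []
    if not rules:
        findings.append("ingress has no rules")
    for rule in rules:
        for path in (rule.get("http") or {}).get("paths") or []:
            svc = path.get("backend", {}).get("service") or {}
            number = (svc.get("port") or {}).get("number")
            if svc.get("name") != "rancher" or number != 443:
                findings.append("rule for host %s sends traffic to %s:%s"
                                % (rule.get("host"), svc.get("name"), number))
    return findings


def check(service_json: str, ingress_json: str) -> List[str]:
    """Return the list of findings; an empty list means the check passes."""
    return service_findings(json.loads(service_json)) + ingress_findings(json.loads(ingress_json))


if __name__ == "__main__":
    # Usage: python check_rm_001730.py svc.json ingress.json   (no args: run on the samples)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_svc, open(sys.argv[2]) as f_ing:
            results = check(f_svc.read(), f_ing.read())
    else:
        results = check(SAMPLE_SERVICE_BEFORE, SAMPLE_INGRESS_BEFORE)
    for line in results:
        print("FINDING:", line)
    print("PASS" if not results else "FAIL (%d findings)" % len(results))
```

Run it with the two JSON files saved from kubectl; an empty findings list corresponds to "not a finding" in the Check Content, and each line it prints names the specific port or rule that would fail the manual comparison.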
Additional Identifiers
Rule ID: SV-252849r819997_rule
Vulnerability ID: V-252849
Group Title: SRG-APP-000645-CTR-001410
Expert Comments
CCIs
Number | Definition
---|---
CCI-000382 | The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services.
Controls
Number | Title
---|---
CM-7 | Least Functionality