Check: CNTR-R2-000010
Rancher Government Solutions RKE2 STIG:
CNTR-R2-000010
(in versions v2 r1 through v1 r2)
Title
Rancher RKE2 must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules. (Cat I impact)
Discussion
Use strong TLS settings. RKE2 uses FIPS validated BoringCrypto modules. RKE2 Server can prohibit the use of SSL and unauthorized versions of TLS protocols to properly secure communication. There is a lot of traffic between RKE2 nodes to deploy, update, and delete resources so it is important to set strong TLS settings on top of this default feature. It is also important to use approved cypher suites. This ensures the protection of the transmitted information, confidentiality, and integrity so that the attacker cannot read or alter this communication. The use of unsupported protocol exposes vulnerabilities to the Kubernetes by rogue traffic interceptions, man-in-the-middle attacks, and impersonation of users or services from the container platform runtime, registry, and key store. To enable the enforcement of minimum version of TLS and cipher suites to be used by the various components of RKE2, the settings "tls-min-version" and "tls-cipher-suites" must be set. Further documentation of the FIPS modules can be found here: https://docs.rke2.io/security/fips_support. Satisfies: SRG-APP-000014-CTR-000035, SRG-APP-000014-CTR-000040, SRG-APP-000219-CTR-000550, SRG-APP-000441-CTR-001090, SRG-APP-000442-CTR-001095, SRG-APP-000514-CTR-001315, SRG-APP-000560-CTR-001340, SRG-APP-000605-CTR-001380, SRG-APP-000610-CTR-001385, SRG-APP-000635-CTR-001405, SRG-APP-000645-CTR-001410
Check Content
Use strong TLS settings. On an RKE2 server, run each command: /bin/ps -ef | grep kube-apiserver | grep -v grep /bin/ps -ef | grep kube-controller-manager | grep -v grep /bin/ps -ef | grep kube-scheduler | grep -v grep For each, look for the existence of tls-min-version (use this command for an aid "| grep tls-min-version"): If the setting "tls-min-version" is not configured or it is set to "VersionTLS10" or "VersionTLS11", this is a finding. For each, look for the existence of the tls-cipher-suites. If "tls-cipher-suites" is not set for all servers, or does not contain the following, this is a finding: --tls-cipher-suites=TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 124 | P a g eTLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384
Fix Text
Use strong TLS settings. Edit the RKE2 Server configuration file on all RKE2 Server hosts, located at /etc/rancher/rke2/config.yaml, to contain the following: kube-controller-manager-arg: - "tls-min-version=VersionTLS12" [or higher] - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" kube-scheduler-arg: - "tls-min-version=VersionTLS12" - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" kube-apiserver-arg: - "tls-min-version=VersionTLS12" - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" Once configuration file is updated, restart the RKE2 Server. Run the command: systemctl restart rke2-server
Additional Identifiers
Rule ID: SV-254553r960759_rule
Vulnerability ID: V-254553
Group Title: SRG-APP-000014-CTR-000035
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000068 |
Implement cryptographic mechanisms to protect the confidentiality of remote access sessions. |
CCI-000185 |
For public key-based authentication, validate certificates by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information. |
CCI-000382 |
Configure the system to prohibit or restrict the use of organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services. |
CCI-000803 |
Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. |
CCI-001184 |
Protect the authenticity of communications sessions. |
CCI-001453 |
Implement cryptographic mechanisms to protect the integrity of remote access sessions. |
CCI-002420 |
Maintain the confidentiality and/or integrity of information during preparation for transmission. |
CCI-002422 |
Maintain the confidentiality and/or integrity of information during reception. |
CCI-002450 |
Implement organization-defined types of cryptography for each specified cryptography use. |
Controls
Number | Title |
---|---|
AC-17(2) |
Protection of Confidentiality / Integrity Using Encryption |
CM-7 |
Least Functionality |
IA-5(2) |
Pki-based Authentication |
IA-7 |
Cryptographic Module Authentication |
SC-8(2) |
Pre / Post Transmission Handling |
SC-13 |
Cryptographic Protection |
SC-23 |
Session Authenticity |