OpenShift runtime must have updates installed within the period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-257572	CNTR-OS-000900	SV-257572r921659_rule		Medium

Description
OpenShift runtime must be carefully monitored for vulnerabilities, and when problems are detected, they must be remediated quickly. A vulnerable runtime exposes all containers it supports, as well as the host itself, to potentially significant risk. Organizations must use tools to look for Common Vulnerabilities and Exposures (CVEs) in the runtimes deployed, to upgrade any instances at risk, and to ensure that orchestrators only allow deployments to properly maintained runtimes. Satisfies: SRG-APP-000456-CTR-001130, SRG-APP-000456-CTR-001125

Description

OpenShift runtime must be carefully monitored for vulnerabilities, and when problems are detected, they must be remediated quickly. A vulnerable runtime exposes all containers it supports, as well as the host itself, to potentially significant risk. Organizations must use tools to look for Common Vulnerabilities and Exposures (CVEs) in the runtimes deployed, to upgrade any instances at risk, and to ensure that orchestrators only allow deployments to properly maintained runtimes. Satisfies: SRG-APP-000456-CTR-001130, SRG-APP-000456-CTR-001125

STIG	Date
Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide	2023-08-28

Details

Check Text ( C-61307r921657_chk )
To list all the imagestreams and identify which imagestream tags are configured to periodically check for updates (imagePolicy = { scheduled: true }), execute the following: oc get imagestream --all-namespaces -o jsonpath='{range .items[]}{.metadata.name}{"\n"}{range .spec.tags[]}{"\t"}{.name}{": "}{.importPolicy}{"\n"}' The output will be similar to: httpd 2.4: {} 2.4-el7: {} 2.4-el8: {} latest: {} : installer latest: {"scheduled":true} : installer-artifacts latest: {"scheduled":true} : Review the listing, and for each imagestream tag version that does not have the value '{"scheduled":true}' that should otherwise check for updates, this is a finding.

Check Text ( C-61307r921657_chk )

To list all the imagestreams and identify which imagestream tags are configured to periodically check for updates (imagePolicy = { scheduled: true }), execute the following:

oc get imagestream --all-namespaces -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{range .spec.tags[*]}{"\t"}{.name}{": "}{.importPolicy}{"\n"}'

The output will be similar to:

httpd
2.4: {}
2.4-el7: {}
2.4-el8: {}
latest: {}
:
installer
latest: {"scheduled":true}
:
installer-artifacts
latest: {"scheduled":true}
:

Review the listing, and for each imagestream tag version that does not have the value '{"scheduled":true}' that should otherwise check for updates, this is a finding.

Fix Text (F-61231r921658_fix)
For container images that are not scheduled to check for updates that otherwise should, update the imagestream to schedule updates for each tag by executing the following: oc patch imagestream -n NAMESPACE --type merge -p '{"spec":{"tags":[{"name":"","importPolicy":{"scheduled":true}}]}}' where, NAME: The imagestream name to update NAMESPACE: The namespace the imagestream is in. This will most often be 'openshift'. TAG_NAME: The imagestream tag to update

Fix Text (F-61231r921658_fix)

For container images that are not scheduled to check for updates that otherwise should, update the imagestream to schedule updates for each tag by executing the following:

oc patch imagestream -n NAMESPACE --type merge -p '{"spec":{"tags":[{"name":"","importPolicy":{"scheduled":true}}]}}'

where,
NAME: The imagestream name to update
NAMESPACE: The namespace the imagestream is in. This will most often be 'openshift'.
TAG_NAME: The imagestream tag to update