UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

OpenShift keystore must implement encryption to prevent unauthorized disclosure of information at rest within the container platform.


Overview

Finding ID Version Rule ID IA Controls Severity
V-257564 CNTR-OS-000780 SV-257564r961602_rule Medium
Description
By default, etcd data is not encrypted in OpenShift Container Platform. Enable etcd encryption for the cluster to provide an additional layer of data security. For example, it can help protect the loss of sensitive data if an etcd backup is exposed to the incorrect parties. When users enable etcd encryption, the following OpenShift API server and Kubernetes API server resources are encrypted: Secrets Config maps Routes OAuth access tokens OAuth authorize tokens When users enable etcd encryption, encryption keys are created. These keys are rotated on a weekly basis. Users must have these keys to restore from an etcd backup.
STIG Date
Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide 2024-06-10

Details

Check Text ( C-61299r921633_chk )
Review the API server encryption by running by executing the following:

oc edit apiserver

EXAMPLE OUTPUT
spec:
encryption:
type: aescbc

If the encryption type is not "aescbc", this is a finding.
Fix Text (F-61223r921634_fix)
Set API encryption type by executing the following:

oc edit apiserver

Set the encryption field type to aescbc:
spec:
encryption:
type: aescbc

Additional details about the configuration can be found in the documentation:
https://docs.openshift.com/container-platform/4.8/security/encrypting-etcd.html