Hi
currently the test for the rule xccdf_org.ssgproject.content_rule_api_server_secure_port in the profile xccdf_org.ssgproject.content_profile_opencis-master in the file ssg-ocp3-ds.xml is wrong, since the rule checks for the existence of
I'm no SCAP specialist, but it's better to enforce the value to be in the configuration file; this prevents issues if for some reason the default changes in future versions.
Description of problem:
Hi, currently the test for the rule xccdf_org.ssgproject.content_rule_api_server_secure_port in the profile xccdf_org.ssgproject.content_profile_opencis-master in the file ssg-ocp3-ds.xml is wrong, since the rule checks for the existence of
kubernetesMasterConfig: apiServerArguments: secure-port:
see checks:
But the setting is only ok, if the port is set to a different value than 0 (regarding the description) - like
kubernetesMasterConfig: apiServerArguments: secure-port:
or is not set at all.
In my environments this value is not set at all - and this is ok. So the check should only check for the existence of
apiServerArguments: secure-port:
if this is the case - the result must be "false" - all other findings should be true
SCAP Security Guide Version:
latest
Operating System Version:
OpenShift 3.11 / RedHat Linux 7.8
Steps to Reproduce:
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_opencis-master --rule xccdf_org.ssgproject.content_rule_api_server_secure_port --results /var/tmp/$(hostname)-hardening-ocp3-report.xml --report /var/tmp/$(hostname)-hardening-ocp3-report.html ssg-ocp3-ds.xml
Actual Results:
true, if apiServerArguments: secure-port:
Expected Results:
false, if apiServerArguments: secure-port:
Additional Information/Debugging Steps:
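The two readings of the rule discussed in this thread (an unset `secure-port` is acceptable versus the value must be set explicitly), as an added example that is not part of the issue or of the SCAP Security Guide content. It assumes `apiServerArguments` values are YAML lists of strings; the sample fragments are constructed, the function names are hypothetical, and the scanner is a minimal line reader for this one key path, not a full YAML parser.

```python
import re

TARGET = ["kubernetesMasterConfig", "apiServerArguments", "secure-port"]
HEAD = "kubernetesMasterConfig:\n  apiServerArguments:\n"
# Constructed master-config fragments (not taken from the issue).
SAMPLES = {
    "unset": HEAD + "    storage-backend:\n    - etcd3\n",
    "zero": HEAD + "    secure-port:\n    - '0'\n",
    "explicit": HEAD + "    secure-port:\n    - '8443'  # API over TLS\n",
}

def secure_port_values(text):
    """Return the values listed under TARGET, or None when the key is absent."""
    path, values, collecting = [], None, False
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()          # drop trailing comments
        if not line.strip():
            continue
        indent, body = len(line) - len(line.lstrip()), line.strip()
        item = re.match(r"-\s*(.+)$", body)
        if item:                                    # list entry of the current key
            if collecting:
                values.append(item.group(1).strip(" '\""))
            continue
        key = re.match(r"([^:\s][^:]*):\s*(.*)$", body)
        if not key:
            continue
        while path and path[-1][0] >= indent:       # leave deeper or sibling keys
            path.pop()
        path.append((indent, key.group(1)))
        collecting = [k for _, k in path] == TARGET
        if collecting:
            values = []
            if key.group(2):                        # inline form: secure-port: ['8443']
                inline = key.group(2).strip("[]").split(",")
                values = [v.strip(" '\"") for v in inline]
    return values

def evaluate(text, require_explicit=False):
    """True means the rule passes. require_explicit=True fails an unset key."""
    values = secure_port_values(text)
    if values is None:
        return not require_explicit                 # unset: the default port applies
    # Assumption: a present key with no value, a non-numeric value or 0 fails.
    return bool(values) and all(v.isdigit() and int(v) != 0 for v in values)

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, evaluate(text), evaluate(text, require_explicit=True))
```
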