OpenShift must separate user functionality (including user interface services) from information system management functionality.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-257545	CNTR-OS-000500	SV-257545r921578_rule		Medium

Description
Red Hat Enterprise Linux CoreOS (RHCOS) is a single-purpose container operating system. RHCOS is only supported as a component of the OpenShift Container Platform. Remote management of the RHCOS nodes is performed at the OpenShift Container Platform API level. Any direct access to the RHCOS nodes is unnecessary. RHCOS only has two user accounts defined, root(0) and core(1000). These are the only two user accounts that should exist on the RHCOS nodes. As any administrative access or actions are to be done through the OpenShift Container Platform's administrative APIs, direct logon access to the RHCOS host must be disabled.

Description

Red Hat Enterprise Linux CoreOS (RHCOS) is a single-purpose container operating system. RHCOS is only supported as a component of the OpenShift Container Platform. Remote management of the RHCOS nodes is performed at the OpenShift Container Platform API level. Any direct access to the RHCOS nodes is unnecessary. RHCOS only has two user accounts defined, root(0) and core(1000). These are the only two user accounts that should exist on the RHCOS nodes. As any administrative access or actions are to be done through the OpenShift Container Platform's administrative APIs, direct logon access to the RHCOS host must be disabled.

STIG	Date
Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide	2023-08-28

Details

Check Text ( C-61280r921576_chk )
Verify that root and core are the only user accounts on the nodes by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; cat /etc/passwd' 2>/dev/null; done The output will look similar to: root:x:0:0:root:/root:/bin/bash core:x:1000:1000:CoreOS Admin:/var/home/core:/bin/bash containers:x:993:995:User for housing the sub ID range for containers:/var/home/containers:/sbin/nologin If there are any user accounts in addition to root, containers, and core, this is a finding. Verify the root and core users are set to disable password logon by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e "^root" -e "^core" /etc/shadow' 2>/dev/null; done The output will look similar to: root::18367:0:99999:7::: core::18939:0:99999:7::: If the password entry has anything other than '*', this is a finding.

Check Text ( C-61280r921576_chk )

Verify that root and core are the only user accounts on the nodes by executing the following:

for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; cat /etc/passwd' 2>/dev/null; done

The output will look similar to:

root:x:0:0:root:/root:/bin/bash
core:x:1000:1000:CoreOS Admin:/var/home/core:/bin/bash
containers:x:993:995:User for housing the sub ID range for containers:/var/home/containers:/sbin/nologin

If there are any user accounts in addition to root, containers, and core, this is a finding.

Verify the root and core users are set to disable password logon by executing the following:

for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e "^root" -e "^core" /etc/shadow' 2>/dev/null; done

The output will look similar to:

root:*:18367:0:99999:7:::
core:*:18939:0:99999:7:::

If the password entry has anything other than '*', this is a finding.

Fix Text (F-61204r921577_fix)
Disable and remove passwords from root and core accounts by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'usermod -p "" root; usermod -p "" core' 2>/dev/null; done Remove any additional user accounts from the nodes by executing the following: oc debug node/ -- chroot /host /bin/bash -c 'userdel '