5.2.10 Minimize access to privileged Security Context Constraints

Information

OpenShift has the concept of Security Context Constraints (SCCs) that supplement the Pod Security Admission controller.

SCCs allow you to group elevated container capabilities and assign those capabilities to users and groups. For example, you can have an SCC that restricts the ability to launch privileged containers and assign that SCC to all authenticated users. As a result, users requesting a pod that contains a privileged container will be rejected.

You can find more information on SCCs in the OpenShift documentation.

Rationale:

SCCs that contain the ability to permit privileged or elevated container action should be carefully managed. Users with access to such an SCC can leverage the privileged functionality granted by that SCC, increasing the risk of compromising the container or host.

Impact:

Users should only have access to SCCs that allow them to perform functions required by their roles, and no more, following the principle of least privilege.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Remove any users and groups who do not need access to an SCC, following the principle of least privilege.
You can remove users and groups from an SCC using the oc edit scc $NAME command.
Additionally, you can create your own SCCs that contain the container functionality you need for a particular use case and assign that SCC to users and groups if the default SCCs are not appropriate for your use case.

Default Value:

OpenShift provides the following SCCs by default:

'anyuid'

'hostaccess'

'hostmount-anyuid'

'hostnetwork'

'hostnetwork-v2'

'machine-api-termination-handler'

'node-exporter'

'nonroot'

'nonroot-v2'

'privileged'

'restricted'

'restricted-v2'

These default SCCs attempt to group similar privileged container functionality into a single SCC that fits particular use cases.

Please refer to the OpenShift documentation for a complete list of capabilities associated with each default SCC.

See Also

https://workbench.cisecurity.org/benchmarks/16094