OpenShift: Central Admin Secret Accessed
No violationsstackroxmediumruntimeAlert when the Central secret is accessed.
- Rationale
- The Central secret can be used to login to the Central user interface as the admin user. This secret is generally salted and hashed by default in the data.htpasswd field, but may contain a base64 encoded password in the field data.password (if deployed with an Operator). This field may be safely removed. This secret should only be accessed for break glass troubleshooting and initial configuration. An update or access of this secret may indicate that it will be used to administer and configure security controls.
- Remediation
- Ensure that the Central admin secret was accessed for valid buiness purposes.
CategoriesAnomalous ActivityKubernetes Events
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 10.1
- ISO/IEC 27001 2022
- A.8.16
- NIST SP 800-53 rev. 5
- AU-2SI-4
- PCI DSS 4.0
- 10.2.15.3.2
- SOC 2 2017 TSC
- CC7.2
Generated artifacts
1 of 5 targets supportedopenshift-central-admin-secret-accessed.yaml
- rule: openshift-central-admin-secret-accessed
desc: Alert when the Central secret is accessed.
condition: ka.target.resource in ("secrets") and ka.verb in ("get", "patch", "update") and ka.target.name in ("central-htpasswd") and not (ka.user.name in ("system:serviceaccount:openshift-authentication-operator:rhacs-operator-controller-manager", "system:serviceaccount:rhacs-operator:rhacs-operator-controller-manager"))
output: "K8s API: user=%ka.user.name verb=%ka.verb resource=%ka.target.resource name=%ka.target.name (policy=OpenShift: Central Admin Secret Accessed)"
priority: WARNING
source: k8s_audit
tags:
- stackrox-import
- policy
- k
IR (canonical)
{
"id": "da4e0776-159b-42a3-90a9-18cdd9b485ba",
"name": "OpenShift: Central Admin Secret Accessed",
"description": "Alert when the Central secret is accessed.",
"rationale": "The Central secret can be used to login to the Central user interface as the admin user. This secret is generally salted and hashed by default in the data.htpasswd field, but may contain a base64 encoded password in the field data.password (if deployed with an Operator). This field may be safely removed. This secret should only be accessed for break glass troubleshooting and initial configuration. An update or access of this secret may indicate that it will be used to administer and configure security controls.",
"remediation": "Ensure that the Central admin secret was accessed for valid buiness purposes.",
"severity": "medium",
"categories": [
"Anomalous Activity",
"Kubernetes Events"
],
"lifecycle": [
"runtime"
],
"eventSource": "audit-log",
"scope": [],
"exclusions": [],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "and",
"children": [
{
"op": "criterion",
"field": "kubernetes-resource",
"values": [
"SECRETS"
],
"valuesOp": "or",
"negate": false
},
{
"op": "criterion",
"field": "kubernetes-api-verb",
"values": [
"GET",
"PATCH",
"UPDATE"
],
"valuesOp": "or",
"negate": false
},
{
"op": "criterion",
"field": "kubernetes-resource-name",
"values": [
"central-htpasswd"
],
"valuesOp": "or",
"negate": false
},
{
"op": "criterion",
"field": "kubernetes-user-name",
"values": [
"system:serviceaccount:openshift-authentication-operator:rhacs-operator-controller-manager",
"system:serviceaccount:rhacs-operator:rhacs-operator-controller-manager"
],
"valuesOp": "or",
"negate": true
}
]
},
"disabled": false
}Original StackRox JSON
{
"id": "da4e0776-159b-42a3-90a9-18cdd9b485ba",
"name": "OpenShift: Central Admin Secret Accessed",
"description": "Alert when the Central secret is accessed.",
"rationale": "The Central secret can be used to login to the Central user interface as the admin user. This secret is generally salted and hashed by default in the data.htpasswd field, but may contain a base64 encoded password in the field data.password (if deployed with an Operator). This field may be safely removed. This secret should only be accessed for break glass troubleshooting and initial configuration. An update or access of this secret may indicate that it will be used to administer and configure security controls.",
"remediation": "Ensure that the Central admin secret was accessed for valid buiness purposes.",
"disabled": false,
"categories": [
"Anomalous Activity",
"Kubernetes Events"
],
"lifecycleStages": [
"RUNTIME"
],
"eventSource": "AUDIT_LOG_EVENT",
"exclusions": [],
"scope": [],
"severity": "MEDIUM_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Kubernetes Resource",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "SECRETS"
}
]
},
{
"fieldName": "Kubernetes API Verb",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "GET"
},
{
"value": "PATCH"
},
{
"value": "UPDATE"
}
]
},
{
"fieldName": "Kubernetes Resource Name",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "central-htpasswd"
}
]
},
{
"fieldName": "Kubernetes User Name",
"booleanOperator": "OR",
"negate": true,
"values": [
{
"value": "system:serviceaccount:openshift-authentication-operator:rhacs-operator-controller-manager"
},
{
"value": "system:serviceaccount:rhacs-operator:rhacs-operator-controller-manager"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [
{
"tactic": "TA0006",
"techniques": [
"T1552.007"
]
},
{
"tactic": "TA0007",
"techniques": [
"T1613"
]
}
],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}