v2.9.0 RHEL9.4 RKE1.28.10+rke2r1 [Full]


Date of Release: 17/04/2025

Version Information

Version                                                 Hardening References
Red Hat Enterprise Linux 9.4                            USG STIGs ver 1 rel 14
Rancher Kubernetes Engine Government (RKE2) v1.28.10    CIS v1.23
Glasswall Halo 2.9.0                                    SAST, DAST, SCA and Container Security Reports available on request

System Requirements

Recommended

32 vCPU
64 GB RAM

Minimum

16 vCPU
32 GB RAM

Base OS Information

  • SELinux is Enforcing

  • No USG STIG banner message by default (configurable)

  • The local glasswall system account now requires a password to escalate privileges via sudoers.

  • The bootloader password has been set in accordance with STIG requirements. This can be provided upon request.

  • Password history enforcement implemented as per SANS CIS Kubernetes Benchmark:

    • Password reuse is prohibited for a minimum of five generations.

  • The random number generator used for generating cryptographic keys has been enabled.

  • Audit policy log level for the kube-apiserver has been set to RequestResponse, as recommended by SANS CIS Kubernetes Benchmarks.

  • The kube-apiserver audit log path has been rerouted from /var/lib/rancher to /var/log/rancher for improved log visibility.

  • syslog can be configured on the virtual machine by referencing these steps

    • Optionally, syslog can be configured to send RKE2 audit logs by adding the below snippet into /etc/syslog-ng/syslog-ng.conf after the source s_pods block, and restarting the syslog daemon using sudo systemctl restart syslog-ng:

    # Tail every file under /var/log/rancher (where the kube-apiserver audit log now lives)
    source s_rke2 {
        wildcard-file(
            base-dir("/var/log/rancher")
            filename-pattern("*")
            recursive(yes)
            follow-freq(60)
        );
    };
    # f_default and remote must already be defined elsewhere in syslog-ng.conf
    log { source(s_rke2); filter(f_default); destination(remote); };

  • Password quality policy updated to enforce:

    • Length: Minimum of 15 characters.
    • Complexity:
      • At least 1 uppercase letter (e.g., A)
      • At least 1 lowercase letter (e.g., a)
      • At least 1 digit (e.g., 1)
      • At least 1 special character (e.g., !)
    • Avoid:
      • More than 3 consecutive identical characters (e.g., aaa)
      • More than 4 consecutive characters of the same type (e.g., 1111, AAAA)
      • Passwords that are not significantly different (must differ by at least 8 characters)
      • Inclusion of username or dictionary-based words
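
    As an added illustration (not part of the release notes or the image's own tooling, where the PAM password-quality module does the enforcement), a small Python checker that mirrors the rules listed above. The dictionary is a constructed stand-in for the system word list, and the "differ by at least 8 characters" rule is interpreted, as an assumption, as the number of characters in the new password that do not occur in the old one.

```python
# Thresholds taken from the password quality policy listed in the release notes.
MIN_LENGTH = 15
MAX_IDENTICAL_RUN = 3     # more than 3 identical characters in a row is rejected
MAX_SAME_CLASS_RUN = 4    # more than 4 characters of one class in a row is rejected
MIN_DIFFERENT_CHARS = 8   # new password must differ from the old one by at least 8 characters

# Constructed stand-in for the system dictionary (a real deployment uses a full word list).
DICTIONARY = {"password", "welcome", "glasswall", "summer", "letmein"}

def char_class(c):
    """Map a character to one of the four classes the policy counts."""
    if c.isupper():
        return "upper"
    if c.islower():
        return "lower"
    if c.isdigit():
        return "digit"
    return "special"

def longest_run(seq):
    """Length of the longest run of equal consecutive items in seq."""
    best = run = 0
    prev = None
    for item in seq:
        run = run + 1 if item == prev else 1
        prev = item
        best = max(best, run)
    return best

def check_password(new, username, old=None):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = {char_class(c) for c in new}
    for needed in ("upper", "lower", "digit", "special"):
        if needed not in present:
            problems.append(f"missing {needed} character")
    if longest_run(new) > MAX_IDENTICAL_RUN:
        problems.append(f"more than {MAX_IDENTICAL_RUN} identical characters in a row")
    if longest_run(char_class(c) for c in new) > MAX_SAME_CLASS_RUN:
        problems.append(f"more than {MAX_SAME_CLASS_RUN} characters of one type in a row")
    lowered = new.lower()
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if old is not None:
        # Assumption: count characters of the new password that do not occur in the old one.
        if sum(1 for c in new if c not in old) < MIN_DIFFERENT_CHARS:
            problems.append(f"fewer than {MIN_DIFFERENT_CHARS} characters differ from the old password")
    return problems
```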

  • AIDE has been preconfigured to run daily on key configuration files.

  • TLS protocols and ciphers have been updated in line with the following:

ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl-protocols: "TLSv1.2 TLSv1.3"

Kubernetes Information

Glasswall Halo Information

Currently deployed services and Helm charts:

  • cdrplatform-engine
  • cdrplatform-sync-api
  • cdrplatform-report-extractor
  • cdrplatform-portal
  • cdrplatform-policy-api
  • cdrplatform-api-access
  • cdrplatform-portal-access
  • cdrplatform-license-management
  • cdrplatform-cleanup
  • cdrplatform-async-api
  • cdrplatform-metrics-collation
  • cdrplatform-metrics-projection
  • cdrplatform-rabbitmq
  • cdrplatform-storage
  • nginx-ingress

Please refer to the Glasswall Halo V2.9.0 Release Notes for more information.