Definition of Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide for ocp4

CNTR-OS-000010: OpenShift must use TLS 1.2 or greater for secure container image transport from trusted sources.

Description: None

Levels:

medium

Automated: yes

Selections:

ocp_insecure_allowed_registries_for_import: Check configured allowed registries for import uses secure protocol
ocp_insecure_registries: Check if any insecure registry sources is configured

CNTR-OS-000020: OpenShift must use TLS 1.2 or greater for secure communication.

Description: None

Levels:

medium

Automated: yes

Selections:

api_server_tls_security_profile: Ensure APIServer is configured with secure tlsSecurityProfile
ingress_controller_tls_security_profile: Ensure IngressController is configured to use secure tlsSecurityProfile
kubelet_configure_tls_min_version: Ensure Kubelet is configured with allowed TLS versions

CNTR-OS-000030: OpenShift must use a centralized user management solution to support account management functions.

Description: None

Levels:

medium

Automated: yes

Selections:

idp_is_configured: Configure An Identity Provider
kubeadmin_removed: Ensure that the kubeadmin secret has been removed
ocp_idp_no_htpasswd: Do Not Use htpasswd-based IdP
ocp_no_ldap_insecure: Only Use LDAP-based IdPs with TLS

CNTR-OS-000040: The kubeadmin account must be disabled.

Description: None

Levels:

medium

Automated: yes

Selections:

idp_is_configured: Configure An Identity Provider
kubeadmin_removed: Ensure that the kubeadmin secret has been removed
ocp_idp_no_htpasswd: Do Not Use htpasswd-based IdP
ocp_no_ldap_insecure: Only Use LDAP-based IdPs with TLS

CNTR-OS-000050: OpenShift must automatically audit account creation.

Description: None

Levels:

medium

Automated: yes

No rules selected

CNTR-OS-000060: OpenShift must automatically audit account modification.

Description: None

Levels:

medium

Automated: yes

No rules selected

CNTR-OS-000070: OpenShift must generate audit rules to capture account related actions.

Description: None

Levels:

medium

Automated: yes

No rules selected

CNTR-OS-000080: Open Shift must automatically audit account removal actions.

Description: None

Levels:

medium

Automated: yes

No rules selected

CNTR-OS-000090: OpenShift RBAC access controls must be enforced.

Description: None

Levels:

high

Automated: yes

Selections:

rbac_least_privilege: Ensure that the RBAC setup follows the principle of least privilege

CNTR-OS-000100: OpenShift must enforce network policy on the namespace for controlling the flow of information within the container platform based on organization-defined information flow control policies.

Description: None

Levels:

medium

Automated: yes

Selections:

configure_network_policies: Ensure that the CNI in use supports Network Policies
configure_network_policies_namespaces: Ensure that application Namespaces have Network Policies defined.

CNTR-OS-000110: OpenShift must enforce approved authorizations for controlling the flow of information within the container platform based on organization-defined information flow control policies.

Description: None

Levels:

medium

Automated: yes

Selections:

project_config_and_template_network_policy: Ensure that project templates autocreate Network Policies

CNTR-OS-000130: OpenShift must display the Standard Mandatory DOD Notice and Consent Banner before granting access to platform components.

Description: None

Levels:

low

Automated: yes

Selections:

classification_banner: Enable Classification Banner on OpenShift Console
oauth_login_template_set: Ensure that the OpenShift OAuth login template is set
oauth_provider_selection_set: Ensure that the OpenShift OAuth provider selection is set
openshift_motd_exists: Ensure that the OpenShift MOTD is set

CNTR-OS-000150: OpenShift must generate audit records for all DOD-defined auditable events within all components in the platform.

Description: None

Levels:

medium

Automated: yes

Selections:

audit_profile_set: Ensure that the cluster's audit profile is properly set

CNTR-OS-000160: OpenShift must generate audit records when successful/unsuccessful attempts to access privileges occur.

Description: None

Levels:

medium

Automated: yes

No rules selected

CNTR-OS-000170: Red Hat Enterprise Linux CoreOS (RHCOS) must initiate session audits at system startup.

Description: None

Levels:

high

Automated: yes

Selections:

audit_log_forwarding_enabled: Ensure that Audit Log Forwarding Is Enabled
cluster_logging_operator_exist: Ensure that OpenShift Logging Operator is scanning the cluster

CNTR-OS-000180: All audit records must identify what type of event has occurred within OpenShift.

Description: None

Levels:

medium

Automated: yes

No rules selected

CNTR-OS-000190: OpenShift audit records must have a date and time association with all events.

Description: None

Levels:

medium

Automated: yes

No rules selected

CNTR-OS-000200: All audit records must generate the event results within OpenShift.

Description: None

Levels:

medium

Automated: yes

Selections:

audit_error_alert_exists: Ensure that Audit Log Errors Emit Alerts

CNTR-OS-000210: OpenShift must take appropriate action upon an audit failure.

Description: None

Levels:

medium

Automated: yes

Selections:

audit_error_alert_exists: Ensure that Audit Log Errors Emit Alerts

CNTR-OS-000220: OpenShift components must provide the ability to send audit logs to a central enterprise repository for review and analysis.

Description: None

Levels:

medium

Automated: yes

Selections:

audit_log_forwarding_enabled: Ensure that Audit Log Forwarding Is Enabled
cluster_logging_operator_exist: Ensure that OpenShift Logging Operator is scanning the cluster

CNTR-OS-000230: OpenShift must use internal system clocks to generate audit record time stamps.

Description: None

Levels:

medium

Automated: yes

No rules selected

CNTR-OS-000240: The Red Hat Enterprise Linux CoreOS (RHCOS) chrony Daemon must use multiple NTP servers to generate audit record time stamps.

Description: None

Levels:

medium

Automated: yes

No rules selected

CNTR-OS-000250: OpenShift must protect audit logs from any type of unauthorized access.

Description: None

Levels:

medium

Automated: yes

Selections:

file_owner_groupowner_permissions_pod_logs: Kubernetes Pod Logs Must Be Owned and Group Owned By Root and have permissions 755

CNTR-OS-000260: OpenShift must protect system journal file from any type of unauthorized access by setting file permissions.

Description: None

Levels:

medium

Automated: yes

Selections:

file_owner_groupowner_permissions_pod_logs: Kubernetes Pod Logs Must Be Owned and Group Owned By Root and have permissions 755

CNTR-OS-000270: OpenShift must protect system journal file from any type of unauthorized access by setting owner permissions.

Description: None

Levels:

medium

Automated: yes

Selections:

file_owner_groupowner_permissions_pod_logs: Kubernetes Pod Logs Must Be Owned and Group Owned By Root and have permissions 755

CNTR-OS-000280: OpenShift must protect log directory from any type of unauthorized access by setting file permissions.

Description: None

Levels:

medium

Automated: yes

Selections:

file_owner_groupowner_permissions_pod_logs: Kubernetes Pod Logs Must Be Owned and Group Owned By Root and have permissions 755

CNTR-OS-000290: OpenShift must protect log directory from any type of unauthorized access by setting owner permissions.

Description: None

Levels:

medium

Automated: yes

Selections:

file_owner_groupowner_permissions_pod_logs: Kubernetes Pod Logs Must Be Owned and Group Owned By Root and have permissions 755

CNTR-OS-000300: OpenShift must protect pod log files from any type of unauthorized access by setting owner permissions.

Description: None

Levels:

medium

Automated: yes

Selections:

file_owner_groupowner_permissions_pod_logs: Kubernetes Pod Logs Must Be Owned and Group Owned By Root and have permissions 755

CNTR-OS-000310: OpenShift must protect audit information from unauthorized modification.

Description: None

Levels:

medium

Automated: yes

No rules selected

CNTR-OS-000320: OpenShift must prevent unauthorized changes to logon UIDs.

Description: None

Levels:

medium

Automated: yes

Selections:

rbac_logging_view: Ensure that the ClusterLogging and ClusterLoggingForwarder resources are protected from unauthorized access

CNTR-OS-000330: OpenShift must protect audit tools from unauthorized access.

Description: None

Levels:

medium

Automated: yes

Selections:

rbac_logging_del: Ensure that the ClusterLogging and ClusterLoggingForwarder resources are protected from unauthorized deletion
rbac_logging_mod: Ensure that the ClusterLogging and ClusterLoggingForwarder resources are protected from unauthorized modification
rbac_logging_view: Ensure that the ClusterLogging and ClusterLoggingForwarder resources are protected from unauthorized access

CNTR-OS-000340: OpenShift must use FIPS-validated cryptographic mechanisms to protect the integrity of log information.

Description: None

Levels:

medium

Automated: yes

Selections:

audit_log_forwarding_uses_tls: Ensure that Audit Log Forwarding Uses TLS
fips_mode_enabled_on_all_nodes: Ensure that FIPS mode is enabled on all cluster nodes

CNTR-OS-000360: OpenShift must verify container images.

Description: None

Levels:

medium

Automated: yes

Selections:

reject_unsigned_images_by_default: Ensure the Container Runtime rejects unsigned images by default

CNTR-OS-000380: OpenShift must contain only container images for those capabilities being offered by the container platform.

Description: None

Levels:

medium

Automated: no

No rules selected

CNTR-OS-000390: OpenShift runtime must enforce ports, protocols, and services that adhere to the PPSM CAL.

Description: None

Levels:

medium

Automated: no

No rules selected

CNTR-OS-000400: OpenShift must disable root and terminate network connections.

Description: None

Levels:

high

Automated: yes

Selections:

oauth_or_oauthclient_inactivity_timeout: Configure OAuth tokens to expire after a set period of inactivity

CNTR-OS-000430: OpenShift must use multifactor authentication for network access to accounts.

Description: None

Levels:

medium

Automated: no

No rules selected

CNTR-OS-000440: OpenShift must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.

Description: None

Levels:

medium

Automated: yes

Selections:

idp_is_configured: Configure An Identity Provider
kubeadmin_removed: Ensure that the kubeadmin secret has been removed
ocp_idp_no_htpasswd: Do Not Use htpasswd-based IdP

CNTR-OS-000460: OpenShift must use FIPS validated LDAP or OpenIDConnect.

Description: None

Levels:

high

Automated: no

No rules selected

CNTR-OS-000490: OpenShift must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity.

Description: None

Levels:

medium

Automated: yes

Selections:

oauth_or_oauthclient_inactivity_timeout: Configure OAuth tokens to expire after a set period of inactivity

CNTR-OS-000500: OpenShift must separate user functionality (including user interface services) from information system management functionality.

Description: None

Levels:

medium

Automated: no

No rules selected

CNTR-OS-000510: OpenShift must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 validated cryptography.

Description: None

Levels:

high

Automated: yes

Selections:

audit_log_forwarding_uses_tls: Ensure that Audit Log Forwarding Uses TLS
fips_mode_enabled_on_all_nodes: Ensure that FIPS mode is enabled on all cluster nodes

CNTR-OS-000540: OpenShift runtime must isolate security functions from nonsecurity functions.

Description: None

Levels:

medium

Automated: yes

No rules selected

CNTR-OS-000560: OpenShift must prevent unauthorized and unintended information transfer via shared system resources and enable page poisoning.

Description: None

Levels:

medium

Automated: yes

No rules selected

CNTR-OS-000570: OpenShift must disable virtual syscalls.

Description: None

Levels:

medium

Automated: yes

No rules selected

CNTR-OS-000580: OpenShift must enable poisoning of SLUB/SLAB objects.

Description: None

Levels:

medium

Automated: yes

No rules selected

CNTR-OS-000590: OpenShift must set the sticky bit for world-writable directories.

Description: None

Levels:

medium

Automated: yes

No rules selected

CNTR-OS-000600: OpenShift must restrict access to the kernel buffer.

Description: None

Levels:

medium

Automated: yes

No rules selected

CNTR-OS-000610: OpenShift must prevent kernel profiling.

Description: None

Levels:

medium

Automated: yes

No rules selected

CNTR-OS-000620: OpenShift must restrict individuals the ability to launch organizational-defined Denial-of-Service (DOS) attacks against other information systems by setting a default Resource Quota.

Description: None

Levels:

medium

Automated: yes

Selections:

project_config_and_template_resource_quota: Ensure that project templates autocreate Resource Quotas
resource_requests_quota_per_project: Ensure workloads use resource requests and limits per namespace
routes_rate_limit: Ensure that all Routes has rate limit enabled

CNTR-OS-000630: OpenShift must restrict individuals the ability to launch organizational-defined Denial-of-Service (DOS) attacks against other information systems by rate-limiting.

Description: None

Levels:

medium

Automated: yes

Selections:

project_config_and_template_resource_quota: Ensure that project templates autocreate Resource Quotas
resource_requests_quota_per_project: Ensure workloads use resource requests and limits per namespace
routes_rate_limit: Ensure that all Routes has rate limit enabled

CNTR-OS-000650: OpenShift must display an explicit logout message indicating the reliable termination of authenticated communication sessions.

Description: None

Levels:

low

Automated: yes

Selections:

oauth_logout_url_set: Ensure that the OpenShift OAuth logout URL is set

CNTR-OS-000660: Container images instantiated by OpenShift must execute using least privileges.

Description: None

Levels:

high

Automated: yes

Selections:

scc_limit_host_dir_volume_plugin: Limit Containers Ability to use the HostDir volume plugin
scc_limit_host_ports: Limit Containers Ability to bind to privileged ports
scc_limit_ipc_namespace: Limit Access to the Host IPC Namespace
scc_limit_network_namespace: Limit Access to the Host Network Namespace
scc_limit_privileged_containers: Limit Privileged Container Use
scc_limit_process_id_namespace: Limit Access to the Host Process ID Namespace
scc_limit_root_containers: Limit Container Running As Root User

CNTR-OS-000670: Red Hat Enterprise Linux CoreOS (RHCOS) must allocate audit record storage capacity to store at least one weeks' worth of audit records, when audit records are not immediately sent to a central audit record storage facility.

Description: None

Levels:

low

Automated: yes

No rules selected

CNTR-OS-000690: OpenShift must configure Alert Manger Receivers to notify SA and ISSO of all audit failure events requiring real-time alerts.

Description: None

Levels:

medium

Automated: no

No rules selected

CNTR-OS-000720: OpenShift must enforce access restrictions and support auditing of the enforcement actions.

Description: None

Levels:

medium

Automated: yes

No rules selected

CNTR-OS-000740: OpenShift must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.

Description: None

Levels:

medium

Automated: yes

Selections:

cluster_version_operator_exists: Ensure that Cluster Version Operator is deployed
cluster_version_operator_verify_integrity: Ensure that Cluster Version Operator verifies integrity

CNTR-OS-000760: OpenShift must set server token max age no greater than eight hours.

Description: None

Levels:

medium

Automated: yes

Selections:

oauth_or_oauthclient_token_maxage: Configure OAuth tokens to expire after a set period of inactivity

CNTR-OS-000770: Vulnerability scanning applications must implement privileged access authorization to all OpenShift components, containers, and container images for selected organization-defined vulnerability scanning activities.

Description: None

Levels:

medium

Automated: no

No rules selected

CNTR-OS-000780: OpenShift keystore must implement encryption to prevent unauthorized disclosure of information at rest within the container platform.

Description: None

Levels:

medium

Automated: yes

Selections:

api_server_encryption_provider_cipher: Configure the Encryption Provider Cipher

CNTR-OS-000800: OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by employing organization-defined security safeguards by including a default resource quota.

Description: None

Levels:

medium

Automated: yes

Selections:

project_config_and_template_resource_quota: Ensure that project templates autocreate Resource Quotas
resource_requests_quota_per_project: Ensure workloads use resource requests and limits per namespace
routes_rate_limit: Ensure that all Routes has rate limit enabled

CNTR-OS-000810: OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by defining resource quotas on a namespace.

Description: None

Levels:

medium

Automated: yes

Selections:

project_config_and_template_resource_quota: Ensure that project templates autocreate Resource Quotas
resource_requests_quota_per_project: Ensure workloads use resource requests and limits per namespace
routes_rate_limit: Ensure that all Routes has rate limit enabled

CNTR-OS-000820: OpenShift must protect the confidentiality and integrity of transmitted information.

Description: None

Levels:

medium

Automated: no

No rules selected

CNTR-OS-000860: Red Hat Enterprise Linux CoreOS (RHCOS) must implement nonexecutable data to protect its memory from unauthorized code execution.

Description: None

Levels:

medium

Automated: yes

Selections:

resource_requests_quota_per_project: Ensure workloads use resource requests and limits per namespace

CNTR-OS-000870: Red Hat Enterprise Linux CoreOS (RHCOS) must implement ASLR (Address Space Layout Randomization) from unauthorized code execution.

Description: None

Levels:

medium

Automated: yes

Selections:

resource_requests_quota_per_project: Ensure workloads use resource requests and limits per namespace

CNTR-OS-000880: OpenShift must remove old components after updated versions have been installed.

Description: None

Levels:

medium

Automated: yes

Selections:

image_pruner_active: Configure ImagePruner so that images that are no longer needed are automatically removed

CNTR-OS-000890: OpenShift must contain the latest images with most recent updates and execute within the container platform runtime as authorized by IAVM, CTOs, DTMs, and STIGs.

Description: None

Levels:

medium

Automated: yes

Selections:

imagestream_sets_schedule: All configured ImageStreams are configured to periodically check for updates
ocp_allowed_registries: Allowed registries are configured
ocp_allowed_registries_for_import: Allowed registries for import are configured

CNTR-OS-000900: OpenShift runtime must have updates installed within the period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

Description: None

Levels:

medium

Automated: yes

Selections:

imagestream_sets_schedule: All configured ImageStreams are configured to periodically check for updates
ocp_allowed_registries: Allowed registries are configured
ocp_allowed_registries_for_import: Allowed registries for import are configured

CNTR-OS-000910: The Compliance Operator must be configured.

Description: None

Levels:

medium

Automated: yes

Selections:

scansettingbinding_exists: Ensure that Compliance Operator is scanning the cluster

CNTR-OS-000920: OpenShift must perform verification of the correct operation of security functions: upon startup and/or restart; upon command by a user with privileged access; and/or every 30 days.

Description: None

Levels:

medium

Automated: yes

Selections:

scansettings_have_schedule: Ensure that Compliance Operator scans are running periodically

CNTR-OS-000930: OpenShift must generate audit records when successful/unsuccessful attempts to modify privileges occur.

Description: None

Levels:

medium

Automated: yes

No rules selected

CNTR-OS-000940: OpenShift must generate audit records when successful/unsuccessful attempts to modify security objects occur.

Description: None

Levels:

medium

Automated: yes

No rules selected

CNTR-OS-000950: OpenShift must generate audit records when successful/unsuccessful attempts to delete privileges occur.

Description: None

Levels:

medium

Automated: yes

No rules selected

CNTR-OS-000960: OpenShift must generate audit records when successful/unsuccessful attempts to delete security objects occur.

Description: None

Levels:

medium

Automated: yes

No rules selected

CNTR-OS-000970: OpenShift must generate audit records when successful/unsuccessful logon attempts occur.

Description: None

Levels:

medium

Automated: yes

No rules selected

CNTR-OS-000980: Red Hat Enterprise Linux CoreOS (RHCOS) must be configured to audit the loading and unloading of dynamic kernel modules.

Description: None

Levels:

medium

Automated: yes

No rules selected

CNTR-OS-000990: OpenShift audit records must record user access start and end times.

Description: None

Levels:

medium

Automated: yes

No rules selected

CNTR-OS-001000: OpenShift must generate audit records when concurrent logons from different workstations and systems occur.

Description: None

Levels:

medium

Automated: yes

No rules selected

CNTR-OS-001010: Red Hat Enterprise Linux CoreOS (RHCOS) must disable SSHD service.

Description: None

Levels:

high

Automated: yes

No rules selected

CNTR-OS-001020: Red Hat Enterprise Linux CoreOS (RHCOS) must disable USB Storage kernel module.

Description: None

Levels:

medium

Automated: yes

No rules selected

CNTR-OS-001030: Red Hat Enterprise Linux CoreOS (RHCOS) must use USBGuard for hosts that include a USB Controller.

Description: None

Levels:

medium

Automated: yes

No rules selected

CNTR-OS-001060: OpenShift must continuously scan components, containers, and images for vulnerabilities.

Description: None

Levels:

medium

Automated: yes

Selections:

container_security_operator_exists: Make sure the Container Security Operator is installed

CNTR-OS-001080: OpenShift must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (nonlegacy use).

Description: None

Levels:

medium

Automated: yes

Selections:

fips_mode_enabled_on_all_nodes: Ensure that FIPS mode is enabled on all cluster nodes