Definition of Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide for rhcos4

CNTR-OS-000010: OpenShift must use TLS 1.2 or greater for secure container image transport from trusted sources.

Description: None

• medium

Automated: yes

No rules selected

CNTR-OS-000020: OpenShift must use TLS 1.2 or greater for secure communication.

Description: None

• medium

Automated: yes

No rules selected

CNTR-OS-000030: OpenShift must use a centralized user management solution to support account management functions.

Description: None

• medium

Automated: yes

No rules selected

CNTR-OS-000040: The kubeadmin account must be disabled.

Description: None

• medium

Automated: yes

No rules selected

CNTR-OS-000050: OpenShift must automatically audit account creation.

Description: None

• medium

Automated: yes

• audit_rules_sysadmin_actions: Ensure auditd Collects System Administrator Actions
• audit_rules_usergroup_modification: Record Events that Modify User/Group Information

CNTR-OS-000060: OpenShift must automatically audit account modification.

Description: None

• medium

Automated: yes

• audit_rules_sysadmin_actions: Ensure auditd Collects System Administrator Actions
• audit_rules_usergroup_modification: Record Events that Modify User/Group Information

CNTR-OS-000070: OpenShift must generate audit rules to capture account related actions.

Description: None

• medium

Automated: yes

• audit_rules_sysadmin_actions: Ensure auditd Collects System Administrator Actions
• audit_rules_usergroup_modification: Record Events that Modify User/Group Information

CNTR-OS-000080: Open Shift must automatically audit account removal actions.

Description: None

• medium

Automated: yes

• audit_rules_privileged_commands_chage: Ensure auditd Collects Information on the Use of Privileged Commands - chage
• audit_rules_privileged_commands_dbus_daemon_launch_helper: Ensure auditd Collects Information on the Use of Privileged Commands - dbus helper
• audit_rules_privileged_commands_fusermount: Ensure auditd Collects Information on the Use of Privileged Commands - fusermount
• audit_rules_privileged_commands_fusermount3: Ensure auditd Collects Information on the Use of Privileged Commands - fusermount3
• audit_rules_privileged_commands_gpasswd: Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd
• audit_rules_privileged_commands_grub2_set_bootflag: Ensure auditd Collects Information on the Use of Privileged Commands - grub2_set_bootflag
• audit_rules_privileged_commands_mount: Ensure auditd Collects Information on the Use of Privileged Commands - mount
• audit_rules_privileged_commands_mount_nfs: Ensure auditd Collects Information on the Use of Privileged Commands - mount.nfs
• audit_rules_privileged_commands_newgrp: Ensure auditd Collects Information on the Use of Privileged Commands - newgrp
• audit_rules_privileged_commands_pam_timestamp_check: Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
• audit_rules_privileged_commands_passwd: Ensure auditd Collects Information on the Use of Privileged Commands - passwd
• audit_rules_privileged_commands_pkexec: Ensure auditd Collects Information on the Use of Privileged Commands - pkexec
• audit_rules_privileged_commands_polkit_helper: Ensure auditd Collects Information on the Use of Privileged Commands - polkit helper
• audit_rules_privileged_commands_ssh_keysign: Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
• audit_rules_privileged_commands_sssd_krb5_child: Ensure auditd Collects Information on the Use of Privileged Commands - sssd_krb5_child
• audit_rules_privileged_commands_sssd_ldap_child: Ensure auditd Collects Information on the Use of Privileged Commands - sssd_ldap_child
• audit_rules_privileged_commands_sssd_proxy_child: Ensure auditd Collects Information on the Use of Privileged Commands - sssd_proxy_child
• audit_rules_privileged_commands_sssd_selinux_child: Ensure auditd Collects Information on the Use of Privileged Commands - sssd_selinux_child
• audit_rules_privileged_commands_su: Ensure auditd Collects Information on the Use of Privileged Commands - su
• audit_rules_privileged_commands_sudo: Ensure auditd Collects Information on the Use of Privileged Commands - sudo
• audit_rules_privileged_commands_umount: Ensure auditd Collects Information on the Use of Privileged Commands - umount
• audit_rules_privileged_commands_unix_chkpwd: Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd
• audit_rules_privileged_commands_utempter: Ensure auditd Collects Information on the Use of Privileged Commands - utempter
• audit_rules_privileged_commands_write: Ensure auditd Collects Information on the Use of Privileged Commands - write

CNTR-OS-000090: OpenShift RBAC access controls must be enforced.

Description: None

• high

Automated: yes

No rules selected

CNTR-OS-000100: OpenShift must enforce network policy on the namespace for controlling the flow of information within the container platform based on organization-defined information flow control policies.

Description: None

• medium

Automated: yes

No rules selected

CNTR-OS-000110: OpenShift must enforce approved authorizations for controlling the flow of information within the container platform based on organization-defined information flow control policies.

Description: None

• medium

Automated: yes

No rules selected

CNTR-OS-000130: OpenShift must display the Standard Mandatory DOD Notice and Consent Banner before granting access to platform components.

Description: None

• low

Automated: yes

No rules selected

CNTR-OS-000150: OpenShift must generate audit records for all DOD-defined auditable events within all components in the platform.

Description: None

• medium

Automated: yes

• service_auditd_enabled: Enable auditd Service

CNTR-OS-000160: OpenShift must generate audit records when successful/unsuccessful attempts to access privileges occur.

Description: None

• medium

Automated: yes

• audit_access_failed: Configure auditing of unsuccessful file accesses
• audit_create_failed: Configure auditing of unsuccessful file creations
• audit_modify_failed: Configure auditing of unsuccessful file modifications
• audit_rules_dac_modification_chmod: Record Events that Modify the System's Discretionary Access Controls - chmod
• audit_rules_dac_modification_chown: Record Events that Modify the System's Discretionary Access Controls - chown
• audit_rules_dac_modification_fchmod: Record Events that Modify the System's Discretionary Access Controls - fchmod
• audit_rules_dac_modification_fchmodat: Record Events that Modify the System's Discretionary Access Controls - fchmodat
• audit_rules_dac_modification_fchown: Record Events that Modify the System's Discretionary Access Controls - fchown
• audit_rules_dac_modification_fchownat: Record Events that Modify the System's Discretionary Access Controls - fchownat
• audit_rules_dac_modification_fremovexattr: Record Events that Modify the System's Discretionary Access Controls - fremovexattr
• audit_rules_dac_modification_fsetxattr: Record Events that Modify the System's Discretionary Access Controls - fsetxattr
• audit_rules_dac_modification_lchown: Record Events that Modify the System's Discretionary Access Controls - lchown
• audit_rules_dac_modification_lremovexattr: Record Events that Modify the System's Discretionary Access Controls - lremovexattr
• audit_rules_dac_modification_lsetxattr: Record Events that Modify the System's Discretionary Access Controls - lsetxattr
• audit_rules_dac_modification_removexattr: Record Events that Modify the System's Discretionary Access Controls - removexattr
• audit_rules_dac_modification_setxattr: Record Events that Modify the System's Discretionary Access Controls - setxattr

CNTR-OS-000170: Red Hat Enterprise Linux CoreOS (RHCOS) must initiate session audits at system startup.

Description: None

• high

Automated: yes

• coreos_audit_backlog_limit_kernel_argument: Extend Audit Backlog Limit for the Audit Daemon
• coreos_audit_option: Enable Auditing for Processes Which Start Prior to the Audit Daemon

CNTR-OS-000180: All audit records must identify what type of event has occurred within OpenShift.

Description: None

• medium

Automated: yes

• service_auditd_enabled: Enable auditd Service

CNTR-OS-000190: OpenShift audit records must have a date and time association with all events.

Description: None

• medium

Automated: yes

• auditd_data_disk_error_action: Configure auditd Disk Error Action on Disk Error
• auditd_data_retention_max_log_file_action_stig: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
• auditd_log_format: Resolve information before writing to audit logs

CNTR-OS-000200: All audit records must generate the event results within OpenShift.

Description: None

• medium

Automated: yes

• auditd_data_disk_error_action: Configure auditd Disk Error Action on Disk Error
• auditd_data_retention_max_log_file_action_stig: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
• auditd_log_format: Resolve information before writing to audit logs
• partition_for_var_log_audit: Ensure /var/log/audit Located On Separate Partition

CNTR-OS-000210: OpenShift must take appropriate action upon an audit failure.

Description: None

• medium

Automated: yes

• auditd_data_disk_error_action: Configure auditd Disk Error Action on Disk Error
• auditd_data_retention_max_log_file_action_stig: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
• auditd_log_format: Resolve information before writing to audit logs

CNTR-OS-000220: OpenShift components must provide the ability to send audit logs to a central enterprise repository for review and analysis.

Description: None

• medium

Automated: yes

• coreos_audit_backlog_limit_kernel_argument: Extend Audit Backlog Limit for the Audit Daemon
• coreos_audit_option: Enable Auditing for Processes Which Start Prior to the Audit Daemon

CNTR-OS-000230: OpenShift must use internal system clocks to generate audit record time stamps.

Description: None

• medium

Automated: yes

• chronyd_or_ntpd_specify_remote_server: Specify a Remote NTP Server
• service_chronyd_or_ntpd_enabled: Enable the NTP Daemon

CNTR-OS-000240: The Red Hat Enterprise Linux CoreOS (RHCOS) chrony Daemon must use multiple NTP servers to generate audit record time stamps.

Description: None

• medium

Automated: yes

• chronyd_or_ntpd_specify_remote_server: Specify a Remote NTP Server
• service_chronyd_or_ntpd_enabled: Enable the NTP Daemon

CNTR-OS-000250: OpenShift must protect audit logs from any type of unauthorized access.

Description: None

• medium

Automated: yes

• file_groupowner_system_journal: Verify Group Who Owns the system journal
• file_groupowner_var_log: Verify Group Who Owns /var/log Directory
• file_owner_system_journal: Verify Owner on the system journal
• file_owner_var_log: Verify User Who Owns /var/log Directory
• file_ownership_var_log_audit: System Audit Logs Must Be Owned By Root
• file_permissions_system_journal: Verify Permissions on the system journal
• file_permissions_var_log: Verify Permissions on /var/log Directory
• file_permissions_var_log_audit: System Audit Logs Must Have Mode 0640 or Less Permissive

CNTR-OS-000260: OpenShift must protect system journal file from any type of unauthorized access by setting file permissions.

Description: None

• medium

Automated: yes

• file_groupowner_system_journal: Verify Group Who Owns the system journal
• file_groupowner_var_log: Verify Group Who Owns /var/log Directory
• file_owner_system_journal: Verify Owner on the system journal
• file_owner_var_log: Verify User Who Owns /var/log Directory
• file_ownership_var_log_audit: System Audit Logs Must Be Owned By Root
• file_permissions_system_journal: Verify Permissions on the system journal
• file_permissions_var_log: Verify Permissions on /var/log Directory
• file_permissions_var_log_audit: System Audit Logs Must Have Mode 0640 or Less Permissive

CNTR-OS-000270: OpenShift must protect system journal file from any type of unauthorized access by setting owner permissions.

Description: None

• medium

Automated: yes

• file_groupowner_system_journal: Verify Group Who Owns the system journal
• file_groupowner_var_log: Verify Group Who Owns /var/log Directory
• file_owner_system_journal: Verify Owner on the system journal
• file_owner_var_log: Verify User Who Owns /var/log Directory
• file_ownership_var_log_audit: System Audit Logs Must Be Owned By Root
• file_permissions_system_journal: Verify Permissions on the system journal
• file_permissions_var_log: Verify Permissions on /var/log Directory
• file_permissions_var_log_audit: System Audit Logs Must Have Mode 0640 or Less Permissive

CNTR-OS-000280: OpenShift must protect log directory from any type of unauthorized access by setting file permissions.

Description: None

• medium

Automated: yes

• file_groupowner_system_journal: Verify Group Who Owns the system journal
• file_groupowner_var_log: Verify Group Who Owns /var/log Directory
• file_owner_system_journal: Verify Owner on the system journal
• file_owner_var_log: Verify User Who Owns /var/log Directory
• file_ownership_var_log_audit: System Audit Logs Must Be Owned By Root
• file_permissions_system_journal: Verify Permissions on the system journal
• file_permissions_var_log: Verify Permissions on /var/log Directory
• file_permissions_var_log_audit: System Audit Logs Must Have Mode 0640 or Less Permissive

CNTR-OS-000290: OpenShift must protect log directory from any type of unauthorized access by setting owner permissions.

Description: None

• medium

Automated: yes

• file_groupowner_system_journal: Verify Group Who Owns the system journal
• file_groupowner_var_log: Verify Group Who Owns /var/log Directory
• file_owner_system_journal: Verify Owner on the system journal
• file_owner_var_log: Verify User Who Owns /var/log Directory
• file_ownership_var_log_audit: System Audit Logs Must Be Owned By Root
• file_permissions_system_journal: Verify Permissions on the system journal
• file_permissions_var_log: Verify Permissions on /var/log Directory
• file_permissions_var_log_audit: System Audit Logs Must Have Mode 0640 or Less Permissive

CNTR-OS-000300: OpenShift must protect pod log files from any type of unauthorized access by setting owner permissions.

Description: None

• medium

Automated: yes

• file_groupowner_system_journal: Verify Group Who Owns the system journal
• file_groupowner_var_log: Verify Group Who Owns /var/log Directory
• file_owner_system_journal: Verify Owner on the system journal
• file_owner_var_log: Verify User Who Owns /var/log Directory
• file_ownership_var_log_audit: System Audit Logs Must Be Owned By Root
• file_permissions_system_journal: Verify Permissions on the system journal
• file_permissions_var_log: Verify Permissions on /var/log Directory
• file_permissions_var_log_audit: System Audit Logs Must Have Mode 0640 or Less Permissive

CNTR-OS-000310: OpenShift must protect audit information from unauthorized modification.

Description: None

• medium

Automated: yes

• audit_rules_immutable: Make the auditd Configuration Immutable

CNTR-OS-000320: OpenShift must prevent unauthorized changes to logon UIDs.

Description: None

• medium

Automated: yes

• audit_immutable_login_uids: Configure immutable Audit login UIDs

CNTR-OS-000330: OpenShift must protect audit tools from unauthorized access.

Description: None

• medium

Automated: yes

• audit_immutable_login_uids: Configure immutable Audit login UIDs

CNTR-OS-000340: OpenShift must use FIPS-validated cryptographic mechanisms to protect the integrity of log information.

Description: None

• medium

Automated: yes

No rules selected

CNTR-OS-000360: OpenShift must verify container images.

Description: None

• medium

Automated: yes

No rules selected

CNTR-OS-000380: OpenShift must contain only container images for those capabilities being offered by the container platform.

Description: None

• medium

Automated: no

No rules selected

CNTR-OS-000390: OpenShift runtime must enforce ports, protocols, and services that adhere to the PPSM CAL.

Description: None

• medium

Automated: no

No rules selected

CNTR-OS-000400: OpenShift must disable root and terminate network connections.

Description: None

• high

Automated: yes

• sshd_disable_root_login: Disable SSH Root Login

CNTR-OS-000430: OpenShift must use multifactor authentication for network access to accounts.

Description: None

• medium

Automated: no

No rules selected

CNTR-OS-000440: OpenShift must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.

Description: None

• medium

Automated: yes

No rules selected

CNTR-OS-000460: OpenShift must use FIPS validated LDAP or OpenIDConnect.

Description: None

• high

Automated: no

No rules selected

CNTR-OS-000490: OpenShift must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity.

Description: None

• medium

Automated: yes

• sshd_disable_root_login: Disable SSH Root Login

CNTR-OS-000500: OpenShift must separate user functionality (including user interface services) from information system management functionality.

Description: None

• medium

Automated: no

No rules selected

CNTR-OS-000510: OpenShift must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 validated cryptography.

Description: None

• high

Automated: yes

No rules selected

CNTR-OS-000540: OpenShift runtime must isolate security functions from nonsecurity functions.

Description: None

• medium

Automated: yes

• coreos_enable_selinux_kernel_argument: Ensure SELinux Not Disabled in the kernel arguments
• selinux_policytype: Configure SELinux Policy
• selinux_state: Ensure SELinux State is Enforcing

CNTR-OS-000560: OpenShift must prevent unauthorized and unintended information transfer via shared system resources and enable page poisoning.

Description: None

• medium

Automated: yes

• coreos_page_poison_kernel_argument: Enable page allocator poisoning
• coreos_slub_debug_kernel_argument: Enable SLUB/SLAB allocator poisoning
• coreos_vsyscall_kernel_argument: Disable vsyscalls
• sysctl_kernel_dmesg_restrict: Restrict Access to Kernel Message Buffer
• sysctl_kernel_perf_event_paranoid: Disallow kernel profiling by unprivileged users

CNTR-OS-000570: OpenShift must disable virtual syscalls.

Description: None

• medium

Automated: yes

• coreos_page_poison_kernel_argument: Enable page allocator poisoning
• coreos_slub_debug_kernel_argument: Enable SLUB/SLAB allocator poisoning
• coreos_vsyscall_kernel_argument: Disable vsyscalls
• sysctl_kernel_dmesg_restrict: Restrict Access to Kernel Message Buffer
• sysctl_kernel_perf_event_paranoid: Disallow kernel profiling by unprivileged users

CNTR-OS-000580: OpenShift must enable poisoning of SLUB/SLAB objects.

Description: None

• medium

Automated: yes

• coreos_page_poison_kernel_argument: Enable page allocator poisoning
• coreos_slub_debug_kernel_argument: Enable SLUB/SLAB allocator poisoning
• coreos_vsyscall_kernel_argument: Disable vsyscalls
• sysctl_kernel_dmesg_restrict: Restrict Access to Kernel Message Buffer
• sysctl_kernel_perf_event_paranoid: Disallow kernel profiling by unprivileged users

CNTR-OS-000590: OpenShift must set the sticky bit for world-writable directories.

Description: None

• medium

Automated: yes

• coreos_page_poison_kernel_argument: Enable page allocator poisoning
• coreos_slub_debug_kernel_argument: Enable SLUB/SLAB allocator poisoning
• coreos_vsyscall_kernel_argument: Disable vsyscalls
• sysctl_kernel_dmesg_restrict: Restrict Access to Kernel Message Buffer
• sysctl_kernel_perf_event_paranoid: Disallow kernel profiling by unprivileged users

CNTR-OS-000600: OpenShift must restrict access to the kernel buffer.

Description: None

• medium

Automated: yes

• coreos_page_poison_kernel_argument: Enable page allocator poisoning
• coreos_slub_debug_kernel_argument: Enable SLUB/SLAB allocator poisoning
• coreos_vsyscall_kernel_argument: Disable vsyscalls
• sysctl_kernel_dmesg_restrict: Restrict Access to Kernel Message Buffer
• sysctl_kernel_perf_event_paranoid: Disallow kernel profiling by unprivileged users

CNTR-OS-000610: OpenShift must prevent kernel profiling.

Description: None

• medium

Automated: yes

• coreos_page_poison_kernel_argument: Enable page allocator poisoning
• coreos_slub_debug_kernel_argument: Enable SLUB/SLAB allocator poisoning
• coreos_vsyscall_kernel_argument: Disable vsyscalls
• sysctl_kernel_dmesg_restrict: Restrict Access to Kernel Message Buffer
• sysctl_kernel_perf_event_paranoid: Disallow kernel profiling by unprivileged users

CNTR-OS-000620: OpenShift must restrict individuals the ability to launch organizational-defined Denial-of-Service (DOS) attacks against other information systems by setting a default Resource Quota.

Description: None

• medium

Automated: yes

No rules selected

CNTR-OS-000630: OpenShift must restrict individuals the ability to launch organizational-defined Denial-of-Service (DOS) attacks against other information systems by rate-limiting.

Description: None

• medium

Automated: yes

No rules selected

CNTR-OS-000650: OpenShift must display an explicit logout message indicating the reliable termination of authenticated communication sessions.

Description: None

• low

Automated: yes

No rules selected

CNTR-OS-000660: Container images instantiated by OpenShift must execute using least privileges.

Description: None

• high

Automated: yes

No rules selected

CNTR-OS-000670: Red Hat Enterprise Linux CoreOS (RHCOS) must allocate audit record storage capacity to store at least one weeks' worth of audit records, when audit records are not immediately sent to a central audit record storage facility.

Description: None

• low

Automated: yes

• auditd_data_disk_error_action: Configure auditd Disk Error Action on Disk Error
• auditd_data_retention_max_log_file_action_stig: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
• auditd_log_format: Resolve information before writing to audit logs
• partition_for_var_log_audit: Ensure /var/log/audit Located On Separate Partition

CNTR-OS-000690: OpenShift must configure Alert Manger Receivers to notify SA and ISSO of all audit failure events requiring real-time alerts.

Description: None

• medium

Automated: no

No rules selected

CNTR-OS-000720: OpenShift must enforce access restrictions and support auditing of the enforcement actions.

Description: None

• medium

Automated: yes

• audit_rules_suid_privilege_function: Record Events When Privileged Executables Are Run

CNTR-OS-000740: OpenShift must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.

Description: None

• medium

Automated: yes

No rules selected

CNTR-OS-000760: OpenShift must set server token max age no greater than eight hours.

Description: None

• medium

Automated: yes

No rules selected

CNTR-OS-000770: Vulnerability scanning applications must implement privileged access authorization to all OpenShift components, containers, and container images for selected organization-defined vulnerability scanning activities.

Description: None

• medium

Automated: no

No rules selected

CNTR-OS-000780: OpenShift keystore must implement encryption to prevent unauthorized disclosure of information at rest within the container platform.

Description: None

• medium

Automated: yes

No rules selected

CNTR-OS-000800: OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by employing organization-defined security safeguards by including a default resource quota.

Description: None

• medium

Automated: yes

No rules selected

CNTR-OS-000810: OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by defining resource quotas on a namespace.

Description: None

• medium

Automated: yes

• bios_enable_execution_restrictions: Enable NX or XD Support in the BIOS
• sysctl_kernel_randomize_va_space: Enable Randomized Layout of Virtual Address Space

CNTR-OS-000820: OpenShift must protect the confidentiality and integrity of transmitted information.

Description: None

• medium

Automated: no

No rules selected

CNTR-OS-000860: Red Hat Enterprise Linux CoreOS (RHCOS) must implement nonexecutable data to protect its memory from unauthorized code execution.

Description: None

• medium

Automated: yes

• bios_enable_execution_restrictions: Enable NX or XD Support in the BIOS
• sysctl_kernel_randomize_va_space: Enable Randomized Layout of Virtual Address Space

CNTR-OS-000870: Red Hat Enterprise Linux CoreOS (RHCOS) must implement ASLR (Address Space Layout Randomization) from unauthorized code execution.

Description: None

• medium

Automated: yes

• bios_enable_execution_restrictions: Enable NX or XD Support in the BIOS
• sysctl_kernel_randomize_va_space: Enable Randomized Layout of Virtual Address Space

CNTR-OS-000880: OpenShift must remove old components after updated versions have been installed.

Description: None

• medium

Automated: yes

No rules selected

CNTR-OS-000890: OpenShift must contain the latest images with most recent updates and execute within the container platform runtime as authorized by IAVM, CTOs, DTMs, and STIGs.

Description: None

• medium

Automated: yes

No rules selected

CNTR-OS-000900: OpenShift runtime must have updates installed within the period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

Description: None

• medium

Automated: yes

No rules selected

CNTR-OS-000910: The Compliance Operator must be configured.

Description: None

• medium

Automated: yes

No rules selected

CNTR-OS-000920: OpenShift must perform verification of the correct operation of security functions: upon startup and/or restart; upon command by a user with privileged access; and/or every 30 days.

Description: None

• medium

Automated: yes

No rules selected

CNTR-OS-000930: OpenShift must generate audit records when successful/unsuccessful attempts to modify privileges occur.

Description: None

• medium

Automated: yes

• audit_immutable_login_uids: Configure immutable Audit login UIDs
• audit_rules_dac_modification_chmod: Record Events that Modify the System's Discretionary Access Controls - chmod
• audit_rules_dac_modification_chown: Record Events that Modify the System's Discretionary Access Controls - chown
• audit_rules_dac_modification_fchmod: Record Events that Modify the System's Discretionary Access Controls - fchmod
• audit_rules_dac_modification_fchmodat: Record Events that Modify the System's Discretionary Access Controls - fchmodat
• audit_rules_dac_modification_fchown: Record Events that Modify the System's Discretionary Access Controls - fchown
• audit_rules_dac_modification_fchownat: Record Events that Modify the System's Discretionary Access Controls - fchownat
• audit_rules_dac_modification_fremovexattr: Record Events that Modify the System's Discretionary Access Controls - fremovexattr
• audit_rules_dac_modification_fsetxattr: Record Events that Modify the System's Discretionary Access Controls - fsetxattr
• audit_rules_dac_modification_lchown: Record Events that Modify the System's Discretionary Access Controls - lchown
• audit_rules_dac_modification_lremovexattr: Record Events that Modify the System's Discretionary Access Controls - lremovexattr
• audit_rules_dac_modification_lsetxattr: Record Events that Modify the System's Discretionary Access Controls - lsetxattr
• audit_rules_dac_modification_removexattr: Record Events that Modify the System's Discretionary Access Controls - removexattr
• audit_rules_dac_modification_setxattr: Record Events that Modify the System's Discretionary Access Controls - setxattr
• audit_rules_dac_modification_umount: Record Events that Modify the System's Discretionary Access Controls - umount
• audit_rules_dac_modification_umount2: Record Events that Modify the System's Discretionary Access Controls - umount2
• audit_rules_execution_chacl: Record Any Attempts to Run chacl
• audit_rules_execution_chcon: Record Any Attempts to Run chcon
• audit_rules_execution_semanage: Record Any Attempts to Run semanage
• audit_rules_execution_setfacl: Record Any Attempts to Run setfacl
• audit_rules_execution_setfiles: Record Any Attempts to Run setfiles
• audit_rules_execution_setsebool: Record Any Attempts to Run setsebool
• audit_rules_file_deletion_events_rename: Ensure auditd Collects File Deletion Events by User - rename
• audit_rules_file_deletion_events_renameat: Ensure auditd Collects File Deletion Events by User - renameat
• audit_rules_file_deletion_events_rmdir: Ensure auditd Collects File Deletion Events by User - rmdir
• audit_rules_file_deletion_events_unlink: Ensure auditd Collects File Deletion Events by User - unlink
• audit_rules_file_deletion_events_unlinkat: Ensure auditd Collects File Deletion Events by User - unlinkat
• audit_rules_kernel_module_loading_delete: Ensure auditd Collects Information on Kernel Module Unloading - delete_module
• audit_rules_kernel_module_loading_finit: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
• audit_rules_kernel_module_loading_init: Ensure auditd Collects Information on Kernel Module Loading - init_module
• audit_rules_login_events_lastlog: Record Attempts to Alter Logon and Logout Events - lastlog
• audit_rules_media_export: Ensure auditd Collects Information on Exporting to Media (successful)
• audit_rules_privileged_commands_chage: Ensure auditd Collects Information on the Use of Privileged Commands - chage
• audit_rules_privileged_commands_chsh: Ensure auditd Collects Information on the Use of Privileged Commands - chsh
• audit_rules_privileged_commands_crontab: Ensure auditd Collects Information on the Use of Privileged Commands - crontab
• audit_rules_privileged_commands_gpasswd: Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd
• audit_rules_privileged_commands_kmod: Ensure auditd Collects Information on the Use of Privileged Commands - kmod
• audit_rules_privileged_commands_newgrp: Ensure auditd Collects Information on the Use of Privileged Commands - newgrp
• audit_rules_privileged_commands_pam_timestamp_check: Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
• audit_rules_privileged_commands_passwd: Ensure auditd Collects Information on the Use of Privileged Commands - passwd
• audit_rules_privileged_commands_postdrop: Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
• audit_rules_privileged_commands_postqueue: Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
• audit_rules_privileged_commands_ssh_agent: Record Any Attempts to Run ssh-agent
• audit_rules_privileged_commands_ssh_keysign: Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
• audit_rules_privileged_commands_su: Ensure auditd Collects Information on the Use of Privileged Commands - su
• audit_rules_privileged_commands_sudo: Ensure auditd Collects Information on the Use of Privileged Commands - sudo
• audit_rules_privileged_commands_sudoedit: Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit
• audit_rules_privileged_commands_unix_chkpwd: Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd
• audit_rules_privileged_commands_unix_update: Ensure auditd Collects Information on the Use of Privileged Commands - unix_update
• audit_rules_privileged_commands_userhelper: Ensure auditd Collects Information on the Use of Privileged Commands - userhelper
• audit_rules_privileged_commands_usermod: Ensure auditd Collects Information on the Use of Privileged Commands - usermod
• audit_rules_sudoers: Ensure auditd Collects System Administrator Actions - /etc/sudoers
• audit_rules_sudoers_d: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
• audit_rules_unsuccessful_file_modification_creat: Record Unsuccessful Access Attempts to Files - creat
• audit_rules_unsuccessful_file_modification_ftruncate: Record Unsuccessful Access Attempts to Files - ftruncate
• audit_rules_unsuccessful_file_modification_open: Record Unsuccessful Access Attempts to Files - open
• audit_rules_unsuccessful_file_modification_open_by_handle_at: Record Unsuccessful Access Attempts to Files - open_by_handle_at
• audit_rules_unsuccessful_file_modification_openat: Record Unsuccessful Access Attempts to Files - openat
• audit_rules_unsuccessful_file_modification_truncate: Record Unsuccessful Access Attempts to Files - truncate
• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group
• audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow
• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd
• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd
• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow

CNTR-OS-000940: OpenShift must generate audit records when successful/unsuccessful attempts to modify security objects occur.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_fremovexattr: Record Events that Modify the System's Discretionary Access Controls - fremovexattr
• audit_rules_dac_modification_fsetxattr: Record Events that Modify the System's Discretionary Access Controls - fsetxattr
• audit_rules_dac_modification_lremovexattr: Record Events that Modify the System's Discretionary Access Controls - lremovexattr
• audit_rules_dac_modification_lsetxattr: Record Events that Modify the System's Discretionary Access Controls - lsetxattr
• audit_rules_dac_modification_removexattr: Record Events that Modify the System's Discretionary Access Controls - removexattr
• audit_rules_execution_chcon: Record Any Attempts to Run chcon
• audit_rules_execution_semanage: Record Any Attempts to Run semanage
• audit_rules_execution_setfiles: Record Any Attempts to Run setfiles
• audit_rules_execution_setsebool: Record Any Attempts to Run setsebool
• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd

CNTR-OS-000950: OpenShift must generate audit records when successful/unsuccessful attempts to delete privileges occur.

Description: None

• medium

Automated: yes

• audit_rules_dac_modification_chmod: Record Events that Modify the System's Discretionary Access Controls - chmod
• audit_rules_dac_modification_chown: Record Events that Modify the System's Discretionary Access Controls - chown
• audit_rules_dac_modification_fchmod: Record Events that Modify the System's Discretionary Access Controls - fchmod
• audit_rules_dac_modification_fchmodat: Record Events that Modify the System's Discretionary Access Controls - fchmodat
• audit_rules_dac_modification_fchown: Record Events that Modify the System's Discretionary Access Controls - fchown
• audit_rules_dac_modification_fchownat: Record Events that Modify the System's Discretionary Access Controls - fchownat
• audit_rules_dac_modification_fremovexattr: Record Events that Modify the System's Discretionary Access Controls - fremovexattr
• audit_rules_dac_modification_lchown: Record Events that Modify the System's Discretionary Access Controls - lchown
• audit_rules_dac_modification_lremovexattr: Record Events that Modify the System's Discretionary Access Controls - lremovexattr
• audit_rules_dac_modification_removexattr: Record Events that Modify the System's Discretionary Access Controls - removexattr
• audit_rules_execution_chacl: Record Any Attempts to Run chacl
• audit_rules_file_deletion_events_rename: Ensure auditd Collects File Deletion Events by User - rename
• audit_rules_file_deletion_events_renameat: Ensure auditd Collects File Deletion Events by User - renameat
• audit_rules_file_deletion_events_rmdir: Ensure auditd Collects File Deletion Events by User - rmdir
• audit_rules_file_deletion_events_unlink: Ensure auditd Collects File Deletion Events by User - unlink
• audit_rules_file_deletion_events_unlinkat: Ensure auditd Collects File Deletion Events by User - unlinkat
• audit_rules_privileged_commands_pt_chown: Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown
• audit_rules_privileged_commands_su: Ensure auditd Collects Information on the Use of Privileged Commands - su
• audit_rules_privileged_commands_sudo: Ensure auditd Collects Information on the Use of Privileged Commands - sudo
• audit_rules_privileged_commands_usermod: Ensure auditd Collects Information on the Use of Privileged Commands - usermod
• audit_rules_sudoers: Ensure auditd Collects System Administrator Actions - /etc/sudoers
• audit_rules_sudoers_d: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group
• audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow
• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd
• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow

CNTR-OS-000960: OpenShift must generate audit records when successful/unsuccessful attempts to delete security objects occur.

Description: None

• medium

Automated: yes

• audit_delete_failed: Configure auditing of unsuccessful file deletions
• audit_rules_dac_modification_fsetxattr: Record Events that Modify the System's Discretionary Access Controls - fsetxattr
• audit_rules_dac_modification_lremovexattr: Record Events that Modify the System's Discretionary Access Controls - lremovexattr
• audit_rules_dac_modification_lsetxattr: Record Events that Modify the System's Discretionary Access Controls - lsetxattr
• audit_rules_dac_modification_removexattr: Record Events that Modify the System's Discretionary Access Controls - removexattr
• audit_rules_execution_chcon: Record Any Attempts to Run chcon
• audit_rules_file_deletion_events_rename: Ensure auditd Collects File Deletion Events by User - rename
• audit_rules_file_deletion_events_renameat: Ensure auditd Collects File Deletion Events by User - renameat
• audit_rules_file_deletion_events_rmdir: Ensure auditd Collects File Deletion Events by User - rmdir
• audit_rules_file_deletion_events_unlink: Ensure auditd Collects File Deletion Events by User - unlink
• audit_rules_file_deletion_events_unlinkat: Ensure auditd Collects File Deletion Events by User - unlinkat
• audit_rules_privileged_commands_chage: Ensure auditd Collects Information on the Use of Privileged Commands - chage
• audit_rules_privileged_commands_pt_chown: Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown
• audit_rules_unsuccessful_file_modification_rename: Record Unsuccessful Delete Attempts to Files - rename
• audit_rules_unsuccessful_file_modification_renameat: Record Unsuccessful Delete Attempts to Files - renameat
• audit_rules_unsuccessful_file_modification_unlink: Record Unsuccessful Delete Attempts to Files - unlink
• audit_rules_unsuccessful_file_modification_unlinkat: Record Unsuccessful Delete Attempts to Files - unlinkat

CNTR-OS-000970: OpenShift must generate audit records when successful/unsuccessful logon attempts occur.

Description: None

• medium

Automated: yes

• audit_rules_login_events_faillock: Record Attempts to Alter Logon and Logout Events - faillock
• audit_rules_login_events_lastlog: Record Attempts to Alter Logon and Logout Events - lastlog
• audit_rules_login_events_tallylog: Record Attempts to Alter Logon and Logout Events - tallylog
• audit_rules_sudoers: Ensure auditd Collects System Administrator Actions - /etc/sudoers
• audit_rules_sudoers_d: Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group
• audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow
• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd
• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd
• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow

CNTR-OS-000980: Red Hat Enterprise Linux CoreOS (RHCOS) must be configured to audit the loading and unloading of dynamic kernel modules.

Description: None

• medium

Automated: yes

• audit_rules_kernel_module_loading_delete: Ensure auditd Collects Information on Kernel Module Unloading - delete_module
• audit_rules_kernel_module_loading_finit: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
• audit_rules_kernel_module_loading_init: Ensure auditd Collects Information on Kernel Module Loading - init_module
• audit_rules_privileged_commands_kmod: Ensure auditd Collects Information on the Use of Privileged Commands - kmod

CNTR-OS-000990: OpenShift audit records must record user access start and end times.

Description: None

• medium

Automated: yes

• audit_rules_session_events: Record Attempts to Alter Process and Session Initiation Information

CNTR-OS-001000: OpenShift must generate audit records when concurrent logons from different workstations and systems occur.

Description: None

• medium

Automated: yes

• audit_rules_login_events_faillock: Record Attempts to Alter Logon and Logout Events - faillock
• audit_rules_login_events_lastlog: Record Attempts to Alter Logon and Logout Events - lastlog

CNTR-OS-001010: Red Hat Enterprise Linux CoreOS (RHCOS) must disable SSHD service.

Description: None

• high

Automated: yes

• configure_usbguard_auditbackend: Log USBGuard daemon audit events using Linux Audit
• kernel_module_usb-storage_disabled: Disable Modprobe Loading of USB Storage Driver
• package_usbguard_installed: Install usbguard Package
• service_sshd_disabled: Disable SSH Server If Possible
• service_usbguard_enabled: Enable the USBGuard Service
• usbguard_allow_hid_and_hub: Authorize Human Interface Devices and USB hubs in USBGuard daemon

CNTR-OS-001020: Red Hat Enterprise Linux CoreOS (RHCOS) must disable USB Storage kernel module.

Description: None

• medium

Automated: yes

• configure_usbguard_auditbackend: Log USBGuard daemon audit events using Linux Audit
• kernel_module_usb-storage_disabled: Disable Modprobe Loading of USB Storage Driver
• package_usbguard_installed: Install usbguard Package
• service_sshd_disabled: Disable SSH Server If Possible
• service_usbguard_enabled: Enable the USBGuard Service
• usbguard_allow_hid_and_hub: Authorize Human Interface Devices and USB hubs in USBGuard daemon

CNTR-OS-001030: Red Hat Enterprise Linux CoreOS (RHCOS) must use USBGuard for hosts that include a USB Controller.

Description: None

• medium

Automated: yes

• configure_usbguard_auditbackend: Log USBGuard daemon audit events using Linux Audit
• kernel_module_usb-storage_disabled: Disable Modprobe Loading of USB Storage Driver
• package_usbguard_installed: Install usbguard Package
• service_sshd_disabled: Disable SSH Server If Possible
• service_usbguard_enabled: Enable the USBGuard Service
• usbguard_allow_hid_and_hub: Authorize Human Interface Devices and USB hubs in USBGuard daemon

CNTR-OS-001060: OpenShift must continuously scan components, containers, and images for vulnerabilities.

Description: None

• medium

Automated: yes

No rules selected

CNTR-OS-001080: OpenShift must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (nonlegacy use).

Description: None

• medium

Automated: yes

No rules selected