Definition of Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide for rhcos4

based on https://public.cyber.mil/stigs/downloads/

CNTR-OS-000010: OpenShift must use TLS 1.2 or greater for secure container image transport from trusted sources.

Description: None

Levels:

Automated: yes

No rules selected

CNTR-OS-000020: OpenShift must use TLS 1.2 or greater for secure communication.

Description: None

Levels:

Automated: yes

No rules selected

CNTR-OS-000030: OpenShift must use a centralized user management solution to support account management functions.

Description: None

Levels:

Automated: yes

No rules selected

CNTR-OS-000040: The kubeadmin account must be disabled.

Description: None

Levels:

Automated: yes

No rules selected

CNTR-OS-000050: OpenShift must automatically audit account creation.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000060: OpenShift must automatically audit account modification.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000070: OpenShift must generate audit rules to capture account related actions.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000080: OpenShift must automatically audit account removal actions.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000090: OpenShift RBAC access controls must be enforced.

Description: None

Levels:

Automated: yes

No rules selected

CNTR-OS-000100: OpenShift must enforce network policy on the namespace for controlling the flow of information within the container platform based on organization-defined information flow control policies.

Description: None

Levels:

Automated: yes

No rules selected

CNTR-OS-000110: OpenShift must enforce approved authorizations for controlling the flow of information within the container platform based on organization-defined information flow control policies.

Description: None

Levels:

Automated: yes

No rules selected

CNTR-OS-000130: OpenShift must display the Standard Mandatory DOD Notice and Consent Banner before granting access to platform components.

Description: None

Levels:

Automated: yes

No rules selected

CNTR-OS-000150: OpenShift must generate audit records for all DOD-defined auditable events within all components in the platform.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000160: OpenShift must generate audit records when successful/unsuccessful attempts to access privileges occur.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000170: Red Hat Enterprise Linux CoreOS (RHCOS) must initiate session audits at system startup.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000180: All audit records must identify what type of event has occurred within OpenShift.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000190: OpenShift audit records must have a date and time association with all events.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000200: All audit records must generate the event results within OpenShift.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000210: OpenShift must take appropriate action upon an audit failure.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000220: OpenShift components must provide the ability to send audit logs to a central enterprise repository for review and analysis.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000230: OpenShift must use internal system clocks to generate audit record time stamps.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000240: The Red Hat Enterprise Linux CoreOS (RHCOS) chrony Daemon must use multiple NTP servers to generate audit record time stamps.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000250: OpenShift must protect audit logs from any type of unauthorized access.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000260: OpenShift must protect system journal file from any type of unauthorized access by setting file permissions.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000270: OpenShift must protect system journal file from any type of unauthorized access by setting owner permissions.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000280: OpenShift must protect log directory from any type of unauthorized access by setting file permissions.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000290: OpenShift must protect log directory from any type of unauthorized access by setting owner permissions.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000300: OpenShift must protect pod log files from any type of unauthorized access by setting owner permissions.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000310: OpenShift must protect audit information from unauthorized modification.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000320: OpenShift must prevent unauthorized changes to logon UIDs.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000330: OpenShift must protect audit tools from unauthorized access.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000340: OpenShift must use FIPS-validated cryptographic mechanisms to protect the integrity of log information.

Description: None

Levels:

Automated: yes

No rules selected

CNTR-OS-000360: OpenShift must verify container images.

Description: None

Levels:

Automated: yes

No rules selected

CNTR-OS-000380: OpenShift must contain only container images for those capabilities being offered by the container platform.

Description: None

Levels:

Automated: no

No rules selected

CNTR-OS-000390: OpenShift runtime must enforce ports, protocols, and services that adhere to the PPSM CAL.

Description: None

Levels:

Automated: no

No rules selected

CNTR-OS-000400: OpenShift must disable root and terminate network connections.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000430: OpenShift must use multifactor authentication for network access to accounts.

Description: None

Levels:

Automated: no

No rules selected

CNTR-OS-000440: OpenShift must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.

Description: None

Levels:

Automated: yes

No rules selected

CNTR-OS-000460: OpenShift must use FIPS validated LDAP or OpenIDConnect.

Description: None

Levels:

Automated: no

No rules selected

CNTR-OS-000490: OpenShift must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000500: OpenShift must separate user functionality (including user interface services) from information system management functionality.

Description: None

Levels:

Automated: no

No rules selected

CNTR-OS-000510: OpenShift must protect authenticity of communications sessions with the use of FIPS 140-2 or 140-3 validated cryptography.

Description: None

Levels:

Automated: yes

No rules selected

CNTR-OS-000540: OpenShift runtime must isolate security functions from nonsecurity functions.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000560: OpenShift must prevent unauthorized and unintended information transfer via shared system resources and enable page poisoning.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000570: OpenShift must disable virtual syscalls.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000580: OpenShift must enable poisoning of SLUB/SLAB objects.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000590: OpenShift must set the sticky bit for world-writable directories.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000600: OpenShift must restrict access to the kernel buffer.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000610: OpenShift must prevent kernel profiling.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000620: OpenShift must restrict individuals' ability to launch organization-defined Denial-of-Service (DoS) attacks against other information systems by setting a default Resource Quota.

Description: None

Levels:

Automated: yes

No rules selected

CNTR-OS-000630: OpenShift must restrict individuals' ability to launch organization-defined Denial-of-Service (DoS) attacks against other information systems by rate-limiting.

Description: None

Levels:

Automated: yes

No rules selected

CNTR-OS-000650: OpenShift must display an explicit logout message indicating the reliable termination of authenticated communication sessions.

Description: None

Levels:

Automated: yes

No rules selected

CNTR-OS-000660: Container images instantiated by OpenShift must execute using least privileges.

Description: None

Levels:

Automated: yes

No rules selected

CNTR-OS-000670: Red Hat Enterprise Linux CoreOS (RHCOS) must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000690: OpenShift must configure Alert Manager Receivers to notify SA and ISSO of all audit failure events requiring real-time alerts.

Description: None

Levels:

Automated: no

No rules selected

CNTR-OS-000720: OpenShift must enforce access restrictions and support auditing of the enforcement actions.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000740: OpenShift must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.

Description: None

Levels:

Automated: yes

No rules selected

CNTR-OS-000760: OpenShift must set server token max age no greater than eight hours.

Description: None

Levels:

Automated: yes

No rules selected

CNTR-OS-000770: Vulnerability scanning applications must implement privileged access authorization to all OpenShift components, containers, and container images for selected organization-defined vulnerability scanning activities.

Description: None

Levels:

Automated: no

No rules selected

CNTR-OS-000780: OpenShift keystore must implement encryption to prevent unauthorized disclosure of information at rest within the container platform.

Description: None

Levels:

Automated: yes

No rules selected

CNTR-OS-000800: OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by employing organization-defined security safeguards by including a default resource quota.

Description: None

Levels:

Automated: yes

No rules selected

CNTR-OS-000810: OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by defining resource quotas on a namespace.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000820: OpenShift must protect the confidentiality and integrity of transmitted information.

Description: None

Levels:

Automated: no

No rules selected

CNTR-OS-000860: Red Hat Enterprise Linux CoreOS (RHCOS) must implement nonexecutable data to protect its memory from unauthorized code execution.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000870: Red Hat Enterprise Linux CoreOS (RHCOS) must implement ASLR (Address Space Layout Randomization) to protect against unauthorized code execution.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000880: OpenShift must remove old components after updated versions have been installed.

Description: None

Levels:

Automated: yes

No rules selected

CNTR-OS-000890: OpenShift must contain the latest images with most recent updates and execute within the container platform runtime as authorized by IAVM, CTOs, DTMs, and STIGs.

Description: None

Levels:

Automated: yes

No rules selected

CNTR-OS-000900: OpenShift runtime must have updates installed within the period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

Description: None

Levels:

Automated: yes

No rules selected

CNTR-OS-000910: The Compliance Operator must be configured.

Description: None

Levels:

Automated: yes

No rules selected

CNTR-OS-000920: OpenShift must perform verification of the correct operation of security functions: upon startup and/or restart; upon command by a user with privileged access; and/or every 30 days.

Description: None

Levels:

Automated: yes

No rules selected

CNTR-OS-000930: OpenShift must generate audit records when successful/unsuccessful attempts to modify privileges occur.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000940: OpenShift must generate audit records when successful/unsuccessful attempts to modify security objects occur.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000950: OpenShift must generate audit records when successful/unsuccessful attempts to delete privileges occur.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000960: OpenShift must generate audit records when successful/unsuccessful attempts to delete security objects occur.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000970: OpenShift must generate audit records when successful/unsuccessful logon attempts occur.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000980: Red Hat Enterprise Linux CoreOS (RHCOS) must be configured to audit the loading and unloading of dynamic kernel modules.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-000990: OpenShift audit records must record user access start and end times.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-001000: OpenShift must generate audit records when concurrent logons from different workstations and systems occur.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-001010: Red Hat Enterprise Linux CoreOS (RHCOS) must disable SSHD service.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-001020: Red Hat Enterprise Linux CoreOS (RHCOS) must disable USB Storage kernel module.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-001030: Red Hat Enterprise Linux CoreOS (RHCOS) must use USBGuard for hosts that include a USB Controller.

Description: None

Levels:

Automated: yes

Selections:

CNTR-OS-001060: OpenShift must continuously scan components, containers, and images for vulnerabilities.

Description: None

Levels:

Automated: yes

No rules selected

CNTR-OS-001080: OpenShift must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (nonlegacy use).

Description: None

Levels:

Automated: yes

No rules selected