Skip to content
Log In

Container Platform Security Requirements Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-APP-000383

    Group
    Show

  • All non-essential, unnecessary, and unsecure DoD ports, protocols, and services must be disabled in the container platform.

    To properly offer services to the user and to orchestrate containers, the container platform may offer services that use ports and protocols that best fit those services. The container platform, wh...
    Rule Medium Severity
    Show

  • SRG-APP-000384

    Group
    Show

  • The container platform must prevent component execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.

    The container platform may offer components such as DNS services, firewall services, router services, or web services that are not required by every organization to meet their needs. Container plat...
    Rule Medium Severity
    Show

  • SRG-APP-000386

    Group
    Show

  • SRG-APP-000389

    Group
    Show

  • SRG-APP-000391

    Group
    Show

  • The container platform must be configured to use multi-factor authentication for user authentication.

    Controlling access to the container platform and its components is paramount in having a secure and stable system. Validating users is the first step in controlling the access. Users may be validat...
    Rule Medium Severity
    Show

  • SRG-APP-000400

    Group
    Show

  • The container platform must prohibit the use of cached authenticators after an organization-defined time period.

    If cached authentication information is out of date, the validity of the authentication information may be questionable.
    Rule Medium Severity
    Show

  • SRG-APP-000401

    Group
    Show

  • The container platform, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.

    The potential of allowing access to users who are no longer authorized (have revoked certificates) increases unless a local cache of revocation data is configured.
    Rule Medium Severity
    Show

  • SRG-APP-000402

    Group
    Show

  • SRG-APP-000409

    Group
    Show

  • SRG-APP-000411

    Group
    Show

  • Container platform applications and Application Program Interfaces (API) used for nonlocal maintenance sessions must use FIPS-validated keyed-hash message authentication code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.

    Unapproved mechanisms that are used for authentication to the cryptographic module are not verified, and therefore cannot be relied on to provide confidentiality or integrity, and DoD data may be c...
    Rule Medium Severity
    Show

  • SRG-APP-000412

    Group
    Show

  • SRG-APP-000414

    Group
    Show

  • Vulnerability scanning applications must implement privileged access authorization to all container platform components, containers, and container images for selected organization-defined vulnerability scanning activities.

    In certain situations, the nature of the vulnerability scanning may be more intrusive, or the container platform component that is the subject of the scanning may contain highly sensitive informati...
    Rule Medium Severity
    Show

  • SRG-APP-000516

    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules