Container Platform Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The container platform must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
Controlling user access is paramount in securing the container platform. During a user's access to the container platform, events may occur that change the user's access and which require reauthent...Rule Medium Severity -
The container platform must accept Personal Identity Verification (PIV) credentials from other federal agencies.
Controlling access to the container platform and its components is paramount in having a secure and stable system. Validating users is the first step in controlling the access. Users may be validat...Rule Medium Severity -
The container platform must audit non-local maintenance and diagnostic sessions' organization-defined audit events associated with non-local maintenance.
To fully investigate an attack, it is important to understand the event and those events taking place during the same time period. Often, non-local administrative access and diagnostic sessions are...Rule Medium Severity -
The container platform must configure web management tools and Application Program Interfaces (API) with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Nonlocal maintenance and diagnostic activities are act...Rule Medium Severity -
The container platform keystore must implement encryption to prevent unauthorized disclosure of information at rest within the container platform.
Container platform keystore is used for container deployments for persistent storage of all its REST API objects. These objects are sensitive in nature and should be encrypted at rest to avoid any ...Rule High Severity -
The container platform must maintain the confidentiality and integrity of information during preparation for transmission.
Information may be unintentionally or maliciously disclosed or modified during preparation for transmission within the container platform during aggregation, at protocol transformation points, and ...Rule Medium Severity -
The container platform must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.
Software or code parameters typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured...Rule Medium Severity -
The container platform must remove old components after updated versions have been installed.
Previous versions of container platform components that are not removed from the container platform after updates have been installed may be exploited by adversaries by causing older components to ...Rule Medium Severity -
The container platform registry must remove old container images after updating versions have been made available.
Obsolete and stale images need to be removed from the registry to ensure the container platform maintains a secure posture. While the storing of these images does not directly pose a threat, they d...Rule Medium Severity -
The container platform runtime must have updates installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
The container platform runtime must be carefully monitored for vulnerabilities, and when problems are detected, they must be remediated quickly. A vulnerable runtime exposes all containers it suppo...Rule Medium Severity -
The container platform must perform verification of the correct operation of security functions: upon system startup and/or restart; upon command by a user with privileged access; and/or every 30 days. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
Without verification, security functions may not operate correctly and this failure may go unnoticed within the container platform. Security functions are responsible for enforcing the system secu...Rule Medium Severity -
The container platform must generate audit records when successful/unsuccessful attempts to access security objects occur.
The container platform and its components must generate audit records when successful and unsuccessful access security objects occur. All the components must use the same standard so that the event...Rule Medium Severity -
The container platform must generate audit records when successful/unsuccessful attempts to modify security levels occur.
Unauthorized users could modify the security levels to exploit vulnerabilities within the container platform component. All the components must use the same standard so that the events can be tied ...Rule Medium Severity -
The container platform must generate audit records when successful/unsuccessful attempts to delete security objects occur.
Unauthorized users modify level the security levels to exploit vulnerabilities within the container platform component. All the components must use the same standard so that the events can be tied ...Rule Medium Severity -
The container platform must generate audit records when successful/unsuccessful logon attempts occur.
The container platform and its components must generate audit records when successful and unsuccessful logon attempts occur. The information system can determine if an account is compromised or is ...Rule Medium Severity -
The container platform must generate audit records when concurrent logons from different workstations and systems occur.
The container platform and its components must generate audit records for concurrent logons from workstations perform remote maintenance, runtime instances, connectivity to the container registry, ...Rule Medium Severity -
The container platform runtime must generate audit records when successful/unsuccessful attempts to access objects occur.
Container platform runtime objects are defined as configuration files, code, etc. This provides the ability to configure resources and software parameters prior to image execution from the containe...Rule Medium Severity -
The container runtime must generate audit records for all container execution, shutdown, restart events, and program initiations.
The container runtime must generate audit records that are specific to the security and mission needs of the organization. Without audit record, it would be difficult to establish, correlate, and i...Rule Medium Severity -
The container platform must use a valid FIPS 140-2 approved cryptographic modules to generate hashes.
The cryptographic module used must have at least one validated hash algorithm. This validated hash algorithm must be used to generate cryptographic hashes for all cryptographic security function wi...Rule Medium Severity -
The container platform must be able to store and instantiate industry standard container images.
Monitoring the container images and containers during their lifecycle is important to guarantee the container platform is secure. To monitor the containers and images, security tools can be put in ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.