Container Platform Security Requirements Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-APP-000118

    Group
  • The container platform must protect audit information from any type of unauthorized read access.

    If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. In ad...
    Rule Medium Severity
  • SRG-APP-000119

    Group
  • SRG-APP-000120

    Group
  • SRG-APP-000121

    Group
  • SRG-APP-000122

    Group
  • The container platform must protect audit tools from unauthorized modification.

    Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on au...
    Rule Medium Severity
  • SRG-APP-000123

    Group
  • The container platform must protect audit tools from unauthorized deletion.

    Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on au...
    Rule Medium Severity
  • SRG-APP-000126

    Group
  • The container platform must use FIPS validated cryptographic mechanisms to protect the integrity of log information.

    To fully investigate an incident and to have trust in the audit data that is generated, it is important to put in place data protections. Without integrity protections, unauthorized changes may be ...
    Rule Medium Severity
  • SRG-APP-000131

    Group
  • SRG-APP-000131

    Group
  • SRG-APP-000133

    Group
  • The container platform must limit privileges to the container platform registry.

    To control what is instantiated within the container platform, it is important to control access to the registry. Without this control, container images can be introduced and instantiated by accide...
    Rule Medium Severity
  • SRG-APP-000133

    Group
  • The container platform must limit privileges to the container platform runtime.

    To control what is instantiated within the container platform, it is important to control access to the runtime. Without this control, container platform specific services and customer services can...
    Rule Medium Severity
  • SRG-APP-000133

    Group
  • The container platform must limit privileges to the container platform keystore.

    The container platform keystore is used to store credentials used to build a trust between the container platform and some external source. This trust relationship is authorized by the organization...
    Rule Medium Severity
  • SRG-APP-000133

    Group
  • SRG-APP-000133

    Group
  • SRG-APP-000141

    Group
  • The container platform must be configured with only essential configurations.

    The container platform can be built with components that are not used for the intended purpose of the organization. To limit the attack surface of the container platform, it is essential that the n...
    Rule Medium Severity
  • SRG-APP-000141

    Group
  • The container platform registry must contain only container images for those capabilities being offered by the container platform.

    Allowing container images to reside within the container platform registry that are not essential to the capabilities being offered by the container platform becomes a potential security risk. By a...
    Rule Medium Severity
  • SRG-APP-000142

    Group
  • The container platform runtime must enforce ports, protocols, and services that adhere to the PPSM CAL.

    Ports, protocols, and services within the container platform runtime must be controlled and conform to the PPSM CAL. Those ports, protocols, and services that fall outside the PPSM CAL must be bloc...
    Rule Medium Severity
  • SRG-APP-000142

    Group
  • The container platform runtime must enforce the use of ports that are non-privileged.

    Privileged ports are those ports below 1024 and that require system privileges for their use. If containers are able to use these ports, the container must be run as a privileged user. The containe...
    Rule Medium Severity
  • SRG-APP-000148

    Group
  • SRG-APP-000148

    Group
  • The container platform application program interface (API) must uniquely identify and authenticate users.

    The container platform requires user accounts to perform container platform tasks. These tasks are often performed through the container platform API. Protecting the API from users who are not auth...
    Rule Medium Severity
  • SRG-APP-000148

    Group
  • The container platform must uniquely identify and authenticate processes acting on behalf of the users.

    The container platform will instantiate a container image and use the user privileges given to the user used to execute the container. To ensure accountability and prevent unauthenticated access to...
    Rule Medium Severity
  • SRG-APP-000148

    Group
  • SRG-APP-000149

    Group
  • SRG-APP-000150

    Group
  • SRG-APP-000151

    Group
  • The container platform must use multifactor authentication for local access to privileged accounts.

    To ensure accountability and prevent unauthenticated access, privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authenti...
    Rule Medium Severity
  • SRG-APP-000152

    Group
  • The container platform must use multifactor authentication for local access to nonprivileged accounts.

    To ensure accountability, prevent unauthenticated access, and prevent misuse of the system, nonprivileged users must utilize multifactor authentication for local access. Multifactor authenticatio...
    Rule Medium Severity
  • SRG-APP-000153

    Group
  • SRG-APP-000156

    Group
  • The container platform must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.

    A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be ...
    Rule Medium Severity
  • SRG-APP-000157

    Group
  • The container platform must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.

    A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be ...
    Rule Medium Severity
  • SRG-APP-000158

    Group
  • The container platform must uniquely identify all network-connected nodes before establishing any connection.

    A container platform usually consists of multiple nodes. It is important for these nodes to be uniquely identified before a connection is allowed. Without identifying the nodes, unidentified or unk...
    Rule Medium Severity
  • SRG-APP-000163

    Group
  • SRG-APP-000164

    Group