Container Platform Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000508
Group -
Direct access to the container platform must generate audit records.
Direct access to the container platform and its components must generate audit records. All the components must use the same standard so that the events can be tied together to understand what took...Rule Medium Severity -
SRG-APP-000509
Group -
The container platform must generate audit records for all account creations, modifications, disabling, and termination events.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
SRG-APP-000510
Group -
SRG-APP-000514
Group -
SRG-APP-000516
Group -
Container platform components must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.
Container platform components are part of the overall container platform, offering services that enable the container platform to fully orchestrate user containers. These components may fall outsid...Rule Medium Severity -
SRG-APP-000516
Group -
SRG-APP-000516
Group -
The container platform must continuously scan components, containers, and images for vulnerabilities.
Finding vulnerabilities quickly within the container platform and within containers deployed within the platform is important to keep the overall platform secure. When a vulnerability within a comp...Rule Medium Severity -
SRG-APP-000560
Group -
SRG-APP-000605
Group -
SRG-APP-000610
Group -
SRG-APP-000635
Group -
The container platform must use a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality.
Unvalidated cryptography is viewed by NIST as providing no protection to the information or data. In effect, the data would be considered unprotected plaintext. If the agency specifies that the inf...Rule High Severity -
SRG-APP-000645
Group -
The container platform must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithms for transmission.
The use of secure ports, protocols and services within the container platform must be controlled and conform to the PPSM CAL. Those ports, protocols, and services that fall outside the PPSM CAL mus...Rule High Severity -
SRG-APP-000318
Group -
The container platform must enforce organization-defined circumstances and/or usage conditions for organization-defined accounts.
Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours can indicate hostile activity if it occurs during off hours. Depending o...Rule Medium Severity -
SRG-APP-000705
Group -
The container platform must disable accounts when the accounts are no longer associated to a user.
Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality which reduce the attack surface of the system.Rule Medium Severity -
SRG-APP-000745
Group -
SRG-APP-000795
Group -
SRG-APP-000820
Group -
The container platform must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.
The purpose of requiring a device that is separate from the system to which the user is attempting to gain access for one of the factors during multifactor authentication is to reduce the likelihoo...Rule Medium Severity -
SRG-APP-000825
Group -
SRG-APP-000830
Group -
The container platform must for password-based authentication, maintain a list of commonly used, expected, or compromised passwords on an organization-defined frequency.
Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter pas...Rule Medium Severity -
SRG-APP-000835
Group -
SRG-APP-000840
Group -
SRG-APP-000845
Group -
SRG-APP-000855
Group -
SRG-APP-000860
Group -
SRG-APP-000865
Group -
SRG-APP-000880
Group -
The container platform must protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the system by logically separated communications paths.
Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Communications paths can be logically separated using enc...Rule Medium Severity -
SRG-APP-000910
Group -
SRG-APP-000915
Group -
The container platform must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store.
A Trusted Platform Module (TPM) is an example of a hardware-protected data store that can be used to protect cryptographic keys.Rule Medium Severity -
SRG-APP-000920
Group -
SRG-APP-000247
Group -
The container must have resource request limits set.
Setting a container resource request limit allows the container platform to determine the best location for the container to execute. The container platform looks at the resources available and fin...Rule Medium Severity -
SRG-APP-000380
Group -
The container root filesystem must be mounted as read-only.
Any changes to a container must be made by rebuilding the image and redeploying the new container image. Once a container is running, changes to the root filesystem should not be needed, thus prese...Rule Medium Severity -
The container platform must use TLS 1.2 or greater for secure container image transport from trusted sources.
The authenticity and integrity of the container image during the container image lifecycle is part of the overall security posture of the container platform. This begins with the container image cr...Rule Medium Severity -
The container platform must use a centralized user management solution to support account management functions.
Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. A comp...Rule Medium Severity -
The container platform must automatically disable accounts after a 35-day period of account inactivity.
Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. Owners of inactive accounts will not notice if unauthorized access to...Rule Medium Severity -
The container platform must automatically audit account removal actions.
When application accounts are removed, user accessibility is affected. Once an attacker establishes access to an application, the attacker often attempts to remove authorized accounts to disrupt se...Rule Medium Severity -
The container platform must enforce approved authorizations for controlling the flow of information between interconnected systems and services based on organization-defined information flow control policies.
Controlling information flow between the container platform components and container user services instantiated by the container platform must enforce organization-defined information flow policies...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.