Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • OpenShift RBAC access controls must be enforced.

    Controlling and limiting users' access to system services and resources is key to securing the platform and limiting the intentional or unintentional compromising of the system and its services. Ope...
    Rule High Severity
  • OpenShift must display the Standard Mandatory DOD Notice and Consent Banner before granting access to platform components.

    OpenShift has countless components where different access levels are needed. To control access, the user must first log into the component and then be presented with a DOD-approved use notification...
    Rule Low Severity
  • OpenShift must generate audit records for all DOD-defined auditable events within all components in the platform.

    The OpenShift Platform supports three audit levels: Default, WriteRequestBodies, and AllRequestBodies. The identities of the users are logged at all three audit levels. The WriteRequestB...
    Rule Medium Severity
  • All audit records must generate the event results within OpenShift.

    Within the container platform, audit data can be generated from any of the deployed container platform components. Since the audit data may be part of a larger audit system, it is important for the...
    Rule Medium Severity
  • OpenShift must take appropriate action upon an audit failure.

    It is critical that when the container platform is at risk of failing to process audit logs as required that it takes action to mitigate the failure. Audit processing failures include software/hard...
    Rule Medium Severity
  • The Red Hat Enterprise Linux CoreOS (RHCOS) chrony Daemon must use multiple NTP servers to generate audit record time stamps.

    Utilizing multiple NTP servers for the chrony daemon in RHCOS ensures accurate and reliable audit record timestamps. It improves time synchronization, mitigates time drift, provides redundancy, and...
    Rule Medium Severity
  • OpenShift must protect system journal file from any type of unauthorized access by setting owner permissions.

    OpenShift follows the principle of least privilege, which aims to restrict access to resources based on user roles and responsibilities. This separation of privileges helps mitigate the risk of una...
    Rule Medium Severity
  • OpenShift must protect log directory from any type of unauthorized access by setting file permissions.

    Log files contain sensitive information such as user credentials, system configurations, and potentially even security-related events. Unauthorized access to log files can expose this sensitive dat...
    Rule Medium Severity
  • OpenShift must protect audit tools from unauthorized access.

    Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on au...
    Rule Medium Severity
  • OpenShift must disable root and terminate network connections.

    Direct login as the "root" user must be disabled to prevent unrestricted access and control over the entire system. Terminating an idle session within a short time reduces the window of opportuni...
    Rule High Severity
