Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000435-CTR-001070
Group -
SRG-APP-000435-CTR-001070
Group -
SRG-APP-000439-CTR-001080
Group -
OpenShift must protect the confidentiality and integrity of transmitted information.
OpenShift provides for two types of application level ingress types, Routes, and Ingresses. Routes have been a part of OpenShift since version 3. Ingresses were promoted out of beta in Aug 2020 (ku...Rule Medium Severity -
SRG-APP-000450-CTR-001105
Group -
SRG-APP-000450-CTR-001105
Group -
Red Hat Enterprise Linux CoreOS (RHCOS) must implement ASLR (Address Space Layout Randomization) from unauthorized code execution.
ASLR is a security technique that randomizes the memory layout of processes, making it more difficult for attackers to predict the location of system components and exploit memory-based vulnerabili...Rule Medium Severity -
SRG-APP-000454-CTR-001110
Group -
OpenShift must remove old components after updated versions have been installed.
Previous versions of OpenShift components that are not removed from the container platform after updates have been installed may be exploited by adversaries by causing older components to execute w...Rule Medium Severity -
SRG-APP-000456-CTR-001125
Group -
SRG-APP-000456-CTR-001130
Group -
OpenShift runtime must have updates installed within the period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
OpenShift runtime must be carefully monitored for vulnerabilities, and when problems are detected, they must be remediated quickly. A vulnerable runtime exposes all containers it supports, as well ...Rule Medium Severity -
SRG-APP-000472-CTR-001170
Group -
SRG-APP-000473-CTR-001175
Group -
OpenShift must perform verification of the correct operation of security functions: upon startup and/or restart; upon command by a user with privileged access; and/or every 30 days.
Security functionality includes, but is not limited to, establishing system accounts, configuring access authorization (i.e., permissions, privileges), setting events to be audited, and setting int...Rule Medium Severity -
SRG-APP-000495-CTR-001235
Group -
SRG-APP-000496-CTR-001240
Group -
OpenShift must generate audit records when successful/unsuccessful attempts to modify security objects occur.
OpenShift and its components must generate audit records when modifying security objects. All the components must use the same standard so that the events can be tied together to understand what to...Rule Medium Severity -
SRG-APP-000499-CTR-001255
Group -
OpenShift must generate audit records when successful/unsuccessful attempts to delete privileges occur.
Audit records for unsuccessful attempts to delete privileges help in identifying unauthorized activities or potential attacks. If an unauthorized entity attempts to remove privileges, the audit rec...Rule Medium Severity -
SRG-APP-000501-CTR-001265
Group -
OpenShift must generate audit records when successful/unsuccessful attempts to delete security objects occur.
By generating audit records for security object deletions, OpenShift enables administrators and security teams to track and investigate any unauthorized or suspicious removal of security objects. T...Rule Medium Severity -
SRG-APP-000503-CTR-001275
Group -
SRG-APP-000504-CTR-001280
Group -
Red Hat Enterprise Linux CoreOS (RHCOS) must be configured to audit the loading and unloading of dynamic kernel modules.
By generating audit logs for the loading and unloading of dynamic kernel modules, OpenShift enables administrators and security teams to track and investigate any unauthorized or suspicious changes...Rule Medium Severity -
SRG-APP-000505-CTR-001285
Group -
OpenShift audit records must record user access start and end times.
OpenShift must generate audit records showing start and end times for users and services acting on behalf of a user accessing the registry and keystore. These components must use the same standard ...Rule Medium Severity -
SRG-APP-000506-CTR-001290
Group -
OpenShift must generate audit records when concurrent logons from different workstations and systems occur.
OpenShift and its components must generate audit records for concurrent logons from workstations perform remote maintenance, runtime instances, connectivity to the container registry, and keystore....Rule Medium Severity -
SRG-APP-000141-CTR-000315
Group -
SRG-APP-000141-CTR-000315
Group -
Red Hat Enterprise Linux CoreOS (RHCOS) must disable USB Storage kernel module.
Disabling the USB Storage kernel module helps protect against potential data exfiltration or unauthorized access to sensitive data. USB storage devices can be used to transfer data in and out of th...Rule Medium Severity -
SRG-APP-000141-CTR-000315
Group -
Red Hat Enterprise Linux CoreOS (RHCOS) must use USBGuard for hosts that include a USB Controller.
USBGuard adds an extra layer of security to the overall OpenShift infrastructure. It provides an additional control mechanism to prevent potential security threats originating from USB devices. By ...Rule Medium Severity -
SRG-APP-000516-CTR-001335
Group -
OpenShift must continuously scan components, containers, and images for vulnerabilities.
Finding vulnerabilities quickly within the container platform and within containers deployed within the platform is important to keep the overall platform secure. When a vulnerability within a comp...Rule Medium Severity -
SRG-APP-000610-CTR-001385
Group -
OpenShift must use TLS 1.2 or greater for secure container image transport from trusted sources.
The authenticity and integrity of the container image during the container image lifecycle is part of the overall security posture of the container platform. This begins with the container image cr...Rule Medium Severity -
OpenShift must automatically audit account creation.
Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create a new a...Rule Medium Severity -
OpenShift must generate audit rules to capture account related actions.
Account management actions, such as creation, modification, disabling, removal, and enabling are important changes within the system. When management actions are modified, user accessibility is af...Rule Medium Severity -
OpenShift RBAC access controls must be enforced.
Controlling and limiting users access to system services and resources is key to securing the platform and limiting the intentional or unintentional compromising of the system and its services. Ope...Rule High Severity -
OpenShift must display the Standard Mandatory DOD Notice and Consent Banner before granting access to platform components.
OpenShift has countless components where different access levels are needed. To control access, the user must first log into the component and then be presented with a DOD-approved use notification...Rule Low Severity -
OpenShift must generate audit records for all DOD-defined auditable events within all components in the platform.
The OpenShift Platform supports three audit levels: Default, WriteRequestBodies, and AllRequestBodies. The identities of the users are logged for all three audit levels log level. The WriteRequestB...Rule Medium Severity -
All audit records must generate the event results within OpenShift.
Within the container platform, audit data can be generated from any of the deployed container platform components. Since the audit data may be part of a larger audit system, it is important for the...Rule Medium Severity -
OpenShift must take appropriate action upon an audit failure.
It is critical that when the container platform is at risk of failing to process audit logs as required that it takes action to mitigate the failure. Audit processing failures include software/hard...Rule Medium Severity -
The Red Hat Enterprise Linux CoreOS (RHCOS) chrony Daemon must use multiple NTP servers to generate audit record time stamps.
Utilizing multiple NTP servers for the chrony daemon in RHCOS ensures accurate and reliable audit record timestamps. It improves time synchronization, mitigates time drift, provides redundancy, and...Rule Medium Severity -
OpenShift must protect system journal file from any type of unauthorized access by setting owner permissions.
OpenShift follows the principle of least privilege, which aims to restrict access to resources based on user roles and responsibilities. This separation of privileges helps mitigate the risk of una...Rule Medium Severity -
OpenShift must protect log directory from any type of unauthorized access by setting file permissions.
Log files contain sensitive information such as user credentials, system configurations, and potentially even security-related events. Unauthorized access to log files can expose this sensitive dat...Rule Medium Severity -
OpenShift must protect audit tools from unauthorized access.
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on au...Rule Medium Severity -
OpenShift must disable root and terminate network connections.
Direct login as the "root" user must be disabled to prevent unrestricted access and control over the entire system. Terminating an idle session within a short time reduces the window of opportuni...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.