Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
Rule: OpenShift must use multifactor authentication for network access to accounts.
Severity: Medium
Description: Without the use of multifactor authentication, the ease of access to privileged and nonprivileged functions is greatly increased. Multifactor authentication requires using two or more factors to a...

Group: SRG-APP-000156-CTR-000380

Group: SRG-APP-000172-CTR-000440
Rule: OpenShift must use FIPS validated LDAP or OpenIDConnect.
Severity: High
Description: Passwords need to be protected on entry, in transmission, during authentication, and when stored. If compromised at any of these security points, a nefarious user can use the password along with st...

Group: SRG-APP-000211-CTR-000530
Rule: OpenShift must separate user functionality (including user interface services) from information system management functionality.
Severity: Medium
Description: Red Hat Enterprise Linux CoreOS (RHCOS) is a single-purpose container operating system. RHCOS is only supported as a component of the OpenShift Container Platform. Remote management of the RHCOS no...

Group: SRG-APP-000219-CTR-000550
Rule: OpenShift must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 validated cryptography.
Severity: High
Description: FIPS compliance is one of the most critical components required in highly secure environments, to ensure that only supported cryptographic technologies are allowed on nodes. Because FIPS must be e...

Group: SRG-APP-000233-CTR-000585
Rule: OpenShift runtime must isolate security functions from nonsecurity functions.
Severity: Medium
Description: An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. Security functions are the hardware, software, and/...

Group: SRG-APP-000243-CTR-000600
Rule: OpenShift must prevent unauthorized and unintended information transfer via shared system resources and enable page poisoning.
Severity: Medium
Description: Enabling page poisoning in OpenShift improves memory safety, mitigates memory corruption vulnerabilities, aids in fault isolation, and assists with debugging. It enhances the overall security and stabi...

Group: SRG-APP-000243-CTR-000600
Rule: OpenShift must disable virtual syscalls.
Severity: Medium
Description: Virtual syscalls are a mechanism that allows user-space programs to make privileged system calls without transitioning to kernel mode. However, this feature can introduce additional security risks....

Group: SRG-APP-000243-CTR-000600
Rule: OpenShift must enable poisoning of SLUB/SLAB objects.
Severity: Medium
Description: By enabling poisoning of SLUB/SLAB objects, OpenShift can detect and identify use-after-free scenarios more effectively. The poisoned objects are marked as invalid or inaccessible, causing crashes ...

Group: SRG-APP-000243-CTR-000600
Rule: OpenShift must set the sticky bit for world-writable directories.
Severity: Medium
Description: Removing world-writable permissions or setting the sticky bit helps enforce access control on directories within the OpenShift platform. World-writable permissions allow any user to modify or delet...

Group: SRG-APP-000243-CTR-000600