Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
OpenShift RBAC access controls must be enforced.
Controlling and limiting users access to system services and resources is key to securing the platform and limiting the intentional or unintentional compromising of the system and its services. Ope...Rule High Severity -
OpenShift must display the Standard Mandatory DOD Notice and Consent Banner before granting access to platform components.
OpenShift has countless components where different access levels are needed. To control access, the user must first log into the component and then be presented with a DOD-approved use notification...Rule Low Severity -
OpenShift must generate audit records for all DOD-defined auditable events within all components in the platform.
The OpenShift Platform supports three audit levels: Default, WriteRequestBodies, and AllRequestBodies. The identities of the users are logged for all three audit levels log level. The WriteRequestB...Rule Medium Severity -
All audit records must generate the event results within OpenShift.
Within the container platform, audit data can be generated from any of the deployed container platform components. Since the audit data may be part of a larger audit system, it is important for the...Rule Medium Severity -
OpenShift must take appropriate action upon an audit failure.
It is critical that when the container platform is at risk of failing to process audit logs as required that it takes action to mitigate the failure. Audit processing failures include software/hard...Rule Medium Severity -
The Red Hat Enterprise Linux CoreOS (RHCOS) chrony Daemon must use multiple NTP servers to generate audit record time stamps.
Utilizing multiple NTP servers for the chrony daemon in RHCOS ensures accurate and reliable audit record timestamps. It improves time synchronization, mitigates time drift, provides redundancy, and...Rule Medium Severity -
OpenShift must protect system journal file from any type of unauthorized access by setting owner permissions.
OpenShift follows the principle of least privilege, which aims to restrict access to resources based on user roles and responsibilities. This separation of privileges helps mitigate the risk of una...Rule Medium Severity -
OpenShift must protect log directory from any type of unauthorized access by setting file permissions.
Log files contain sensitive information such as user credentials, system configurations, and potentially even security-related events. Unauthorized access to log files can expose this sensitive dat...Rule Medium Severity -
OpenShift must protect audit tools from unauthorized access.
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on au...Rule Medium Severity -
OpenShift must disable root and terminate network connections.
Direct login as the "root" user must be disabled to prevent unrestricted access and control over the entire system. Terminating an idle session within a short time reduces the window of opportuni...Rule High Severity -
OpenShift must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.
A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be ...Rule Medium Severity -
OpenShift must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity.
In OpenShift, the "session token inactivity timeout" on OAuth clients is set to ensure security and protect against potential unauthorized access to user sessions. OAuth is an open standard for sec...Rule Medium Severity -
OpenShift must prevent kernel profiling.
Kernel profiling involves monitoring and analyzing the behavior of the kernel, including its internal operations and system calls. This level of access and visibility into the kernel can potentiall...Rule Medium Severity -
OpenShift must restrict individuals the ability to launch organizational-defined Denial-of-Service (DOS) attacks against other information systems by rate-limiting.
By setting rate limits, OpenShift can control the number of requests or connections allowed from a single source within a specific period. This prevents an excessive influx of requests that can ove...Rule Medium Severity -
Container images instantiated by OpenShift must execute using least privileges.
Container images running on OpenShift must support running as any arbitrary UID. OpenShift will then assign a random, nonprivileged UID to the running container instance. This avoids the risk from ...Rule High Severity -
OpenShift must configure Alert Manger Receivers to notify SA and ISSO of all audit failure events requiring real-time alerts.
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impe...Rule Medium Severity -
OpenShift must set server token max age no greater than eight hours.
The setting for OAuth server token max age is used to control the maximum duration for which an issued OAuth access token remains valid. Access tokens serve as a form of authentication and authoriz...Rule Medium Severity -
OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by employing organization-defined security safeguards by including a default resource quota.
DNS attacks that are internal to the container platform (exploited or otherwise malicious applications) can have a limited blast radius by adhering to least privilege RBAC and Network access: https...Rule Medium Severity -
OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by defining resource quotas on a namespace.
OpenShift allows administrators to define resource quotas on a namespace basis. This allows tailoring of the shared resources based on a project needs. However, when a new project is created, unles...Rule Medium Severity -
Red Hat Enterprise Linux CoreOS (RHCOS) must implement nonexecutable data to protect its memory from unauthorized code execution.
The NX bit is a hardware feature that prevents the execution of code from data memory regions. By enabling NX bit execute protection, OpenShift ensures that malicious code or exploits cannot execut...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.