Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000014-CTR-000035
Group -
SRG-APP-000014-CTR-000040
Group -
OpenShift must use TLS 1.2 or greater for secure communication.
The authenticity and integrity of the container platform and communication between nodes and components must be secure. If an insecure protocol is used during transmission of data, the data can be ...Rule Medium Severity -
SRG-APP-000023-CTR-000055
Group -
OpenShift must use a centralized user management solution to support account management functions.
OpenShift supports several different types of identity providers. To add users and grant access to OpenShift, an identity provider must be configured. Some of the identity provider types such as HT...Rule Medium Severity -
SRG-APP-000023-CTR-000055
Group -
The kubeadmin account must be disabled.
Using a centralized user management solution for account management functions enhances security, simplifies administration, improves user experience, facilitates compliance, and provides scalabilit...Rule Medium Severity -
SRG-APP-000026-CTR-000070
Group -
SRG-APP-000027-CTR-000075
Group -
OpenShift must automatically audit account modification.
Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an exis...Rule Medium Severity -
SRG-APP-000028-CTR-000080
Group -
SRG-APP-000029-CTR-000085
Group -
Open Shift must automatically audit account removal actions.
When application accounts are removed, user accessibility is affected. Once an attacker establishes access to an application, the attacker often attempts to remove authorized accounts to disrupt se...Rule Medium Severity -
SRG-APP-000033-CTR-000090
Group -
SRG-APP-000038-CTR-000105
Group -
OpenShift must enforce network policy on the namespace for controlling the flow of information within the container platform based on organization-defined information flow control policies.
OpenShift provides several layers of protection to control the flow of information between the container platform components and user services. Each user project is given a separate namespace and O...Rule Medium Severity -
SRG-APP-000039-CTR-000110
Group -
OpenShift must enforce approved authorizations for controlling the flow of information within the container platform based on organization-defined information flow control policies.
OpenShift provides several layers of protection to control the flow of information between the container platform components and user services. Each user project is given a separate namespace and O...Rule Medium Severity -
SRG-APP-000068-CTR-000120
Group -
SRG-APP-000089-CTR-000150
Group -
SRG-APP-000091-CTR-000160
Group -
OpenShift must generate audit records when successful/unsuccessful attempts to access privileges occur.
OpenShift and its components must generate audit records when successful/unsuccessful attempts to access or delete security objects, security levels, and privileges occur. All the components must ...Rule Medium Severity -
SRG-APP-000092-CTR-000165
Group -
Red Hat Enterprise Linux CoreOS (RHCOS) must initiate session audits at system startup.
Initiating session audits at system startup allows for comprehensive monitoring of user activities and system events from the moment the system is powered on. Audit logs capture information about l...Rule High Severity -
SRG-APP-000095-CTR-000170
Group -
All audit records must identify what type of event has occurred within OpenShift.
Within the container platform, audit data can be generated from any of the deployed container platform components. This audit data is important when there are issues such as security incidents that...Rule Medium Severity -
SRG-APP-000096-CTR-000175
Group -
OpenShift audit records must have a date and time association with all events.
Within the container platform, audit data can be generated from any of the deployed container platform components. This audit data is important when there are issues, such as security incidents, th...Rule Medium Severity -
SRG-APP-000099-CTR-000190
Group -
SRG-APP-000109-CTR-000215
Group -
SRG-APP-000111-CTR-000220
Group -
OpenShift components must provide the ability to send audit logs to a central enterprise repository for review and analysis.
Sending audit logs to a central enterprise repository allows for centralized log management. Instead of scattered logs across multiple OpenShift components, having a centralized repository simplifi...Rule Medium Severity -
SRG-APP-000116-CTR-000235
Group -
OpenShift must use internal system clocks to generate audit record time stamps.
Knowing when a sequence of events for an incident occurred is crucial to understand what may have taken place. Without a common clock, the components generating audit events could be out of synchro...Rule Medium Severity -
SRG-APP-000116-CTR-000235
Group -
SRG-APP-000118-CTR-000240
Group -
OpenShift must protect audit logs from any type of unauthorized access.
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In ...Rule Medium Severity -
SRG-APP-000118-CTR-000240
Group -
OpenShift must protect system journal file from any type of unauthorized access by setting file permissions.
It is a fundamental security practice to enforce the principle of least privilege, where only the necessary permissions are granted to authorized entities. OpenShift must protect the system journal...Rule Medium Severity -
SRG-APP-000118-CTR-000240
Group -
SRG-APP-000118-CTR-000240
Group -
SRG-APP-000118-CTR-000240
Group -
OpenShift must protect log directory from any type of unauthorized access by setting owner permissions.
OpenShift follows the principle of least privilege, which aims to restrict access to resources based on user roles and responsibilities. This separation of privileges helps mitigate the risk of una...Rule Medium Severity -
SRG-APP-000118-CTR-000240
Group -
OpenShift must protect pod log files from any type of unauthorized access by setting owner permissions.
Pod log files may contain sensitive information such as application data, user credentials, or system configurations. Unauthorized access to these log files can expose sensitive data to malicious a...Rule Medium Severity -
SRG-APP-000119-CTR-000245
Group -
OpenShift must protect audit information from unauthorized modification.
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. In ad...Rule Medium Severity -
SRG-APP-000121-CTR-000255
Group -
OpenShift must prevent unauthorized changes to logon UIDs.
Logon UIDs are used to uniquely identify and authenticate users within the system. By preventing unauthorized changes to logon UIDs, OpenShift ensures that user identities remain consistent and acc...Rule Medium Severity -
SRG-APP-000121-CTR-000255
Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.