Container Platform Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000111
<GroupDescription></GroupDescription>Group -
The container platform components must provide the ability to send audit logs to a central enterprise repository for review and analysis.
<VulnDiscussion>The container platform components must send audit events to a central managed audit log repository to provide reporting, anal...Rule Medium Severity -
SRG-APP-000116
<GroupDescription></GroupDescription>Group -
The container platform must use internal system clocks to generate audit record time stamps.
<VulnDiscussion>Understanding when and sequence of events for an incident is crucial to understand what may have taken place. Without a commo...Rule Medium Severity -
SRG-APP-000118
<GroupDescription></GroupDescription>Group -
The container platform must protect audit information from any type of unauthorized read access.
<VulnDiscussion>If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially ma...Rule Medium Severity -
SRG-APP-000119
<GroupDescription></GroupDescription>Group -
The container platform must protect audit information from unauthorized modification.
<VulnDiscussion>If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious sy...Rule Medium Severity -
SRG-APP-000120
<GroupDescription></GroupDescription>Group -
The container platform must protect audit information from unauthorized deletion.
<VulnDiscussion>If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious sy...Rule Medium Severity -
SRG-APP-000121
<GroupDescription></GroupDescription>Group -
The container platform must protect audit tools from unauthorized access.
<VulnDiscussion>Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, pro...Rule Medium Severity -
SRG-APP-000122
<GroupDescription></GroupDescription>Group -
The container platform must protect audit tools from unauthorized modification.
<VulnDiscussion>Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, pro...Rule Medium Severity -
SRG-APP-000123
<GroupDescription></GroupDescription>Group -
The container platform must use FIPS validated cryptographic mechanisms to protect the integrity of log information.
<VulnDiscussion>To fully investigate an incident and to have trust in the audit data that is generated, it is important to put in place data ...Rule Medium Severity -
SRG-APP-000131
<GroupDescription></GroupDescription>Group -
The container platform must be built from verified packages.
<VulnDiscussion>It is important to patch and upgrade the container platform when patches and upgrades are available. More important is to get...Rule Medium Severity -
SRG-APP-000131
<GroupDescription></GroupDescription>Group -
The container platform must verify container images.
<VulnDiscussion>The container platform must be capable of validating container images are signed and that the digital signature is from a rec...Rule Medium Severity -
SRG-APP-000133
<GroupDescription></GroupDescription>Group -
The container platform must limit privileges to the container platform registry.
<VulnDiscussion>To control what is instantiated within the container platform, it is important to control access to the registry. Without thi...Rule Medium Severity -
SRG-APP-000133
<GroupDescription></GroupDescription>Group -
The container platform must limit privileges to the container platform runtime.
<VulnDiscussion>To control what is instantiated within the container platform, it is important to control access to the runtime. Without this...Rule Medium Severity -
SRG-APP-000133
<GroupDescription></GroupDescription>Group -
The container platform application program interface (API) must uniquely identify and authenticate processes acting on behalf of the users.
<VulnDiscussion>The container platform API can be used to perform any task within the platform. Often, the API is used to create tasks that p...Rule Medium Severity -
SRG-APP-000149
<GroupDescription></GroupDescription>Group -
The container platform must use multifactor authentication for network access to privileged accounts.
<VulnDiscussion>Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor ...Rule Medium Severity -
SRG-APP-000150
<GroupDescription></GroupDescription>Group -
The container platform must use multifactor authentication for network access to non-privileged accounts.
<VulnDiscussion>To ensure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to ...Rule Medium Severity -
SRG-APP-000151
<GroupDescription></GroupDescription>Group -
The container platform must use multifactor authentication for local access to privileged accounts.
<VulnDiscussion>To ensure accountability and prevent unauthenticated access, privileged users must utilize multifactor authentication to prev...Rule Medium Severity -
SRG-APP-000152
<GroupDescription></GroupDescription>Group -
The container platform must use multifactor authentication for local access to nonprivileged accounts.
<VulnDiscussion>To ensure accountability, prevent unauthenticated access, and prevent misuse of the system, nonprivileged users must utilize ...Rule Medium Severity -
SRG-APP-000153
<GroupDescription></GroupDescription>Group -
The container platform must ensure users are authenticated with an individual authenticator prior to using a group authenticator.
<VulnDiscussion>To ensure individual accountability and prevent unauthorized access, application users must be individually identified and au...Rule Medium Severity -
SRG-APP-000156
<GroupDescription></GroupDescription>Group -
The container platform must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.
<VulnDiscussion>A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authen...Rule Medium Severity -
SRG-APP-000157
<GroupDescription></GroupDescription>Group -
The container platform must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.
<VulnDiscussion>A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authen...Rule Medium Severity -
SRG-APP-000158
<GroupDescription></GroupDescription>Group -
The container platform must enforce password complexity by requiring that at least one special character be used.
<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, ...Rule Medium Severity -
SRG-APP-000170
<GroupDescription></GroupDescription>Group -
The container platform must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
<VulnDiscussion>Inactive identifiers pose a risk to systems and applications. Attackers that are able to exploit an inactive identifier can p...Rule Medium Severity -
SRG-APP-000164
<GroupDescription></GroupDescription>Group -
The container platform must enforce a minimum 15-character password length.
<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is comprom...Rule Medium Severity -
SRG-APP-000166
<GroupDescription></GroupDescription>Group -
The container platform must enforce password complexity by requiring that at least one uppercase character be used.
<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, ...Rule Medium Severity -
SRG-APP-000167
<GroupDescription></GroupDescription>Group -
The container platform must enforce password complexity by requiring that at least one lowercase character be used.
<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.