Container Platform Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The container platform must enforce approved authorizations for controlling the flow of information within the container platform based on organization-defined information flow control policies.
<VulnDiscussion>Controlling information flow between the container platform components and container user services instantiated by the contai...Rule Medium Severity -
SRG-APP-000039
<GroupDescription></GroupDescription>Group -
The container platform must enforce approved authorizations for controlling the flow of information between interconnected systems and services based on organization-defined information flow control policies.
<VulnDiscussion>Controlling information flow between the container platform components and container user services instantiated by the contai...Rule Medium Severity -
SRG-APP-000065
<GroupDescription></GroupDescription>Group -
The container platform must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
<VulnDiscussion>By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise...Rule Medium Severity -
SRG-APP-000068
<GroupDescription></GroupDescription>Group -
The container platform must display the Standard Mandatory DoD Notice and Consent Banner before granting access to platform components.
<VulnDiscussion>The container platform has countless components where different access levels are needed. To control access, the user must fi...Rule Low Severity -
SRG-APP-000069
<GroupDescription></GroupDescription>Group -
The container platform must prohibit the installation of patches and updates without explicit privileged status.
<VulnDiscussion>Controlling access to those users and roles responsible for patching and updating the container platform reduces the risk of ...Rule Medium Severity -
SRG-APP-000378
<GroupDescription></GroupDescription>Group -
The container platform must maintain the confidentiality and integrity of information during reception.
<VulnDiscussion>Information either can be unintentionally or maliciously disclosed or modified during reception for reception within the cont...Rule Medium Severity -
SRG-APP-000447
<GroupDescription></GroupDescription>Group -
SRG-APP-000101
<GroupDescription></GroupDescription>Group -
The container platform must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.
<VulnDiscussion>During an investigation of an incident, it is important to fully understand what took place. Often, information is not part o...Rule Medium Severity -
SRG-APP-000109
<GroupDescription></GroupDescription>Group -
The container platform must restrict individuals' ability to launch organizationally defined denial-of-service (DoS) attacks against other information systems.
<VulnDiscussion>The container platform will offer services to users and these services share resources available on the hosting system. To sh...Rule Medium Severity -
SRG-APP-000266
<GroupDescription></GroupDescription>Group -
The container platform must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
<VulnDiscussion>The container platform is responsible for offering services to users. These services could be across diverse user groups and ...Rule Medium Severity -
SRG-APP-000290
<GroupDescription></GroupDescription>Group -
The container platform must protect audit tools from unauthorized deletion.
<VulnDiscussion>Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, pro...Rule Medium Severity -
SRG-APP-000126
<GroupDescription></GroupDescription>Group -
The container platform audit records must record user access start and end times.
<VulnDiscussion>The container platform must generate audit records showing start and end times for users and services acting on behalf of a u...Rule Medium Severity -
SRG-APP-000506
<GroupDescription></GroupDescription>Group -
The container platform must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage and conditions and take explicit actions to log on for further access.
<VulnDiscussion>The banner must be acknowledged by the user prior to allowing the user access to any container platform component. This provi...Rule Low Severity -
SRG-APP-000089
<GroupDescription></GroupDescription>Group -
The container platform must generate audit records for all DoD-defined auditable events within all components in the platform.
<VulnDiscussion>Within the container platform, audit data can be generated from any of the deployed container platform components. This audit...Rule Medium Severity -
SRG-APP-000090
<GroupDescription></GroupDescription>Group -
All audit records must identify the source of the event within the container platform.
<VulnDiscussion>Audit data is important when there are issues, to include security incidents that must be investigated. Since the audit data ...Rule Medium Severity -
SRG-APP-000099
<GroupDescription></GroupDescription>Group -
All audit records must generate the event results within the container platform.
<VulnDiscussion>Within the container platform, audit data can be generated from any of the deployed container platform components. This audit...Rule Medium Severity -
SRG-APP-000100
<GroupDescription></GroupDescription>Group -
All audit records must identify any users associated with the event within the container platform.
<VulnDiscussion>Without information that establishes the identity of the user associated with the events, security personnel cannot determine...Rule Medium Severity -
The container platform must use TLS 1.2 or greater for secure communication.
<VulnDiscussion>The authenticity and integrity of the container platform and communication between nodes and components must be secure. If an...Rule Medium Severity -
SRG-APP-000023
<GroupDescription></GroupDescription>Group -
Least privilege access and need to know must be required to access the container platform keystore.
<VulnDiscussion>The container platform keystore is used to store access keys and tokens for trusted access to and from the container platform...Rule Medium Severity -
SRG-APP-000038
<GroupDescription></GroupDescription>Group -
SRG-APP-000100
<GroupDescription></GroupDescription>Group -
All audit records must identify any containers associated with the event within the container platform.
<VulnDiscussion>Without information that establishes the identity of the containers offering user services or running on behalf of a user wit...Rule Medium Severity -
The container platform must generate audit records when concurrent logons from different workstations and systems occur.
<VulnDiscussion>The container platform and its components must generate audit records for concurrent logons from workstations perform remote ...Rule Medium Severity -
SRG-APP-000507
<GroupDescription></GroupDescription>Group -
The container platform runtime must enforce the use of ports that are non-privileged.
<VulnDiscussion>Privileged ports are those ports below 1024 and that require system privileges for their use. If containers are able to use t...Rule Medium Severity -
SRG-APP-000148
<GroupDescription></GroupDescription>Group -
The container platform must uniquely identify and authenticate users.
<VulnDiscussion>The container platform requires user accounts to perform container platform tasks. These tasks may pertain to the overall con...Rule Medium Severity -
SRG-APP-000148
<GroupDescription></GroupDescription>Group -
The container platform application program interface (API) must uniquely identify and authenticate users.
<VulnDiscussion>The container platform requires user accounts to perform container platform tasks. These tasks are often performed through th...Rule Medium Severity -
SRG-APP-000148
<GroupDescription></GroupDescription>Group -
The container platform must uniquely identify and authenticate processes acting on behalf of the users.
<VulnDiscussion>The container platform will instantiate a container image and use the user privileges given to the user used to execute the c...Rule Medium Severity -
SRG-APP-000148
<GroupDescription></GroupDescription>Group -
The container platform must limit privileges to the container platform keystore.
<VulnDiscussion>The container platform keystore is used to store credentials used to build a trust between the container platform and some ex...Rule Medium Severity -
SRG-APP-000133
<GroupDescription></GroupDescription>Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.