Skip to content
Log In

I - Mission Critical Classified

Rules and Groups employed by this XCCDF Profile

  • SRG-APP-000141-CTR-000320

    Group
    Show

  • The "Create repository on push" option in MSR must be disabled.

    Allowing repositories to be created on a push can override essential settings and must not be allowed.
    Rule Medium Severity
    Show

  • SRG-APP-000142-CTR-000330

    Group
    Show

  • Containers must not map to privileged ports.

    Privileged ports are those ports below 1024 and that require system privileges for their use. If containers are able to use these ports, the container must be run as a privileged user. MKE must sto...
    Rule Medium Severity
    Show

  • SRG-APP-000148-CTR-000345

    Group
    Show

  • MKE must not permit users to create pods that share host process namespace.

    Controlling information flow between MKE components and container user services instantiated by MKE must enforce organization-defined information flow policies. Example methods for information flow...
    Rule Medium Severity
    Show

  • SRG-APP-000158-CTR-000390

    Group
    Show

  • IPSec network encryption must be configured.

    IPsec encrypts the data traffic between nodes in a Kubernetes cluster, ensuring that the information exchanged is confidential and protected from unauthorized access. This is particularly important...
    Rule Medium Severity
    Show

  • SRG-APP-000226-CTR-000575

    Group
    Show

  • MKE must preserve any information necessary to determine the cause of the disruption or failure.

    When a failure occurs within MKE, preserving the state of MKE and its components, along with other container services, helps to facilitate container platform restart and return to the operational m...
    Rule Medium Severity
    Show

  • SRG-APP-000233-CTR-000585

    Group
    Show

  • MKE must enable kernel protection.

    System kernel is responsible for memory, disk, and task management. The kernel provides a gateway between the system hardware and software. Kubernetes requires kernel access to allocate resources t...
    Rule Medium Severity
    Show

  • SRG-APP-000243-CTR-000595

    Group
    Show

  • All containers must be restricted from acquiring additional privileges.

    To limit the attack surface of MKE, it is important that the nonessential services are not installed and access to the host system uses the concept of least privilege. Restrict the container from ...
    Rule Medium Severity
    Show

  • SRG-APP-000243-CTR-000600

    Group
    Show

  • Host IPC namespace must not be shared.

    IPC (POSIX/SysV IPC) namespace provides separation of named shared memory segments, semaphores, and message queues. IPC namespace on the host must not be shared with the containers and remain isola...
    Rule Medium Severity
    Show

  • SRG-APP-000342-CTR-000775

    Group
    Show

  • All containers must be restricted to mounting the root filesystem as read only.

    The container's root filesystem must be treated as a "golden image" by using Docker run's --read-only option. This prevents any writes to the container's root filesystem at container runtime and en...
    Rule Medium Severity
    Show

  • SRG-APP-000342-CTR-000775

    Group
    Show

  • The default seccomp profile must not be disabled.

    Seccomp filtering provides a means for a process to specify a filter for incoming system calls. The default seccomp profile works on a whitelist basis and allows 311 system calls, blocking all othe...
    Rule Medium Severity
    Show

  • SRG-APP-000342-CTR-000775

    Group
    Show

  • Docker CLI commands must be run with an MKE client trust bundle and without unnecessary permissions.

    Running docker CLI commands remotely with a client trust bundle ensures that authentication and role permissions are checked for the command. Using --privileged option or --user option in docker e...
    Rule Medium Severity
    Show

  • SRG-APP-000342-CTR-000775

    Group
    Show

  • MKE users must not have permissions to create containers or pods that share the host user namespace.

    To limit the attack surface of MKE, it is important that the nonessential services are not installed and access to the host system uses the concept of least privilege. User namespaces ensure that ...
    Rule Medium Severity
    Show

  • SRG-APP-000342-CTR-000775

    Group
    Show

  • Use of privileged Linux containers must be limited to system containers.

    Using the --privileged flag gives all Linux Kernel Capabilities to the container, thus overwriting the --cap-add and --cap-drop flags. The --privileged flag gives all capabilities to the container,...
    Rule Medium Severity
    Show

  • SRG-APP-000383-CTR-000910

    Group
    Show

  • The network ports on all running containers must be limited to required ports.

    To validate that the services are using only the approved ports and protocols, the organization must perform a periodic scan/review of MKE and disable functions, ports, protocols, and services deem...
    Rule Medium Severity
    Show

  • SRG-APP-000386-CTR-000920

    Group
    Show

  • MKE must only run signed images.

    Controlling the sources where container images can be pulled from allows the organization to define what software can be run within MKE. Allowing any container image to be introduced and instantiat...
    Rule Medium Severity
    Show

  • SRG-APP-000414-CTR-001010

    Group
    Show

  • Vulnerability scanning must be enabled for all repositories in MSR.

    Enabling vulnerability scanning for all repositories in Mirantis Secure Registry (MSR) is a critical security practice that helps organizations identify and mitigate potential security risks associ...
    Rule Medium Severity
    Show

  • SRG-APP-000454-CTR-001110

    Group
    Show

  • Older Universal Control Plane (MKE) and Docker Trusted Registry (DTR) images must be removed from all cluster nodes upon upgrading.

    When upgrading either the UCP or DTR components of MKE, the newer images are pulled (or unpacked if offline) onto engine nodes in a cluster. Once the upgrade is complete, one must manually remove a...
    Rule Medium Severity
    Show

  • SRG-APP-000456-CTR-001130

    Group
    Show

  • MKE must contain the latest updates.

    MKE must stay up to date with the latest patches, service packs, and hot fixes. Not updating MKE will expose the organization to vulnerabilities.
    Rule Medium Severity
    Show

  • SRG-APP-000068-CTR-000120

    Group
    Show

  • MKE must display the Standard Mandatory DOD Notice and Consent Banner before granting access to platform components.

    MKE has countless components where different access levels are needed. To control access, the user must first log in to MKE and then be presented with a DOD-approved use notification banner before ...
    Rule Low Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules