II - Mission Support Classified
Rules and Groups employed by this XCCDF Profile
-
SRG-APP-000190-CTR-000500
<GroupDescription></GroupDescription>Group -
The Lifetime Minutes and Renewal Threshold Minutes Login Session Controls on MKE must be set.
<VulnDiscussion>The "Lifetime Minutes" and "Renewal Threshold Minutes" login session controls in MKE are part of security features that help ...Rule Medium Severity -
SRG-APP-000133-CTR-000290
<GroupDescription></GroupDescription>Group -
In an MSR organization, user permissions and repositories must be configured.
<VulnDiscussion>Configuring user permissions, organizations, and repositories in MSR is crucial for maintaining a secure, organized, and effi...Rule Medium Severity -
SRG-APP-000141-CTR-000315
<GroupDescription></GroupDescription>Group -
User-managed resources must be created in dedicated namespaces.
<VulnDiscussion>Dedicated namespaces act as security boundaries, limiting the blast radius in case of security incidents or misconfigurations...Rule Medium Severity -
SRG-APP-000033-CTR-000095
<GroupDescription></GroupDescription>Group -
Least privilege access and need to know must be required to access MKE runtime and instantiate container images.
<VulnDiscussion>To control what is instantiated within MKE, it is important to control access to the runtime. Without this control, container...Rule High Severity -
SRG-APP-000142-CTR-000325
<GroupDescription></GroupDescription>Group -
Only required ports must be open on containers in MKE.
<VulnDiscussion>Ports, protocols, and services within MKE runtime must be controlled and conform to the PPSM CAL. Those ports, protocols, and...Rule High Severity -
SRG-APP-000172-CTR-000440
<GroupDescription></GroupDescription>Group -
FIPS mode must be enabled.
<VulnDiscussion>During any user authentication, MKE must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password ...Rule High Severity -
SRG-APP-000023-CTR-000055
<GroupDescription></GroupDescription>Group -
MKE must be configured to integrate with an Enterprise Identity Provider.
<VulnDiscussion>Configuring MKE to integrate with an Enterprise Identity Provider enhances security, simplifies user management, ensures comp...Rule Medium Severity -
SRG-APP-000033-CTR-000095
<GroupDescription></GroupDescription>Group -
SSH must not run within Linux containers.
<VulnDiscussion>To limit the attack surface of MKE, it is important that the nonessential services are not installed. Containers are designed...Rule Medium Severity -
SRG-APP-000033-CTR-000100
<GroupDescription></GroupDescription>Group -
Swarm Secrets or Kubernetes Secrets must be used.
<VulnDiscussion>Swarm Secrets in Docker Swarm and Kubernetes Secrets both provide mechanisms for encrypting sensitive data at rest. This adds...Rule Medium Severity -
SRG-APP-000038-CTR-000105
<GroupDescription></GroupDescription>Group -
MKE must have Grants created to control authorization to cluster resources.
<VulnDiscussion>MKE uses Role-Based Access Controls (RBAC) to enforce approved authorizations for logical access to information and system re...Rule Medium Severity -
SRG-APP-000039-CTR-000110
<GroupDescription></GroupDescription>Group -
MKE host network namespace must not be shared.
<VulnDiscussion>MKE can be built with privileges that are not approved within the organization. To limit the attack surface of MKE, it is ess...Rule Medium Severity -
SRG-APP-000092-CTR-000165
<GroupDescription></GroupDescription>Group -
Audit logging must be enabled on MKE.
<VulnDiscussion>Enabling audit logging on MKE enhances security, supports compliance efforts, provides user accountability, and offers valuab...Rule Medium Severity -
SRG-APP-000109-CTR-000215
<GroupDescription></GroupDescription>Group -
MKE must be configured to send audit data to a centralized log server.
<VulnDiscussion>Sending audit data from MKE to a centralized log server enhances centralized monitoring, facilitates efficient incident respo...Rule Medium Severity -
SRG-APP-000141-CTR-000315
<GroupDescription></GroupDescription>Group -
MSR's self-signed certificates must be replaced with DOD trusted, signed certificates.
<VulnDiscussion>Self-signed certificates pose security risks, as they are not issued by a trusted third party. DOD trusted, signed certificat...Rule Medium Severity -
SRG-APP-000141-CTR-000315
<GroupDescription></GroupDescription>Group -
Allowing users and administrators to schedule containers on all nodes must be disabled.
<VulnDiscussion>MKE and MSR are set to disallow administrators and users to schedule containers. This setting must be checked for allowing ad...Rule Medium Severity -
SRG-APP-000141-CTR-000315
<GroupDescription></GroupDescription>Group -
MKE telemetry must be disabled.
<VulnDiscussion>MKE provides a telemetry service that automatically records and transmits data to Mirantis through an encrypted channel for m...Rule Medium Severity -
SRG-APP-000141-CTR-000315
<GroupDescription></GroupDescription>Group -
MSR telemetry must be disabled.
<VulnDiscussion>MSR provides a telemetry service that automatically records and transmits data to Mirantis through an encrypted channel for m...Rule Medium Severity -
SRG-APP-000141-CTR-000315
<GroupDescription></GroupDescription>Group -
For MKE's deployed on an Ubuntu host operating system, the AppArmor profile must be enabled.
<VulnDiscussion>AppArmor protects the Ubuntu OS and applications from various threats by enforcing security policy which is also known as App...Rule Medium Severity -
SRG-APP-000141-CTR-000315
<GroupDescription></GroupDescription>Group -
If MKE is deployed on a Red Hat or CentOS system, SELinux security must be enabled.
<VulnDiscussion>SELinux provides a Mandatory Access Control (MAC) system on RHEL and CentOS that greatly augments the default Discretionary A...Rule Medium Severity -
SRG-APP-000141-CTR-000315
<GroupDescription></GroupDescription>Group -
The Docker socket must not be mounted inside any containers.
<VulnDiscussion>The Docker socket docker.sock must not be mounted inside a container, with the exception case being during the installation o...Rule Medium Severity -
SRG-APP-000141-CTR-000315
<GroupDescription></GroupDescription>Group -
Linux Kernel capabilities must be restricted within containers.
<VulnDiscussion>By default, MKE starts containers with a restricted set of Linux Kernel Capabilities. Any process may be granted the required...Rule Medium Severity -
SRG-APP-000141-CTR-000315
<GroupDescription></GroupDescription>Group -
Incoming container traffic must be bound to a specific host interface.
<VulnDiscussion>Privileged ports are those ports below 1024 and that require system privileges for their use. If containers are able to use t...Rule Medium Severity -
SRG-APP-000141-CTR-000315
<GroupDescription></GroupDescription>Group -
CPU priority must be set appropriately on all containers.
<VulnDiscussion>All containers on a Docker host share the resources equally. By using the resource management capabilities of Docker host, su...Rule Medium Severity -
SRG-APP-000141-CTR-000315
<GroupDescription></GroupDescription>Group -
MKE must use a non-AUFS storage driver.
<VulnDiscussion>The aufs storage driver is an old driver based on a Linux kernel patch-set that is unlikely to be merged into the main Linux ...Rule Medium Severity -
SRG-APP-000141-CTR-000320
<GroupDescription></GroupDescription>Group -
MKE's self-signed certificates must be replaced with DOD trusted, signed certificates.
<VulnDiscussion>Self-signed certificates pose security risks, as they are not issued by a trusted third party. DOD trusted, signed certificat...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.