III - Administrative Sensitive
Rules and Groups employed by this XCCDF Profile
-
SRG-APP-000429
Group -
The container platform keystore must implement encryption to prevent unauthorized disclosure of information at rest within the container platform.
Container platform keystore is used for container deployments for persistent storage of all its REST API objects. These objects are sensitive in nature and should be encrypted at rest to avoid any ...Rule High Severity -
SRG-APP-000431
Group -
The container platform runtime must maintain separate execution domains for each container by assigning each container a separate address space.
Container namespace access is limited upon runtime execution. Each container is a distinct process so that communication between containers is performed in a manner controlled through security poli...Rule Medium Severity -
SRG-APP-000435
Group -
The container platform must protect against or limit the effects of all types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This require...Rule Medium Severity -
SRG-APP-000439
Group -
The application must protect the confidentiality and integrity of transmitted information.
Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered. This requiremen...Rule High Severity -
SRG-APP-000441
Group -
The container platform must maintain the confidentiality and integrity of information during preparation for transmission.
Information may be unintentionally or maliciously disclosed or modified during preparation for transmission within the container platform during aggregation, at protocol transformation points, and ...Rule Medium Severity -
SRG-APP-000442
Group -
The container platform must maintain the confidentiality and integrity of information during reception.
Information either can be unintentionally or maliciously disclosed or modified during reception for reception within the container platform during aggregation, at protocol transformation points, an...Rule Medium Severity -
SRG-APP-000447
Group -
The container platform must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.
Software or code parameters typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured...Rule Medium Severity -
SRG-APP-000450
Group -
The container platform must implement organization-defined security safeguards to protect system CPU and memory from resource depletion and unauthorized code execution.
The execution of images within the container platform runtime must implement organizational defined security safeguards to prevent distributed denial-of-service (DDOS) and other possible attacks ag...Rule Medium Severity -
SRG-APP-000454
Group -
The container platform must remove old components after updated versions have been installed.
Previous versions of container platform components that are not removed from the container platform after updates have been installed may be exploited by adversaries by causing older components to ...Rule Medium Severity -
SRG-APP-000454
Group -
The container platform registry must remove old container images after updating versions have been made available.
Obsolete and stale images need to be removed from the registry to ensure the container platform maintains a secure posture. While the storing of these images does not directly pose a threat, they d...Rule Medium Severity -
SRG-APP-000456
Group -
The container platform registry must contain the latest images with most recent updates and execute within the container platform runtime as authorized by IAVM, CTOs, DTMs, and STIGs.
Software supporting the container platform, images in the registry must stay up to date with the latest patches, service packs, and hot fixes. Not updating the container platform and container imag...Rule Medium Severity -
SRG-APP-000456
Group -
The container platform runtime must have updates installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
The container platform runtime must be carefully monitored for vulnerabilities, and when problems are detected, they must be remediated quickly. A vulnerable runtime exposes all containers it suppo...Rule Medium Severity -
SRG-APP-000472
Group -
The organization-defined role must verify correct operation of security functions in the container platform.
Without verification, security functions may not operate correctly and this failure may go unnoticed within the container platform. The container platform components must identity and ensure the se...Rule Medium Severity -
SRG-APP-000473
Group -
The container platform must perform verification of the correct operation of security functions: upon system startup and/or restart; upon command by a user with privileged access; and/or every 30 days. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
Without verification, security functions may not operate correctly and this failure may go unnoticed within the container platform. Security functions are responsible for enforcing the system secu...Rule Medium Severity -
SRG-APP-000474
Group -
The container platform must provide system notifications to the system administrator and operational staff when anomalies in the operation of the organization-defined security functions are discovered.
If anomalies are not acted upon, security functions may fail to secure the container within the container platform runtime. Security functions are responsible for enforcing the system security pol...Rule Medium Severity -
SRG-APP-000492
Group -
The container platform must generate audit records when successful/unsuccessful attempts to access security objects occur.
The container platform and its components must generate audit records when successful and unsuccessful access security objects occur. All the components must use the same standard so that the event...Rule Medium Severity -
SRG-APP-000493
Group -
The container platform must generate audit records when successful/unsuccessful attempts to access security levels occur.
Unauthorized users could access the security levels to exploit vulnerabilities within the container platform component. All the components must use the same standard so that the events can be tied ...Rule Medium Severity -
SRG-APP-000494
Group -
The container platform must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
SRG-APP-000495
Group -
The container platform must generate audit records when successful/unsuccessful attempts to modify privileges occur.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
SRG-APP-000496
Group -
The container platform must generate audit records when successful/unsuccessful attempts to modify security objects occur.
The container platform and its components must generate audit records when modifying security objects. All the components must use the same standard so that the events can be tied together to under...Rule Medium Severity -
SRG-APP-000497
Group -
The container platform must generate audit records when successful/unsuccessful attempts to modify security levels occur.
Unauthorized users could modify the security levels to exploit vulnerabilities within the container platform component. All the components must use the same standard so that the events can be tied ...Rule Medium Severity -
SRG-APP-000498
Group -
The container platform must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
SRG-APP-000499
Group -
The container platform must generate audit records when successful/unsuccessful attempts to delete privileges occur.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
SRG-APP-000500
Group -
The container platform must generate audit records when successful/unsuccessful attempts to delete security levels occur.
The container platform and its components must generate audit records when deleting security levels. All the components must use the same standard so that the events can be tied together to underst...Rule Medium Severity -
SRG-APP-000501
Group -
The container platform must generate audit records when successful/unsuccessful attempts to delete security objects occur.
Unauthorized users modify level the security levels to exploit vulnerabilities within the container platform component. All the components must use the same standard so that the events can be tied ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.