Skip to content
Log In

III - Administrative Classified

Rules and Groups employed by this XCCDF Profile

  • SRG-APP-000014-CTR-000035

    Group
    Show

  • OpenShift must use TLS 1.2 or greater for secure container image transport from trusted sources.

    The authenticity and integrity of the container image during the container image lifecycle is part of the overall security posture of the container platform. This begins with the container image cr...
    Rule Medium Severity
    Show

  • SRG-APP-000014-CTR-000040

    Group
    Show

  • OpenShift must use TLS 1.2 or greater for secure communication.

    The authenticity and integrity of the container platform and communication between nodes and components must be secure. If an insecure protocol is used during transmission of data, the data can be ...
    Rule Medium Severity
    Show

  • SRG-APP-000023-CTR-000055

    Group
    Show

  • OpenShift must use a centralized user management solution to support account management functions.

    OpenShift supports several different types of identity providers. To add users and grant access to OpenShift, an identity provider must be configured. Some of the identity provider types such as HT...
    Rule Medium Severity
    Show

  • SRG-APP-000023-CTR-000055

    Group
    Show

  • The kubeadmin account must be disabled.

    Using a centralized user management solution for account management functions enhances security, simplifies administration, improves user experience, facilitates compliance, and provides scalabilit...
    Rule Medium Severity
    Show

  • SRG-APP-000026-CTR-000070

    Group
    Show

  • OpenShift must automatically audit account creation.

    Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create a new a...
    Rule Medium Severity
    Show

  • SRG-APP-000027-CTR-000075

    Group
    Show

  • OpenShift must automatically audit account modification.

    Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an exis...
    Rule Medium Severity
    Show

  • SRG-APP-000028-CTR-000080

    Group
    Show

  • OpenShift must generate audit rules to capture account related actions.

    Account management actions, such as creation, modification, disabling, removal, and enabling are important changes within the system. When management actions are modified, user accessibility is af...
    Rule Medium Severity
    Show

  • SRG-APP-000029-CTR-000085

    Group
    Show

  • Open Shift must automatically audit account removal actions.

    When application accounts are removed, user accessibility is affected. Once an attacker establishes access to an application, the attacker often attempts to remove authorized accounts to disrupt se...
    Rule Medium Severity
    Show

  • SRG-APP-000033-CTR-000090

    Group
    Show

  • OpenShift RBAC access controls must be enforced.

    Controlling and limiting users access to system services and resources is key to securing the platform and limiting the intentional or unintentional compromising of the system and its services. Ope...
    Rule High Severity
    Show

  • SRG-APP-000038-CTR-000105

    Group
    Show

  • OpenShift must enforce network policy on the namespace for controlling the flow of information within the container platform based on organization-defined information flow control policies.

    OpenShift provides several layers of protection to control the flow of information between the container platform components and user services. Each user project is given a separate namespace and O...
    Rule Medium Severity
    Show

  • SRG-APP-000039-CTR-000110

    Group
    Show

  • OpenShift must enforce approved authorizations for controlling the flow of information within the container platform based on organization-defined information flow control policies.

    OpenShift provides several layers of protection to control the flow of information between the container platform components and user services. Each user project is given a separate namespace and O...
    Rule Medium Severity
    Show

  • SRG-APP-000068-CTR-000120

    Group
    Show

  • OpenShift must display the Standard Mandatory DOD Notice and Consent Banner before granting access to platform components.

    OpenShift has countless components where different access levels are needed. To control access, the user must first log into the component and then be presented with a DOD-approved use notification...
    Rule Low Severity
    Show

  • SRG-APP-000089-CTR-000150

    Group
    Show

  • OpenShift must generate audit records for all DOD-defined auditable events within all components in the platform.

    The OpenShift Platform supports three audit levels: Default, WriteRequestBodies, and AllRequestBodies. The identities of the users are logged for all three audit levels log level. The WriteRequestB...
    Rule Medium Severity
    Show

  • SRG-APP-000091-CTR-000160

    Group
    Show

  • OpenShift must generate audit records when successful/unsuccessful attempts to access privileges occur.

    OpenShift and its components must generate audit records when successful/unsuccessful attempts to access or delete security objects, security levels, and privileges occur. All the components must ...
    Rule Medium Severity
    Show

  • SRG-APP-000092-CTR-000165

    Group
    Show

  • Red Hat Enterprise Linux CoreOS (RHCOS) must initiate session audits at system startup.

    Initiating session audits at system startup allows for comprehensive monitoring of user activities and system events from the moment the system is powered on. Audit logs capture information about l...
    Rule High Severity
    Show

  • SRG-APP-000095-CTR-000170

    Group
    Show

  • All audit records must identify what type of event has occurred within OpenShift.

    Within the container platform, audit data can be generated from any of the deployed container platform components. This audit data is important when there are issues such as security incidents that...
    Rule Medium Severity
    Show

  • SRG-APP-000096-CTR-000175

    Group
    Show

  • OpenShift audit records must have a date and time association with all events.

    Within the container platform, audit data can be generated from any of the deployed container platform components. This audit data is important when there are issues, such as security incidents, th...
    Rule Medium Severity
    Show

  • SRG-APP-000099-CTR-000190

    Group
    Show

  • All audit records must generate the event results within OpenShift.

    Within the container platform, audit data can be generated from any of the deployed container platform components. Since the audit data may be part of a larger audit system, it is important for the...
    Rule Medium Severity
    Show

  • SRG-APP-000109-CTR-000215

    Group
    Show

  • OpenShift must take appropriate action upon an audit failure.

    It is critical that when the container platform is at risk of failing to process audit logs as required that it takes action to mitigate the failure. Audit processing failures include software/hard...
    Rule Medium Severity
    Show

  • SRG-APP-000111-CTR-000220

    Group
    Show

  • OpenShift components must provide the ability to send audit logs to a central enterprise repository for review and analysis.

    Sending audit logs to a central enterprise repository allows for centralized log management. Instead of scattered logs across multiple OpenShift components, having a centralized repository simplifi...
    Rule Medium Severity
    Show

  • SRG-APP-000116-CTR-000235

    Group
    Show

  • OpenShift must use internal system clocks to generate audit record time stamps.

    Knowing when a sequence of events for an incident occurred is crucial to understand what may have taken place. Without a common clock, the components generating audit events could be out of synchro...
    Rule Medium Severity
    Show

  • SRG-APP-000116-CTR-000235

    Group
    Show

  • The Red Hat Enterprise Linux CoreOS (RHCOS) chrony Daemon must use multiple NTP servers to generate audit record time stamps.

    Utilizing multiple NTP servers for the chrony daemon in RHCOS ensures accurate and reliable audit record timestamps. It improves time synchronization, mitigates time drift, provides redundancy, and...
    Rule Medium Severity
    Show

  • SRG-APP-000118-CTR-000240

    Group
    Show

  • OpenShift must protect audit logs from any type of unauthorized access.

    If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In ...
    Rule Medium Severity
    Show

  • SRG-APP-000118-CTR-000240

    Group
    Show

  • OpenShift must protect system journal file from any type of unauthorized access by setting file permissions.

    It is a fundamental security practice to enforce the principle of least privilege, where only the necessary permissions are granted to authorized entities. OpenShift must protect the system journal...
    Rule Medium Severity
    Show

  • SRG-APP-000118-CTR-000240

    Group
    Show

  • OpenShift must protect system journal file from any type of unauthorized access by setting owner permissions.

    OpenShift follows the principle of least privilege, which aims to restrict access to resources based on user roles and responsibilities. This separation of privileges helps mitigate the risk of una...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules