Container Platform Security Requirements Guide


Overview

Date: 2023-11-30
Finding Count: 173 (CAT I (High): 6, CAT II (Med): 164, CAT III (Low): 3)
STIG Description
This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-233290 High The container platform must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithms for transmission.
V-233096 High For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.
V-233224 High The application must protect the confidentiality and integrity of transmitted information.
V-233185 High The container platform runtime must prohibit the instantiation of container images without explicit privileged status.
V-233289 High The container platform must use a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality.
V-233118 High The container platform must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules.
V-233058 Medium The container platform must protect audit information from unauthorized deletion.
V-233088 Medium The container platform must enforce a minimum 15-character password length.
V-233059 Medium The container platform must protect audit tools from unauthorized access.
V-233133 Medium The container platform must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
V-233021 Medium The container platform must automatically disable accounts after a 35-day period of account inactivity.
V-233020 Medium The container platform must automatically remove or disable temporary user accounts after 72 hours.
V-233023 Medium The container platform must automatically audit account modification.
V-233022 Medium The container platform must automatically audit account creation.
V-233025 Medium The container platform must automatically audit account removal actions.
V-233024 Medium The container platform must automatically audit account-disabling actions.
V-233027 Medium Least privilege access and need to know must be required to access the container platform runtime.
V-233026 Medium Least privilege access and need to know must be required to access the container platform registry.
V-233029 Medium The container platform must enforce approved authorizations for controlling the flow of information within the container platform based on organization-defined information flow control policies.
V-233028 Medium Least privilege access and need to know must be required to access the container platform keystore.
V-233042 Medium All audit records must identify what type of event has occurred within the container platform.
V-233041 Medium The container platform must initiate session auditing upon startup.
V-233211 Medium The container platform must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-233095 Medium For a container platform using password authentication, the application must store only cryptographic representations of passwords.
V-233102 Medium The container platform must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
V-233101 Medium The container platform must map the authenticated identity to the individual user or group account for PKI-based authentication.
V-233106 Medium The container platform must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions.
V-233105 Medium The container platform must provide an audit reduction capability that supports on-demand reporting requirements.
V-233108 Medium The application must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity.
V-233097 Medium The container platform must enforce 24 hours (one day) as the minimum password lifetime.
V-233019 Medium The container platform must use a centralized user management solution to support account management functions.
V-233222 Medium The container platform must protect against or limit the effects of all types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
V-233056 Medium The container platform must protect audit information from any type of unauthorized read access.
V-233057 Medium The container platform must protect audit information from unauthorized modification.
V-233227 Medium The container platform must maintain the confidentiality and integrity of information during reception.
V-233049 Medium The container platform must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.
V-233052 Medium The container platform components must provide the ability to send audit logs to a central enterprise repository for review and analysis.
V-233182 Medium The container platform must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
V-233229 Medium The container platform must implement organization-defined security safeguards to protect system CPU and memory from resource depletion and unauthorized code execution.
V-233181 Medium All audit records must use UTC or GMT time stamps.
V-233186 Medium The container platform registry must prohibit installation or modification of container images without explicit privileged status.
V-233192 Medium The container platform registry must employ a deny-all, permit-by-exception (whitelist) policy to allow only authorized container images in the container platform.
V-233184 Medium The container platform must prohibit the installation of patches and updates without explicit privileged status.
V-233285 Medium The container platform must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use).
V-233284 Medium The container platform must validate certificates used for Transport Layer Security (TLS) functions by performing an RFC 5280-compliant certification path validation.
V-233123 Medium The container platform must preserve any information necessary to determine the cause of the disruption or failure.
V-233114 Medium The container platform must separate user functionality (including user interface services) from information system management functionality.
V-233055 Medium The container platform must use internal system clocks to generate audit record time stamps.
V-233047 Medium All audit records must identify any users associated with the event within the container platform.
V-233046 Medium All audit records must generate the event results within the container platform.
V-233045 Medium All audit records must identify the source of the event within the container platform.
V-233044 Medium All audit records must identify where in the container platform the event occurred.
V-233043 Medium The container platform audit records must have a date and time association with all events.
V-257291 Medium The container platform must enforce organization-defined circumstances and/or usage conditions for organization-defined accounts.
V-233210 Medium Vulnerability scanning applications must implement privileged access authorization to all container platform components, containers, and container images for selected organization-defined vulnerability scanning activities.
V-233040 Medium The container platform must generate audit records when successful/unsuccessful attempts to access privileges occur.
V-233195 Medium The container platform must be configured to use multi-factor authentication for user authentication.
V-233194 Medium The container platform must require devices to reauthenticate when organization-defined circumstances or situations require reauthentication.
V-233191 Medium The container platform must prevent component execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.
V-233190 Medium All non-essential, unnecessary, and unsecure DoD ports, protocols, and services must be disabled in the container platform.
V-233193 Medium The container platform must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
V-233048 Medium All audit records must identify any containers associated with the event within the container platform.
V-233208 Medium The container platform must configure web management tools and Application Program Interfaces (API) with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.
V-233078 Medium The container platform application program interface (API) must uniquely identify and authenticate processes acting on behalf of the users.
V-233079 Medium The container platform must use multifactor authentication for network access to privileged accounts.
V-233221 Medium The container platform runtime must maintain separate execution domains for each container by assigning each container a separate address space.
V-233072 Medium The container platform registry must contain only container images for those capabilities being offered by the container platform.
V-233073 Medium The container platform runtime must enforce ports, protocols, and services that adhere to the PPSM CAL.
V-233070 Medium Authentication files for the container platform must be protected.
V-233071 Medium The container platform must be configured with only essential configurations.
V-233076 Medium The container platform application program interface (API) must uniquely identify and authenticate users.
V-233077 Medium The container platform must uniquely identify and authenticate processes acting on behalf of the users.
V-233074 Medium The container platform runtime must enforce the use of ports that are non-privileged.
V-233075 Medium The container platform must uniquely identify and authenticate users.
V-233189 Medium The container platform must enforce access restrictions and support auditing of the enforcement actions.
V-233065 Medium The container platform must verify container images.
V-233162 Medium The container platform must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
V-233163 Medium Container images instantiated by the container platform must execute using least privileges.
V-233164 Medium The container platform must audit the execution of privileged functions.
V-233165 Medium The container platform must automatically lock an account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.
V-233166 Medium The container platform must provide the configuration for organization-identified individuals or roles to change the auditing to be performed on all components, based on all selectable event criteria within organization-defined time thresholds.
V-233064 Medium The container platform must be built from verified packages.
V-233168 Medium The container platform must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
V-233169 Medium Audit records must be stored at a secondary location.
V-233067 Medium The container platform must limit privileges to the container platform runtime.
V-233220 Medium The container platform keystore must implement encryption to prevent unauthorized disclosure of information at rest within the container platform.
V-233061 Medium The container platform must protect audit tools from unauthorized deletion.
V-233060 Medium The container platform must protect audit tools from unauthorized modification.
V-233273 Medium Container platform components must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.
V-233230 Medium The container platform must remove old components after updated versions have been installed.
V-233069 Medium Configuration files for the container platform must be protected.
V-233068 Medium The container platform must limit privileges to the container platform keystore.
V-233231 Medium The container platform registry must remove old container images after updated versions have been made available.
V-233274 Medium The container platform must be able to store and instantiate industry standard container images.
V-233275 Medium The container platform must continuously scan components, containers, and images for vulnerabilities.
V-233276 Medium The container platform must prohibit communication using TLS versions 1.0 and 1.1, and SSL 2.0 and 3.0.
V-233066 Medium The container platform must limit privileges to the container platform registry.
V-233270 Medium The container runtime must generate audit records for all container execution, shutdown, restart events, and program initiations.
V-233271 Medium The container platform must use valid FIPS 140-2 approved cryptographic modules to generate hashes.
V-233063 Medium The container platform must use FIPS validated cryptographic mechanisms to protect the integrity of log information.
V-233051 Medium The container platform must take appropriate action upon an audit failure.
V-233171 Medium The container platform must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.
V-233199 Medium The container platform must allow the use of a temporary password for system logons with an immediate change to a permanent password.
V-233234 Medium The container platform runtime must have updates installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
V-233226 Medium The container platform must maintain the confidentiality and integrity of information during preparation for transmission.
V-233158 Medium The container platform must notify system administrator and ISSO of account enabling actions.
V-233129 Medium The container platform must restrict individuals' ability to launch organizationally defined denial-of-service (DoS) attacks against other information systems.
V-233090 Medium The container platform must enforce password complexity by requiring that at least one uppercase character be used.
V-233091 Medium The container platform must enforce password complexity by requiring that at least one lowercase character be used.
V-233092 Medium The container platform must enforce password complexity by requiring that at least one numeric character be used.
V-233093 Medium The container platform must enforce password complexity by requiring that at least one special character be used.
V-233094 Medium The container platform must require the change of at least 15 of the total number of characters when passwords are changed.
V-233188 Medium The container platform must enforce access restrictions for container platform configuration changes.
V-233269 Medium The container platform must generate audit records for all account creations, modifications, disabling, and termination events.
V-233268 Medium Direct access to the container platform must generate audit records.
V-233267 Medium The container platform runtime must generate audit records when successful/unsuccessful attempts to access objects occur.
V-233266 Medium The container platform must generate audit records when concurrent logons from different workstations and systems occur.
V-233265 Medium The container platform audit records must record user access start and end times.
V-233264 Medium The container platform must generate audit records for privileged activities.
V-233263 Medium The container platform must generate audit records when successful/unsuccessful logon attempts occur.
V-233262 Medium The container platform must generate audit records when successful/unsuccessful attempts to delete categories of information (e.g., classification levels) occur.
V-233261 Medium The container platform must generate audit records when successful/unsuccessful attempts to delete security objects occur.
V-233260 Medium The container platform must generate audit records when successful/unsuccessful attempts to delete security levels occur.
V-233146 Medium The container platform must notify system administrators and ISSO for account removal actions.
V-233201 Medium The container platform, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
V-233144 Medium The container platform must notify system administrators and ISSO when accounts are modified.
V-233145 Medium The container platform must notify system administrators and ISSO for account disabling actions.
V-233142 Medium The container platform must use cryptographic mechanisms to protect the integrity of audit tools.
V-233143 Medium The container platform must notify system administrators and ISSO when accounts are created.
V-233200 Medium The container platform must prohibit the use of cached authenticators after an organization-defined time period.
V-233015 Medium The container platform must use TLS 1.2 or greater for secure container image transport from trusted sources.
V-233016 Medium The container platform must use TLS 1.2 or greater for secure communication.
V-233233 Medium The container platform registry must contain the latest images with most recent updates and execute within the container platform runtime as authorized by IAVM, CTOs, DTMs, and STIGs.
V-233202 Medium The container platform must accept Personal Identity Verification (PIV) credentials from other federal agencies.
V-233207 Medium Container platform applications and Application Program Interfaces (API) used for nonlocal maintenance sessions must use FIPS-validated keyed-hash message authentication code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.
V-233206 Medium The container platform must audit non-local maintenance and diagnostic sessions' organization-defined audit events associated with non-local maintenance.
V-233083 Medium The container platform must ensure users are authenticated with an individual authenticator prior to using a group authenticator.
V-233253 Medium The container platform must generate audit records when successful/unsuccessful attempts to access security levels occur.
V-233081 Medium The container platform must use multifactor authentication for local access to privileged accounts.
V-233080 Medium The container platform must use multifactor authentication for network access to non-privileged accounts.
V-233087 Medium The container platform must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
V-233086 Medium The container platform must uniquely identify all network-connected nodes before establishing any connection.
V-233254 Medium The container platform must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur.
V-233255 Medium The container platform must generate audit records when successful/unsuccessful attempts to modify privileges occur.
V-233089 Medium The container platform must prohibit password reuse for a minimum of five generations.
V-233259 Medium The container platform must generate audit records when successful/unsuccessful attempts to delete privileges occur.
V-233155 Medium The container platform must terminate shared/group account credentials when members leave the group.
V-233157 Medium The container platform must automatically audit account-enabling actions.
V-233252 Medium The container platform must generate audit records when successful/unsuccessful attempts to access security objects occur.
V-233082 Medium The container platform must use multifactor authentication for local access to non-privileged accounts.
V-233256 Medium The container platform must generate audit records when successful/unsuccessful attempts to modify security objects occur.
V-233257 Medium The container platform must generate audit records when successful/unsuccessful attempts to modify security levels occur.
V-233244 Medium The container platform must provide system notifications to the system administrator and operational staff when anomalies in the operation of the organization-defined security functions are discovered.
V-233128 Medium The container platform must prevent unauthorized and unintended information transfer via shared system resources.
V-233085 Medium The container platform must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
V-233243 Medium The container platform must perform verification of the correct operation of security functions: upon system startup and/or restart; upon command by a user with privileged access; and/or every 30 days. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
V-233242 Medium The organization-defined role must verify correct operation of security functions in the container platform.
V-233125 Medium The container platform runtime must isolate security functions from non-security functions.
V-233126 Medium The container platform must never automatically remove or disable emergency accounts.
V-233084 Medium The container platform must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.
V-233122 Medium The container platform runtime must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
V-233170 Medium The container platform must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.
V-233098 Medium The container platform must enforce a 60-day maximum password lifetime restriction.
V-233228 Medium The container platform must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.
V-233038 Medium The container platform must generate audit records for all DoD-defined auditable events within all components in the platform.
V-233039 Medium The container platform must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
V-233031 Medium The container platform must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
V-233258 Medium The container platform must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur.
V-233030 Medium The container platform must enforce approved authorizations for controlling the flow of information between interconnected systems and services based on organization-defined information flow control policies.
V-233127 Medium The container platform must prohibit containers from accessing privileged resources.
V-233033 Low The container platform must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage and conditions and take explicit actions to log on for further access.
V-233149 Low Access to the container platform must display an explicit logout message to users indicating the reliable termination of authenticated communication sessions.
V-233032 Low The container platform must display the Standard Mandatory DoD Notice and Consent Banner before granting access to platform components.