UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Mirantis Kubernetes Engine Security Technical Implementation Guide


Overview

Date Finding Count (44)
2024-04-10 CAT I (High): 3 CAT II (Med): 40 CAT III (Low): 1
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-260906 High Least privilege access and need to know must be required to access MKE runtime and instantiate container images.
V-260907 High Only required ports must be open on containers in MKE.
V-260908 High FIPS mode must be enabled.
V-260913 Medium MKE host network namespace must not be shared.
V-260928 Medium The "Create repository on push" option in MSR must be disabled.
V-260903 Medium The Lifetime Minutes and Renewal Threshold Minutes Login Session Controls on MKE must be set.
V-260904 Medium In an MSR organization, user permissions and repositories must be configured.
V-260905 Medium User-managed resources must be created in dedicated namespaces.
V-260924 Medium Incoming container traffic must be bound to a specific host interface.
V-260925 Medium CPU priority must be set appropriately on all containers.
V-260909 Medium MKE must be configured to integrate with an Enterprise Identity Provider.
V-260920 Medium For MKE's deployed on an Ubuntu host operating system, the AppArmor profile must be enabled.
V-260921 Medium If MKE is deployed on a Red Hat or CentOS system, SELinux security must be enabled.
V-260922 Medium The Docker socket must not be mounted inside any containers.
V-260923 Medium Linux Kernel capabilities must be restricted within containers.
V-260944 Medium Older Universal Control Plane (MKE) and Docker Trusted Registry (DTR) images must be removed from all cluster nodes upon upgrading.
V-260945 Medium MKE must contain the latest updates.
V-260942 Medium MKE must only run signed images.
V-260943 Medium Vulnerability scanning must be enabled for all repositories in MSR.
V-260940 Medium Use of privileged Linux containers must be limited to system containers.
V-260941 Medium The network ports on all running containers must be limited to required ports.
V-260912 Medium MKE must have Grants created to control authorization to cluster resources.
V-260929 Medium Containers must not map to privileged ports.
V-260926 Medium MKE must use a non-AUFS storage driver.
V-260927 Medium MKE's self-signed certificates must be replaced with DOD trusted, signed certificates.
V-260919 Medium MSR telemetry must be disabled.
V-260918 Medium MKE telemetry must be disabled.
V-260915 Medium MKE must be configured to send audit data to a centralized log server.
V-260914 Medium Audit logging must be enabled on MKE.
V-260917 Medium Allowing users and administrators to schedule containers on all nodes must be disabled.
V-260916 Medium MSR's self-signed certificates must be replaced with DOD trusted, signed certificates.
V-260911 Medium Swarm Secrets or Kubernetes Secrets must be used.
V-260910 Medium SSH must not run within Linux containers.
V-260939 Medium MKE users must not have permissions to create containers or pods that share the host user namespace.
V-260938 Medium Docker CLI commands must be run with an MKE client trust bundle and without unnecessary permissions.
V-260937 Medium The default seccomp profile must not be disabled.
V-260936 Medium All containers must be restricted to mounting the root filesystem as read only.
V-260935 Medium Host IPC namespace must not be shared.
V-260934 Medium All containers must be restricted from acquiring additional privileges.
V-260933 Medium MKE must enable kernel protection.
V-260932 Medium MKE must preserve any information necessary to determine the cause of the disruption or failure.
V-260931 Medium IPSec network encryption must be configured.
V-260930 Medium MKE must not permit users to create pods that share host process namespace.
V-260946 Low MKE must display the Standard Mandatory DOD Notice and Consent Banner before granting access to platform components.