Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-260908 | CNTR-MK-000870 | SV-260908r966081_rule | | High |
Description |
---|
During any user authentication, MKE must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process. FIPS mode enforces the use of cryptographic algorithms and modules. This ensures a higher level of cryptographic security, reducing the risk of vulnerabilities related to cryptographic functions. FIPS-compliant cryptographic modules are designed to provide strong protection for sensitive data. Enabling FIPS mode helps safeguard cryptographic operations, securing data both at rest and in transit within containerized applications. |
STIG | Date |
---|---|
Mirantis Kubernetes Engine Security Technical Implementation Guide | 2024-04-10 |
Check Text (C-64637r966079_chk) |
---|

On the MKE controller, verify FIPS mode is enabled. Execute the following command through the CLI:

```
docker info
```

The "Security Options" section in the response must show a "fips" label, indicating that, when configured, the remotely accessible MKE UI uses FIPS-validated digital signatures in conjunction with an approved hash function to protect the integrity of remote access sessions.

If the "fips" label is not shown in the "Security Options" section, then this is a finding.
Fix Text (F-64545r966080_fix) |
---|

If the operating system has FIPS enabled, FIPS mode is enabled by default in MCR. The preferred method is to ensure FIPS mode is set on the operating system prior to installation.

If a change is required on a deployed system, create the directory if it does not exist by executing the following:

```
mkdir -p /etc/systemd/system/docker.service.d/
```

Create a file called /etc/systemd/system/docker.service.d/fips-module.conf and add the following:

```
[Service]
Environment="DOCKER_FIPS=1"
```

Reload the Docker configuration to systemd by executing the following:

```
sudo systemctl daemon-reload
```

Restart the Docker service by executing the following:

```
sudo systemctl restart docker
```