Rancher Government Solutions RKE2 Security Technical Implementation Guide


Overview

Date: 2023-11-30
Finding Count (23): CAT I (High): 6, CAT II (Med): 17, CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID   Severity   Title
----------   --------   -----
V-254558     High       The Kubernetes API server must have the insecure port flag disabled.
V-254559     High       The Kubernetes Kubelet must have the read-only port flag disabled.
V-254553     High       Rancher RKE2 must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules.
V-254562     High       The Kubernetes API server must have anonymous authentication disabled.
V-254561     High       The Kubernetes kubelet must enable explicit authorization.
V-254560     High       The Kubernetes API server must have the insecure bind address not set.
V-254556     Medium     The Kubernetes Controller Manager must have secure binding.
V-254557     Medium     The Kubernetes Kubelet must have anonymous authentication disabled.
V-254554     Medium     RKE2 must use a centralized user management solution to support account management functions.
V-254555     Medium     Rancher RKE2 components must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.
V-254574     Medium     Rancher RKE2 must remove old components after updated versions have been installed.
V-254575     Medium     Rancher RKE2 registry must contain the latest images with most recent updates and execute within Rancher RKE2 runtime as authorized by IAVM, CTOs, DTMs, and STIGs.
V-254570     Medium     Rancher RKE2 runtime must maintain separate execution domains for each container by assigning each container a separate address space to prevent unauthorized and unintended information transfer via shared system resources.
V-254571     Medium     Rancher RKE2 must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
V-254572     Medium     Rancher RKE2 must prohibit the installation of patches, updates, and instantiation of container images without explicit privileged status.
V-254573     Medium     Rancher RKE2 keystore must implement encryption to prevent unauthorized disclosure of information at rest within Rancher RKE2.
V-254567     Medium     Rancher RKE2 must store only cryptographic representations of passwords.
V-254566     Medium     Rancher RKE2 runtime must enforce ports, protocols, and services that adhere to the PPSM CAL.
V-254565     Medium     Rancher RKE2 must be configured with only essential configurations.
V-254564     Medium     Configuration and authentication files for Rancher RKE2 must be protected.
V-254563     Medium     All audit records must identify any containers associated with the event within Rancher RKE2.
V-254569     Medium     Rancher RKE2 runtime must isolate security functions from nonsecurity functions.
V-254568     Medium     Rancher RKE2 must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after five minutes of inactivity.