| V-257546 | High | OpenShift must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 validated cryptography. | FIPS compliance is one of the most critical components required in highly secure environments, to ensure that only supported cryptographic technologies are allowed on nodes.
Because FIPS must be... |
| V-257540 | High | OpenShift must disable root and terminate network connections. | Direct login as the "root" user must be disabled to prevent unrestricted access and control over the entire system.
Terminating an idle session within a short time reduces the window of... |
| V-257543 | High | OpenShift must use FIPS validated LDAP or OpenIDConnect. | Passwords need to be protected on entry, in transmission, during authentication, and when stored. If compromised at any of these security points, a nefarious user can use the password along with... |
| V-257583 | High | Red Hat Enterprise Linux CoreOS (RHCOS) must disable SSHD service. | Any direct remote access to the RHCOS nodes is not allowed. RHCOS is a single-purpose container operating system and is only supported as a component of the OpenShift Container Platform. Remote... |
| V-257557 | High | Container images instantiated by OpenShift must execute using least privileges. | Container images running on OpenShift must support running as any arbitrary UID. OpenShift will then assign a random, nonprivileged UID to the running container instance. This avoids the risk from... |
| V-257513 | High | OpenShift RBAC access controls must be enforced. | Controlling and limiting users access to system services and resources is key to securing the platform and limiting the intentional or unintentional compromising of the system and its services.... |
| V-257519 | High | Red Hat Enterprise Linux CoreOS (RHCOS) must initiate session audits at system startup. | Initiating session audits at system startup allows for comprehensive monitoring of user activities and system events from the moment the system is powered on. Audit logs capture information about... |
| V-257569 | Medium | Red Hat Enterprise Linux CoreOS (RHCOS) must implement ASLR (Address Space Layout Randomization) from unauthorized code execution. | ASLR is a security technique that randomizes the memory layout of processes, making it more difficult for attackers to predict the location of system components and exploit memory-based... |
| V-257517 | Medium | OpenShift must generate audit records for all DOD-defined auditable events within all components in the platform. | The OpenShift Platform supports three audit levels: Default, WriteRequestBodies, and AllRequestBodies. The identities of the users are logged for all three audit levels log level. The... |
| V-257514 | Medium | OpenShift must enforce network policy on the namespace for controlling the flow of information within the container platform based on organization-defined information flow control policies. | OpenShift provides several layers of protection to control the flow of information between the container platform components and user services. Each user project is given a separate namespace and... |
| V-257553 | Medium | OpenShift must prevent kernel profiling. | Kernel profiling involves monitoring and analyzing the behavior of the kernel, including its internal operations and system calls. This level of access and visibility into the kernel can... |
| V-257578 | Medium | OpenShift must generate audit records when successful/unsuccessful attempts to delete security objects occur. | By generating audit records for security object deletions, OpenShift enables administrators and security teams to track and investigate any unauthorized or suspicious removal of security objects.... |
| V-257536 | Medium | OpenShift must use FIPS-validated cryptographic mechanisms to protect the integrity of log information. | To fully investigate an incident and to have trust in the audit data that is generated, it is important to put in place data protections. Without integrity protections, unauthorized changes may be... |
| V-257537 | Medium | OpenShift must verify container images. | The container platform must be capable of validating that container images are signed and that the digital signature is from a recognized and source approved by the organization. Allowing any... |
| V-257532 | Medium | OpenShift must protect pod log files from any type of unauthorized access by setting owner permissions. | Pod log files may contain sensitive information such as application data, user credentials, or system configurations. Unauthorized access to these log files can expose sensitive data to malicious... |
| V-257510 | Medium | OpenShift must automatically audit account modification. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an... |
| V-257562 | Medium | OpenShift must set server token max age no greater than eight hours. | The setting for OAuth server token max age is used to control the maximum duration for which an issued OAuth access token remains valid. Access tokens serve as a form of authentication and... |
| V-257563 | Medium | Vulnerability scanning applications must implement privileged access authorization to all OpenShift components, containers, and container images for selected organization-defined vulnerability scanning activities. | OpenShift uses service accounts to provide applications running on or off the platform access to the API service using the enforced RBAC policies. Vulnerability scanning applications that need... |
| V-257560 | Medium | OpenShift must enforce access restrictions and support auditing of the enforcement actions. | Enforcing access restrictions helps protect the OpenShift environment and its resources from unauthorized access, misuse, or malicious activities. By implementing access controls, OpenShift... |
| V-257561 | Medium | OpenShift must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. | Integrity of the OpenShift platform is handled by the cluster version operator. The cluster version operator will by default GPG verify the integrity of the release image before applying it. The... |
| V-257548 | Medium | OpenShift must prevent unauthorized and unintended information transfer via shared system resources and enable page poisoning. | Enabling page poisoning in OpenShift improves memory safety, mitigates memory corruption vulnerabilities, aids in fault isolation, assists with debugging. It enhances the overall security and... |
| V-257549 | Medium | OpenShift must disable virtual syscalls. | Virtual syscalls are a mechanism that allows user-space programs to make privileged system calls without transitioning to kernel mode. However, this feature can introduce additional security... |
| V-257564 | Medium | OpenShift keystore must implement encryption to prevent unauthorized disclosure of information at rest within the container platform. | By default, etcd data is not encrypted in OpenShift Container Platform. Enable etcd encryption for the cluster to provide an additional layer of data security. For example, it can help protect the... |
| V-257565 | Medium | OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by employing organization-defined security safeguards by including a default resource quota. | DNS attacks that are internal to the container platform (exploited or otherwise malicious applications) can have a limited blast radius by adhering to least privilege RBAC and Network... |
| V-257544 | Medium | OpenShift must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity. | In OpenShift, the "session token inactivity timeout" on OAuth clients is set to ensure security and protect against potential unauthorized access to user sessions. OAuth is an open standard for... |
| V-257545 | Medium | OpenShift must separate user functionality (including user interface services) from information system management functionality. | Red Hat Enterprise Linux CoreOS (RHCOS) is a single-purpose container operating system. RHCOS is only supported as a component of the OpenShift Container Platform. Remote management of the RHCOS... |
| V-257547 | Medium | OpenShift runtime must isolate security functions from nonsecurity functions. | An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. Security functions are the hardware, software,... |
| V-257541 | Medium | OpenShift must use multifactor authentication for network access to accounts. | Without the use of multifactor authentication, the ease of access to privileged and nonprivileged functions is greatly increased.
Multifactor authentication requires using two or more factors to... |
| V-257542 | Medium | OpenShift must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts. | A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be... |
| V-257526 | Medium | The Red Hat Enterprise Linux CoreOS (RHCOS) chrony Daemon must use multiple NTP servers to generate audit record time stamps. | Utilizing multiple NTP servers for the chrony daemon in RHCOS ensures accurate and reliable audit record timestamps. It improves time synchronization, mitigates time drift, provides redundancy,... |
| V-257527 | Medium | OpenShift must protect audit logs from any type of unauthorized access. | If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In... |
| V-257524 | Medium | OpenShift components must provide the ability to send audit logs to a central enterprise repository for review and analysis. | Sending audit logs to a central enterprise repository allows for centralized log management. Instead of scattered logs across multiple OpenShift components, having a centralized repository... |
| V-257525 | Medium | OpenShift must use internal system clocks to generate audit record time stamps. | Knowing when a sequence of events for an incident occurred is crucial to understand what may have taken place. Without a common clock, the components generating audit events could be out of... |
| V-257522 | Medium | All audit records must generate the event results within OpenShift. | Within the container platform, audit data can be generated from any of the deployed container platform components. Since the audit data may be part of a larger audit system, it is important for... |
| V-257505 | Medium | OpenShift must use TLS 1.2 or greater for secure container image transport from trusted sources. | The authenticity and integrity of the container image during the container image lifecycle is part of the overall security posture of the container platform. This begins with the container image... |
| V-257520 | Medium | All audit records must identify what type of event has occurred within OpenShift. | Within the container platform, audit data can be generated from any of the deployed container platform components. This audit data is important when there are issues such as security incidents... |
| V-257521 | Medium | OpenShift audit records must have a date and time association with all events. | Within the container platform, audit data can be generated from any of the deployed container platform components. This audit data is important when there are issues, such as security incidents,... |
| V-257508 | Medium | The kubeadmin account must be disabled. | Using a centralized user management solution for account management functions enhances security, simplifies administration, improves user experience, facilitates compliance, and provides... |
| V-257509 | Medium | OpenShift must automatically audit account creation. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create a new... |
| V-257528 | Medium | OpenShift must protect system journal file from any type of unauthorized access by setting file permissions. | It is a fundamental security practice to enforce the principle of least privilege, where only the necessary permissions are granted to authorized entities. OpenShift must protect the system... |
| V-257523 | Medium | OpenShift must take appropriate action upon an audit failure. | It is critical that when the container platform is at risk of failing to process audit logs as required that it takes action to mitigate the failure. Audit processing failures include... |
| V-257518 | Medium | OpenShift must generate audit records when successful/unsuccessful attempts to access privileges occur. | OpenShift and its components must generate audit records successful/unsuccessful attempts to access or delete security objects, security levels, and privileges occur.
All the components must use... |
| V-257539 | Medium | OpenShift runtime must enforce ports, protocols, and services that adhere to the PPSM CAL. | OpenShift Container Platform uses several IPV4 and IPV6 ports and protocols to facilitate cluster communication and coordination. Not all these ports are identified and approved by the PPSM CAL.... |
| V-257506 | Medium | OpenShift must use TLS 1.2 or greater for secure communication. | The authenticity and integrity of the container platform and communication between nodes and components must be secure. If an insecure protocol is used during transmission of data, the data can be... |
| V-257538 | Medium | OpenShift must contain only container images for those capabilities being offered by the container platform. | Allowing container images to reside within the container platform registry that are not essential to the capabilities being offered by the container platform becomes a potential security risk. By... |
| V-257580 | Medium | Red Hat Enterprise Linux CoreOS (RHCOS) must be configured to audit the loading and unloading of dynamic kernel modules. | By generating audit logs for the loading and unloading of dynamic kernel modules, OpenShift enables administrators and security teams to track and investigate any unauthorized or suspicious... |
| V-257581 | Medium | OpenShift audit records must record user access start and end times. | OpenShift must generate audit records showing start and end times for users and services acting on behalf of a user accessing the registry and keystore. These components must use the same standard... |
| V-257582 | Medium | OpenShift must generate audit records when concurrent logons from different workstations and systems occur. | OpenShift and its components must generate audit records for concurrent logons from workstations perform remote maintenance, runtime instances, connectivity to the container registry, and... |
| V-257584 | Medium | Red Hat Enterprise Linux CoreOS (RHCOS) must disable USB Storage kernel module. | Disabling the USB Storage kernel module helps protect against potential data exfiltration or unauthorized access to sensitive data. USB storage devices can be used to transfer data in and out of... |
| V-257507 | Medium | OpenShift must use a centralized user management solution to support account management functions. | OpenShift supports several different types of identity providers. To add users and grant access to OpenShift, an identity provider must be configured. Some of the identity provider types such as... |
| V-257586 | Medium | OpenShift must continuously scan components, containers, and images for vulnerabilities. | Finding vulnerabilities quickly within the container platform and within containers deployed within the platform is important to keep the overall platform secure. When a vulnerability within a... |
| V-257585 | Medium | Red Hat Enterprise Linux CoreOS (RHCOS) must use USBGuard for hosts that include a USB Controller. | USBGuard adds an extra layer of security to the overall OpenShift infrastructure. It provides an additional control mechanism to prevent potential security threats originating from USB devices. By... |
| V-257534 | Medium | OpenShift must prevent unauthorized changes to logon UIDs. | Logon UIDs are used to uniquely identify and authenticate users within the system. By preventing unauthorized changes to logon UIDs, OpenShift ensures that user identities remain consistent and... |
| V-257555 | Medium | OpenShift must restrict individuals the ability to launch organizational-defined Denial-of-Service (DOS) attacks against other information systems by rate-limiting. | By setting rate limits, OpenShift can control the number of requests or connections allowed from a single source within a specific period. This prevents an excessive influx of requests that can... |
| V-257566 | Medium | OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by defining resource quotas on a namespace. | OpenShift allows administrators to define resource quotas on a namespace basis. This allows tailoring of the shared resources based on a project needs. However, when a new project is created,... |
| V-257535 | Medium | OpenShift must protect audit tools from unauthorized access. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on... |
| V-257587 | Medium | OpenShift must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (nonlegacy use). | Using a FIPS-validated SHA-2 or higher hash function for digital signature generation and verification in OpenShift ensures strong cryptographic security, compliance with industry standards, and... |
| V-257567 | Medium | OpenShift must protect the confidentiality and integrity of transmitted information. | OpenShift provides for two types of application level ingress types, Routes, and Ingresses. Routes have been a part of OpenShift since version 3. Ingresses were promoted out of beta in Aug 2020... |
| V-257575 | Medium | OpenShift must generate audit records when successful/unsuccessful attempts to modify privileges occur. | Audit records provide a crucial source of information for security monitoring and incident response. By generating audit records for privilege modification attempts, OpenShift enables... |
| V-257574 | Medium | OpenShift must perform verification of the correct operation of security functions: upon startup and/or restart; upon command by a user with privileged access; and/or every 30 days. | Security functionality includes, but is not limited to, establishing system accounts, configuring access authorization (i.e., permissions, privileges), setting events to be audited, and setting... |
| V-257577 | Medium | OpenShift must generate audit records when successful/unsuccessful attempts to delete privileges occur. | Audit records for unsuccessful attempts to delete privileges help in identifying unauthorized activities or potential attacks. If an unauthorized entity attempts to remove privileges, the audit... |
| V-257576 | Medium | OpenShift must generate audit records when successful/unsuccessful attempts to modify security objects occur. | OpenShift and its components must generate audit records when modifying security objects. All the components must use the same standard so that the events can be tied together to understand what... |
| V-257571 | Medium | OpenShift must contain the latest images with most recent updates and execute within the container platform runtime as authorized by IAVM, CTOs, DTMs, and STIGs. | It is critical to the security and stability of the container platform and the software services running on the platform to ensure that images are deployed through a trusted software supply chain.... |
| V-257559 | Medium | OpenShift must configure Alert Manger Receivers to notify SA and ISSO of all audit failure events requiring real-time alerts. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an... |
| V-257573 | Medium | The Compliance Operator must be configured. | The Compliance Operator enables continuous compliance monitoring within OpenShift. It regularly assesses the environment against defined compliance policies and automatically detects and reports... |
| V-257572 | Medium | OpenShift runtime must have updates installed within the period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs). | OpenShift runtime must be carefully monitored for vulnerabilities, and when problems are detected, they must be remediated quickly. A vulnerable runtime exposes all containers it supports, as well... |
| V-257533 | Medium | OpenShift must protect audit information from unauthorized modification. | If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. In... |
| V-257554 | Medium | OpenShift must restrict individuals the ability to launch organizational-defined Denial-of-Service (DOS) attacks against other information systems by setting a default Resource Quota. | OpenShift allows administrators to define resource quotas on a namespace basis. This allows tailoring of the shared resources based on a project needs. However, when a new project is created,... |
| V-257579 | Medium | OpenShift must generate audit records when successful/unsuccessful logon attempts occur. | Audit records provide valuable information for security monitoring and intrusion detection. By generating audit logs for logon attempts, OpenShift enables administrators and security teams to... |
| V-257552 | Medium | OpenShift must restrict access to the kernel buffer. | Restricting access to the kernel buffer in OpenShift is crucial for preventing unauthorized access, protecting system stability, mitigating kernel-level attacks, preventing information leakage,... |
| V-257551 | Medium | OpenShift must set the sticky bit for world-writable directories. | Removing world-writable permissions or setting the sticky bit helps enforce access control on directories within the OpenShift platform. World-writable permissions allow any user to modify or... |
| V-257550 | Medium | OpenShift must enable poisoning of SLUB/SLAB objects. | By enabling poisoning of SLUB/SLAB objects, OpenShift can detect and identify use-after-free scenarios more effectively. The poisoned objects are marked as invalid or inaccessible, causing crashes... |
| V-257531 | Medium | OpenShift must protect log directory from any type of unauthorized access by setting owner permissions. | OpenShift follows the principle of least privilege, which aims to restrict access to resources based on user roles and responsibilities. This separation of privileges helps mitigate the risk of... |
| V-257511 | Medium | OpenShift must generate audit rules to capture account related actions. | Account management actions, such as creation, modification, disabling, removal, and enabling are important changes within the system.
When management actions are modified, user accessibility is... |
| V-257512 | Medium | Open Shift must automatically audit account removal actions. | When application accounts are removed, user accessibility is affected. Once an attacker establishes access to an application, the attacker often attempts to remove authorized accounts to disrupt... |
| V-257515 | Medium | OpenShift must enforce approved authorizations for controlling the flow of information within the container platform based on organization-defined information flow control policies. | OpenShift provides several layers of protection to control the flow of information between the container platform components and user services. Each user project is given a separate namespace and... |
| V-257530 | Medium | OpenShift must protect log directory from any type of unauthorized access by setting file permissions. | Log files contain sensitive information such as user credentials, system configurations, and potentially even security-related events. Unauthorized access to log files can expose this sensitive... |
| V-257529 | Medium | OpenShift must protect system journal file from any type of unauthorized access by setting owner permissions. | OpenShift follows the principle of least privilege, which aims to restrict access to resources based on user roles and responsibilities. This separation of privileges helps mitigate the risk of... |
| V-257568 | Medium | Red Hat Enterprise Linux CoreOS (RHCOS) must implement nonexecutable data to protect its memory from unauthorized code execution. | The NX bit is a hardware feature that prevents the execution of code from data memory regions. By enabling NX bit execute protection, OpenShift ensures that malicious code or exploits cannot... |
| V-257570 | Medium | OpenShift must remove old components after updated versions have been installed. | Previous versions of OpenShift components that are not removed from the container platform after updates have been installed may be exploited by adversaries by causing older components to execute... |
| V-257556 | Low | OpenShift must display an explicit logout message indicating the reliable termination of authenticated communication sessions. | The OpenShift CLI tool includes an explicit logout option.
The web console's default logout will invalidate the user's session token and redirect back to the console page, which will redirect... |
| V-257558 | Low | Red Hat Enterprise Linux CoreOS (RHCOS) must allocate audit record storage capacity to store at least one weeks' worth of audit records, when audit records are not immediately sent to a central audit record storage facility. | To ensure RHCOS has a sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocate audit record storage capacity. The task of allocating audit record... |
| V-257516 | Low | OpenShift must display the Standard Mandatory DOD Notice and Consent Banner before granting access to platform components. | OpenShift has countless components where different access levels are needed. To control access, the user must first log into the component and then be presented with a DOD-approved use... |
