UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide


Overview

Date Finding Count (83)
2024-06-10 CAT I (High): 7 CAT II (Med): 73 CAT III (Low): 3
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Public)

Finding ID Severity Title
V-257546 High OpenShift must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 validated cryptography.
V-257540 High OpenShift must disable root and terminate network connections.
V-257543 High OpenShift must use FIPS validated LDAP or OpenIDConnect.
V-257583 High Red Hat Enterprise Linux CoreOS (RHCOS) must disable SSHD service.
V-257557 High Container images instantiated by OpenShift must execute using least privileges.
V-257513 High OpenShift RBAC access controls must be enforced.
V-257519 High Red Hat Enterprise Linux CoreOS (RHCOS) must initiate session audits at system startup.
V-257569 Medium Red Hat Enterprise Linux CoreOS (RHCOS) must implement ASLR (Address Space Layout Randomization) from unauthorized code execution.
V-257517 Medium OpenShift must generate audit records for all DOD-defined auditable events within all components in the platform.
V-257514 Medium OpenShift must enforce network policy on the namespace for controlling the flow of information within the container platform based on organization-defined information flow control policies.
V-257553 Medium OpenShift must prevent kernel profiling.
V-257578 Medium OpenShift must generate audit records when successful/unsuccessful attempts to delete security objects occur.
V-257536 Medium OpenShift must use FIPS-validated cryptographic mechanisms to protect the integrity of log information.
V-257537 Medium OpenShift must verify container images.
V-257532 Medium OpenShift must protect pod log files from any type of unauthorized access by setting owner permissions.
V-257510 Medium OpenShift must automatically audit account modification.
V-257562 Medium OpenShift must set server token max age no greater than eight hours.
V-257563 Medium Vulnerability scanning applications must implement privileged access authorization to all OpenShift components, containers, and container images for selected organization-defined vulnerability scanning activities.
V-257560 Medium OpenShift must enforce access restrictions and support auditing of the enforcement actions.
V-257561 Medium OpenShift must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
V-257548 Medium OpenShift must prevent unauthorized and unintended information transfer via shared system resources and enable page poisoning.
V-257549 Medium OpenShift must disable virtual syscalls.
V-257564 Medium OpenShift keystore must implement encryption to prevent unauthorized disclosure of information at rest within the container platform.
V-257565 Medium OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by employing organization-defined security safeguards by including a default resource quota.
V-257544 Medium OpenShift must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity.
V-257545 Medium OpenShift must separate user functionality (including user interface services) from information system management functionality.
V-257547 Medium OpenShift runtime must isolate security functions from nonsecurity functions.
V-257541 Medium OpenShift must use multifactor authentication for network access to accounts.
V-257542 Medium OpenShift must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.
V-257526 Medium The Red Hat Enterprise Linux CoreOS (RHCOS) chrony Daemon must use multiple NTP servers to generate audit record time stamps.
V-257527 Medium OpenShift must protect audit logs from any type of unauthorized access.
V-257524 Medium OpenShift components must provide the ability to send audit logs to a central enterprise repository for review and analysis.
V-257525 Medium OpenShift must use internal system clocks to generate audit record time stamps.
V-257522 Medium All audit records must generate the event results within OpenShift.
V-257505 Medium OpenShift must use TLS 1.2 or greater for secure container image transport from trusted sources.
V-257520 Medium All audit records must identify what type of event has occurred within OpenShift.
V-257521 Medium OpenShift audit records must have a date and time association with all events.
V-257508 Medium The kubeadmin account must be disabled.
V-257509 Medium OpenShift must automatically audit account creation.
V-257528 Medium OpenShift must protect system journal file from any type of unauthorized access by setting file permissions.
V-257523 Medium OpenShift must take appropriate action upon an audit failure.
V-257518 Medium OpenShift must generate audit records when successful/unsuccessful attempts to access privileges occur.
V-257539 Medium OpenShift runtime must enforce ports, protocols, and services that adhere to the PPSM CAL.
V-257506 Medium OpenShift must use TLS 1.2 or greater for secure communication.
V-257538 Medium OpenShift must contain only container images for those capabilities being offered by the container platform.
V-257580 Medium Red Hat Enterprise Linux CoreOS (RHCOS) must be configured to audit the loading and unloading of dynamic kernel modules.
V-257581 Medium OpenShift audit records must record user access start and end times.
V-257582 Medium OpenShift must generate audit records when concurrent logons from different workstations and systems occur.
V-257584 Medium Red Hat Enterprise Linux CoreOS (RHCOS) must disable USB Storage kernel module.
V-257507 Medium OpenShift must use a centralized user management solution to support account management functions.
V-257586 Medium OpenShift must continuously scan components, containers, and images for vulnerabilities.
V-257585 Medium Red Hat Enterprise Linux CoreOS (RHCOS) must use USBGuard for hosts that include a USB Controller.
V-257534 Medium OpenShift must prevent unauthorized changes to logon UIDs.
V-257555 Medium OpenShift must restrict individuals the ability to launch organizational-defined Denial-of-Service (DOS) attacks against other information systems by rate-limiting.
V-257566 Medium OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by defining resource quotas on a namespace.
V-257535 Medium OpenShift must protect audit tools from unauthorized access.
V-257587 Medium OpenShift must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (nonlegacy use).
V-257567 Medium OpenShift must protect the confidentiality and integrity of transmitted information.
V-257575 Medium OpenShift must generate audit records when successful/unsuccessful attempts to modify privileges occur.
V-257574 Medium OpenShift must perform verification of the correct operation of security functions: upon startup and/or restart; upon command by a user with privileged access; and/or every 30 days.
V-257577 Medium OpenShift must generate audit records when successful/unsuccessful attempts to delete privileges occur.
V-257576 Medium OpenShift must generate audit records when successful/unsuccessful attempts to modify security objects occur.
V-257571 Medium OpenShift must contain the latest images with most recent updates and execute within the container platform runtime as authorized by IAVM, CTOs, DTMs, and STIGs.
V-257559 Medium OpenShift must configure Alert Manger Receivers to notify SA and ISSO of all audit failure events requiring real-time alerts.
V-257573 Medium The Compliance Operator must be configured.
V-257572 Medium OpenShift runtime must have updates installed within the period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
V-257533 Medium OpenShift must protect audit information from unauthorized modification.
V-257554 Medium OpenShift must restrict individuals the ability to launch organizational-defined Denial-of-Service (DOS) attacks against other information systems by setting a default Resource Quota.
V-257579 Medium OpenShift must generate audit records when successful/unsuccessful logon attempts occur.
V-257552 Medium OpenShift must restrict access to the kernel buffer.
V-257551 Medium OpenShift must set the sticky bit for world-writable directories.
V-257550 Medium OpenShift must enable poisoning of SLUB/SLAB objects.
V-257531 Medium OpenShift must protect log directory from any type of unauthorized access by setting owner permissions.
V-257511 Medium OpenShift must generate audit rules to capture account related actions.
V-257512 Medium Open Shift must automatically audit account removal actions.
V-257515 Medium OpenShift must enforce approved authorizations for controlling the flow of information within the container platform based on organization-defined information flow control policies.
V-257530 Medium OpenShift must protect log directory from any type of unauthorized access by setting file permissions.
V-257529 Medium OpenShift must protect system journal file from any type of unauthorized access by setting owner permissions.
V-257568 Medium Red Hat Enterprise Linux CoreOS (RHCOS) must implement nonexecutable data to protect its memory from unauthorized code execution.
V-257570 Medium OpenShift must remove old components after updated versions have been installed.
V-257556 Low OpenShift must display an explicit logout message indicating the reliable termination of authenticated communication sessions.
V-257558 Low Red Hat Enterprise Linux CoreOS (RHCOS) must allocate audit record storage capacity to store at least one weeks' worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
V-257516 Low OpenShift must display the Standard Mandatory DOD Notice and Consent Banner before granting access to platform components.