Finding ID |
Severity |
Title |
Description |
V-233290
|
High |
The container platform must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithms for transmission. |
The use of secure ports, protocols and services within the container platform must be controlled and conform to the PPSM CAL. Those ports, protocols, and services that fall outside the PPSM CAL must be blocked by the runtime. Instructions on the PPSM can be found in DoD Instruction 8551.01 Policy.... |
V-233289
|
High |
The container platform must use a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality. |
Unvalidated cryptography is viewed by NIST as providing no protection to the information or data. In effect, the data would be considered unprotected plaintext. If the agency specifies that the information or data be cryptographically protected, then FIPS 140-2 is applicable. In essence, if cryptography is required, it must be... |
V-233224
|
High |
The application must protect the confidentiality and integrity of transmitted information. |
Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered.
This requirement applies only to those applications that either are distributed or can allow access to data non-locally. Use of this requirement will be limited to situations... |
V-233220
|
High |
The container platform keystore must implement encryption to prevent unauthorized disclosure of information at rest within the container platform. |
Container platform keystore is used for container deployments for persistent storage of all its REST API objects. These objects are sensitive in nature and should be encrypted at rest to avoid any unauthorized disclosure. Selection of a cryptographic mechanism is based on the need to protect the confidentiality of organizational... |
V-233185
|
High |
The container platform runtime must prohibit the instantiation of container images without explicit privileged status. |
Controlling access to those users and roles responsible for container image instantiation reduces the risk of untested or potentially malicious containers from being executed within the platform and on the hosting system. This access may be separate from the access required to install container images into the registry and those... |
V-233118
|
High |
The container platform must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules. |
The container platform is responsible for pulling images from trusted sources and placing those images into its registry. To protect the transmission of images, the container platform must use FIPS-validated 140-2 or 140-3 cryptographic modules. This added protection defends against main-in-the-middle attacks where malicious code could be added to an... |
V-233096
|
High |
For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process. |
Passwords need to be protected on entry, in transmission, during authentication, and when stored. If compromised at any of these security points, a nefarious user can use the password along with stolen user account information to gain access or to escalate privileges. The container platform may require account authentication during... |
V-270876
|
Medium |
The container root filesystem must be mounted as read-only. |
Any changes to a container must be made by rebuilding the image and redeploying the new container image. Once a container is running, changes to the root filesystem should not be needed, thus preserving the immutable nature of the container. Any attempts to change the root filesystem are usually malicious... |
V-270875
|
Medium |
The container must have resource request limits set. |
Setting a container resource request limit allows the container platform to determine the best location for the container to execute. The container platform looks at the resources available and finds the location that will require the minimum resources for the container to execute. Examples of resources that can be specified... |
V-263601
|
Medium |
The container platform must synchronize system clocks within and between systems or system components. |
Time synchronization of system clocks is essential for the correct execution of many system services, including identification and authentication processes that involve certificates and time-of-day restrictions as part of access control. Denial of service or failure to deny expired credentials may result without properly synchronized clocks within and between systems... |
V-263600
|
Medium |
The container platform must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store. |
A Trusted Platform Module (TPM) is an example of a hardware-protected data store that can be used to protect cryptographic keys. |
V-263599
|
Medium |
The container platform must include only approved trust anchors in trust stores or certificate stores managed by the organization. |
Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the internal operations of systems, such as application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed... |
V-263598
|
Medium |
The container platform must protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the system by logically separated communications paths. |
Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network.
Communications paths can be logically separated using encryption. |
V-263597
|
Medium |
The container platform must for password-based authentication, employ automated tools to assist the user in selecting strong password authenticators. |
Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length... |
V-263596
|
Medium |
The container platform must for password-based authentication, allow user selection of long passwords and passphrases, including spaces and all printable characters. |
Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length... |
V-263595
|
Medium |
The container platform must for password-based authentication, require immediate selection of a new password upon account recovery. |
Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length... |
V-263594
|
Medium |
The container platform must for password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a). |
Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length... |
V-263593
|
Medium |
The container platform must for password-based authentication, update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly. |
Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length... |
V-263592
|
Medium |
The container platform must for password-based authentication, update the list of passwords on an organization-defined frequency. |
Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length... |
V-263591
|
Medium |
The container platform must for password-based authentication, maintain a list of commonly used, expected, or compromised passwords on an organization-defined frequency. |
Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length... |
V-263590
|
Medium |
The container platform must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements. |
The purpose of requiring a device that is separate from the system to which the user is attempting to gain access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authenticators or credentials stored on the system. Adversaries may be able to compromise such... |
V-263589
|
Medium |
The container platform must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access. |
The purpose of requiring a device that is separate from the system to which the user is attempting to gain access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authenticators or credentials stored on the system. Adversaries may be able to compromise such... |
V-263588
|
Medium |
The container platform must alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information. |
Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits... |
V-263587
|
Medium |
The container platform must implement the capability to centrally review and analyze audit records from multiple components within the system. |
Automated mechanisms for centralized reviews and analyses include Security Information and Event Management products. |
V-263586
|
Medium |
The container platform must disable accounts when the accounts are no longer associated to a user. |
Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality which reduce the attack surface of the system. |
V-257291
|
Medium |
The container platform must enforce organization-defined circumstances and/or usage conditions for organization-defined accounts. |
Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours can indicate hostile activity if it occurs during off hours.
Depending on mission needs and conditions, account usage restrictions based on conditions and circumstances may be critical to limit access to resources and... |
V-233285
|
Medium |
The container platform must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use). |
Without the use of digital signature, information can be altered by unauthorized accounts accessing or modifying the container platform registry, keystore, and container at runtime. Digital signatures provide non-repudiation for transactions between the components within the container platform. Without the use of approved FIPS-validated SHA-2 or higher hash function with... |
V-233284
|
Medium |
The container platform must validate certificates used for Transport Layer Security (TLS) functions by performing an RFC 5280-compliant certification path validation. |
A certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate and discourages the use of self-signed certificates.
Certification path validation includes... |
V-233276
|
Medium |
The container platform must prohibit communication using TLS versions 1.0 and 1.1, and SSL 2.0 and 3.0. |
The container platform and its components will prohibit the use of SSL and unauthorized versions of TLS protocols to properly secure communication.
The use of unsupported protocol exposes vulnerabilities to the container platform by rogue traffic interceptions, man-in-the middle-attacks, and impersonation of users or services from the container platform runtime,... |
V-233275
|
Medium |
The container platform must continuously scan components, containers, and images for vulnerabilities. |
Finding vulnerabilities quickly within the container platform and within containers deployed within the platform is important to keep the overall platform secure. When a vulnerability within a component or container is unknown or allowed to remain unpatched, other containers and customers within the platform become vulnerability. The vulnerability can lead... |
V-233274
|
Medium |
The container platform must be able to store and instantiate industry standard container images. |
Monitoring the container images and containers during their lifecycle is important to guarantee the container platform is secure. To monitor the containers and images, security tools can be put in place. To fully utilize the security tools available, using images formatted in an industry standard format should be used. This... |
V-233273
|
Medium |
Container platform components must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs. |
Container platform components are part of the overall container platform, offering services that enable the container platform to fully orchestrate user containers. These components may fall outside the scope of this document, but they still must be secured. Examples of such components are DNS, routers, and firewalls. These and any... |
V-233271
|
Medium |
The container platform must use a valid FIPS 140-2 approved cryptographic modules to generate hashes. |
The cryptographic module used must have at least one validated hash algorithm. This validated hash algorithm must be used to generate cryptographic hashes for all cryptographic security function within the container platform components being evaluated.
FIPS 140-2 precludes the use of invalidated cryptography for the cryptographic protection of sensitive or... |
V-233270
|
Medium |
The container runtime must generate audit records for all container execution, shutdown, restart events, and program initiations. |
The container runtime must generate audit records that are specific to the security and mission needs of the organization. Without audit record, it would be difficult to establish, correlate, and investigate events relating to an incident. |
V-233269
|
Medium |
The container platform must generate audit records for all account creations, modifications, disabling, and termination events. |
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g.,... |
V-233268
|
Medium |
Direct access to the container platform must generate audit records. |
Direct access to the container platform and its components must generate audit records. All the components must use the same standard so that the events can be tied together to understand what took place within the overall container platform. This must establish, correlate, and help assist with investigating the events... |
V-233267
|
Medium |
The container platform runtime must generate audit records when successful/unsuccessful attempts to access objects occur. |
Container platform runtime objects are defined as configuration files, code, etc. This provides the ability to configure resources and software parameters prior to image execution from the container platform registry. An unauthorized user with malicious intent could modify existing objects causing vulnerabilities or attacks. It would be difficult to establish,... |
V-233266
|
Medium |
The container platform must generate audit records when concurrent logons from different workstations and systems occur. |
The container platform and its components must generate audit records for concurrent logons from workstations perform remote maintenance, runtime instances, connectivity to the container registry, and keystore. All the components must use the same standard so the events can be tied together to understand what took place within the overall... |
V-233265
|
Medium |
The container platform audit records must record user access start and end times. |
The container platform must generate audit records showing start and end times for users and services acting on behalf of a user accessing the registry and keystore. These components must use the same standard so that the events can be tied together to understand what took place within the overall... |
V-233264
|
Medium |
The container platform must generate audit record for privileged activities. |
The container platform components will generate audit records for privilege activities and container platform runtime, registry, and keystore must generate access audit records to detect possible malicious intent. All the components must use the same standard so that the events can be tied together to understand what took place within... |
V-233263
|
Medium |
The container platform must generate audit records when successful/unsuccessful logon attempts occur. |
The container platform and its components must generate audit records when successful and unsuccessful logon attempts occur. The information system can determine if an account is compromised or is in the process of being compromised and can take actions to thwart the attack. All the components must use the same... |
V-233262
|
Medium |
The container platform must generate audit records when successful/unsuccessful attempts to delete categories of information (e.g., classification levels) occur. |
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g.,... |
V-233261
|
Medium |
The container platform must generate audit records when successful/unsuccessful attempts to delete security objects occur. |
Unauthorized users modify level the security levels to exploit vulnerabilities within the container platform component. All the components must use the same standard so that the events can be tied together to understand what took place within the overall container platform. This must establish, correlate, and help assist with investigating... |
V-233260
|
Medium |
The container platform must generate audit records when successful/unsuccessful attempts to delete security levels occur. |
The container platform and its components must generate audit records when deleting security levels. All the components must use the same standard so that the events can be tied together to understand what took place within the overall container platform. This must establish, correlate, and help assist with investigating the... |
V-233259
|
Medium |
The container platform must generate audit records when successful/unsuccessful attempts to delete privileges occur. |
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g.,... |
V-233258
|
Medium |
The container platform must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur. |
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g.,... |
V-233257
|
Medium |
The container platform must generate audit records when successful/unsuccessful attempts to modify security levels occur. |
Unauthorized users could modify the security levels to exploit vulnerabilities within the container platform component. All the components must use the same standard so that the events can be tied together to understand what took place within the overall container platform. This must establish, correlate, and help assist with investigating... |
V-233256
|
Medium |
The container platform must generate audit records when successful/unsuccessful attempts to modify security objects occur. |
The container platform and its components must generate audit records when modifying security objects. All the components must use the same standard so that the events can be tied together to understand what took place within the overall container platform. This must establish, correlate, and help assist with investigating the... |
V-233255
|
Medium |
The container platform must generate audit records when successful/unsuccessful attempts to modify privileges occur. |
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g.,... |
V-233254
|
Medium |
The container platform must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. |
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g.,... |
V-233253
|
Medium |
The container platform must generate audit records when successful/unsuccessful attempts to access security levels occur. |
Unauthorized users could access the security levels to exploit vulnerabilities within the container platform component. All the components must use the same standard so that the events can be tied together to understand what took place within the overall container platform. This must establish, correlate, and help assist with investigating... |
V-233252
|
Medium |
The container platform must generate audit records when successful/unsuccessful attempts to access security objects occur. |
The container platform and its components must generate audit records when successful and unsuccessful access security objects occur. All the components must use the same standard so that the events can be tied together to understand what took place within the overall container platform. This must establish, correlate, and help... |
V-233244
|
Medium |
The container platform must provide system notifications to the system administrator and operational staff when anomalies in the operation of the organization-defined security functions are discovered. |
If anomalies are not acted upon, security functions may fail to secure the container within the container platform runtime.
Security functions are responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited... |
V-233243
|
Medium |
The container platform must perform verification of the correct operation of security functions: upon system startup and/or restart; upon command by a user with privileged access; and/or every 30 days. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. |
Without verification, security functions may not operate correctly and this failure may go unnoticed within the container platform.
Security functions are responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to,... |
V-233242
|
Medium |
The organization-defined role must verify correct operation of security functions in the container platform. |
Without verification, security functions may not operate correctly and this failure may go unnoticed within the container platform. The container platform components must identity and ensure the security functions are still operational and applicable to the organization.
Security functions are responsible for enforcing the system security policy and supporting the... |
V-233234
|
Medium |
The container platform runtime must have updates installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs). |
The container platform runtime must be carefully monitored for vulnerabilities, and when problems are detected, they must be remediated quickly. A vulnerable runtime exposes all containers it supports, as well as the host itself, to potentially significant risk. Organizations should use tools to look for Common Vulnerabilities and Exposures (CVEs)... |
V-233233
|
Medium |
The container platform registry must contain the latest images with most recent updates and execute within the container platform runtime as authorized by IAVM, CTOs, DTMs, and STIGs. |
Software supporting the container platform, images in the registry must stay up to date with the latest patches, service packs, and hot fixes. Not updating the container platform and container images will expose the organization to vulnerabilities.
Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system... |
V-233231
|
Medium |
The container platform registry must remove old container images after updating versions have been made available. |
Obsolete and stale images need to be removed from the registry to ensure the container platform maintains a secure posture. While the storing of these images does not directly pose a threat, they do increase the likelihood of these images being deployed. Removing stale or obsolete images and only keeping... |
V-233230
|
Medium |
The container platform must remove old components after updated versions have been installed. |
Previous versions of container platform components that are not removed from the container platform after updates have been installed may be exploited by adversaries by causing older components to execute which contain vulnerabilities. When these components are deleted, the likelihood of this happening is removed. |
V-233229
|
Medium |
The container platform must implement organization-defined security safeguards to protect system CPU and memory from resource depletion and unauthorized code execution. |
The execution of images within the container platform runtime must implement organizational defined security safeguards to prevent distributed denial-of-service (DDOS) and other possible attacks against the container image at runtime.
Security safeguards employed to protect memory and CPU include, for example, data execution prevention and address space layout randomization. Data... |
V-233228
|
Medium |
The container platform must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received. |
Software or code parameters typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If attacker-supplied inputs to construct structured messages without properly encoding such messages,... |
V-233227
|
Medium |
The container platform must maintain the confidentiality and integrity of information during reception. |
Information either can be unintentionally or maliciously disclosed or modified during reception for reception within the container platform during aggregation, at protocol transformation points, and during container image runtime. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. When receiving data, the container platform components need... |
V-233226
|
Medium |
The container platform must maintain the confidentiality and integrity of information during preparation for transmission. |
Information may be unintentionally or maliciously disclosed or modified during preparation for transmission within the container platform during aggregation, at protocol transformation points, and during container image runtime. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. When transmitting data, the container platform components need to... |
V-233222 | Medium | The container platform must protect against or limit the effects of all types of denial-of-service (DoS) attacks by employing organization-defined security safeguards. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of the container platform to mitigate the impact of DoS attacks that have occurred. For each... |
V-233221 | Medium | The container platform runtime must maintain separate execution domains for each container by assigning each container a separate address space. | Container namespace access is limited upon runtime execution. Each container is a distinct process so that communication between containers is performed in a manner controlled through security policies that limit the communication so one container cannot modify another container. Different groups of containers with different security needs should be deployed... |
V-233211 | Medium | The container platform must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data and images. The container platform must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. |
V-233210 | Medium | Vulnerability scanning applications must implement privileged access authorization to all container platform components, containers, and container images for selected organization-defined vulnerability scanning activities. | In certain situations, the nature of the vulnerability scanning may be more intrusive, or the container platform component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning.... |
V-233208 | Medium | The container platform must configure web management tools and Application Program Interfaces (API) with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through either an external network (e.g., the internet) or an internal network. |
V-233207 | Medium | Container platform applications and Application Program Interfaces (API) used for nonlocal maintenance sessions must use FIPS-validated keyed-hash message authentication code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications. | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified, and therefore cannot be relied on to provide confidentiality or integrity, and DoD data may be compromised. Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through either an external network (e.g., the internet)... |
V-233206 | Medium | The container platform must audit non-local maintenance and diagnostic sessions' organization-defined audit events associated with non-local maintenance. | To fully investigate an attack, it is important to understand the event and those events taking place during the same time period. Often, non-local administrative access and diagnostic sessions are not logged. These events are seen as only administrative functions and not worthy of being audited, but these events are... |
V-233202 | Medium | The container platform must accept Personal Identity Verification (PIV) credentials from other federal agencies. | Controlling access to the container platform and its components is paramount in having a secure and stable system. Validating users is the first step in controlling the access. Users may be validated by the overall container platform or they may be validated by each component. It is essential to accept... |
V-233201 | Medium | The container platform, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | The potential of allowing access to users who are no longer authorized (have revoked certificates) increases unless a local cache of revocation data is configured. |
V-233200 | Medium | The container platform must prohibit the use of cached authenticators after an organization-defined time period. | If cached authentication information is out of date, the validity of the authentication information may be questionable. |
V-233195 | Medium | The container platform must be configured to use multi-factor authentication for user authentication. | Controlling access to the container platform and its components is paramount in having a secure and stable system. Validating users is the first step in controlling the access. Users may be validated by the overall container platform or they may be validated by each component. To standardize and reduce the... |
V-233193 | Medium | The container platform must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. | Controlling user access is paramount in securing the container platform. During a user's access to the container platform, events may occur that change the user's access and which require reauthentication. For instance, if the capability to change security roles or escalate privileges is implemented, it is critical the user reauthenticate.... |
V-233192 | Medium | The container platform registry must employ a deny-all, permit-by-exception (whitelist) policy to allow only authorized container images in the container platform. | Controlling the sources where container images can be pulled from allows the organization to define what software can be run within the container platform. Allowing any container image to be introduced and instantiated within the container platform may introduce malicious code and vulnerabilities to the platform and the hosting system.... |
V-233191 | Medium | The container platform must prevent component execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage. | The container platform may offer components such as DNS services, firewall services, router services, or web services that are not required by every organization to meet their needs. Container platform components may also add capabilities that run counter to the mission or that provide users with functionality that exceeds mission... |
V-233190 | Medium | All non-essential, unnecessary, and unsecure DoD ports, protocols, and services must be disabled in the container platform. | To properly offer services to the user and to orchestrate containers, the container platform may offer services that use ports and protocols that best fit those services. The container platform, when offering the services, must only offer the services on ports and protocols authorized by the DoD. To validate that... |
V-233189 | Medium | The container platform must enforce access restrictions and support auditing of the enforcement actions. | Auditing the enforcement of access restrictions against changes to the container platform helps identify attacks and provides forensic data for investigation for after-the-fact actions. Attempts to change configurations, components, or data maintained by a component (e.g., images in the registry, running containers in the runtime, or keys in the keystore)... |
V-233188 | Medium | The container platform must enforce access restrictions for container platform configuration changes. | Configuration changes cause the container platform to change the way it operates. These changes can be used to improve the system with added features or performance, but these configuration changes can also be used to introduce malicious features and degrade performance. To control the configuration changes made to the container... |
V-233186 | Medium | The container platform registry must prohibit installation or modification of container images without explicit privileged status. | Controlling access to those users and roles that perform container platform registry functions reduces the risk of untested or potentially malicious containers from being introduced into the platform. This access may be separate from the access required to instantiate container images into services and those access requirements required to perform... |
V-233184 | Medium | The container platform must prohibit the installation of patches and updates without explicit privileged status. | Controlling access to those users and roles responsible for patching and updating the container platform reduces the risk of untested or potentially malicious software from being installed within the platform. This access may be separate from the access required to install container images into the registry and those access requirements... |
V-233182 | Medium | The container platform must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision. | To properly investigate an event, it is important to have enough granularity within the time stamps to determine the chronological order of the audited events. Without this granularity, events may be interpreted out of proper sequence, thus hobbling the investigation or causing the investigation to come to inaccurate conclusions. Time... |
V-233181 | Medium | All audit records must use UTC or GMT time stamps. | The container platform and its components must generate audit records using either Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) time stamps or local time that is offset from UTC. All the components must use the same standard so that the events can be tied together to understand what took... |
V-233171 | Medium | The container platform must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide... |
V-233170 | Medium | The container platform must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity. | If security personnel are not notified immediately upon storage volume utilization reaching 75 percent, they are unable to plan for storage capacity expansion. |
V-233169 | Medium | Audit records must be stored at a secondary location. | Auditable events are used in the investigation of incidents and must be protected from being deleted or altered. Often, events that took place in the past must be viewed to understand the entire incident. For the purposes of audit event protection and recall, audit events are often off-loaded to an... |
V-233168 | Medium | The container platform must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. | In order to ensure applications have a sufficient storage capacity in which to write the audit logs, applications need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial installation of the application and is closely associated with... |
V-233166 | Medium | The container platform must provide the configuration for organization-identified individuals or roles to change the auditing to be performed on all components, based on all selectable event criteria within organization-defined time thresholds. | Auditing requirements may change per organization or situation within an organization. With the container platform allowing an organization to customize the auditing, an organization can decide to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve resources may be extended to address certain... |
V-233165 | Medium | The container platform must automatically lock an account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. |
V-233164 | Medium | The container platform must audit the execution of privileged functions. | Privileged functions within the container platform can be component specific or can envelop the entire container platform. Because of the nature of the commands, it is important to understand what command was executed for either investigation of an incident or for debugging/error correction; therefore, privileged function execution must be audited. |
V-233163 | Medium | Container images instantiated by the container platform must execute using least privileges. | Containers running within the container platform must execute as non-privileged. When a container can execute as a privileged container, the privileged container is also a privileged user within the hosting system, and the hosting system becomes a major security risk. It is important for the container platform runtime to validate... |
V-233162 | Medium | The container platform must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Controlling what users can perform privileged functions prevents unauthorized users from performing tasks that may expose data or degrade the container platform. When users are not segregated into privileged and non-privileged users, unauthorized individuals may perform tasks such as deploying containers, pulling images into the registry, and modifying keys in... |
V-233158 | Medium | The container platform must notify the system administrator (SA) and information system security officer (ISSO) of account enabling actions. | Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Sending notification of account enabling events to the system administrator and ISSO is... |
V-233157 | Medium | The container platform must automatically audit account-enabling actions. | Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Automatically auditing account enabling actions provides logging that can be used for forensic... |
V-233155 | Medium | The container platform must terminate shared/group account credentials when members leave the group. | If shared/group account credentials are not terminated when individuals leave the group, the user that left the group can still gain access even though they are no longer authorized. A shared/group account credential is a shared form of authentication that allows multiple individuals to access the application using a single... |
V-233146 | Medium | The container platform must notify system administrators and ISSO for account removal actions. | When application accounts are removed, user accessibility is affected. Accounts are utilized for identifying users or for identifying the application processes themselves. Sending notification of account removal events to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application... |
V-233145 | Medium | The container platform must notify system administrators and ISSO for account disabling actions. | When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the application processes themselves. Sending notification of account disabling events to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that... |
V-233144 | Medium | The container platform must notify system administrators (SAs) and the information system security officer (ISSO) when accounts are modified. | When application accounts are modified, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the application processes themselves. Sending notification of account modification events to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that... |
V-233143 | Medium | The container platform must notify system administrators (SAs) and the information system security officer (ISSO) when accounts are created. | Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Sending notification of account creation events to the SA and ISSO is one method for... |
V-233142 | Medium | The container platform must use cryptographic mechanisms to protect the integrity of audit tools. | Protecting the integrity of the tools used for auditing purposes is a critical step to ensuring the integrity of audit data. Audit data includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include, but are not limited to, vendor... |
V-233133 | Medium | The container platform must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. | The container platform is responsible for offering services to users. These services could be across diverse user groups and data types. To protect information about the container platform, services, users, and data, it is important during error message generation to offer enough information to diagnose the error, but not reveal... |
V-233129 | Medium | The container platform must restrict individuals' ability to launch organizationally defined denial-of-service (DoS) attacks against other information systems. | The container platform will offer services to users and these services share resources available on the hosting system. To share the resources in a manner that does not exhaust or overutilize resources, it is necessary for the container platform to have mechanisms that allow developers to size their containers... |
V-233128 | Medium | The container platform must prevent unauthorized and unintended information transfer via shared system resources. | The container platform makes host system resources available to container services. These shared resources, such as the host system kernel, network connections, and storage, must be protected to prevent unauthorized and unintended information transfer. The protections must be implemented for users and processes acting on behalf of users. |
V-233127 | Medium | The container platform must prohibit containers from accessing privileged resources. | Container images instantiated within the container platform may request access to host system resources. Access to privileged resources can allow for unauthorized and unintended transfer of information, but in some cases, these resources may be needed for the service being offered by the container. By default, containers should be denied... |
V-233126 | Medium | The container platform must never automatically remove or disable emergency accounts. | Emergency accounts are administrator accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system... |
V-233125 | Medium | The container platform runtime must isolate security functions from non-security functions. | The container platform runtime must be configured to isolate those services used for security functions from those used for non-security functions. This separation can be performed using environment variables, labels, network segregation, and kernel groups. |
V-233123 | Medium | The container platform must preserve any information necessary to determine the cause of the disruption or failure. | When a failure occurs within the container platform, preserving the state of the container platform and its components, along with other container services, helps to facilitate container platform restart and return to the operational mode of the organization with less disruption to mission essential processes. When preserving state, considerations for... |
V-233122 | Medium | The container platform runtime must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. | The container platform offers services for container image orchestration and services for users. If any of these services were to fail into an insecure state, security measures for user and data separation and image instantiation could become absent. In addition, audit log protections could be relaxed allowing for investigation of... |
V-233114 | Medium | The container platform must separate user functionality (including user interface services) from information system management functionality. | Separating user functionality from management functionality is a requirement for all the components within the container platform. Without the separation, users may have access to management functions that can degrade the container platform and the services being offered and can offer a method to bypass testing and validation of functions... |
V-233108 | Medium | The application must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by... |
V-233106 | Medium | The container platform must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions. | If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability to access sensitive application information, such as, system configuration details, diagnostic information, user information, and potentially sensitive application data. Non-local maintenance and... |
V-233105 | Medium | The container platform must provide an audit reduction capability that supports on-demand reporting requirements. | The ability to generate on-demand reports, including after the audit data has been subjected to audit reduction, greatly facilitates the organization's ability to generate incident reports as needed to better handle larger-scale or more complex security incidents. Audit reduction is a process that manipulates collected audit information and organizes such... |
V-233102 | Medium | The container platform must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. | To prevent the compromise of authentication information such as passwords during the authentication process, the feedback from the container platform and its components, e.g., runtime, registry, and keystore, must not provide any information that would allow an unauthorized user to compromise the authentication mechanism. Obfuscation of user-provided information when typed... |
V-233101 | Medium | The container platform must map the authenticated identity to the individual user or group account for PKI-based authentication. | The container platform and its components may require authentication before use. When the authentication is PKI-based, the container platform or component must map the certificate to a user account. If the certificate is not mapped to a user account, the ability to determine the identity of the individual user or... |
V-233098 | Medium | The container platform must enforce a 60-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked; therefore, passwords need to be changed at specific intervals. One method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit the lifetime of passwords and force users to change their... |
V-233097 | Medium | The container platform must enforce 24 hours (one day) as the minimum password lifetime. | Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. Restricting this setting limits the user's ability to change their password. Passwords need to be changed at specific policy-based intervals; however, if the application allows the user to immediately and continually... |
V-233095 | Medium | For container platforms using password authentication, the application must store only cryptographic representations of passwords. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read and easily compromised. Use of passwords for authentication is intended only for limited situations and should not be used as a replacement for... |
V-233094 | Medium | The container platform must require the change of at least 15 of the total number of characters when passwords are changed. | If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. The number of changed characters refers to the number of changes required with respect to the total... |
V-233093 | Medium | The container platform must enforce password complexity by requiring that at least one special character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor in determining how long it takes to... |
V-233092 | Medium | The container platform must enforce password complexity by requiring that at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it... |
V-233091 | Medium | The container platform must enforce password complexity by requiring that at least one lowercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it... |
V-233090 | Medium | The container platform must enforce password complexity by requiring that at least one uppercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it... |
V-233088 | Medium | The container platform must enforce a minimum 15-character password length. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that... |
V-233087 | Medium | The container platform must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. | Inactive identifiers pose a risk to systems and applications. Attackers that are able to exploit an inactive identifier can potentially obtain and maintain undetected access to the application. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Applications need to track periods... |
V-233086 | Medium | The container platform must uniquely identify all network-connected nodes before establishing any connection. | A container platform usually consists of multiple nodes. It is important for these nodes to be uniquely identified before a connection is allowed. Without identifying the nodes, unidentified or unknown nodes may be introduced, thereby facilitating malicious activity. |
V-233085 | Medium | The container platform must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts. | A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by... |
V-233084 | Medium | The container platform must use a FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts. | A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. Anti-replay is a cryptographically based mechanism; thus, it must use FIPS-approved algorithms. An authentication process resists... |
V-233083 | Medium | The container platform must ensure users are authenticated with an individual authenticator prior to using a group authenticator. | To ensure individual accountability and prevent unauthorized access, application users must be individually identified and authenticated. Individual accountability mandates that each user be uniquely identified. A group authenticator is a shared account or some other form of authentication that allows multiple unique individuals to access the application using a single... |
V-233082 | Medium | The container platform must use multifactor authentication for local access to nonprivileged accounts. | To ensure accountability, prevent unauthenticated access, and prevent misuse of the system, nonprivileged users must utilize multi-factor authentication for local access. Multifactor authentication is defined as using two or more factors to achieve authentication. Factors include: (i) Something a user knows (e.g., password/PIN); (ii) Something a user has (e.g., cryptographic... |
V-233081 | Medium | The container platform must use multifactor authentication for local access to privileged accounts. | To ensure accountability and prevent unauthenticated access, privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication is defined as using two or more factors to achieve authentication. Factors include: (i) Something a user knows (e.g., password/PIN); (ii) Something a user has (e.g.,...
V-233080 | Medium | The container platform must use multifactor authentication for network access to non-privileged accounts. | To ensure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication uses two or more factors to achieve authentication. Factors include: (i) Something you know (e.g., password/PIN); (ii) Something you have (e.g., cryptographic identification device, token); or...
V-233079 | Medium | The container platform must use multifactor authentication for network access to privileged accounts. | Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. Factors include: (i) something a user knows (e.g., password/PIN); (ii) something a user has (e.g., cryptographic identification device, token); or (iii) something a...
V-233078 | Medium | The container platform application program interface (API) must uniquely identify and authenticate processes acting on behalf of the users. | The container platform API can be used to perform any task within the platform. Often, the API is used to create tasks that perform some kind of maintenance task and run without user interaction. To guarantee the task is authorized, it is important to authenticate the task. These tasks, even...
V-233077 | Medium | The container platform must uniquely identify and authenticate processes acting on behalf of the users. | The container platform instantiates a container image and runs the container with the privileges of the user account used to execute it. To ensure accountability and prevent unauthenticated access to containers, the user account under which the container executes must be uniquely identified and authenticated to prevent potential misuse and...
V-233076 | Medium | The container platform application program interface (API) must uniquely identify and authenticate users. | The container platform requires user accounts to perform container platform tasks. These tasks are often performed through the container platform API. Protecting the API from users who are not authorized or authenticated is essential to keep the container platform stable. Protection of platform and application data and enhances the protections...
V-233075 | Medium | The container platform must uniquely identify and authenticate users. | The container platform requires user accounts to perform container platform tasks. These tasks may pertain to the overall container platform or may be component-specific, thus requiring users to authenticate against those specific components. To ensure accountability and prevent unauthenticated access, users must be identified and authenticated to prevent potential misuse...
V-233074 | Medium | The container platform runtime must enforce the use of ports that are non-privileged. | Privileged ports are those ports below 1024 that require system privileges for their use. If containers are able to use these ports, the container must be run as a privileged user. The container platform must stop containers that try to map to these ports directly. Allowing non-privileged ports to...
V-233073 | Medium | The container platform runtime must enforce ports, protocols, and services that adhere to the PPSM CAL. | Ports, protocols, and services within the container platform runtime must be controlled and conform to the PPSM CAL. Those ports, protocols, and services that fall outside the PPSM CAL must be blocked by the runtime. Instructions on the PPSM can be found in DoD Instruction 8551.01 Policy.
V-233072 | Medium | The container platform registry must contain only container images for those capabilities being offered by the container platform. | Allowing container images to reside within the container platform registry that are not essential to the capabilities being offered by the container platform becomes a potential security risk. By allowing these non-essential container images to exist, the possibility for accidental instantiation exists. The images may be unpatched, not supported, or...
V-233071 | Medium | The container platform must be configured with only essential configurations. | The container platform can be built with components that are not used for the intended purpose of the organization. To limit the attack surface of the container platform, it is essential that the non-essential services are not installed.
V-233070 | Medium | Authentication files for the container platform must be protected. | The secure configuration of the container platform must be protected by disallowing changes to be implemented by non-privileged users. Changes to the container platform can introduce security risks and stability issues and undermine change management procedures. Securing authentication files from non-privileged user modification can be enforced using file ownership...
V-233069 | Medium | Configuration files for the container platform must be protected. | The secure configuration of the container platform must be protected by disallowing changes to be implemented by non-privileged users. Changes to the container platform can introduce security risks or stability issues and undermine change management procedures. Securing configuration files from non-privileged user modification can be enforced using file ownership and...
V-233068 | Medium | The container platform must limit privileges to the container platform keystore. | The container platform keystore is used to store credentials used to build a trust between the container platform and some external source. This trust relationship is authorized by the organization. If a malicious user were to have access to the container platform keystore, two negative scenarios could develop: 1) Keys...
V-233067 | Medium | The container platform must limit privileges to the container platform runtime. | To control what is instantiated within the container platform, it is important to control access to the runtime. Without this control, container platform-specific services and customer services can be introduced without receiving approval and going through proper testing. Only those individuals and roles approved by the organization can have...
V-233066 | Medium | The container platform must limit privileges to the container platform registry. | To control what is instantiated within the container platform, it is important to control access to the registry. Without this control, container images can be introduced and instantiated by accident or on container platform startup. Without control of the registry, security measures put in place for the runtime can be...
V-233065 | Medium | The container platform must verify container images. | The container platform must be capable of validating that container images are signed and that the digital signature is from a recognized source approved by the organization. Allowing any container image to be introduced into the registry and instantiated into a container can allow for services to be introduced...
V-233064 | Medium | The container platform must be built from verified packages. | It is important to patch and upgrade the container platform when patches and upgrades are available. More important is to get these patches and upgrades from a known source. To validate the authenticity of any patches and upgrades before installation, the container platform must check that the files are digitally...
V-233063 | Medium | The container platform must use FIPS-validated cryptographic mechanisms to protect the integrity of log information. | To fully investigate an incident and to have trust in the audit data that is generated, it is important to put in place data protections. Without integrity protections, unauthorized changes may be made to the audit files and reliable forensic analysis and discovery of the source of malicious system activity...
V-233061 | Medium | The container platform must protect audit tools from unauthorized deletion. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Applications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools...
V-233060 | Medium | The container platform must protect audit tools from unauthorized modification. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Applications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools...
V-233059 | Medium | The container platform must protect audit tools from unauthorized access. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Applications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools...
V-233058 | Medium | The container platform must protect audit information from unauthorized deletion. | If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity would be impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized deletion. This requirement can be...
V-233057 | Medium | The container platform must protect audit information from unauthorized modification. | If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity would be impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification. This requirement can be...
V-233056 | Medium | The container platform must protect audit information from any type of unauthorized read access. | If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. In addition, access to audit records provides information an attacker could potentially use to his or her advantage. To ensure the...
V-233055 | Medium | The container platform must use internal system clocks to generate audit record time stamps. | Understanding the timing and sequence of events for an incident is crucial to understanding what may have taken place. Without a common clock, the components generating audit events could be out of synchronization and would then present a picture of the event that is warped and corrupted. To give a clear...
V-233052 | Medium | The container platform components must provide the ability to send audit logs to a central enterprise repository for review and analysis. | The container platform components must send audit events to a central managed audit log repository to provide reporting, analysis, and alert notification. Incident response relies on successful, timely, and accurate system analysis in order for the organization to identify and respond to possible security events.
V-233049 | Medium | The container platform must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users. | During an investigation of an incident, it is important to fully understand what took place. Often, information is not part of the audited event due to the data's nature, security risk, or audit log size. Organizations must consider limiting the additional audit information to only that information explicitly needed for...
V-233048 | Medium | All audit records must identify any containers associated with the event within the container platform. | Without information that establishes the identity of the containers offering user services or running on behalf of a user within the platform associated with audit events, security personnel cannot determine responsibility for potentially harmful events.
V-233047 | Medium | All audit records must identify any users associated with the event within the container platform. | Without information that establishes the identity of the user associated with the events, security personnel cannot determine responsibility for the potentially harmful event.
V-233046 | Medium | All audit records must generate the event results within the container platform. | Within the container platform, audit data can be generated from any of the deployed container platform components. This audit data is important when there are issues, such as security incidents, that must be investigated. To make the audit data worthwhile for the investigation of events, it is necessary to know...
V-233045 | Medium | All audit records must identify the source of the event within the container platform. | Audit data is important when there are issues, to include security incidents that must be investigated. Since the audit data may be part of a larger audit system, it is important for the audit data to also include the container platform name for traceability back to the container platform itself...
V-233044 | Medium | All audit records must identify where in the container platform the event occurred. | Within the container platform, audit data can be generated from any of the deployed container platform components. This audit data is important when there are issues, such as security incidents, that must be investigated. To make the audit data worthwhile for the investigation of events, it is necessary to know...
V-233043 | Medium | The container platform audit records must have a date and time association with all events. | Within the container platform, audit data can be generated from any of the deployed container platform components. This audit data is important when there are issues, such as security incidents, that must be investigated. To make the audit data worthwhile for the investigation of events, it is necessary to know...
V-233042 | Medium | All audit records must identify what type of event has occurred within the container platform. | Within the container platform, audit data can be generated from any of the deployed container platform components. This audit data is important when there are issues, such as security incidents, that must be investigated. To make the audit data worthwhile for the investigation of events, it is necessary to know...
V-233041 | Medium | The container platform must initiate session auditing upon startup. | When the container platform is started, container platform components and user services can also be started. It is important that the container platform begin auditing on startup in order to handle container platform startup events along with events for container platform components and services that begin on startup.
V-233040 | Medium | The container platform must generate audit records when successful/unsuccessful attempts to access privileges occur. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g.,...
V-233039 | Medium | The container platform must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. | Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate,...
V-233038 | Medium | The container platform must generate audit records for all DoD-defined auditable events within all components in the platform. | Within the container platform, audit data can be generated from any of the deployed container platform components. This audit data is important when there are issues, including security incidents that must be investigated. To make the audit data worthwhile for the investigation of events, it is necessary to have the...
V-233031 | Medium | The container platform must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
V-233030 | Medium | The container platform must enforce approved authorizations for controlling the flow of information between interconnected systems and services based on organization-defined information flow control policies. | Controlling information flow between the container platform components and container user services instantiated by the container platform must enforce organization-defined information flow policies. Example methods for information flow control are: using labels for containers to segregate services; user permissions and roles to limit what user services are available to each...
V-233029 | Medium | The container platform must enforce approved authorizations for controlling the flow of information within the container platform based on organization-defined information flow control policies. | Controlling information flow between the container platform components and container user services instantiated by the container platform must enforce organization-defined information flow policies. Example methods for information flow control are using labels and separate namespaces for containers to segregate services; user permissions and roles to limit what user services are...
V-233028 | Medium | Least privilege access and need to know must be required to access the container platform keystore. | The container platform keystore is used to store access keys and tokens for trusted access to and from the container platform. The keystore gives the container platform a method to store the confidential data in a secure way and to encrypt the data when at rest. If this data is...
V-233027 | Medium | Least privilege access and need to know must be required to access the container platform runtime. | The container platform runtime is used to instantiate containers. If this process is accessed by those persons who are not authorized, those containers offering services can be brought to a denial of service (DoS) situation, disabling a large number of services with a small change to the container platform. To...
V-233026 | Medium | Least privilege access and need to know must be required to access the container platform registry. | The container platform registry is used to store images and is the keeper of truth for trusted images within the platform. To guarantee the images' integrity, access to the registry must be limited to those individuals who need to perform tasks on the images such as the update, creation, or...
V-233025 | Medium | The container platform must automatically audit account removal actions. | When application accounts are removed, user accessibility is affected. Once an attacker establishes access to an application, the attacker often attempts to remove authorized accounts to disrupt services or prevent the implementation of countermeasures. Auditing account removal actions provides logging that can be used for forensic purposes. To address access...
V-233024 | Medium | The container platform must automatically audit account-disabling actions. | When application accounts are disabled, user accessibility is affected. Once an attacker establishes access to an application, the attacker often attempts to disable authorized accounts to disrupt services or prevent the implementation of countermeasures. Auditing account-disabling actions provides logging that can be used for forensic purposes. To address access requirements,...
V-233023 | Medium | The container platform must automatically audit account modification. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing of account creation is one method for mitigating this risk. A comprehensive account management process...
V-233022 | Medium | The container platform must automatically audit account creation. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to create a new account. Auditing of account creation is one method for mitigating this risk. A comprehensive account management process...
V-233021 | Medium | The container platform must automatically disable accounts after a 35-day period of account inactivity. | Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Applications need to track periods of user inactivity and disable accounts after 35 days...
V-233020 | Medium | The container platform must automatically remove or disable temporary user accounts after 72 hours. | If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary user accounts must be set upon account creation. Temporary user accounts are established as part of normal...
V-233019 | Medium | The container platform must use a centralized user management solution to support account management functions. | Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. A comprehensive application account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include,...
V-233016 | Medium | The container platform must use TLS 1.2 or greater for secure communication. | The authenticity and integrity of the container platform and communication between nodes and components must be secure. If an insecure protocol is used during transmission of data, the data can be intercepted and manipulated. The manipulation of data can be used to inject status changes of the container platform, causing...
V-233015 | Medium | The container platform must use TLS 1.2 or greater for secure container image transport from trusted sources. | The authenticity and integrity of the container image during the container image lifecycle is part of the overall security posture of the container platform. This begins with the container image creation and pull of a base image from a trusted source for child container image creation and the instantiation of...
V-233149 | Low | Access to the container platform must display an explicit logout message to the user indicating the reliable termination of authenticated communication sessions. | Access to the container platform will occur through web and terminal sessions. Any web interfaces must conform to application and web security requirements. Terminal access to the container platform and its components must provide a logout facility that terminates the connection to the component or the platform.
V-233033 | Low | The container platform must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage and conditions and take explicit actions to log on for further access. | The banner must be acknowledged by the user prior to allowing the user access to any container platform component. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in...
V-233032 | Low | The container platform must display the Standard Mandatory DoD Notice and Consent Banner before granting access to platform components. | The container platform has countless components where different access levels are needed. To control access, the user must first log in to the component and then be presented with a DoD-approved use notification banner before being granted access to the component. This guarantees that the privacy and security notification verbiage used is consistent...