Released 2023-09-08
| STIG ID | Title |
|---|---|
| CNTR-OS-000010 | OpenShift must use TLS 1.2 or greater for secure container image transport from trusted sources. |
| CNTR-OS-000020 | OpenShift must use TLS 1.2 or greater for secure communication. |
| CNTR-OS-000030 | OpenShift must use a centralized user management solution to support account management functions. |
| CNTR-OS-000040 | The kubeadmin account must be disabled. |
| CNTR-OS-000050 | OpenShift must automatically audit account creation. |
| CNTR-OS-000060 | OpenShift must automatically audit account modification. |
| CNTR-OS-000070 | OpenShift must generate audit rules to capture account related actions. |
| CNTR-OS-000080 | Open Shift must automatically audit account removal actions. |
| CNTR-OS-000090 | OpenShift RBAC access controls must be enforced. |
| CNTR-OS-000100 | OpenShift must enforce network policy on the namespace for controlling the flow of information within the container platform based on organization-defined information flow control policies. |
| CNTR-OS-000110 | OpenShift must enforce approved authorizations for controlling the flow of information within the container platform based on organization-defined information flow control policies. |
| CNTR-OS-000130 | OpenShift must display the Standard Mandatory DOD Notice and Consent Banner before granting access to platform components. |
| CNTR-OS-000150 | OpenShift must generate audit records for all DOD-defined auditable events within all components in the platform. |
| CNTR-OS-000160 | OpenShift must generate audit records when successful/unsuccessful attempts to access privileges occur. |
| CNTR-OS-000170 | Red Hat Enterprise Linux CoreOS (RHCOS) must initiate session audits at system startup. |
| CNTR-OS-000180 | All audit records must identify what type of event has occurred within OpenShift. |
| CNTR-OS-000190 | OpenShift audit records must have a date and time association with all events. |
| CNTR-OS-000200 | All audit records must generate the event results within OpenShift. |
| CNTR-OS-000210 | OpenShift must take appropriate action upon an audit failure. |
| CNTR-OS-000220 | OpenShift components must provide the ability to send audit logs to a central enterprise repository for review and analysis. |
| CNTR-OS-000230 | OpenShift must use internal system clocks to generate audit record time stamps. |
| CNTR-OS-000240 | The Red Hat Enterprise Linux CoreOS (RHCOS) chrony Daemon must use multiple NTP servers to generate audit record time stamps. |
| CNTR-OS-000250 | OpenShift must protect audit logs from any type of unauthorized access. |
| CNTR-OS-000260 | OpenShift must protect system journal file from any type of unauthorized access by setting file permissions. |
| CNTR-OS-000270 | OpenShift must protect system journal file from any type of unauthorized access by setting owner permissions. |
| CNTR-OS-000280 | OpenShift must protect log directory from any type of unauthorized access by setting file permissions. |
| CNTR-OS-000290 | OpenShift must protect log directory from any type of unauthorized access by setting owner permissions. |
| CNTR-OS-000300 | OpenShift must protect pod log files from any type of unauthorized access by setting owner permissions. |
| CNTR-OS-000310 | OpenShift must protect audit information from unauthorized modification. |
| CNTR-OS-000320 | OpenShift must prevent unauthorized changes to logon UIDs. |
| CNTR-OS-000330 | OpenShift must protect audit tools from unauthorized access. |
| CNTR-OS-000340 | OpenShift must use FIPS-validated cryptographic mechanisms to protect the integrity of log information. |
| CNTR-OS-000360 | OpenShift must verify container images. |
| CNTR-OS-000380 | OpenShift must contain only container images for those capabilities being offered by the container platform. |
| CNTR-OS-000390 | OpenShift runtime must enforce ports, protocols, and services that adhere to the PPSM CAL. |
| CNTR-OS-000400 | OpenShift must disable root and terminate network connections. |
| CNTR-OS-000430 | OpenShift must use multifactor authentication for network access to accounts. |
| CNTR-OS-000440 | OpenShift must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts. |
| CNTR-OS-000460 | OpenShift must use FIPS validated LDAP or OpenIDConnect. |
| CNTR-OS-000490 | OpenShift must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity. |
| CNTR-OS-000500 | OpenShift must separate user functionality (including user interface services) from information system management functionality. |
| CNTR-OS-000510 | OpenShift must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 validated cryptography. |
| CNTR-OS-000540 | OpenShift runtime must isolate security functions from nonsecurity functions. |
| CNTR-OS-000560 | OpenShift must prevent unauthorized and unintended information transfer via shared system resources and enable page poisoning. |
| CNTR-OS-000570 | OpenShift must disable virtual syscalls. |
| CNTR-OS-000580 | OpenShift must enable poisoning of SLUB/SLAB objects. |
| CNTR-OS-000590 | OpenShift must set the sticky bit for world-writable directories. |
| CNTR-OS-000600 | OpenShift must restrict access to the kernel buffer. |
| CNTR-OS-000610 | OpenShift must prevent kernel profiling. |
| CNTR-OS-000620 | OpenShift must restrict individuals the ability to launch organizational-defined Denial-of-Service (DOS) attacks against other information systems by setting a default Resource Quota. |
| CNTR-OS-000630 | OpenShift must restrict individuals the ability to launch organizational-defined Denial-of-Service (DOS) attacks against other information systems by rate-limiting. |
| CNTR-OS-000650 | OpenShift must display an explicit logout message indicating the reliable termination of authenticated communication sessions. |
| CNTR-OS-000660 | Container images instantiated by OpenShift must execute using least privileges. |
| CNTR-OS-000670 | Red Hat Enterprise Linux CoreOS (RHCOS) must allocate audit record storage capacity to store at least one weeks' worth of audit records, when audit records are not immediately sent to a central audit record storage facility. |
| CNTR-OS-000690 | OpenShift must configure Alert Manger Receivers to notify SA and ISSO of all audit failure events requiring real-time alerts. |
| CNTR-OS-000720 | OpenShift must enforce access restrictions and support auditing of the enforcement actions. |
| CNTR-OS-000740 | OpenShift must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. |
| CNTR-OS-000760 | OpenShift must set server token max age no greater than eight hours. |
| CNTR-OS-000770 | Vulnerability scanning applications must implement privileged access authorization to all OpenShift components, containers, and container images for selected organization-defined vulnerability scanning activities. |
| CNTR-OS-000780 | OpenShift keystore must implement encryption to prevent unauthorized disclosure of information at rest within the container platform. |
| CNTR-OS-000800 | OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by employing organization-defined security safeguards by including a default resource quota. |
| CNTR-OS-000810 | OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by defining resource quotas on a namespace. |
| CNTR-OS-000820 | OpenShift must protect the confidentiality and integrity of transmitted information. |
| CNTR-OS-000860 | Red Hat Enterprise Linux CoreOS (RHCOS) must implement nonexecutable data to protect its memory from unauthorized code execution. |
| CNTR-OS-000870 | Red Hat Enterprise Linux CoreOS (RHCOS) must implement ASLR (Address Space Layout Randomization) from unauthorized code execution. |
| CNTR-OS-000880 | OpenShift must remove old components after updated versions have been installed. |
| CNTR-OS-000890 | OpenShift must contain the latest images with most recent updates and execute within the container platform runtime as authorized by IAVM, CTOs, DTMs, and STIGs. |
| CNTR-OS-000900 | OpenShift runtime must have updates installed within the period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs). |
| CNTR-OS-000910 | The Compliance Operator must be configured. |
| CNTR-OS-000920 | OpenShift must perform verification of the correct operation of security functions: upon startup and/or restart; upon command by a user with privileged access; and/or every 30 days. |
| CNTR-OS-000930 | OpenShift must generate audit records when successful/unsuccessful attempts to modify privileges occur. |
| CNTR-OS-000940 | OpenShift must generate audit records when successful/unsuccessful attempts to modify security objects occur. |
| CNTR-OS-000950 | OpenShift must generate audit records when successful/unsuccessful attempts to delete privileges occur. |
| CNTR-OS-000960 | OpenShift must generate audit records when successful/unsuccessful attempts to delete security objects occur. |
| CNTR-OS-000970 | OpenShift must generate audit records when successful/unsuccessful logon attempts occur. |
| CNTR-OS-000980 | Red Hat Enterprise Linux CoreOS (RHCOS) must be configured to audit the loading and unloading of dynamic kernel modules. |
| CNTR-OS-000990 | OpenShift audit records must record user access start and end times. |
| CNTR-OS-001000 | OpenShift must generate audit records when concurrent logons from different workstations and systems occur. |
| CNTR-OS-001010 | Red Hat Enterprise Linux CoreOS (RHCOS) must disable SSHD service. |
| CNTR-OS-001020 | Red Hat Enterprise Linux CoreOS (RHCOS) must disable USB Storage kernel module. |
| CNTR-OS-001030 | Red Hat Enterprise Linux CoreOS (RHCOS) must use USBGuard for hosts that include a USB Controller. |
| CNTR-OS-001060 | OpenShift must continuously scan components, containers, and images for vulnerabilities. |
| CNTR-OS-001080 | OpenShift must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (nonlegacy use). |