Red Hat OpenShift Container Platform STIG V1R1

STIG ID CCI Title
CNTR-OS-000010 CCI-000068 OpenShift must use TLS 1.2 or greater for secure container image transport from trusted sources.
CNTR-OS-000020 CCI-000068 OpenShift must use TLS 1.2 or greater for secure communication.
CNTR-OS-000030 CCI-000015 OpenShift must use a centralized user management solution to support account management functions.
CNTR-OS-000040 CCI-000015 The kubeadmin account must be disabled.
CNTR-OS-000050 CCI-000018 OpenShift must automatically audit account creation.
CNTR-OS-000060 CCI-001403 OpenShift must automatically audit account modification.
CNTR-OS-000070 CCI-000172 OpenShift must generate audit rules to capture account related actions.
CNTR-OS-000080 CCI-001405 OpenShift must automatically audit account removal actions.
CNTR-OS-000090 CCI-000213 OpenShift RBAC access controls must be enforced.
CNTR-OS-000100 CCI-001368 OpenShift must enforce network policy on the namespace for controlling the flow of information within the container platform based on organization-defined information flow control policies.
CNTR-OS-000110 CCI-001414 OpenShift must enforce approved authorizations for controlling the flow of information within the container platform based on organization-defined information flow control policies.
CNTR-OS-000130 CCI-000048 OpenShift must display the Standard Mandatory DOD Notice and Consent Banner before granting access to platform components.
CNTR-OS-000150 CCI-000135 OpenShift must generate audit records for all DOD-defined auditable events within all components in the platform.
CNTR-OS-000160 CCI-000172 OpenShift must generate audit records when successful/unsuccessful attempts to access privileges occur.
CNTR-OS-000170 CCI-001464 Red Hat Enterprise Linux CoreOS (RHCOS) must initiate session audits at system startup.
CNTR-OS-000180 CCI-000130 All audit records must identify what type of event has occurred within OpenShift.
CNTR-OS-000190 CCI-000131 OpenShift audit records must have a date and time association with all events.
CNTR-OS-000200 CCI-000132 All audit records must generate the event results within OpenShift.
CNTR-OS-000210 CCI-000140 OpenShift must take appropriate action upon an audit failure.
CNTR-OS-000220 CCI-000154 OpenShift components must provide the ability to send audit logs to a central enterprise repository for review and analysis.
CNTR-OS-000230 CCI-000159 OpenShift must use internal system clocks to generate audit record time stamps.
CNTR-OS-000240 CCI-000159 The Red Hat Enterprise Linux CoreOS (RHCOS) chrony Daemon must use multiple NTP servers to generate audit record time stamps.
CNTR-OS-000250 CCI-000162 OpenShift must protect audit logs from any type of unauthorized access.
CNTR-OS-000260 CCI-000162 OpenShift must protect system journal file from any type of unauthorized access by setting file permissions.
CNTR-OS-000270 CCI-000162 OpenShift must protect system journal file from any type of unauthorized access by setting owner permissions.
CNTR-OS-000280 CCI-000162 OpenShift must protect log directory from any type of unauthorized access by setting file permissions.
CNTR-OS-000290 CCI-000162 OpenShift must protect log directory from any type of unauthorized access by setting owner permissions.
CNTR-OS-000300 CCI-000162 OpenShift must protect pod log files from any type of unauthorized access by setting owner permissions.
CNTR-OS-000310 CCI-000163 OpenShift must protect audit information from unauthorized modification.
CNTR-OS-000320 CCI-001493 OpenShift must prevent unauthorized changes to logon UIDs.
CNTR-OS-000330 CCI-001493 OpenShift must protect audit tools from unauthorized access.
CNTR-OS-000340 CCI-001350 OpenShift must use FIPS-validated cryptographic mechanisms to protect the integrity of log information.
CNTR-OS-000360 CCI-001749 OpenShift must verify container images.
CNTR-OS-000380 CCI-000381 OpenShift must contain only container images for those capabilities being offered by the container platform.
CNTR-OS-000390 CCI-000382 OpenShift runtime must enforce ports, protocols, and services that adhere to the PPSM CAL.
CNTR-OS-000400 CCI-000764 OpenShift must disable root and terminate network connections.
CNTR-OS-000430 CCI-000765 OpenShift must use multifactor authentication for network access to accounts.
CNTR-OS-000440 CCI-001941 OpenShift must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.
CNTR-OS-000460 CCI-000016 OpenShift must use FIPS-validated LDAP or OpenID Connect.
CNTR-OS-000490 CCI-001133 OpenShift must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity.
CNTR-OS-000500 CCI-001082 OpenShift must separate user functionality (including user interface services) from information system management functionality.
CNTR-OS-000510 CCI-001184 OpenShift must protect the authenticity of communications sessions with the use of FIPS 140-2 or 140-3 validated cryptography.
CNTR-OS-000540 CCI-001084 OpenShift runtime must isolate security functions from nonsecurity functions.
CNTR-OS-000560 CCI-001090 OpenShift must prevent unauthorized and unintended information transfer via shared system resources and enable page poisoning.
CNTR-OS-000570 CCI-001090 OpenShift must disable virtual syscalls.
CNTR-OS-000580 CCI-001090 OpenShift must enable poisoning of SLUB/SLAB objects.
CNTR-OS-000590 CCI-001090 OpenShift must set the sticky bit for world-writable directories.
CNTR-OS-000600 CCI-001090 OpenShift must restrict access to the kernel buffer.
CNTR-OS-000610 CCI-001090 OpenShift must prevent kernel profiling.
CNTR-OS-000620 CCI-001094 OpenShift must restrict individuals the ability to launch organizational-defined Denial-of-Service (DOS) attacks against other information systems by setting a default Resource Quota.
CNTR-OS-000630 CCI-001094 OpenShift must restrict individuals the ability to launch organizational-defined Denial-of-Service (DOS) attacks against other information systems by rate-limiting.
CNTR-OS-000650 CCI-002364 OpenShift must display an explicit logout message indicating the reliable termination of authenticated communication sessions.
CNTR-OS-000660 CCI-000382 Container images instantiated by OpenShift must execute using least privileges.
CNTR-OS-000670 CCI-001849 Red Hat Enterprise Linux CoreOS (RHCOS) must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
CNTR-OS-000690 CCI-001858 OpenShift must configure Alertmanager receivers to notify the SA and ISSO of all audit failure events requiring real-time alerts.
CNTR-OS-000720 CCI-001814 OpenShift must enforce access restrictions and support auditing of the enforcement actions.
CNTR-OS-000740 CCI-001764 OpenShift must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
CNTR-OS-000760 CCI-002007 OpenShift must set server token max age no greater than eight hours.
CNTR-OS-000770 CCI-001067 Vulnerability scanning applications must implement privileged access authorization to all OpenShift components, containers, and container images for selected organization-defined vulnerability scanning activities.
CNTR-OS-000780 CCI-002476 OpenShift keystore must implement encryption to prevent unauthorized disclosure of information at rest within the container platform.
CNTR-OS-000800 CCI-002385 OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by employing organization-defined security safeguards by including a default resource quota.
CNTR-OS-000810 CCI-001094 OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by defining resource quotas on a namespace.
CNTR-OS-000820 CCI-002418 OpenShift must protect the confidentiality and integrity of transmitted information.
CNTR-OS-000860 CCI-002824 Red Hat Enterprise Linux CoreOS (RHCOS) must implement nonexecutable data to protect its memory from unauthorized code execution.
CNTR-OS-000870 CCI-002824 Red Hat Enterprise Linux CoreOS (RHCOS) must implement ASLR (Address Space Layout Randomization) to protect its memory from unauthorized code execution.
CNTR-OS-000880 CCI-002617 OpenShift must remove old components after updated versions have been installed.
CNTR-OS-000890 CCI-002605 OpenShift must contain the latest images with most recent updates and execute within the container platform runtime as authorized by IAVM, CTOs, DTMs, and STIGs.
CNTR-OS-000900 CCI-002605 OpenShift runtime must have updates installed within the period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
CNTR-OS-000910 CCI-002696 The Compliance Operator must be configured.
CNTR-OS-000920 CCI-002699 OpenShift must perform verification of the correct operation of security functions: upon startup and/or restart; upon command by a user with privileged access; and/or every 30 days.
CNTR-OS-000930 CCI-000172 OpenShift must generate audit records when successful/unsuccessful attempts to modify privileges occur.
CNTR-OS-000940 CCI-000172 OpenShift must generate audit records when successful/unsuccessful attempts to modify security objects occur.
CNTR-OS-000950 CCI-000172 OpenShift must generate audit records when successful/unsuccessful attempts to delete privileges occur.
CNTR-OS-000960 CCI-000172 OpenShift must generate audit records when successful/unsuccessful attempts to delete security objects occur.
CNTR-OS-000970 CCI-000172 OpenShift must generate audit records when successful/unsuccessful logon attempts occur.
CNTR-OS-000980 CCI-000172 Red Hat Enterprise Linux CoreOS (RHCOS) must be configured to audit the loading and unloading of dynamic kernel modules.
CNTR-OS-000990 CCI-000172 OpenShift audit records must record user access start and end times.
CNTR-OS-001000 CCI-000172 OpenShift must generate audit records when concurrent logons from different workstations and systems occur.
CNTR-OS-001010 CCI-000381 Red Hat Enterprise Linux CoreOS (RHCOS) must disable SSHD service.
CNTR-OS-001020 CCI-000381 Red Hat Enterprise Linux CoreOS (RHCOS) must disable USB Storage kernel module.
CNTR-OS-001030 CCI-000381 Red Hat Enterprise Linux CoreOS (RHCOS) must use USBGuard for hosts that include a USB Controller.
CNTR-OS-001060 CCI-000366 OpenShift must continuously scan components, containers, and images for vulnerabilities.
CNTR-OS-001080 CCI-000803 OpenShift must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (nonlegacy use).
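Several of the cluster-level items in the list above (TLS minimum version, audit profile, the kubeadmin account, identity provider type, token lifetimes, per-namespace NetworkPolicy and ResourceQuota) can be checked against the relevant API objects without touching the cluster itself. The following is an added example, not part of the STIG and not DISA or Red Hat tooling: it evaluates a subset of the listed items over JSON in the shape produced by `oc get <kind> <name> -o json` and `oc get <kind> -A -o json`. It assumes the OpenShift 4 field names (`spec.tlsSecurityProfile`, `spec.audit.profile`, `spec.identityProviders`, `spec.tokenConfig`) and the platform defaults when a field is unset (Intermediate TLS profile, `Default` audit profile, 24-hour token lifetime); the two sample clusters at the bottom are constructed for the example. On a real cluster the Compliance Operator (CNTR-OS-000910) is the supported way to run these checks.

```python
"""Offline checker for several cluster-level items of the OpenShift STIG.

Inputs follow `oc get <kind> <name> -o json` (single object) and
`oc get <kind> -A -o json` (object with an "items" list). The sample
clusters at the bottom are constructed, not captured from a real cluster.
"""
import re

# minTLSVersion implied by each predefined tlsSecurityProfile type
PROFILE_MIN_TLS = {"Old": "VersionTLS10", "Intermediate": "VersionTLS12", "Modern": "VersionTLS13"}
TLS_ORDER = ["VersionTLS10", "VersionTLS11", "VersionTLS12", "VersionTLS13"]
AUDIT_PROFILES_OK = {"WriteRequestBodies", "AllRequestBodies"}   # CNTR-OS-000050..000080
IDP_TYPES_OK = {"LDAP", "OpenID"}                                # CNTR-OS-000460
PLATFORM_NS = re.compile(r"^(openshift|kube)(-|$)|^default$")    # namespaces the STIG exempts
EIGHT_HOURS = 8 * 3600
TEN_MINUTES = 10 * 60


def go_duration_seconds(text):
    """Parse a Go duration such as '10m0s' or '1h30m'; None if absent or unparseable."""
    if not text:
        return None
    parts = re.findall(r"(\d+(?:\.\d+)?)(h|m|s)", text)
    return sum(float(n) * {"h": 3600, "m": 60, "s": 1}[u] for n, u in parts) if parts else None


def min_tls_version(apiserver):
    """Effective minTLSVersion of apiserver.config.openshift.io/v1 'cluster'."""
    prof = apiserver.get("spec", {}).get("tlsSecurityProfile") or {}
    kind = prof.get("type", "Intermediate")  # unset means the platform default profile
    if kind == "Custom":
        # a Custom profile without minTLSVersion is treated conservatively as TLS 1.0
        return (prof.get("custom") or {}).get("minTLSVersion", "VersionTLS10")
    return PROFILE_MIN_TLS.get(kind, "VersionTLS10")


def namespaces_missing(kind_items, namespaces):
    """User namespaces that have no object of the given kind (NetworkPolicy, ResourceQuota)."""
    covered = {i["metadata"]["namespace"] for i in kind_items.get("items", [])}
    return sorted(ns for ns in namespaces if not PLATFORM_NS.match(ns) and ns not in covered)


def check_cluster(apiserver, oauth, kube_system_secrets, namespaces, netpols, quotas):
    """Return a list of (STIG ID, finding) tuples; an empty list means no finding here."""
    findings = []
    tls = min_tls_version(apiserver)
    if (TLS_ORDER.index(tls) if tls in TLS_ORDER else 0) < TLS_ORDER.index("VersionTLS12"):
        findings.append(("CNTR-OS-000020", "tlsSecurityProfile permits TLS below 1.2"))
    if apiserver.get("spec", {}).get("audit", {}).get("profile", "Default") not in AUDIT_PROFILES_OK:
        findings.append(("CNTR-OS-000050", "audit profile is not WriteRequestBodies/AllRequestBodies"))
    if any(s["metadata"]["name"] == "kubeadmin" for s in kube_system_secrets.get("items", [])):
        findings.append(("CNTR-OS-000040", "kubeadmin secret still present in kube-system"))
    idps = oauth.get("spec", {}).get("identityProviders") or []
    if not idps or any(i.get("type") not in IDP_TYPES_OK for i in idps):
        findings.append(("CNTR-OS-000460", "identity providers are not limited to LDAP/OpenID"))
    token = oauth.get("spec", {}).get("tokenConfig") or {}
    max_age = token.get("accessTokenMaxAgeSeconds") or 86400  # assumption: unset/0 means the 24h default
    if max_age > EIGHT_HOURS:
        findings.append(("CNTR-OS-000760", f"accessTokenMaxAgeSeconds={max_age} exceeds 8h"))
    idle = go_duration_seconds(token.get("accessTokenInactivityTimeout"))
    if idle is None or idle > TEN_MINUTES:
        findings.append(("CNTR-OS-000490", "accessTokenInactivityTimeout unset or above 10m"))
    for ns in namespaces_missing(netpols, namespaces):
        findings.append(("CNTR-OS-000100", f"namespace {ns} has no NetworkPolicy"))
    for ns in namespaces_missing(quotas, namespaces):
        findings.append(("CNTR-OS-000810", f"namespace {ns} has no ResourceQuota"))
    return findings


def sample_cluster(hardened):
    """Constructed inputs: one cluster as the STIG wants it, one left at OpenShift defaults."""
    ns = ["openshift-monitoring", "kube-system", "default", "payments"]
    if hardened:
        return dict(
            apiserver={"spec": {"tlsSecurityProfile": {"type": "Intermediate"},
                                "audit": {"profile": "WriteRequestBodies"}}},
            oauth={"spec": {"identityProviders": [{"name": "corp", "type": "LDAP"}],
                            "tokenConfig": {"accessTokenMaxAgeSeconds": 28800,
                                            "accessTokenInactivityTimeout": "10m0s"}}},
            kube_system_secrets={"items": []},
            namespaces=ns,
            netpols={"items": [{"metadata": {"namespace": "payments", "name": "deny-by-default"}}]},
            quotas={"items": [{"metadata": {"namespace": "payments", "name": "default-quota"}}]},
        )
    return dict(
        apiserver={"spec": {"tlsSecurityProfile": {"type": "Old"}}},
        oauth={"spec": {"identityProviders": [{"name": "local", "type": "HTPasswd"}]}},
        kube_system_secrets={"items": [{"metadata": {"name": "kubeadmin"}}]},
        namespaces=ns, netpols={"items": []}, quotas={"items": []},
    )


if __name__ == "__main__":
    for hardened in (True, False):
        print("hardened" if hardened else "default", check_cluster(**sample_cluster(hardened)))
```

To run it against a live cluster, feed `json.load` of `oc get apiserver cluster -o json`, `oc get oauth cluster -o json`, `oc get secret -n kube-system -o json`, `oc get netpol -A -o json` and `oc get resourcequota -A -o json`, plus the namespace names from `oc get ns`. The checker covers only the listed cluster-level items; the RHCOS host items (sysctls, file permissions, auditd rules) need a MachineConfig review or the Compliance Operator's node scans.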