| Rule ID | Title |
|---|---|
| CNTR-OS-000010 | OpenShift must use TLS 1.2 or greater for secure container image transport from trusted sources. |
| CNTR-OS-000020 | OpenShift must use TLS 1.2 or greater for secure communication. |
| CNTR-OS-000030 | OpenShift must use a centralized user management solution to support account management functions. |
| CNTR-OS-000040 | The kubeadmin account must be disabled. |
| CNTR-OS-000050 | OpenShift must automatically audit account creation. |
| CNTR-OS-000060 | OpenShift must automatically audit account modification. |
| CNTR-OS-000070 | OpenShift must generate audit rules to capture account-related actions. |
| CNTR-OS-000080 | OpenShift must automatically audit account removal actions. |
| CNTR-OS-000090 | OpenShift RBAC access controls must be enforced. |
| CNTR-OS-000100 | OpenShift must enforce network policy on the namespace for controlling the flow of information within the container platform based on organization-defined information flow control policies. |
| CNTR-OS-000110 | OpenShift must enforce approved authorizations for controlling the flow of information within the container platform based on organization-defined information flow control policies. |
| CNTR-OS-000130 | OpenShift must display the Standard Mandatory DOD Notice and Consent Banner before granting access to platform components. |
| CNTR-OS-000150 | OpenShift must generate audit records for all DOD-defined auditable events within all components in the platform. |
| CNTR-OS-000160 | OpenShift must generate audit records when successful/unsuccessful attempts to access privileges occur. |
| CNTR-OS-000170 | Red Hat Enterprise Linux CoreOS (RHCOS) must initiate session audits at system startup. |
| CNTR-OS-000180 | All audit records must identify what type of event has occurred within OpenShift. |
| CNTR-OS-000190 | OpenShift audit records must have a date and time association with all events. |
| CNTR-OS-000200 | All audit records must generate the event results within OpenShift. |
| CNTR-OS-000210 | OpenShift must take appropriate action upon an audit failure. |
| CNTR-OS-000220 | OpenShift components must provide the ability to send audit logs to a central enterprise repository for review and analysis. |
| CNTR-OS-000230 | OpenShift must use internal system clocks to generate audit record time stamps. |
| CNTR-OS-000240 | The Red Hat Enterprise Linux CoreOS (RHCOS) chrony daemon must use multiple NTP servers to generate audit record time stamps. |
| CNTR-OS-000250 | OpenShift must protect audit logs from any type of unauthorized access. |
| CNTR-OS-000260 | OpenShift must protect the system journal file from any type of unauthorized access by setting file permissions. |
| CNTR-OS-000270 | OpenShift must protect the system journal file from any type of unauthorized access by setting owner permissions. |
| CNTR-OS-000280 | OpenShift must protect the log directory from any type of unauthorized access by setting file permissions. |
| CNTR-OS-000290 | OpenShift must protect the log directory from any type of unauthorized access by setting owner permissions. |
| CNTR-OS-000300 | OpenShift must protect pod log files from any type of unauthorized access by setting owner permissions. |
| CNTR-OS-000310 | OpenShift must protect audit information from unauthorized modification. |
| CNTR-OS-000320 | OpenShift must prevent unauthorized changes to logon UIDs. |
| CNTR-OS-000330 | OpenShift must protect audit tools from unauthorized access. |
| CNTR-OS-000340 | OpenShift must use FIPS-validated cryptographic mechanisms to protect the integrity of log information. |
| CNTR-OS-000360 | OpenShift must verify container images. |
| CNTR-OS-000380 | OpenShift must contain only container images for those capabilities being offered by the container platform. |
| CNTR-OS-000390 | OpenShift runtime must enforce ports, protocols, and services that adhere to the PPSM CAL. |
| CNTR-OS-000400 | OpenShift must disable root and terminate network connections. |
| CNTR-OS-000430 | OpenShift must use multifactor authentication for network access to accounts. |
| CNTR-OS-000440 | OpenShift must use a FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts. |
| CNTR-OS-000460 | OpenShift must use FIPS-validated LDAP or OpenID Connect. |
| CNTR-OS-000490 | OpenShift must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity. |
| CNTR-OS-000500 | OpenShift must separate user functionality (including user interface services) from information system management functionality. |
| CNTR-OS-000510 | OpenShift must protect the authenticity of communications sessions with the use of FIPS 140-2 or 140-3 validated cryptography. |
| CNTR-OS-000540 | OpenShift runtime must isolate security functions from nonsecurity functions. |
| CNTR-OS-000560 | OpenShift must prevent unauthorized and unintended information transfer via shared system resources and enable page poisoning. |
| CNTR-OS-000570 | OpenShift must disable virtual syscalls. |
| CNTR-OS-000580 | OpenShift must enable poisoning of SLUB/SLAB objects. |
| CNTR-OS-000590 | OpenShift must set the sticky bit for world-writable directories. |
| CNTR-OS-000600 | OpenShift must restrict access to the kernel buffer. |
| CNTR-OS-000610 | OpenShift must prevent kernel profiling. |
| CNTR-OS-000620 | OpenShift must restrict the ability of individuals to launch organization-defined Denial-of-Service (DoS) attacks against other information systems by setting a default Resource Quota. |
| CNTR-OS-000630 | OpenShift must restrict the ability of individuals to launch organization-defined Denial-of-Service (DoS) attacks against other information systems by rate-limiting. |
| CNTR-OS-000650 | OpenShift must display an explicit logout message indicating the reliable termination of authenticated communication sessions. |
| CNTR-OS-000660 | Container images instantiated by OpenShift must execute using least privileges. |
| CNTR-OS-000670 | Red Hat Enterprise Linux CoreOS (RHCOS) must allocate audit record storage capacity to store at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility. |
| CNTR-OS-000690 | OpenShift must configure Alertmanager receivers to notify the SA and ISSO of all audit failure events requiring real-time alerts. |
| CNTR-OS-000720 | OpenShift must enforce access restrictions and support auditing of the enforcement actions. |
| CNTR-OS-000740 | OpenShift must prevent the installation of patches, service packs, device drivers, or operating system components without verification that they have been digitally signed using a certificate that is recognized and approved by the organization. |
| CNTR-OS-000760 | OpenShift must set the server token max age to no greater than eight hours. |
| CNTR-OS-000770 | Vulnerability scanning applications must implement privileged access authorization to all OpenShift components, containers, and container images for selected organization-defined vulnerability scanning activities. |
| CNTR-OS-000780 | The OpenShift keystore must implement encryption to prevent unauthorized disclosure of information at rest within the container platform. |
| CNTR-OS-000800 | OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by employing organization-defined security safeguards, including a default resource quota. |
| CNTR-OS-000810 | OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by defining resource quotas on a namespace. |
| CNTR-OS-000820 | OpenShift must protect the confidentiality and integrity of transmitted information. |
| CNTR-OS-000860 | Red Hat Enterprise Linux CoreOS (RHCOS) must implement nonexecutable data to protect its memory from unauthorized code execution. |
| CNTR-OS-000870 | Red Hat Enterprise Linux CoreOS (RHCOS) must implement ASLR (Address Space Layout Randomization) to protect its memory from unauthorized code execution. |
| CNTR-OS-000880 | OpenShift must remove old components after updated versions have been installed. |
| CNTR-OS-000890 | OpenShift must contain the latest images with the most recent updates and execute within the container platform runtime as authorized by IAVM, CTOs, DTMs, and STIGs. |
| CNTR-OS-000900 | OpenShift runtime must have updates installed within the period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs). |
| CNTR-OS-000910 | The Compliance Operator must be configured. |
| CNTR-OS-000920 | OpenShift must perform verification of the correct operation of security functions: upon startup and/or restart; upon command by a user with privileged access; and/or every 30 days. |
| CNTR-OS-000930 | OpenShift must generate audit records when successful/unsuccessful attempts to modify privileges occur. |
| CNTR-OS-000940 | OpenShift must generate audit records when successful/unsuccessful attempts to modify security objects occur. |
| CNTR-OS-000950 | OpenShift must generate audit records when successful/unsuccessful attempts to delete privileges occur. |
| CNTR-OS-000960 | OpenShift must generate audit records when successful/unsuccessful attempts to delete security objects occur. |
| CNTR-OS-000970 | OpenShift must generate audit records when successful/unsuccessful logon attempts occur. |
| CNTR-OS-000980 | Red Hat Enterprise Linux CoreOS (RHCOS) must be configured to audit the loading and unloading of dynamic kernel modules. |
| CNTR-OS-000990 | OpenShift audit records must record user access start and end times. |
| CNTR-OS-001000 | OpenShift must generate audit records when concurrent logons from different workstations and systems occur. |
| CNTR-OS-001010 | Red Hat Enterprise Linux CoreOS (RHCOS) must disable the SSHD service. |
| CNTR-OS-001020 | Red Hat Enterprise Linux CoreOS (RHCOS) must disable the USB Storage kernel module. |
| CNTR-OS-001030 | Red Hat Enterprise Linux CoreOS (RHCOS) must use USBGuard for hosts that include a USB controller. |
| CNTR-OS-001060 | OpenShift must continuously scan components, containers, and images for vulnerabilities. |
| CNTR-OS-001080 | OpenShift must use a FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (nonlegacy use). |