diff --git a/shared/references/disa-stig-ocp4-v2r2-xccdf-manual.xml b/shared/references/disa-stig-ocp4-v2r3-xccdf-manual.xml similarity index 86% rename from shared/references/disa-stig-ocp4-v2r2-xccdf-manual.xml rename to shared/references/disa-stig-ocp4-v2r3-xccdf-manual.xml index 1232c505e8c..4ccce0600cc 100644 --- a/shared/references/disa-stig-ocp4-v2r2-xccdf-manual.xml +++ b/shared/references/disa-stig-ocp4-v2r3-xccdf-manual.xml 
@@ -1,12 +1,12 @@ -acceptedRed Hat OpenShift Container Platform 4.12 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 2 Benchmark Date: 30 Jan 20253.51.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-APP-000014-CTR-000035<GroupDescription></GroupDescription>CNTR-OS-000010OpenShift must use TLS 1.2 or greater for secure container image transport from trusted sources.<VulnDiscussion>The authenticity and integrity of the container image during the container image lifecycle is part of the overall security posture of the container platform. This begins with the container image creation and pull of a base image from a trusted source for child container image creation and the instantiation of the new image into a running service. -If an insecure protocol is used during transmission of container images at any step of the lifecycle, a bad actor may inject nefarious code into the container image. 
The container image, when instantiated, then becomes a security risk to the container platform, the host server, and other containers within the container platform. To thwart the injection of code during transmission, a secure protocol (TLS 1.2 or newer) must be used. Further guidance on secure transport protocols can be found in NIST SP 800-52.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000068Remove insecure registries from the cluster's image registry configuration by executing the following: +If an insecure protocol is used during transmission of container images at any step of the lifecycle, a bad actor may inject nefarious code into the container image. The container image, when instantiated, then becomes a security risk to the container platform, the host server, and other containers within the container platform. To thwart the injection of code during transmission, a secure protocol (TLS 1.2 or newer) must be used. 
Further guidance on secure transport protocols can be found in NIST SP 800-52.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000068Remove insecure registries from the cluster's image registry configuration by executing the following: oc edit image.config.openshift.io/cluster Edit or remove any registries where insecure is set to true or are listed under insecureRegistries. -Refer to https://docs.openshift.com/container-platform/4.8/openshift_images/image-configuration.html for more details on configuring registries in OpenShift.Verify that no insecure registries are configured by executing the following: +Refer to https://docs.openshift.com/container-platform/4.8/openshift_images/image-configuration.html for more details on configuring registries in OpenShift.Verify that no insecure registries are configured by executing the following: oc get image.config.openshift.io/cluster -ojsonpath='{.spec.allowedRegistriesForImport}' | jq -r '.[] | select(.insecure == true)' 
@@ -18,7 +18,7 @@ oc get image.config.openshift.io/cluster -ojsonpath='{.spec.registrySources.inse If the above query returns anything, then this is a finding. Empty output is not a finding.SRG-APP-000014-CTR-000040<GroupDescription></GroupDescription>CNTR-OS-000020OpenShift must use TLS 1.2 or greater for secure communication.<VulnDiscussion>The authenticity and integrity of the container platform and communication between nodes and components must be secure. If an insecure protocol is used during transmission of data, the data can be intercepted and manipulated. The manipulation of data can be used to inject status changes of the container platform, causing the execution of containers or reporting an incorrect healthcheck. To thwart the manipulation of the data during transmission, a secure protocol (TLS 1.2 or newer) must be used. Further guidance on secure transport protocols can be found in NIST SP 800-52. -Satisfies: SRG-APP-000014-CTR-000040, SRG-APP-000560-CTR-001340</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000068CCI-001453Edit each resource and set the TLS Security Profile to Intermediate by executing the following: +Satisfies: SRG-APP-000014-CTR-000040, 
SRG-APP-000560-CTR-001340</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000068CCI-001453Edit each resource and set the TLS Security Profile to Intermediate by executing the following: oc edit ingresscontroller <NAME> -n <NAMESPACE> @@ -58,7 +58,7 @@ kind: KubeletConfig spec: tlsSecurityProfile: intermediate: {} - type: IntermediateVerify the TLS Security Profile is not set to a profile that does not enforce TLS 1.2 or above. + type: IntermediateVerify the TLS Security Profile is not set to a profile that does not enforce TLS 1.2 or above. View the TLS security profile for the ingress controllers by executing the following: 
@@ -80,7 +80,7 @@ If the above returns "<none>" TLS profile, this is not a finding as the TL If the kubelet TLS profile check does not return any kubeletconfigs, this is not a finding as the default OCP installation uses defaults only.SRG-APP-000023-CTR-000055<GroupDescription></GroupDescription>CNTR-OS-000030OpenShift must use a centralized user management solution to support account management functions.<VulnDiscussion>OpenShift supports several different types of identity providers. To add users and grant access to OpenShift, an identity provider must be configured. Some of the identity provider types such as HTPassword only provide simple user management and are not intended for production. Other types are public services like GitHub. These provider types are not appropriate as they are managed by public service providers, and therefore are unable to enforce the organizations account management requirements. -Use either the LDAP or the OpenIDConnect Identity Provider type to configure OpenShift to use the organizations centrally managed IdP that is able to enforce the organization's policies regarding user identity management.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000015Configure OpenShift to use an appropriate Identity Provider. Do not use HTPasswd. Use either LDAP(AD), OpenIDConnect, or an approved identity provider. 
+Use either the LDAP or the OpenIDConnect Identity Provider type to configure OpenShift to use the organizations centrally managed IdP that is able to enforce the organization's policies regarding user identity management.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000015Configure OpenShift to use an appropriate Identity Provider. Do not use HTPasswd. Use either LDAP(AD), OpenIDConnect, or an approved identity provider. To configure LDAP provider: 1. Create Secret for BIND DN password by executing the following: @@ -167,7 +167,7 @@ spec: oc apply -f ldapidp.yaml -Note: For more information on configuring an OpenID provider, refer to https://docs.openshift.com/container-platform/4.8/authentication/identity_providers/configuring-oidc-identity-provider.html.Verify the authentication operator is configured to use either an LDAP or a OpenIDConnect provider by executing the following: +Note: For more information on configuring an OpenID provider, refer to https://docs.openshift.com/container-platform/4.8/authentication/identity_providers/configuring-oidc-identity-provider.html.Verify the authentication operator is configured to use either an LDAP or a OpenIDConnect provider by executing the following: oc get oauth cluster -o jsonpath="{.spec.identityProviders[*].type}{'\n'}" 
@@ -175,9 +175,9 @@ If the output lists any other type besides LDAP or OpenID, this is a finding.DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000015If an alternative IDP is already configured and an administrative user exists with the role of cluster-admin, disable the kubeadmin account by running the following command as a cluster administrator: +After a new install, the default authentication uses kubeadmin as the default cluster-admin account. This default account must be disabled and another user account must be given cluster-admin rights.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000015If an alternative IDP is already configured and an administrative user exists with the role of cluster-admin, disable the kubeadmin account by running the following command as a cluster administrator: -oc delete secrets kubeadmin -n kube-systemVerify the kubeadmin account is disabled by executing the following: +oc delete secrets kubeadmin -n kube-systemVerify the kubeadmin account is disabled by executing the following: oc get secrets kubeadmin -n kube-system 
@@ -194,7 +194,7 @@ kubeadmin Opaque 1 6h3m)DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000018Apply the machine config using the following command: +To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000018Apply the machine config using the following command: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 @@ -240,7 +240,7 @@ spec: path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules overwrite: true " | oc apply -f - -doneVerify Red Hat Enterprise Linux CoreOS (RHCOS) generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow". +doneVerify Red Hat Enterprise Linux CoreOS (RHCOS) generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow". Logging on as administrator, check the auditing rules in "/etc/audit/audit.rules" by executing the following: 
@@ -253,7 +253,7 @@ If the command does not return a line, or the line is commented out, this is a f A comprehensive account management process will ensure an audit trail documents the creation of application user accounts and, as required, notifies administrators and/or application owners exists. Such a process greatly reduces the risk that accounts will be surreptitiously modified and provides logging that can be used for forensic purposes. -To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to offload those access control functions and focus on core application features and functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-001403Apply the machine config using the following command: +To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. 
Such integration allows the application developer to offload those access control functions and focus on core application features and functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-001403Apply the machine config using the following command: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 @@ -299,7 +299,7 @@ spec: path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules overwrite: true " | oc apply -f - -doneVerify for each of the files that contain account information the system is configured to emit an audit event in case of a write by executing the following: +doneVerify for each of the files that contain account information the system is configured to emit an audit event in case of a write by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; for f in /etc/passwd /etc/group /etc/gshadow /etc/security/opasswd /etc/shadow /etc/sudoers /etc/sudoers.d/; do grep -q "\-w $f \-p wa \-k" /etc/audit/audit.rules || echo "rule for $f not found"; done' 2>/dev/null; done 
@@ -307,7 +307,7 @@ If for any of the files a line saying "rule for $filename not found" is printed, When management actions are modified, user accessibility is affected. Once an attacker establishes access to an application, the attacker often attempts to disable authorized accounts to disrupt services or prevent the implementation of countermeasures. In the event of a security incident or policy violation, having detailed audit logs for account creation, modification, disabling, removal, and enabling actions is crucial for incident response and forensic investigations. These logs provide a trail of activities that can be analyzed to determine the cause, impact, and scope of the incident, aiding in the investigation and remediation process. -Satisfies: SRG-APP-000028-CTR-000080, SRG-APP-000291-CTR-000675, SRG-APP-000292-CTR-000680, SRG-APP-000293-CTR-000685, SRG-APP-000294-CTR-000690, SRG-APP-000319-CTR-000745, SRG-APP-000320-CTR-000750, SRG-APP-000509-CTR-001305</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000172CCI-001404CCI-000015CCI-002130CCI-001683CCI-001684CCI-001685CCI-001686CCI-002132Apply the machine config using the following command: +Satisfies: SRG-APP-000028-CTR-000080, SRG-APP-000291-CTR-000675, SRG-APP-000292-CTR-000680, SRG-APP-000293-CTR-000685, SRG-APP-000294-CTR-000690, SRG-APP-000319-CTR-000745, SRG-APP-000320-CTR-000750, 
SRG-APP-000509-CTR-001305</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000172CCI-001404CCI-000015CCI-002130CCI-001683CCI-001684CCI-001685CCI-001686CCI-002132Apply the machine config using the following command: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 @@ -353,7 +353,7 @@ spec: path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules overwrite: true " | oc apply -f - -doneVerify the audit rules capture account creation, modification, disabling, removal, and enabling actions by executing the following: +doneVerify the audit rules capture account creation, modification, disabling, removal, and enabling actions by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e user-modify -e group-modify -e audit_rules_usergroup_modification /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done 
@@ -367,7 +367,7 @@ Confirm the following rules exist on each node: If the above rules are not listed on each node, this is a finding.SRG-APP-000029-CTR-000085<GroupDescription></GroupDescription>CNTR-OS-000080Open Shift must automatically audit account removal actions.<VulnDiscussion>When application accounts are removed, user accessibility is affected. Once an attacker establishes access to an application, the attacker often attempts to remove authorized accounts to disrupt services or prevent the implementation of countermeasures. Auditing account removal actions provides logging that can be used for forensic purposes. -To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/audit mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-001405Apply the machine config by executing the following: +To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/audit mechanisms meeting or exceeding access control policy requirements. 
Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-001405Apply the machine config by executing the following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 @@ -488,7 +488,7 @@ spec: path: /etc/audit/rules.d/75-usr_sbin_unix_chkpwd.rules overwrite: true " | oc apply -f - -doneVerify the audit rules capture the execution of setuid and setgid binaries by executing the following: +doneVerify the audit rules capture the execution of setuid and setgid binaries by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e key=privileged /etc/audit/audit.rules || echo "not found"' 2>/dev/null; done 
@@ -533,7 +533,7 @@ The OpenShift Container Platform includes a built-in image registry. The primary Restricting access permissions and providing access only to the necessary components and resources within the OpenShift environment reduces the potential impact of security breaches and unauthorized activities. -Satisfies: SRG-APP-000033-CTR-000090, SRG-APP-000033-CTR-000095, SRG-APP-000033-CTR-000100, SRG-APP-000133-CTR-000290, SRG-APP-000133-CTR-000295, SRG-APP-000133-CTR-000300, SRG-APP-000133-CTR-000305, SRG-APP-000133-CTR-000310, SRG-APP-000148-CTR-000350, SRG-APP-000153-CTR-000375, SRG-APP-000340-CTR-000770, SRG-APP-000378-CTR-000880, SRG-APP-000378-CTR-000885, SRG-APP-000378-CTR-000890, SRG-APP-000380-CTR-000900, SRG-APP-000386-CTR-000920</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000213CCI-000764CCI-004045CCI-001499CCI-001774CCI-003980CCI-001813CCI-002235CCI-000770CCI-001812If users or groups exist that are bound to roles they must not have, modify the user or group permissions using the following cluster and local role binding commands: +Satisfies: SRG-APP-000033-CTR-000090, SRG-APP-000033-CTR-000095, SRG-APP-000033-CTR-000100, SRG-APP-000133-CTR-000290, SRG-APP-000133-CTR-000295, SRG-APP-000133-CTR-000300, SRG-APP-000133-CTR-000305, SRG-APP-000133-CTR-000310, SRG-APP-000148-CTR-000350, SRG-APP-000153-CTR-000375, SRG-APP-000340-CTR-000770, SRG-APP-000378-CTR-000880, SRG-APP-000378-CTR-000885, SRG-APP-000378-CTR-000890, SRG-APP-000380-CTR-000900, 
SRG-APP-000386-CTR-000920</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000213CCI-000764CCI-004045CCI-001499CCI-001774CCI-003980CCI-001813CCI-002235CCI-000770CCI-001812If users or groups exist that are bound to roles they must not have, modify the user or group permissions using the following cluster and local role binding commands: Remove a user from a Cluster RBAC role by executing the following: @@ -551,7 +551,7 @@ Remove a group from a Local RBAC role by executing the following: oc adm policy remove-role-from-group <role> <groupname> -Note: For additional information, refer to https://docs.openshift.com/container-platform/4.8/authentication/using-rbac.html.The administrator must verify that OpenShift is configured with the necessary RBAC access controls. +Note: For additional information, refer to https://docs.openshift.com/container-platform/4.8/authentication/using-rbac.html.The administrator must verify that OpenShift is configured with the necessary RBAC access controls. Review the RBAC configuration. 
@@ -571,7 +571,7 @@ If these results show users with privileged access that do not require that acce OpenShift forces the use of namespaces. Service accounts are a namespace resource as well, so they are segregated. RBAC policies apply to service accounts. In addition, Network Policies are used to control the flow of requests between containers hosted on the container platform. -It is important to define a default Network Policy on the namespace that will be applied automatically to new projects to prevent unintended requests. These policies can be updated by the project's administrator (with the appropriate RBAC permissions) to apply a policy that is appropriate to the service(s) within the project namespace.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-001368Add a Network Policy to an existing project namespace by performing the following steps: +It is important to define a default Network Policy on the namespace that will be applied automatically to new projects to prevent unintended requests. 
These policies can be updated by the project's administrator (with the appropriate RBAC permissions) to apply a policy that is appropriate to the service(s) within the project namespace.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-001368Add a Network Policy to an existing project namespace by performing the following steps: 1. Create <YOURFILE>.yaml and insert the desired resource Network Policy content. The following is an example resource quota definition: 
@@ -590,13 +590,13 @@ spec: oc apply -f <YOURFILE>.yaml -n <NAMESPACE> -Details regarding the configuration of resource Network Policy can be reviewed at https://docs.openshift.com/container-platform/4.12/networking/network_policy/about-network-policy.html.Verify that each user namespace has a Network Policy by executing the following: +Details regarding the configuration of resource Network Policy can be reviewed at https://docs.openshift.com/container-platform/4.12/networking/network_policy/about-network-policy.html.Verify that each user namespace has a Network Policy by executing the following: for ns in $(oc get namespaces -ojson | jq -r '.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name '); do oc get networkpolicy -n$ns; done If the above returns any lines saying "No resources found in <PROJECT> namespace.", this is a finding. Empty output is not a finding.SRG-APP-000039-CTR-000110<GroupDescription></GroupDescription>CNTR-OS-000110OpenShift must enforce approved authorizations for controlling the flow of information within the container platform based on organization-defined information flow control policies.<VulnDiscussion>OpenShift provides several layers of protection to control the flow of information between the container platform components and user services. Each user project is given a separate namespace and OpenShift enforces RBAC policies controlling which projects and services users can access. In addition, Network Policies are used to control the flow of requests to and from externally integrated services to services hosted on the container platform. -It is important to define a default Network Policy that will be applied automatically to new projects to prevent unintended requests. 
These policies can be updated by the project's administrator (with the appropriate RBAC permissions) to apply a policy that is appropriate to the service(s) within the project namespace.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-001414Configure a default network policy as necessary to protect the flow of information by performing the following steps: +It is important to define a default Network Policy that will be applied automatically to new projects to prevent unintended requests. These policies can be updated by the project's administrator (with the appropriate RBAC permissions) to apply a policy that is appropriate to the service(s) within the project namespace.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-001414Configure a default network policy as necessary to protect the flow of information by performing the following steps: 1. Create a bootstrap project template (if not already created) by executing the following: 
@@ -636,7 +636,7 @@ oc create -f template.yaml -n openshift-config oc patch project.config.openshift.io/cluster --type=merge -p '{"spec":{"projectRequestTemplate":{"name": "<PROJECT_REQUEST_TEMPLATE>"}}}' -For additional information regarding network policies, refer to https://docs.openshift.com/container-platform/4.8/networking/network_policy/about-network-policy.html.Check for Network Policy. Verify a default project template is defined by executing the following: +For additional information regarding network policies, refer to https://docs.openshift.com/container-platform/4.8/networking/network_policy/about-network-policy.html.Check for Network Policy. Verify a default project template is defined by executing the following: oc get project.config.openshift.io/cluster -o jsonpath="{.spec.projectRequestTemplate.name}" 
@@ -646,7 +646,7 @@ Verify the project request template creates a Network Policy: oc get templates/<PROJECT-REQUEST-TEMPLATE> -n openshift-config -o jsonpath="{.objects[?(.kind=='NetworkPolicy')]}{'\n'}" -Replace <PROJECT-REQUEST-TEMPLATE> with the name of the project request template returned from the earlier query. If the project template is not defined, or there are no Network Policy definitions in it, this is a finding.SRG-APP-000068-CTR-000120<GroupDescription></GroupDescription>CNTR-OS-000130OpenShift must display the Standard Mandatory DOD Notice and Consent Banner before granting access to platform components.<VulnDiscussion>OpenShift has countless components where different access levels are needed. To control access, the user must first log into the component and then be presented with a DOD-approved use notification banner before granting access to the component. This guarantees privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000048The following command will create a configmap that displays the DOD Notice and Consent Banner when logging in using the OpenShift CLI tool by executing the following: +Replace <PROJECT-REQUEST-TEMPLATE> with the name of the project request template returned from the earlier query. 
If the project template is not defined, or there are no Network Policy definitions in it, this is a finding.SRG-APP-000068-CTR-000120<GroupDescription></GroupDescription>CNTR-OS-000130OpenShift must display the Standard Mandatory DOD Notice and Consent Banner before granting access to platform components.<VulnDiscussion>OpenShift has countless components where different access levels are needed. To control access, the user must first log into the component and then be presented with a DOD-approved use notification banner before granting access to the component. This guarantees privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000048The following command will create a configmap that displays the DOD Notice and Consent Banner when logging in using the OpenShift CLI tool by executing the following: echo 'apiVersion: v1 kind: ConfigMap 
@@ -654,7 +654,7 @@ metadata: name: motd namespace: openshift data: - message: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."' | oc apply -f -To verify the OpenShift CLI tool is configured to display the DOD Notice and Consent Banner, do either of the following steps: + message: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."' | oc apply -f -To verify the OpenShift CLI tool is configured to display the DOD Notice and Consent Banner, do either of the following steps: Log in to OpenShift using the oc CLI tool. 
@@ -673,9 +673,9 @@ If the configmap does not exist, or it does not contain the DOD Notice and Conse For more detailed documentation on what is being logged, refer to https://docs.openshift.com/container-platform/4.8/security/audit-log-view.html. -Satisfies: SRG-APP-000089-CTR-000150, SRG-APP-000090-CTR-000155, SRG-APP-000101-CTR-000205, SRG-APP-000510-CTR-001310, SRG-APP-000516-CTR-000790</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000135CCI-000169CCI-000171CCI-000172CCI-000366As the cluster administrator, update the APIServer.config.openshift.io/cluster object to set the profile to the defined level of detail. 
For example, to configure the profile to WriteRequestBodies, meaning that all write requests to any API server object are logged in their entirety, by executing the following: +Satisfies: SRG-APP-000089-CTR-000150, SRG-APP-000090-CTR-000155, SRG-APP-000101-CTR-000205, SRG-APP-000510-CTR-001310, SRG-APP-000516-CTR-000790</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000135CCI-000169CCI-000171CCI-000172CCI-000366As the cluster administrator, update the APIServer.config.openshift.io/cluster object to set the profile to the defined level of detail. For example, to configure the profile to WriteRequestBodies, meaning that all write requests to any API server object are logged in their entirety, by executing the following: -oc patch apiserver.config.openshift.io/cluster --type=merge -p '{"spec": {"audit": {"profile": "WriteRequestBodies"}}}'To determine at what level the OpenShift audit policy logging verbosity is configured, as a cluster-administrator:execute the following command: +oc patch apiserver.config.openshift.io/cluster --type=merge -p '{"spec": {"audit": {"profile": "WriteRequestBodies"}}}'To determine at what level the OpenShift audit policy logging verbosity is configured, as a cluster-administrator:execute the following command: oc get apiserver.config.openshift.io/cluster -ojsonpath='{.spec.audit.profile}' 
@@ -685,7 +685,7 @@ All the components must use the same standard so that the events can be tied tog Without audit record generation, access control levels can be accessed by unauthorized users unknowingly for malicious intent, creating vulnerabilities within the container platform. -Satisfies: SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000172Apply the following machine config and generate audit records by executing following: +Satisfies: SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000172Apply the following machine config and generate audit records by executing following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 
@@ -771,7 +771,7 @@ spec: path: /etc/audit/rules.d/30-ospp-v42-remediation.rules overwrite: true " | oc apply -f - -doneVerify OpenShift is configured to generate audit records when successful/unsuccessful attempts to access or delete security objects, security levels, and privileges occur by executing the following: +doneVerify OpenShift is configured to generate audit records when successful/unsuccessful attempts to access or delete security objects, security levels, and privileges occur by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e "key=perm_mod" -e "key=unsuccessful-create" -e "key=unsuccessful-modification" -e "key=unsuccessful-access" /etc/audit/audit.rules|| echo "not found"' 2>/dev/null; done 
@@ -833,7 +833,7 @@ Confirm the following rules exist on each node: On each node, if the above rules are not listed, or the return is "not found", this is a finding.SRG-APP-000092-CTR-000165<GroupDescription></GroupDescription>CNTR-OS-000170Red Hat Enterprise Linux CoreOS (RHCOS) must initiate session audits at system startup.<VulnDiscussion>Initiating session audits at system startup allows for comprehensive monitoring of user activities and system events from the moment the system is powered on. Audit logs capture information about login attempts, commands executed, file access, and other system activities. By starting session audits at system startup, RHCOS ensures that all relevant events are recorded, providing a complete security monitoring solution. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. -By initiating session audits at system startup, RHCOS enhances security monitoring, aids in timely incident detection and response, meets compliance requirements, facilitates forensic analysis, and promotes accountability and governance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-001464Apply the machine config by executing the following: +By initiating session audits at system startup, RHCOS enhances security monitoring, aids in timely incident detection and response, meets compliance requirements, facilitates forensic analysis, and promotes accountability and 
governance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-001464Apply the machine config by executing the following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 @@ -850,7 +850,7 @@ spec: - audit=1 - audit_backlog_limit=8192 " | oc create -f - -doneVerify the RHCOS boot loader configuration has audit enabled, including backlog: +doneVerify the RHCOS boot loader configuration has audit enabled, including backlog: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep audit /boot/loader/entries/*.conf || echo "not found"' 2>/dev/null; done 
@@ -858,7 +858,7 @@ If "audit" is not set to "1" or returns "not found", this is a finding. If "audit_backlog" is not set to 8192 or returns "not found", this is a finding.SRG-APP-000095-CTR-000170<GroupDescription></GroupDescription>CNTR-OS-000180All audit records must identify what type of event has occurred within OpenShift.<VulnDiscussion>Within the container platform, audit data can be generated from any of the deployed container platform components. This audit data is important when there are issues such as security incidents that must be investigated. Identifying the type of event in audit records helps classify and categorize different activities or actions within OpenShift. This classification allows for easier analysis, reporting, and filtering of audit logs based on specific event types. It helps distinguish between user actions, system events, policy violations, or security incidents, providing a clearer understanding of the activities occurring within the platform. -Satisfies: SRG-APP-000095-CTR-000170, SRG-APP-000409-CTR-000990, SRG-APP-000508-CTR-001300, SRG-APP-000510-CTR-001310</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000130CCI-000172CCI-002884Apply the machine config setting auditd to active and enabled by executing the following: +Satisfies: SRG-APP-000095-CTR-000170, SRG-APP-000409-CTR-000990, SRG-APP-000508-CTR-001300, 
SRG-APP-000510-CTR-001310</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000130CCI-000172CCI-002884Apply the machine config setting auditd to active and enabled by executing the following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 
@@ -876,11 +876,11 @@ spec: - name: auditd.service enabled: true " | oc apply -f - -doneVerify the audit service is enabled and active by executing the following: +doneVerify the audit service is enabled and active by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; systemctl is-enabled auditd.service; systemctl is-active auditd.service' 2>/dev/null; done -If the auditd service is not "enabled" and "active" this is a finding.SRG-APP-000096-CTR-000175<GroupDescription></GroupDescription>CNTR-OS-000190OpenShift audit records must have a date and time association with all events.<VulnDiscussion>Within the container platform, audit data can be generated from any of the deployed container platform components. This audit data is important when there are issues, such as security incidents, that must be investigated. To make the audit data worthwhile for the investigation of events, it is necessary to know when the event occurred. To establish the time of the event, the audit record must contain the date and time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000131Apply the machine config by executing the following: +If the auditd service is not "enabled" and "active" this is a finding.SRG-APP-000096-CTR-000175<GroupDescription></GroupDescription>CNTR-OS-000190OpenShift audit records must have a date and time association with all events.<VulnDiscussion>Within the container platform, audit data can be generated from any of the deployed container platform components. 
This audit data is important when there are issues, such as security incidents, that must be investigated. To make the audit data worthwhile for the investigation of events, it is necessary to know when the event occurred. To establish the time of the event, the audit record must contain the date and time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000131Apply the machine config by executing the following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 @@ -901,7 +901,7 @@ spec: path: /etc/audit/auditd.conf overwrite: true " | oc apply -f - -done1. Verify Red Hat Enterprise Linux CoreOS (RHCOS) Audit Daemon is configured to resolve audit information before writing to disk by executing the following command: +done1. Verify Red Hat Enterprise Linux CoreOS (RHCOS) Audit Daemon is configured to resolve audit information before writing to disk by executing the following command: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep "log_format" /etc/audit/auditd.conf' 2>/dev/null; done 
@@ -931,7 +931,7 @@ It is common for attackers to replace the audit tools or inject code into the ex To address this risk, audit tools must be cryptographically signed in order to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files. -Satisfies: SRG-APP-000099-CTR-000190, SRG-APP-000097-CTR-000180, SRG-APP-000098-CTR-000185, SRG-APP-000100-CTR-000195, SRG-APP-000100-CTR-000200, SRG-APP-000109-CTR-000215, SRG-APP-000290-CTR-000670, SRG-APP-000357-CTR-000800</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000132CCI-000133CCI-000134CCI-000140CCI-001487CCI-001496CCI-001849Apply the machine config by executing the following: +Satisfies: SRG-APP-000099-CTR-000190, SRG-APP-000097-CTR-000180, SRG-APP-000098-CTR-000185, SRG-APP-000100-CTR-000195, SRG-APP-000100-CTR-000200, SRG-APP-000109-CTR-000215, SRG-APP-000290-CTR-000670, SRG-APP-000357-CTR-000800</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000132CCI-000133CCI-000134CCI-000140CCI-001487CCI-001496CCI-001849Apply the machine config by executing the following: for mcpool 
in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 @@ -952,7 +952,7 @@ spec: path: /etc/audit/auditd.conf overwrite: true " | oc apply -f - -done1. Verify Red Hat Enterprise Linux CoreOS (RHCOS) Audit Daemon is configured to resolve audit information before writing to disk, by executing the following command: +done1. Verify Red Hat Enterprise Linux CoreOS (RHCOS) Audit Daemon is configured to resolve audit information before writing to disk, by executing the following command: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep "log_format" /etc/audit/auditd.conf' 2>/dev/null; done 
@@ -976,7 +976,7 @@ Because availability of the services provided by the container platform, approve (i) If the failure was caused by the lack of audit record storage capacity, the container platform must continue generating audit records if possible (automatically restarting the audit service if necessary), overwriting the oldest audit records in a first-in-first-out manner. -(ii) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, the container platform must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action must be taken to synchronize the local audit data with the collection server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000140Apply the following Prometheus rule by executing the following: +(ii) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, the container platform must queue audit records locally until communication is restored or until the audit records are retrieved manually. 
Upon restoration of the connection to the centralized collection server, action must be taken to synchronize the local audit data with the collection server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000140Apply the following Prometheus rule by executing the following: oc apply -f - << 'EOF' --- @@ -1002,7 +1002,7 @@ spec: for: 1m labels: severity: warning -EOFVerify there is a Prometheus rule to watch for audit events by executing the following: +EOFVerify there is a Prometheus rule to watch for audit events by executing the following: oc get prometheusrule -o yaml --all-namespaces | grep apiserver_audit 
@@ -1013,7 +1013,7 @@ If the output above is not displayed, this is a finding. Centralized audit logs are crucial for incident response and forensic investigations. When a security incident occurs, having audit logs in a central repository allows security teams to quickly access relevant log data for analysis. It facilitates incident reconstruction, root cause analysis, and the identification of the scope and impact of the incident. This is vital for effective incident response and minimizing the impact of security breaches. -Satisfies: SRG-APP-000111-CTR-000220, SRG-APP-000092-CTR-000165, SRG-APP-000358-CTR-000805</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000154CCI-001464CCI-001851To configure log forwarding, the OpenShift Cluster Logging operator first must be installed, and then the Cluster Log Forwarder is configured to forward logs to a centralized log aggregation service. 
+Satisfies: SRG-APP-000111-CTR-000220, SRG-APP-000092-CTR-000165, SRG-APP-000358-CTR-000805</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000154CCI-001464CCI-001851To configure log forwarding, the OpenShift Cluster Logging operator first must be installed, and then the Cluster Log Forwarder is configured to forward logs to a centralized log aggregation service. To install the OpenShift Cluster Logging operator, execute the following command to apply the subscription manifests to the cluster: @@ -1129,7 +1129,7 @@ spec: EOF Note that many log forwarding destinations are supported, and the fix does not require that users forward audit logs to rsyslog over mTLS. To better understand how to configure the ClusterLogForwarder, consult the OpenShift Logging documentation: -https://docs.openshift.com/container-platform/4.8/logging/cluster-logging-external.htmlDetermine if cluster log forwarding is configured. +https://docs.openshift.com/container-platform/4.8/logging/cluster-logging-external.htmlDetermine if cluster log forwarding is configured. 1. Verify the cluster-logging operator is installed by executing the following: 
@@ -1153,7 +1153,7 @@ oc describe clusterlogforwarder/<CLF_NAME> -n openshift-logging Review the details of the cluster log forwarder. -If the configuration is not set to forward logs the organization's centralized logging service, this is a finding.SRG-APP-000116-CTR-000235<GroupDescription></GroupDescription>CNTR-OS-000230OpenShift must use internal system clocks to generate audit record time stamps.<VulnDiscussion>Knowing when a sequence of events for an incident occurred is crucial to understand what may have taken place. Without a common clock, the components generating audit events could be out of synchronization and would then present a picture of the event that is warped and corrupted. To give a clear picture, it is important that the container platform and its components use a common internal clock.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000159Apply the machine config to use internal system clocks for audit records by executing the following: +If the configuration is not set to forward logs the organization's centralized logging service, this is a finding.SRG-APP-000116-CTR-000235<GroupDescription></GroupDescription>CNTR-OS-000230OpenShift must use internal system clocks to generate audit record time stamps.<VulnDiscussion>Knowing when a sequence of events for an incident occurred is crucial to understand what may have taken place. Without a common clock, the components generating audit events could be out of synchronization and would then present a picture of the event that is warped and corrupted. 
To give a clear picture, it is important that the container platform and its components use a common internal clock.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000159Apply the machine config to use internal system clocks for audit records by executing the following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 
@@ -1171,11 +1171,11 @@ spec: - name: chronyd.service enabled: true " | oc apply -f - -doneVerify the chronyd service is enabled and active by executing the following: +doneVerify the chronyd service is enabled and active by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; systemctl is-enabled chronyd.service; systemctl is-active chronyd.service' 2>/dev/null; done -If the auditd service is not "enabled" and "active", this is a finding.SRG-APP-000116-CTR-000235<GroupDescription></GroupDescription>CNTR-OS-000240The Red Hat Enterprise Linux CoreOS (RHCOS) chrony Daemon must use multiple NTP servers to generate audit record time stamps.<VulnDiscussion>Utilizing multiple NTP servers for the chrony daemon in RHCOS ensures accurate and reliable audit record timestamps. It improves time synchronization, mitigates time drift, provides redundancy, and enhances resilience against attacks. Knowing when a sequence of events for an incident occurred is crucial to understand what may have taken place. Without a common clock, the components generating audit events could be out of synchronization and would then present a picture of the event that is warped and corrupted. To give a clear picture, it is important that the container platform and its components use a common internal clock.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000159Apply the machine config by executing the following, replacing the variables in the MachineConfig with organizationally-defined NTP servers. 
+If the auditd service is not "enabled" and "active", this is a finding.SRG-APP-000116-CTR-000235<GroupDescription></GroupDescription>CNTR-OS-000240The Red Hat Enterprise Linux CoreOS (RHCOS) chrony Daemon must use multiple NTP servers to generate audit record time stamps.<VulnDiscussion>Utilizing multiple NTP servers for the chrony daemon in RHCOS ensures accurate and reliable audit record timestamps. It improves time synchronization, mitigates time drift, provides redundancy, and enhances resilience against attacks. Knowing when a sequence of events for an incident occurred is crucial to understand what may have taken place. Without a common clock, the components generating audit events could be out of synchronization and would then present a picture of the event that is warped and corrupted. To give a clear picture, it is important that the container platform and its components use a common internal clock.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000159Apply the machine config by executing the following, replacing the variables in the MachineConfig with organizationally-defined NTP servers. for mcpool in $(oc get mcp -oname | sed ""s:.*/::"" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 
@@ -1206,7 +1206,7 @@ spec: overwrite: true path: /etc/chrony.d/ntp-server.conf " | oc apply -f - -doneVerify Red Hat Enterprise Linux CoreOS (RHCOS) chrony Daemon is configured to use multiple NTP servers by executing the following: +doneVerify Red Hat Enterprise Linux CoreOS (RHCOS) chrony Daemon is configured to use multiple NTP servers by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep "server" /etc/chrony.d/*' 2>/dev/null; done 
@@ -1221,7 +1221,7 @@ This requirement can be achieved through multiple methods, which will depend upo Additionally, applications with user interfaces to audit records must not allow for the unfettered manipulation of or access to those records via the application. If the application provides access to the audit data, the application becomes accountable for ensuring audit information is protected from unauthorized access. -Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000162Correct permissions (audit logs have a mode of "0600") by executing the following: +Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000162Correct permissions (audit logs have a mode of "0600") by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; 
machine_id=$(systemd-machine-id-setup --print); chmod 600 /var/log/audit/audit.log' 2>/dev/null; done @@ -1235,7 +1235,7 @@ for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash - Correct permissions ( audit log directories have a mode of "0700") by executing the following: -for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; machine_id=$(systemd-machine-id-setup --print); chmod 700 /var/log/audit' 2>/dev/null; doneVerify the audit logs have a mode of "0600" by executing the following: +for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; machine_id=$(systemd-machine-id-setup --print); chmod 700 /var/log/audit' 2>/dev/null; doneVerify the audit logs have a mode of "0600" by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; stat -c "%a %n" /var/log/audit/audit.log' 2>/dev/null; done 
@@ -1263,17 +1263,17 @@ for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash - (Sample Output: 700 /var/log/audit) If the audit log directory has a mode more permissive than "0700", this is a finding.SRG-APP-000118-CTR-000240<GroupDescription></GroupDescription>CNTR-OS-000260OpenShift must protect system journal file from any type of unauthorized access by setting file permissions.<VulnDiscussion>It is a fundamental security practice to enforce the principle of least privilege, where only the necessary permissions are granted to authorized entities. OpenShift must protect the system journal file from any type of unauthorized access by setting file permissions. -The system journal file contains important log data that helps in troubleshooting and monitoring the system. Unauthorized access or tampering with the journal file can compromise the integrity of this data. By setting appropriate file permissions, OpenShift ensures that only authorized users or processes have access to the journal file, maintaining the integrity and reliability of system logs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000162Correct journal file permissions by executing the following: +The system journal file contains important log data that helps in troubleshooting and monitoring the system. Unauthorized access or tampering with the journal file can compromise the integrity of this data. 
By setting appropriate file permissions, OpenShift ensures that only authorized users or processes have access to the journal file, maintaining the integrity and reliability of system logs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000162Correct journal file permissions by executing the following: -for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; machine_id=$(systemd-machine-id-setup --print); chmod 640 /var/log/journal/$machine_id/system.journal' 2>/dev/null; doneVerify the system journal file has mode "0640" or less permissive by executing the following: +for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; machine_id=$(systemd-machine-id-setup --print); chmod 640 /var/log/journal/$machine_id/system.journal' 2>/dev/null; doneVerify the system journal file has mode "0640" or less permissive by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; machine_id=$(systemd-machine-id-setup --print); stat -c "%a %n" /var/log/journal/$machine_id/system.journal' 2>/dev/null; done If a value of "0640" or less permissive is not returned, this is a finding.SRG-APP-000118-CTR-000240<GroupDescription></GroupDescription>CNTR-OS-000270OpenShift must protect system journal file from any type of unauthorized access by setting owner permissions.<VulnDiscussion>OpenShift follows the principle of least privilege, which aims to restrict access to resources based on user roles 
and responsibilities. This separation of privileges helps mitigate the risk of unauthorized modifications or unauthorized access by users or processes that do not need to interact with the file. -Protecting the system journal file from unauthorized access helps safeguard against potential security threats. The system journal file contains critical log data that is vital for system analysis, troubleshooting, and security auditing. Unauthorized users gaining access to the file may exploit vulnerabilities, tamper with logs, or extract sensitive information. By setting strict file owner permissions, OpenShift minimizes the risk of unauthorized individuals or processes accessing or modifying the journal file, reducing the likelihood of security breaches.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000162Correct journal file ownership by executing the following: +Protecting the system journal file from unauthorized access helps safeguard against potential security threats. The system journal file contains critical log data that is vital for system analysis, troubleshooting, and security auditing. Unauthorized users gaining access to the file may exploit vulnerabilities, tamper with logs, or extract sensitive information. 
By setting strict file owner permissions, OpenShift minimizes the risk of unauthorized individuals or processes accessing or modifying the journal file, reducing the likelihood of security breaches.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000162Correct journal file ownership by executing the following: -for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; machine_id=$(systemd-machine-id-setup --print); chown root:systemd-journal /var/log/journal/$machine_id/system.journal' 2>/dev/null; doneVerify the "system journal" file is group-owned by systemd-journal and owned by root by executing the following: +for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; machine_id=$(systemd-machine-id-setup --print); chown root:systemd-journal /var/log/journal/$machine_id/system.journal' 2>/dev/null; doneVerify the "system journal" file is group-owned by systemd-journal and owned by root by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; machine_id=$(systemd-machine-id-setup --print); stat -c "%U %G" /var/log/journal/$machine_id/system.journal' 2>/dev/null; done 
@@ -1282,21 +1282,21 @@ ip-10-0-150-1 root systemd-journal If "root" is not returned as the owner, this is a finding. -If "systemd-journald" is not returned as the group owner, this is a finding.SRG-APP-000118-CTR-000240<GroupDescription></GroupDescription>CNTR-OS-000280OpenShift must protect log directory from any type of unauthorized access by setting file permissions.<VulnDiscussion>Log files contain sensitive information such as user credentials, system configurations, and potentially even security-related events. Unauthorized access to log files can expose this sensitive data to malicious actors. By protecting the log directory, OpenShift ensures that only authorized users or processes can access the log files, preserving the confidentiality of the information contained within them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000162Correct log directory permissions by executing the following: +If "systemd-journald" is not returned as the group owner, this is a finding.SRG-APP-000118-CTR-000240<GroupDescription></GroupDescription>CNTR-OS-000280OpenShift must protect log directory from any type of unauthorized access by setting file permissions.<VulnDiscussion>Log files contain sensitive information such as user credentials, system configurations, and potentially even security-related events. Unauthorized access to log files can expose this sensitive data to malicious actors. 
By protecting the log directory, OpenShift ensures that only authorized users or processes can access the log files, preserving the confidentiality of the information contained within them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000162Correct log directory permissions by executing the following: -for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; chmod 755 /var/log/' 2>/dev/null; doneVerify the "/var/log" directory has a mode of "0755" or less by executing the following: +for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; chmod 755 /var/log/' 2>/dev/null; doneVerify the "/var/log" directory has a mode of "0755" or less by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; stat -c "%a %n" /var/log' 2>/dev/null; done If a value of "0755" or less permissive is not returned, this is a finding.SRG-APP-000118-CTR-000240<GroupDescription></GroupDescription>CNTR-OS-000290OpenShift must protect log directory from any type of unauthorized access by setting owner permissions.<VulnDiscussion>OpenShift follows the principle of least privilege, which aims to restrict access to resources based on user roles and responsibilities. This separation of privileges helps mitigate the risk of unauthorized modifications or unauthorized access by users or processes that do not need to interact with the file. 
-Protecting the /var/log directory from unauthorized access helps safeguard against potential security threats. Unauthorized users gaining access to the file may exploit vulnerabilities, tamper with logs, or extract sensitive information. By setting strict file owner permissions, OpenShift minimizes the risk of unauthorized individuals or processes accessing or modifying the directory, reducing the likelihood of security breaches.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000162Correct log directory ownership by executing the following: +Protecting the /var/log directory from unauthorized access helps safeguard against potential security threats. Unauthorized users gaining access to the file may exploit vulnerabilities, tamper with logs, or extract sensitive information. 
By setting strict file owner permissions, OpenShift minimizes the risk of unauthorized individuals or processes accessing or modifying the directory, reducing the likelihood of security breaches.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000162Correct log directory ownership by executing the following: - for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; chown root:root /var/log/' 2>/dev/null; doneVerify the "/var/log" directory is group-owned by root by executing the following command: + for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; chown root:root /var/log/' 2>/dev/null; doneVerify the "/var/log" directory is group-owned by root by executing the following command: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; stat -c "%G" /var/log' 2>/dev/null; done -If "root" is not returned as a result, this is a finding.SRG-APP-000118-CTR-000240<GroupDescription></GroupDescription>CNTR-OS-000300OpenShift must protect pod log files from any type of unauthorized access by setting owner permissions.<VulnDiscussion>Pod log files may contain sensitive information such as application data, user credentials, or system configurations. Unauthorized access to these log files can expose sensitive data to malicious actors. 
By setting owner permissions, OpenShift ensures that only authorized users or processes with the necessary privileges can access the pod log files, preserving the confidentiality of the logged information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000162Change the permissions and ownership of files located under "/var/log/pods" to protect from unauthorized access. +If "root" is not returned as a result, this is a finding.SRG-APP-000118-CTR-000240<GroupDescription></GroupDescription>CNTR-OS-000300OpenShift must protect pod log files from any type of unauthorized access by setting owner permissions.<VulnDiscussion>Pod log files may contain sensitive information such as application data, user credentials, or system configurations. Unauthorized access to these log files can expose sensitive data to malicious actors. 
By setting owner permissions, OpenShift ensures that only authorized users or processes with the necessary privileges can access the pod log files, preserving the confidentiality of the logged information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000162Change the permissions and ownership of files located under "/var/log/pods" to protect from unauthorized access. 1. Execute the following to set the output of pods readable only by the owner: @@ -1304,7 +1304,7 @@ for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash - 2. Execute the following to set the group and group-ownership to root for files that store the output of pods: -for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; find /var/log/pods/ -type f \! -user 0 | xargs -r chown root:root' 2>/dev/null; doneVerify the permissions and ownership of files located under "/var/log/pods" that store the output of pods are set to protect from unauthorized access. +for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; find /var/log/pods/ -type f \! -user 0 | xargs -r chown root:root' 2>/dev/null; doneVerify the permissions and ownership of files located under "/var/log/pods" that store the output of pods are set to protect from unauthorized access. 1. Verify the files are readable only by the owner by executing the following command: 
@@ -1331,7 +1331,7 @@ Additionally, applications with user interfaces to audit records must not allow Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. -Satisfies: SRG-APP-000119-CTR-000245, SRG-APP-000120-CTR-000250</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000163CCI-000164Apply the machine config to prevent unauthorized changes by executing the following: +Satisfies: SRG-APP-000119-CTR-000245, SRG-APP-000120-CTR-000250</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000163CCI-000164Apply the machine config to prevent unauthorized changes by executing the following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 
@@ -1352,13 +1352,13 @@ spec: path: /etc/audit/rules.d/90-immutable.rules overwrite: true " | oc apply -f - -doneVerify the audit system prevents unauthorized changes by executing the following command: +doneVerify the audit system prevents unauthorized changes by executing the following command: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n ""$HOSTNAME ""; grep "^\-e\s2\s*$" /etc/audit/audit.rules /etc/audit/rules.d/* || echo "not found"' 2>/dev/null; done If the check returns "not found", the audit system is not set to be immutable by adding the ""-e 2"" option to the ""/etc/audit/audit.rules"", this is a finding.SRG-APP-000121-CTR-000255<GroupDescription></GroupDescription>CNTR-OS-000320OpenShift must prevent unauthorized changes to logon UIDs.<VulnDiscussion>Logon UIDs are used to uniquely identify and authenticate users within the system. By preventing unauthorized changes to logon UIDs, OpenShift ensures that user identities remain consistent and accurate. This helps maintain the integrity of user accounts and ensures that users can be properly authenticated and authorized for their respective resources and actions. -User accounts and associated logon UIDs are important for security monitoring, auditing, and accountability purposes. By preventing unauthorized changes to logon UIDs, OpenShift ensures that actions performed by users can be accurately traced and attributed to the correct user account. 
This helps with incident investigation, compliance requirements, and maintaining overall system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-001493Apply the machine config to prevent changes to logon UIDs by executing the following: +User accounts and associated logon UIDs are important for security monitoring, auditing, and accountability purposes. By preventing unauthorized changes to logon UIDs, OpenShift ensures that actions performed by users can be accurately traced and attributed to the correct user account. This helps with incident investigation, compliance requirements, and maintaining overall system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-001493Apply the machine config to prevent changes to logon UIDs by executing the following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 
@@ -1379,7 +1379,7 @@ spec: path: /etc/audit/rules.d/11-loginuid.rules overwrite: true " | oc apply -f - -doneVerify the audit system prevents unauthorized changes to logon UIDs by executing the following: +doneVerify the audit system prevents unauthorized changes to logon UIDs by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -i immutable /etc/audit/audit.rules || echo "not found"' 2>/dev/null; done 
@@ -1389,7 +1389,7 @@ Applications providing tools to interface with audit data will leverage user per Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. -Satisfies: SRG-APP-000121-CTR-000255, SRG-APP-000122-CTR-000260, SRG-APP-000123-CTR-000265</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-001493CCI-001494CCI-001495Remove view permissions from any unauthorized user or group by performing one or more of the following commands. +Satisfies: SRG-APP-000121-CTR-000255, SRG-APP-000122-CTR-000260, SRG-APP-000123-CTR-000265</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-001493CCI-001494CCI-001495Remove view permissions from any unauthorized user or group by performing one or more of the following commands. Remove role from user by executing the following: 
@@ -1406,7 +1406,7 @@ Remove cluster role from group by executing the following: oc adm policy remove-cluster-role-from-group <CLUSTER_ROLE> <GROUP> -n openshift-logging -Note: ROLE/CLUSTER_ROLE is the role granting user view permission to resources in openshift-logging namespace.List the users and groups who have permission to view the cluster logging configuration by executing the following two commands: +Note: ROLE/CLUSTER_ROLE is the role granting user view permission to resources in openshift-logging namespace.List the users and groups who have permission to view the cluster logging configuration by executing the following two commands: oc policy who-can view ClusterLogging -n openshift-logging 
@@ -1414,13 +1414,13 @@ oc policy who-can view ClusterLoggingForwarder -n openshift-logging Review the list of users and groups who have view access to the cluster logging resources. If any user or group listed must not have access to view the cluster logging resources, this is a finding.SRG-APP-000126-CTR-000275<GroupDescription></GroupDescription>CNTR-OS-000340OpenShift must use FIPS-validated cryptographic mechanisms to protect the integrity of log information.<VulnDiscussion>To fully investigate an incident and to have trust in the audit data that is generated, it is important to put in place data protections. Without integrity protections, unauthorized changes may be made to the audit files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. Although digital signatures are one example of protecting integrity, this control is not intended to cause a new cryptographic hash to be generated every time a record is added to a log file. 
-Integrity protections can also be implemented by using cryptographic techniques for security function isolation and file system protections to protect against unauthorized changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-001350Edit the Cluster Log Forwarder configuration to configure TLS on the transport by executing the following: +Integrity protections can also be implemented by using cryptographic techniques for security function isolation and file system protections to protect against unauthorized changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-001350Edit the Cluster Log Forwarder configuration to configure TLS on the transport by executing the following: oc edit clusterlogforwarder <name> -n openshift-logging For any output->url value that is not using a secure transport, edit the url to use a secure (https:// or tls://) transport. 
-For detailed information regarding configuration of the Cluster Log Forwarder, refer to https://docs.openshift.com/container-platform/4.8/logging/cluster-logging-external.html.Verify the Cluster Log Forwarder is using an encrypted transport by executing the following: +For detailed information regarding configuration of the Cluster Log Forwarder, refer to https://docs.openshift.com/container-platform/4.8/logging/cluster-logging-external.html.Verify the Cluster Log Forwarder is using an encrypted transport by executing the following: oc get clusterlogforwarder -n openshift-logging 
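Review bot: the "For detailed information" lines in hunk @@ -1414 still point at https://docs.openshift.com/container-platform/4.8/logging/cluster-logging-external.html even though the target in the same hunk is now "4.x"; the same 4.8 link recurs in hunks -1688, -1737, -1834 and -1927, and -1492 links the 4.12 install docs. This is upstream DISA text and should not be hand-edited in a vendored file, but it is worth reporting upstream as stale references so the next release picks it up.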
@@ -1428,7 +1428,7 @@ For each Cluster Log Forwarder, run the following command to display the configu oc describe clusterlogforwarder <name> -n openshift-logging -Review the configuration and determine if the transport is secure, such as tls:// or https://. If there are any transports configured that are not secured by TLS, this is a finding.SRG-APP-000131-CTR-000285<GroupDescription></GroupDescription>CNTR-OS-000360OpenShift must verify container images.<VulnDiscussion>The container platform must be capable of validating that container images are signed and that the digital signature is from a recognized and source approved by the organization. Allowing any container image to be introduced into the registry and instantiated into a container can allow for services to be introduced that are not trusted and may contain malicious code, which introduces unwanted services. These unwanted services can cause harm and security risks to the hosting server, the container platform, other services running within the container platform, and the overall organization.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-003992CCI-001749Configure the OpenShift Container policy to validate that image signatures are verified and enforced by executing the following: +Review the configuration and determine if the transport is secure, such as tls:// or https://. 
If there are any transports configured that are not secured by TLS, this is a finding.SRG-APP-000131-CTR-000285<GroupDescription></GroupDescription>CNTR-OS-000360OpenShift must verify container images.<VulnDiscussion>The container platform must be capable of validating that container images are signed and that the digital signature is from a recognized and source approved by the organization. Allowing any container image to be introduced into the registry and instantiated into a container can allow for services to be introduced that are not trusted and may contain malicious code, which introduces unwanted services. These unwanted services can cause harm and security risks to the hosting server, the container platform, other services running within the container platform, and the overall organization.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-003992CCI-001749Configure the OpenShift Container policy to validate that image signatures are verified and enforced by executing the following: Note: This can be configured manually or through the use of the MachineConfig Operator published by Red Hat. for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do 
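Review bot: in hunk @@ -1428 the removed single line and the added two lines carry the same text; the change is a line break inserted after "Review the configuration and determine if the transport is secure, such as tls:// or https://." The same split occurs at -1492 (before "Those images for customer services...") and -1864 (before "As any administrative access..."). These are harmless if they came from upstream, but a plain text diff of check/fix content against v2r2 will show whitespace-only differences, so any tooling that compares STIG text should normalize whitespace first.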
@@ -1463,7 +1463,7 @@ spec: mode: 420 path: /etc/containers/policy.json " | oc apply -f - -doneDetermine if a policy has been put in place by running the following command: +doneDetermine if a policy has been put in place by running the following command: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; cat /etc/containers/policy.json' 2>/dev/null; done 
@@ -1492,17 +1492,17 @@ The following is an example of how this will look on a system using Red Hat's pu ], ... - }SRG-APP-000141-CTR-000320<GroupDescription></GroupDescription>CNTR-OS-000380OpenShift must contain only container images for those capabilities being offered by the container platform.<VulnDiscussion>Allowing container images to reside within the container platform registry that are not essential to the capabilities being offered by the container platform becomes a potential security risk. By allowing these nonessential container images to exist, the possibility for accidental instantiation exists. The images may be unpatched, not supported, or offer nonapproved capabilities. Those images for customer services are considered essential capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000381Remove any images from the container registry that are not required for the functionality of the system by executing the following: + }SRG-APP-000141-CTR-000320<GroupDescription></GroupDescription>CNTR-OS-000380OpenShift must contain only container images for those capabilities being offered by the container platform.<VulnDiscussion>Allowing container images to reside within the container platform registry that are not essential to the capabilities being offered by the container platform becomes a potential security risk. By allowing these nonessential container images to exist, the possibility for accidental instantiation exists. The images may be unpatched, not supported, or offer nonapproved capabilities. 
Those images for customer services are considered essential capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000381Remove any images from the container registry that are not required for the functionality of the system by executing the following: -oc delete image <IMAGE_NAME> -n <IMAGE_NAMESPACE>To review the container images within the container platform registry, execute the following: +oc delete image <IMAGE_NAME> -n <IMAGE_NAMESPACE>To review the container images within the container platform registry, execute the following: oc get images Review the container platform container images to validate that only container images necessary for the functionality of the information system are present. If unnecessary container images exist, this is a finding.SRG-APP-000142-CTR-000325<GroupDescription></GroupDescription>CNTR-OS-000390OpenShift runtime must enforce ports, protocols, and services that adhere to the PPSM CAL.<VulnDiscussion>OpenShift Container Platform uses several IPV4 and IPV6 ports and protocols to facilitate cluster communication and coordination. Not all these ports are identified and approved by the PPSM CAL. Those ports, protocols, and services that fall outside the PPSM CAL must be blocked by the runtime or registered. 
-Instructions on the PPSM can be found in DOD Instruction 8551.01 Policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000382Verify the accreditation documentation lists all interfaces and the ports, protocols, and services used. +Instructions on the PPSM can be found in DOD Instruction 8551.01 Policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000382Verify the accreditation documentation lists all interfaces and the ports, protocols, and services used. -Register OpenShift's ports, protocols, and services with PPSM.Review the OpenShift documentation and configuration. +Register OpenShift's ports, protocols, and services with PPSM.Review the OpenShift documentation and configuration. For additional information, refer to https://docs.openshift.com/container-platform/4.12/installing/installing_platform_agnostic/installing-platform-agnostic.html. 
@@ -1546,7 +1546,7 @@ Terminating an idle session within a short time reduces the window of opportunit Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single operating system level network connection. This does not mean that the application terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. -Satisfies: SRG-APP-000148-CTR-000335, SRG-APP-000190-CTR-000500</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000764CCI-001133Apply the machine config that disables root and terminates network connections by executing the following: +Satisfies: SRG-APP-000148-CTR-000335, SRG-APP-000190-CTR-000500</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000764CCI-001133Apply the machine config that disables root and terminates network connections by executing the following: for mcpool in $(oc get mcp -oname | sed 
"s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 @@ -1567,7 +1567,7 @@ spec: overwrite: true path: /etc/ssh/sshd_config " | oc apply -f - -doneVerify SSH is restricted from logging on as root and network connections are terminated. +doneVerify SSH is restricted from logging on as root and network connections are terminated. Prevent logging on directly as "root" using SSH by executing the following command: 
@@ -1599,7 +1599,7 @@ A nonprivileged account is any information system account with authorizations of Network access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, or the internet). -Satisfies: SRG-APP-000149-CTR-000355, SRG-APP-000150-CTR-000360</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000765CCI-000766Configure OpenShift to use an appropriate Identity Provider. Do not use HTPasswd. Use either LDAP(AD), OpenIDConnect, or an approved identity provider. +Satisfies: SRG-APP-000149-CTR-000355, SRG-APP-000150-CTR-000360</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000765CCI-000766Configure OpenShift to use an appropriate Identity Provider. Do not use HTPasswd. Use either LDAP(AD), OpenIDConnect, or an approved identity provider. Steps to configure LDAP provider: 
@@ -1688,7 +1688,7 @@ spec: oc apply -f ldapidp.yaml -Note: For more information on configuring an OpenID provider, refer to https://docs.openshift.com/container-platform/4.8/authentication/identity_providers/configuring-oidc-identity-provider.html.Verify the authentication operator is configured to use either an LDAP or a OpenIDConnect provider by executing the following: +Note: For more information on configuring an OpenID provider, refer to https://docs.openshift.com/container-platform/4.8/authentication/identity_providers/configuring-oidc-identity-provider.html.Verify the authentication operator is configured to use either an LDAP or a OpenIDConnect provider by executing the following: oc get oauth cluster -o jsonpath="{.spec.identityProviders[*].type}{'\n'}" 
@@ -1696,7 +1696,7 @@ If the output lists any other type besides LDAP or OpenID, this is a finding.DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-001941Configure OpenShift to use an OpenIDConnect Identity Provider. Note: This STIG was written for OIC; do not use HTPasswd. Only use an approved identity provider. +Configure the information system to use the hash message authentication code (HMAC) algorithm for authentication services to Kerberos, SSH, web management tool, and any other access method.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-001941Configure OpenShift to use an OpenIDConnect Identity Provider. Note: This STIG was written for OIC; do not use HTPasswd. Only use an approved identity provider. Steps to configure OpenID provider: @@ -1737,7 +1737,7 @@ spec: oc apply -f ldapidp.yaml -Note: For more information on configuring an OpenID provider, refer to https://docs.openshift.com/container-platform/4.8/authentication/identity_providers/configuring-oidc-identity-provider.html.Verify the authentication operator is configured to use a secure transport to an OpenIDConnect provider: +Note: For more information on configuring an OpenID provider, refer to https://docs.openshift.com/container-platform/4.8/authentication/identity_providers/configuring-oidc-identity-provider.html.Verify the authentication operator is configured to use a secure transport to an OpenIDConnect provider: oc get oauth cluster -o jsonpath="{.spec.identityProviders[*]}{'\n'}" 
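Review bot: the "-" line of hunk @@ -1696 starts with the previous rule's check sentence ("If the output lists any other type besides LDAP or OpenID, this is a finding.") while the "+" line starts with "Configure the information system to use the hash message authentication code (HMAC) algorithm...", so as rendered the removed line looks truncated and the diff appears to add a VulnDiscussion paragraph; please confirm the actual delta here is the 4.12 to 4.x target change only. Separately, the fix text for the OpenIDConnect provider in the same rule (hunk -1737) ends with "oc apply -f ldapidp.yaml" under the heading "Steps to configure OpenID provider:"; that filename mismatch is an upstream text defect worth reporting rather than fixing locally.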
@@ -1745,7 +1745,7 @@ If the transport is not secure (ex. HTTPS), this is a finding.DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000016CCI-000017CCI-000044CCI-000187CCI-004066CCI-004062CCI-000197CCI-004061CCI-000765CCI-000766CCI-003627CCI-001941CCI-001953CCI-004068CCI-002009CCI-004045CCI-002145CCI-002238CCI-000192CCI-000193CCI-000194CCI-000195CCI-000196CCI-000198CCI-000199CCI-000205CCI-000767CCI-000768CCI-000795CCI-001619CCI-001942CCI-001991CCI-002142Configure OpenShift to use an appropriate Identity Provider. Do not use HTPasswd. Use either LDAP(AD), OpenIDConnect or an approved identity provider. +Satisfies: SRG-APP-000172-CTR-000440, SRG-APP-000024-CTR-000060, SRG-APP-000025-CTR-000065, SRG-APP-000065-CTR-000115, SRG-APP-000151-CTR-000365, SRG-APP-000152-CTR-000370, SRG-APP-000157-CTR-000385, SRG-APP-000163-CTR-000395, SRG-APP-000164-CTR-000400, SRG-APP-000165-CTR-000405, SRG-APP-000166-CTR-000410, SRG-APP-000167-CTR-000415, SRG-APP-000168-CTR-000420, SRG-APP-000169-CTR-000425, SRG-APP-000170-CTR-000430, SRG-APP-000171-CTR-000435, SRG-APP-000173-CTR-000445, SRG-APP-000174-CTR-000450, SRG-APP-000177-CTR-000465, SRG-APP-000317-CTR-000735, SRG-APP-000318-CTR-000740, SRG-APP-000345-CTR-000785, SRG-APP-000391-CTR-000935, SRG-APP-000397-CTR-000955, SRG-APP-000401-CTR-000965, SRG-APP-000402-CTR-000970</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 
4.x5547CCI-000016CCI-000017CCI-000044CCI-000187CCI-004066CCI-004062CCI-000197CCI-004061CCI-000765CCI-000766CCI-003627CCI-001941CCI-001953CCI-004068CCI-002009CCI-004045CCI-002145CCI-002238CCI-000192CCI-000193CCI-000194CCI-000195CCI-000196CCI-000198CCI-000199CCI-000205CCI-000767CCI-000768CCI-000795CCI-001619CCI-001942CCI-001991CCI-002142Configure OpenShift to use an appropriate Identity Provider. Do not use HTPasswd. Use either LDAP(AD), OpenIDConnect or an approved identity provider. To configure LDAP provider: @@ -1834,7 +1834,7 @@ spec: oc apply -f ldapidp.yaml -Note: For more information on configuring an OpenID provider, refer to https://docs.openshift.com/container-platform/4.8/authentication/identity_providers/configuring-oidc-identity-provider.html.Verify the authentication operator is configured to use either an LDAP or a OpenIDConnect provider by executing the following: +Note: For more information on configuring an OpenID provider, refer to https://docs.openshift.com/container-platform/4.8/authentication/identity_providers/configuring-oidc-identity-provider.html.Verify the authentication operator is configured to use either an LDAP or a OpenIDConnect provider by executing the following: oc get oauth cluster -o jsonpath="{.spec.identityProviders[*].type}{'\n'}" 
@@ -1846,13 +1846,13 @@ OpenShift provides the ability for automatic time-out to debug node sessions on Allowing debug sessions to run indefinitely could introduce security risks. If a session is left unattended or unauthorized access is gained to a debug session, it could potentially compromise the application or expose sensitive information. By enforcing time-outs, OpenShift reduces the window of opportunity for unauthorized access and helps maintain the security and stability of the platform. -Satisfies: SRG-APP-000190-CTR-000500, SRG-APP-000389-CTR-000925</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-001133CCI-004895CCI-002038Download the latest version of the OC client, and remove/replace any older versions. +Satisfies: SRG-APP-000190-CTR-000500, SRG-APP-000389-CTR-000925</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-001133CCI-004895CCI-002038Download the latest version of the OC client, and remove/replace any older versions. For each oauth client that does not have the idle timeout set, or the timeout is set to the wrong duration, run the following command to set the idle timeout value to 10 minutes. 
oc patch oauthclient/<CLIENT_NAME> --type=merge -p '{"accessTokenInactivityTimeoutSeconds":600}' -where CLIENT_NAME is the name of the oauthclient identified in the check.On each administrators terminal, verify the OC client version includes the required idle timeout by executing the following. +where CLIENT_NAME is the name of the oauthclient identified in the check.On each administrators terminal, verify the OC client version includes the required idle timeout by executing the following. oc version 
@@ -1864,13 +1864,13 @@ oc get oauthclients -ojsonpath='{range .items[*]}{.metadata.name}{"\t"}{.accessT The output will list each oauth client name followed by a number. The number represents the timeout in seconds. If no number is displayed, or the timeout value is >600, this is a finding.SRG-APP-000211-CTR-000530<GroupDescription></GroupDescription>CNTR-OS-000500OpenShift must separate user functionality (including user interface services) from information system management functionality.<VulnDiscussion>Red Hat Enterprise Linux CoreOS (RHCOS) is a single-purpose container operating system. RHCOS is only supported as a component of the OpenShift Container Platform. Remote management of the RHCOS nodes is performed at the OpenShift Container Platform API level. -Any direct access to the RHCOS nodes is unnecessary. RHCOS only has two user accounts defined, root(0) and core(1000). These are the only two user accounts that should exist on the RHCOS nodes. As any administrative access or actions are to be done through the OpenShift Container Platform's administrative APIs, direct logon access to the RHCOS host must be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-001082Disable and remove passwords from root and core accounts by executing the following: +Any direct access to the RHCOS nodes is unnecessary. RHCOS only has two user accounts defined, root(0) and core(1000). These are the only two user accounts that should exist on the RHCOS nodes. 
As any administrative access or actions are to be done through the OpenShift Container Platform's administrative APIs, direct logon access to the RHCOS host must be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-001082Disable and remove passwords from root and core accounts by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'usermod -p "*" root; usermod -p "*" core' 2>/dev/null; done Remove any additional user accounts from the nodes by executing the following: -oc debug node/<node> -- chroot /host /bin/bash -c 'userdel <user>'Verify that root and core are the only user accounts on the nodes by executing the following: +oc debug node/<node> -- chroot /host /bin/bash -c 'userdel <user>'Verify that root and core are the only user accounts on the nodes by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; cat /etc/passwd' 2>/dev/null; done 
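Review bot: the fix and check loops in hunk @@ -1864 both end with 2>/dev/null, so a node where oc debug fails (or where usermod -p "*" or userdel returns an error) produces no output line at all rather than an error, and the check would silently skip that node. The same pattern is in the other per-node loops (-1379, -1463, -1927, -1951). Nothing to change in the vendored file, but automated check content derived from these commands should compare the set of hostnames returned against oc get node rather than trusting that every node printed a line.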
@@ -1897,7 +1897,7 @@ Because FIPS must be enabled before the operating system used by the cluster boo OpenShift employs industry-validated cryptographic algorithms, key management practices, and secure protocols, reducing the likelihood of cryptographic vulnerabilities and attacks. -Satisfies: SRG-APP-000219-CTR-000550, SRG-APP-000635-CTR-001405, SRG-APP-000126-CTR-000275, SRG-APP-000411-CTR-000995, SRG-APP-000412-CTR-001000, SRG-APP-000416-CTR-001015, SRG-APP-000514-CTR-001315</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-001184CCI-001350CCI-002450CCI-002890CCI-003123Reinstall the OpenShift cluster in FIPS mode. The file install-config.yaml has a top-level key that enables FIPS mode for all nodes and the cluster platform layer. If the install-config.yaml was not backed up prior to consumption as part of the installation, recreate it. 
An example install-config.yaml with some sections trimmed out for brevity, and the "fips: true" key applied at the top level is shown below: +Satisfies: SRG-APP-000219-CTR-000550, SRG-APP-000635-CTR-001405, SRG-APP-000126-CTR-000275, SRG-APP-000411-CTR-000995, SRG-APP-000412-CTR-001000, SRG-APP-000416-CTR-001015, SRG-APP-000514-CTR-001315</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-001184CCI-001350CCI-002450CCI-002890CCI-003123Reinstall the OpenShift cluster in FIPS mode. The file install-config.yaml has a top-level key that enables FIPS mode for all nodes and the cluster platform layer. If the install-config.yaml was not backed up prior to consumption as part of the installation, recreate it. An example install-config.yaml with some sections trimmed out for brevity, and the "fips: true" key applied at the top level is shown below: apiVersion: v1 baseDomain: example.com 
@@ -1927,7 +1927,7 @@ Once the install-config.yaml is saved with corresponding correct information for > ./openshift-install create cluster --dir=<installation_directory> --log-level=info Where <installation_directory> is the directory that contains install-config.yaml -Additional details can be found here: https://docs.openshift.com/container-platform/4.8/installing/installing-fips.htmlTo validate the OpenShift cluster is running with FIPS enabled on each node by executing the following: +Additional details can be found here: https://docs.openshift.com/container-platform/4.8/installing/installing-fips.htmlTo validate the OpenShift cluster is running with FIPS enabled on each node by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; sysctl crypto.fips_enabled' 2>/dev/null; done 
@@ -1935,7 +1935,7 @@ If any lines of output end in anything other than 1, this is a finding.DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-001084Apply the machine config by executing the following: +Developers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. Implementation may include isolation of memory space and libraries. Operating systems restrict access to security functions using access control mechanisms and by implementing least privilege capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-001084Apply the machine config by executing the following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 
@@ -1951,11 +1951,11 @@ spec: kernelArguments: - enforcing=1 " | oc apply -f - -doneVerify the Red Hat Enterprise Linux CoreOS (RHCOS) verifies correct operation of all security functions by executing the following: +doneVerify the Red Hat Enterprise Linux CoreOS (RHCOS) verifies correct operation of all security functions by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; getenforce' 2>/dev/null; done -If "SELinux" is not active and not in "Enforcing" mode, this is a finding.SRG-APP-000243-CTR-000600<GroupDescription></GroupDescription>CNTR-OS-000560OpenShift must prevent unauthorized and unintended information transfer via shared system resources and enable page poisoning.<VulnDiscussion>Enabling page poisoning in OpenShift improves memory safety, mitigates memory corruption vulnerabilities, aids in fault isolation, assists with debugging. It enhances the overall security and stability of the platform, reducing the risk of memory-related exploits and improving the resilience of applications running on OpenShift.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-001090Apply the machine config to enable page poisoning by executing the following: +If "SELinux" is not active and not in "Enforcing" mode, this is a finding.SRG-APP-000243-CTR-000600<GroupDescription></GroupDescription>CNTR-OS-000560OpenShift must prevent unauthorized and unintended information transfer via shared system resources and enable page poisoning.<VulnDiscussion>Enabling page poisoning in 
OpenShift improves memory safety, mitigates memory corruption vulnerabilities, aids in fault isolation, assists with debugging. It enhances the overall security and stability of the platform, reducing the risk of memory-related exploits and improving the resilience of applications running on OpenShift.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-001090Apply the machine config to enable page poisoning by executing the following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 
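Review bot: the finding condition on the added line, "If "SELinux" is not active and not in "Enforcing" mode, this is a finding.", is wrong as written: a node where `getenforce` prints Permissive has SELinux active but not enforcing, and under a literal reading of "and" that would not be a finding. The intent, and the `enforcing=1` kernel argument the fix applies just above, call for "or": any output other than Enforcing should be a finding. The text is unchanged from the removed line, so v2r3 did not correct it; suggest raising it upstream. The page-poisoning text that follows on the same line changes only the DPMS target string.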
@@ -1971,11 +1971,11 @@ spec: kernelArguments: - page_poison=1 " | oc apply -f - -doneCheck the current CoreOS boot loader configuration has page poisoning enabled by executing the following: +doneCheck the current CoreOS boot loader configuration has page poisoning enabled by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep page_poison /boot/loader/entries/*.conf|| echo "not found"' 2>/dev/null; done -If "page_poison" is not set to "1" or returns "not found", this is a finding.SRG-APP-000243-CTR-000600<GroupDescription></GroupDescription>CNTR-OS-000570OpenShift must disable virtual syscalls.<VulnDiscussion>Virtual syscalls are a mechanism that allows user-space programs to make privileged system calls without transitioning to kernel mode. However, this feature can introduce additional security risks. Disabling virtual syscalls helps to mitigate potential vulnerabilities associated with this mechanism. 
By reducing the attack surface and limiting the ways in which user-space programs can interact with the kernel, OpenShift can enhance the overall security posture of the platform.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-001090Apply the machine config to disable virtual syscalls by executing the following: +If "page_poison" is not set to "1" or returns "not found", this is a finding.SRG-APP-000243-CTR-000600<GroupDescription></GroupDescription>CNTR-OS-000570OpenShift must disable virtual syscalls.<VulnDiscussion>Virtual syscalls are a mechanism that allows user-space programs to make privileged system calls without transitioning to kernel mode. However, this feature can introduce additional security risks. Disabling virtual syscalls helps to mitigate potential vulnerabilities associated with this mechanism. 
By reducing the attack surface and limiting the ways in which user-space programs can interact with the kernel, OpenShift can enhance the overall security posture of the platform.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-001090Apply the machine config to disable virtual syscalls by executing the following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 
@@ -1991,11 +1991,11 @@ spec: kernelArguments: - vsyscall=none " | oc apply -f - -doneCheck the current CoreOS boot loader configuration has virtual syscalls disabled by executing the following: +doneCheck the current CoreOS boot loader configuration has virtual syscalls disabled by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep vsyscall=none boot/loader/entries/*.conf || echo "not found"' 2>/dev/null; done -If "vsyscall" is not set to "none" or returns "not found", this is a finding.SRG-APP-000243-CTR-000600<GroupDescription></GroupDescription>CNTR-OS-000580OpenShift must enable poisoning of SLUB/SLAB objects.<VulnDiscussion>By enabling poisoning of SLUB/SLAB objects, OpenShift can detect and identify use-after-free scenarios more effectively. The poisoned objects are marked as invalid or inaccessible, causing crashes or triggering alerts when an application attempts to access them. This helps identify and mitigate potential security vulnerabilities before they can be exploited.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-001090Apply the machine config to enable poisoning of SLUB/SLAB objects by executing the following: +If "vsyscall" is not set to "none" or returns "not found", this is a finding.SRG-APP-000243-CTR-000600<GroupDescription></GroupDescription>CNTR-OS-000580OpenShift must enable poisoning of SLUB/SLAB objects.<VulnDiscussion>By enabling poisoning of SLUB/SLAB objects, OpenShift can detect and identify use-after-free scenarios more 
effectively. The poisoned objects are marked as invalid or inaccessible, causing crashes or triggering alerts when an application attempts to access them. This helps identify and mitigate potential security vulnerabilities before they can be exploited.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-001090Apply the machine config to enable poisoning of SLUB/SLAB objects by executing the following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 
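Review bot: the vsyscall check on the added line uses a relative path, `grep vsyscall=none boot/loader/entries/*.conf`, whereas the page_poison check in the previous hunk and the slub_debug check in the next use the absolute `/boot/loader/entries/*.conf`. It only works because chroot(1) changes directory to the new root before running the command; for consistency and robustness the path should be `/boot/loader/entries/*.conf`. Unchanged from the removed line, so another candidate for upstream feedback.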
@@ -2011,22 +2011,22 @@ spec: kernelArguments: - slub_debug=P " | oc apply -f - -doneVerify that Red Hat Enterprise Linux CoreOS (RHCOS) is configured to enable poisoning of SLUB/SLAB objects to mitigate use-after-free vulnerabilities by executing the following: +doneVerify that Red Hat Enterprise Linux CoreOS (RHCOS) is configured to enable poisoning of SLUB/SLAB objects to mitigate use-after-free vulnerabilities by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep slub_debug /boot/loader/entries/*.conf ' 2>/dev/null; done -If "slub_debug" is not set to "P" or is missing, this is a finding.SRG-APP-000243-CTR-000600<GroupDescription></GroupDescription>CNTR-OS-000590OpenShift must set the sticky bit for world-writable directories.<VulnDiscussion>Removing world-writable permissions or setting the sticky bit helps enforce access control on directories within the OpenShift platform. World-writable permissions allow any user to modify or delete files within the directory, which can introduce security risks. 
By removing these permissions or setting the sticky bit, OpenShift restricts modifications to the directory's owner and prevents unauthorized or unintended changes by other users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-001090Fix the directory permissions, by either removing world-writeable permission, or setting the sticky bit by executing the following: +If "slub_debug" is not set to "P" or is missing, this is a finding.SRG-APP-000243-CTR-000600<GroupDescription></GroupDescription>CNTR-OS-000590OpenShift must set the sticky bit for world-writable directories.<VulnDiscussion>Removing world-writable permissions or setting the sticky bit helps enforce access control on directories within the OpenShift platform. World-writable permissions allow any user to modify or delete files within the directory, which can introduce security risks. 
By removing these permissions or setting the sticky bit, OpenShift restricts modifications to the directory's owner and prevents unauthorized or unintended changes by other users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-001090Fix the directory permissions, by either removing world-writeable permission, or setting the sticky bit by executing the following: oc debug node/<node_name> -- chroot /host /bin/bash -c 'chmod XXXX <directory>' where node_name: The name of the node to connect to (oc get node) XXXX: Either 1777 (sticky bit) or 0755 (remove group and world write permission) - <directory>: The directory on which to correct the permissionsVerify that all world-writable directories have the sticky bit set. List any world-writeable directories that do not have the sticky bit set by executing the following: + <directory>: The directory on which to correct the permissionsVerify that all world-writable directories have the sticky bit set. List any world-writeable directories that do not have the sticky bit set by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; find / -type d \( -perm -0002 -a ! -perm -1000 ! -path "/var/lib/containers/*" ! -path "/var/lib/kubelet/pods/*" ! 
-path "/sysroot/ostree/deploy/*" \) -print 2>/dev/null' 2>/dev/null; done -If there are any directories listed in the results, this is a finding.SRG-APP-000243-CTR-000600<GroupDescription></GroupDescription>CNTR-OS-000600OpenShift must restrict access to the kernel buffer.<VulnDiscussion>Restricting access to the kernel buffer in OpenShift is crucial for preventing unauthorized access, protecting system stability, mitigating kernel-level attacks, preventing information leakage, and adhering to the principle of least privilege. It enhances the security posture of the platform and helps maintain the confidentiality, integrity, and availability of critical system resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-001090Apply the machine config to restrict access to the kernel message buffer by executing the following: +If there are any directories listed in the results, this is a finding.SRG-APP-000243-CTR-000600<GroupDescription></GroupDescription>CNTR-OS-000600OpenShift must restrict access to the kernel buffer.<VulnDiscussion>Restricting access to the kernel buffer in OpenShift is crucial for preventing unauthorized access, protecting system stability, mitigating kernel-level attacks, preventing information leakage, and adhering to the principle of least privilege. 
It enhances the security posture of the platform and helps maintain the confidentiality, integrity, and availability of critical system resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-001090Apply the machine config to restrict access to the kernel message buffer by executing the following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 @@ -2047,7 +2047,7 @@ spec: path: /etc/sysctl.d/75-sysctl_kernel_dmesg_restrict.conf overwrite: true " | oc apply -f - -doneVerify the Red Hat Enterprise Linux CoreOS (RHCOS) is configured to restrict access to the kernel message buffer. +doneVerify the Red Hat Enterprise Linux CoreOS (RHCOS) is configured to restrict access to the kernel message buffer. Check the status of the kernel.dmesg_restrict kernel parameter by executing the following: 
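Review bot: the slub_debug check in the added line, `grep slub_debug /boot/loader/entries/*.conf '`, has no `|| echo "not found"` fallback, unlike the page_poison and vsyscall checks, so a node that lacks the argument prints only its hostname and the "or is missing" clause of the finding relies on the reviewer noticing an otherwise empty line; adding the same fallback would make the output uniform across the three checks. Minor: the fix text spells "world-writeable" while the rule title uses "world-writable". The dmesg_restrict hunk that follows on the same line changes only the DPMS target string.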
@@ -2055,7 +2055,7 @@ for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash - If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding.SRG-APP-000243-CTR-000600<GroupDescription></GroupDescription>CNTR-OS-000610OpenShift must prevent kernel profiling.<VulnDiscussion>Kernel profiling involves monitoring and analyzing the behavior of the kernel, including its internal operations and system calls. This level of access and visibility into the kernel can potentially be exploited by attackers to gather sensitive information or launch attacks. By preventing kernel profiling, the attack surface is minimized and the risk of unauthorized access or malicious activities targeting the kernel is reduced. -Kernel profiling can introduce additional overhead and resource utilization, potentially impacting the stability and performance of the system. Profiling tools and techniques often involve instrumenting the kernel code, injecting hooks, or collecting detailed data, which may interfere with the normal operation of the kernel. By disallowing kernel profiling, OpenShift helps ensure the stability and reliability of the platform, preventing any potential disruptions caused by profiling activities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-001090Apply the machine config to prevent kernel profiling by executing the following: +Kernel profiling can introduce additional overhead and resource utilization, potentially impacting the stability and performance of the system. 
Profiling tools and techniques often involve instrumenting the kernel code, injecting hooks, or collecting detailed data, which may interfere with the normal operation of the kernel. By disallowing kernel profiling, OpenShift helps ensure the stability and reliability of the platform, preventing any potential disruptions caused by profiling activities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-001090Apply the machine config to prevent kernel profiling by executing the following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 
@@ -2076,14 +2076,14 @@ spec: path: /etc/sysctl.d/75-sysctl_kernel_perf_event_paranoid.conf overwrite: true " | oc apply -f - -doneVerify the Red Hat Enterprise Linux CoreOS (RHCOS) is configured to prevent kernel profiling by unprivileged users. +doneVerify the Red Hat Enterprise Linux CoreOS (RHCOS) is configured to prevent kernel profiling by unprivileged users. Check the status of the kernel.perf_event_paranoid kernel parameter by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; sysctl kernel.perf_event_paranoid ' 2>/dev/null; done -If "kernel.perf_event_paranoid" is not set to "2" or is missing, this is a finding.SRG-APP-000246-CTR-000605<GroupDescription></GroupDescription>CNTR-OS-000620OpenShift must restrict individuals the ability to launch organizational-defined Denial-of-Service (DOS) attacks against other information systems by setting a default Resource Quota.<VulnDiscussion>OpenShift allows administrators to define resource quotas on a namespace basis. This allows tailoring of the shared resources based on a project needs. However, when a new project is created, unless a default project resource quota is configured, that project will not have any limits or quotas defined. This could allow someone to create a new project and then deploy services that exhaust or overuse the shared cluster resources. Thus, it is necessary to ensure that there is a default resource quota configured for all new projects. 
A Cluster Admin may increase resource quotas on a given project namespace, if that project requires additional resources at any time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-001094Configure a default resource quota to protect resource over utilization by performing the following steps: +If "kernel.perf_event_paranoid" is not set to "2" or is missing, this is a finding.SRG-APP-000246-CTR-000605<GroupDescription></GroupDescription>CNTR-OS-000620OpenShift must restrict individuals the ability to launch organizational-defined Denial-of-Service (DOS) attacks against other information systems by setting a default Resource Quota.<VulnDiscussion>OpenShift allows administrators to define resource quotas on a namespace basis. This allows tailoring of the shared resources based on a project needs. However, when a new project is created, unless a default project resource quota is configured, that project will not have any limits or quotas defined. This could allow someone to create a new project and then deploy services that exhaust or overuse the shared cluster resources. Thus, it is necessary to ensure that there is a default resource quota configured for all new projects. 
A Cluster Admin may increase resource quotas on a given project namespace, if that project requires additional resources at any time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-001094Configure a default resource quota to protect resource over utilization by performing the following steps: 1. Create a bootstrap project template (if not already created) by executing the following: @@ -2110,7 +2110,7 @@ oc create -f template.yaml -n openshift-config oc patch project.config.openshift.io/cluster --type=merge -p '{"spec":{"projectRequestTemplate":{"name": "<PROJECT_REQUEST_TEMPLATE>"}}}' -Details regarding the configuration of resource quotas can be reviewed at https://docs.openshift.com/container-platform/4.8/applications/quotas/quotas-setting-per-project.html.Check for Resource Quota. Verify a default project template is defined by executing the following: +Details regarding the configuration of resource quotas can be reviewed at https://docs.openshift.com/container-platform/4.8/applications/quotas/quotas-setting-per-project.html.Check for Resource Quota. Verify a default project template is defined by executing the following: oc get project.config.openshift.io/cluster -o jsonpath="{.spec.projectRequestTemplate.name}" 
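Review bot: the resource-quota check on the added line only verifies that a project request template name is configured (`oc get project.config.openshift.io/cluster -o jsonpath="{.spec.projectRequestTemplate.name}"`); it never confirms that the referenced template in openshift-config actually contains a ResourceQuota object, so a template that defines no quota would still pass a control whose title is about a default Resource Quota. The check text "Check for Resource Quota." implies the template must be inspected but gives no command for it; suggest flagging that gap upstream. The docs link on the same line still references container-platform/4.8.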
@@ -2128,23 +2128,23 @@ Setting rate limits also ensures fair resource allocation, prevents service degr OpenShift has an option to set the rate limit for Routes (refer to link below) when creating new Routes. All routes outside the OpenShift namespaces and the kube namespaces must use the rate-limiting annotations. -https://docs.openshift.com/container-platform/4.9/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-001094Add the haproxy.router.openshift.io/rate-limit-connections annotation to any routes outside the kube-* or openshift-* namespaces +https://docs.openshift.com/container-platform/4.9/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-001094Add the haproxy.router.openshift.io/rate-limit-connections annotation to any routes outside the kube-* or openshift-* namespaces oc annotate route <route_name> -n <namespace> --overwrite=true "haproxy.router.openshift.io/timeout=2s" 
-https://docs.openshift.com/container-platform/4.9/networking/routes/route-configuration.htmlVerify that all namespaces except those that start with kube-* or openshift-* use the rate-limiting annotation by executing the following: +https://docs.openshift.com/container-platform/4.9/networking/routes/route-configuration.htmlVerify that all namespaces except those that start with kube-* or openshift-* use the rate-limiting annotation by executing the following: oc get routes --all-namespaces -o json | jq '[.items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.annotations["haproxy.router.openshift.io/rate-limit-connections"] == "true" | not) | .metadata.name]' If the above command returns any namespaces, this is a finding.SRG-APP-000297-CTR-000705<GroupDescription></GroupDescription>CNTR-OS-000650OpenShift must display an explicit logout message indicating the reliable termination of authenticated communication sessions.<VulnDiscussion>The OpenShift CLI tool includes an explicit logout option. -The web console's default logout will invalidate the user's session token and redirect back to the console page, which will redirect the user to the authentication page. There is no explicit logout message. And in addition, if the IdP provider type is OIDC, the session token from the SSO provider will remain valid, which would effectively keep the user logged in. To correct this, the web console needs to be configured to redirect the user to a logout page. 
If using an OIDC provider, this would be the logout page for that provider.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-002364Configure the web console's logout redirect to direct to an appropriate logout page. If OpenShift is configured to use an OIDC provider, then the redirect needs to first go to the OIDC provider's logout page, and then it can be redirected to another logout page as needed. +The web console's default logout will invalidate the user's session token and redirect back to the console page, which will redirect the user to the authentication page. There is no explicit logout message. And in addition, if the IdP provider type is OIDC, the session token from the SSO provider will remain valid, which would effectively keep the user logged in. To correct this, the web console needs to be configured to redirect the user to a logout page. If using an OIDC provider, this would be the logout page for that provider.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-002364Configure the web console's logout redirect to direct to an appropriate logout page. 
If OpenShift is configured to use an OIDC provider, then the redirect needs to first go to the OIDC provider's logout page, and then it can be redirected to another logout page as needed. Run the following command to update the console: oc patch console.config.openshift.io cluster --type merge -p '{"spec":{"authentication":{"logoutRedirect":"<LOGOUT_URL>"}}}' -where LOGOUT_URL is set to the logout page.Verify the logout redirect setting in web console configuration is set by executing the following: +where LOGOUT_URL is set to the logout page.Verify the logout redirect setting in web console configuration is set by executing the following: oc get console.config.openshift.io cluster -o jsonpath='{.spec.authentication.logoutRedirect}{"\n"}' 
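Review bot: fix and check disagree in the rate-limiting hunk. The fix text says to add the `haproxy.router.openshift.io/rate-limit-connections` annotation, but the command given, `oc annotate route <route_name> -n <namespace> --overwrite=true "haproxy.router.openshift.io/timeout=2s"`, sets an unrelated timeout annotation, while the check's jq filter selects routes where `.metadata.annotations["haproxy.router.openshift.io/rate-limit-connections"] == "true"` is not satisfied. Applying the fix as written therefore leaves the route failing the check. Also, the jq expression emits route names (`.metadata.name`), not namespaces, so "If the above command returns any namespaces" should say routes. Both lines are unchanged from v2r2 and are worth reporting upstream; the logout-redirect text that follows changes only the DPMS target string.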
@@ -2154,7 +2154,7 @@ OpenShift uses the default security context constraints (SCC), restricted, to pr https://docs.openshift.com/container-platform/4.8/openshift_images/create-images.html#images-create-guide-openshift_create-images -Satisfies: SRG-APP-000342-CTR-000775, SRG-APP-000142-CTR-000330, SRG-APP-000243-CTR-000595</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000382CCI-001090CCI-002233For users and groups that are defined in the SCC policy, execute the following to remove the users or groups by editing the corresponding SCC policy. +Satisfies: SRG-APP-000342-CTR-000775, SRG-APP-000142-CTR-000330, SRG-APP-000243-CTR-000595</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000382CCI-001090CCI-002233For users and groups that are defined in the SCC policy, execute the following to remove the users or groups by editing the corresponding SCC policy. oc edit scc <SCC> 
@@ -2177,7 +2177,7 @@ Remove any roles that allows use of nonpermitted SCC policies (excluding platfor oc delete clusterrole.rbac <ROLE> or -oc delete role.rbac <ROLE> -n <NAMESPACE>Check SCC: +oc delete role.rbac <ROLE> -n <NAMESPACE>Check SCC: 1. Identify any SCC policy that allows containers to access the host network or filesystem resources, or allows privileged containers or where runAsUser is not MustRunAsRange by executing the following: 
@@ -2218,7 +2218,7 @@ Where <CLUSTER_ROLE_LIST> and <LOCAL_ROLE_LIST> are comma-separated ... .roleRef.name == ("system:openshift:scc:privileged","system:openshift:scc:hostnetwork","system:openshift:scc:hostaccess") ... -Excluding any platform namespaces (kube-*,openshift-*), if there are any rolebindings to roles that are not permitted, this is a finding.SRG-APP-000357-CTR-000800<GroupDescription></GroupDescription>CNTR-OS-000670Red Hat Enterprise Linux CoreOS (RHCOS) must allocate audit record storage capacity to store at least one weeks' worth of audit records, when audit records are not immediately sent to a central audit record storage facility.<VulnDiscussion>To ensure RHCOS has a sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is performed during initial installation of the operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-001849Reinstall the cluster, generating custom ignition configs to allocate audit record storage capacity. 
+Excluding any platform namespaces (kube-*,openshift-*), if there are any rolebindings to roles that are not permitted, this is a finding.SRG-APP-000357-CTR-000800<GroupDescription></GroupDescription>CNTR-OS-000670Red Hat Enterprise Linux CoreOS (RHCOS) must allocate audit record storage capacity to store at least one weeks' worth of audit records, when audit records are not immediately sent to a central audit record storage facility.<VulnDiscussion>To ensure RHCOS has a sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is performed during initial installation of the operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-001849Reinstall the cluster, generating custom ignition configs to allocate audit record storage capacity. 1. Generate manifest files for the cluster by executing the following: 
@@ -2252,7 +2252,7 @@ butane <install_dir>/98-var-partition.bu -o <install_dir>/openshift/ 4. Create the ignition config files by executing the following: -openshift-install create ignition-configs --dir <install_dir>Verify RHCOS allocates audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility. +openshift-install create ignition-configs --dir <install_dir>Verify RHCOS allocates audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility. Check the size of the partition to which audit records are written (with the example being /var/log/audit/) by executing the following: 
@@ -2267,7 +2267,7 @@ Note: The partition size needed to capture a week of audit records is based on t Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less). -Satisfies: SRG-APP-000360-CTR-000815, SRG-APP-000474-CTR-001180</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-001858CCI-002702Create an alert notification receiver. +Satisfies: SRG-APP-000360-CTR-000815, SRG-APP-000474-CTR-001180</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-001858CCI-002702Create an alert notification receiver. 1. From the Administrator perspective on the OpenShift web console, navigate to Administration >> Cluster Settings >> Configuration >> Alertmanager. 
@@ -2280,7 +2280,7 @@ Satisfies: SRG-APP-000360-CTR-000815, SRG-APP-000474-CTR-001180</VulnDiscussi 5. Click "Create". Refer to the following documentation for more information: -https://docs.openshift.com/container-platform/4.8/monitoring/managing-alerts.html#sending-notifications-to-external-systems_managing-alertsVerify the AlertManager config includes a configured receiver. +https://docs.openshift.com/container-platform/4.8/monitoring/managing-alerts.html#sending-notifications-to-external-systems_managing-alertsVerify the AlertManager config includes a configured receiver. 1. From the Administrator perspective on the OpenShift web console, navigate to Administration >> Cluster Settings >> Configuration >> Alertmanager. 
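Review bot: the documentation URLs in this hunk stay pinned to container-platform/4.8 (and the installing link in the @@ -2326 hunk to 4.10) even though the same hunks generalize the target to 4.x. That is DISA's text and should not be edited in a vendored reference, but anyone deriving rule descriptions or help text from this file should not treat those links as version-matched guidance for the 4.x releases the target now claims to cover.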
@@ -2294,7 +2294,7 @@ Enforcing access restrictions and auditing the enforcement actions ensures accou Auditing the enforcement actions provides administrators with visibility into the system's security posture, access patterns, and potential security risks. It helps identify anomalies, detect suspicious activities, and monitor compliance with established security policies. This operational visibility enables timely detection and response to security incidents, ensuring the ongoing security and stability of the OpenShift environment. -Satisfies: SRG-APP-000381-CTR-000905, SRG-APP-000343-CTR-000780</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-003938CCI-002234CCI-001814Apply the machine config to audit the execution of "execve" by executing the following: +Satisfies: SRG-APP-000381-CTR-000905, SRG-APP-000343-CTR-000780</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-003938CCI-002234CCI-001814Apply the machine config to audit the execution of "execve" by executing the following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 
@@ -2315,7 +2315,7 @@ spec: path: /etc/audit/rules.d/75-audit-suid-privilege-function.rules overwrite: true " | oc apply -f - -doneVerify OpenShift is configured to audit the execution of the "execve" system call by executing the following: +doneVerify OpenShift is configured to audit the execution of the "execve" system call by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e "execpriv" /etc/audit/audit.rules' 2>/dev/null; done 
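Review bot: the check in this hunk greps /etc/audit/audit.rules for "execpriv" while the fix in the preceding hunk writes the rules to /etc/audit/rules.d/75-audit-suid-privilege-function.rules via a MachineConfig. The merged audit.rules only contains those lines after the MachineConfig rolls out and the node reboots, so a check run immediately after `oc apply -f -` and before every MachineConfigPool reports Updated will report a finding on nodes that are in fact being remediated. This is DISA's wording and stays as is here, but derived automated checks should wait for the pool rollout or inspect the rules.d file as well.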
@@ -2326,10 +2326,10 @@ Confirm the following rules exist on each node: -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv -If the above rules are not listed on each node, this is a finding.SRG-APP-000384-CTR-000915<GroupDescription></GroupDescription>CNTR-OS-000740OpenShift must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.<VulnDiscussion>Integrity of the OpenShift platform is handled by the cluster version operator. The cluster version operator will by default GPG verify the integrity of the release image before applying it. The release image contains a sha256 digest of machine-os-content which is used by the machine config operators for updates. On the host, the container runtime (podman) verifies the integrity of that sha256 when pulling the image before the machine config operator reads its content. Hence, there is end-to-end GPG-verified integrity for the operating system updates (as well as the rest of the cluster components which run as regular containers).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-001764By default, the integrity of RH CoreOS is checked by cluster version operator on OpenShift platform. If the integrity is not verified, reinstall of the cluster is necessary. 
+If the above rules are not listed on each node, this is a finding.SRG-APP-000384-CTR-000915<GroupDescription></GroupDescription>CNTR-OS-000740OpenShift must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.<VulnDiscussion>Integrity of the OpenShift platform is handled by the cluster version operator. The cluster version operator will by default GPG verify the integrity of the release image before applying it. The release image contains a sha256 digest of machine-os-content which is used by the machine config operators for updates. On the host, the container runtime (podman) verifies the integrity of that sha256 when pulling the image before the machine config operator reads its content. Hence, there is end-to-end GPG-verified integrity for the operating system updates (as well as the rest of the cluster components which run as regular containers).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-001764By default, the integrity of RH CoreOS is checked by cluster version operator on OpenShift platform. If the integrity is not verified, reinstall of the cluster is necessary. 
Refer to instructions: -https://docs.openshift.com/container-platform/4.10/installing/index.htmlTo verify integrity of the cluster version, execute the following: +https://docs.openshift.com/container-platform/4.10/installing/index.htmlTo verify integrity of the cluster version, execute the following: oc get clusterversion version 
@@ -2341,13 +2341,13 @@ oc get clusterversion version -o yaml If "verified: true", under status history for each item is not present, this is a finding.SRG-APP-000400-CTR-000960<GroupDescription></GroupDescription>CNTR-OS-000760OpenShift must set server token max age no greater than eight hours.<VulnDiscussion>The setting for OAuth server token max age is used to control the maximum duration for which an issued OAuth access token remains valid. Access tokens serve as a form of authentication and authorization in OAuth-based systems. By setting a maximum age for these tokens, OpenShift helps mitigate security risks associated with long-lived tokens. If a token is compromised, its impact is limited to the maximum age duration, as the token will expire and become invalid after that period. It reduces the window of opportunity for unauthorized access and enhances the security of the system. -By setting a maximum age for access tokens, OpenShift encourages the use of token refresh rather than relying on the same token for an extended period. Regular token refresh helps maintain a higher level of security by ensuring that tokens are periodically revalidated and rotated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-002007To set the OAuth server token max age, edit the OAuth server object by executing the following: +By setting a maximum age for access tokens, OpenShift encourages the use of token refresh rather than relying on the same token for an extended period. 
Regular token refresh helps maintain a higher level of security by ensuring that tokens are periodically revalidated and rotated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-002007To set the OAuth server token max age, edit the OAuth server object by executing the following: oc patch oauth cluster --type merge -p '{"spec":{"tokenConfig":{"accessTokenMaxAgeSeconds": 28800}}}' To set the OAuth client token max age, edit the OAuth client object by executing the following: -cli in $(oc get oauthclient -oname); do oc patch oauthclient $cli --type=merge -p '{"accessTokenMaxAgeSeconds": 28800}'; doneTo check if the OAuth server token max age is configured, execute the following: +cli in $(oc get oauthclient -oname); do oc patch oauthclient $cli --type=merge -p '{"accessTokenMaxAgeSeconds": 28800}'; doneTo check if the OAuth server token max age is configured, execute the following: oc get oauth cluster -ojsonpath='{.spec.tokenConfig.accessTokenMaxAgeSeconds}' 
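Review bot: the client-side fix command in this hunk, "cli in $(oc get oauthclient -oname); do oc patch oauthclient $cli --type=merge -p '{"accessTokenMaxAgeSeconds": 28800}'; done", is missing the leading `for`, so it does not run as written; the `+` line carries the same defect, so this is the published DISA text and should be reported upstream rather than patched in the vendored file. Separately, the `+` side splits the VulnDiscussion paragraph after "extended period." onto a new line, which only inserts whitespace inside the element and does not affect SCAP processing.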
@@ -2359,7 +2359,7 @@ Check all clients OAuth client token max age configuration by execute the follow oc get oauthclients -ojson | jq -r '.items[] | { accessTokenMaxAgeSeconds: .accessTokenMaxAgeSeconds}' -If the output returns a timeout value of >"28800" for any client, this is a finding.SRG-APP-000414-CTR-001010<GroupDescription></GroupDescription>CNTR-OS-000770Vulnerability scanning applications must implement privileged access authorization to all OpenShift components, containers, and container images for selected organization-defined vulnerability scanning activities.<VulnDiscussion>OpenShift uses service accounts to provide applications running on or off the platform access to the API service using the enforced RBAC policies. Vulnerability scanning applications that need access to the container platform may use a service account to grant that access. That service account can then be bound to the appropriate role required. The highest level of access granted is the cluster-admin role. Any account bound to that role can access and modify anything on the platform. It is strongly recommended to limit the number of accounts bound to that role. Instead, there are other predefined cluster level roles that may support the scanning to, such as the view or edit cluster roles. Additionally, custom roles may be defined to tailor fit access as needed by the scanning tools.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-001067If no vulnerability scanning tool is used, this requirement is Not Applicable. 
+If the output returns a timeout value of >"28800" for any client, this is a finding.SRG-APP-000414-CTR-001010<GroupDescription></GroupDescription>CNTR-OS-000770Vulnerability scanning applications must implement privileged access authorization to all OpenShift components, containers, and container images for selected organization-defined vulnerability scanning activities.<VulnDiscussion>OpenShift uses service accounts to provide applications running on or off the platform access to the API service using the enforced RBAC policies. Vulnerability scanning applications that need access to the container platform may use a service account to grant that access. That service account can then be bound to the appropriate role required. The highest level of access granted is the cluster-admin role. Any account bound to that role can access and modify anything on the platform. It is strongly recommended to limit the number of accounts bound to that role. Instead, there are other predefined cluster level roles that may support the scanning to, such as the view or edit cluster roles. Additionally, custom roles may be defined to tailor fit access as needed by the scanning tools.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-001067If no vulnerability scanning tool is used, this requirement is Not Applicable. Create a service if one does not already exist. 
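Review bot: the client check in this hunk, `oc get oauthclients -ojson | jq -r '.items[] | { accessTokenMaxAgeSeconds: .accessTokenMaxAgeSeconds}'`, prints null for any OAuthClient that does not set accessTokenMaxAgeSeconds, and such a client inherits the server-level value set in the preceding `oc patch oauth cluster` step. Null is therefore only a pass when the server value from the `oc get oauth cluster -ojsonpath` check is 28800 or less; the finding rule "a timeout value of >"28800" for any client" does not spell that dependency out, which is worth noting for anyone deriving an automated check.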
@@ -2384,7 +2384,7 @@ https://docs.openshift.com/container-platform/4.8/authentication/using-rbac.html https://docs.openshift.com/container-platform/4.8/authentication/understanding-and-creating-service-accounts.html -https://docs.openshift.com/container-platform/4.8/authentication/using-service-accounts-in-applications.htmlIf no vulnerability scanning tool is used, this requirement is Not Applicable. +https://docs.openshift.com/container-platform/4.8/authentication/using-service-accounts-in-applications.htmlIf no vulnerability scanning tool is used, this requirement is Not Applicable. Identify the service accounts used by the vulnerability scanning tools. If the tool runs as a container on the platform, then service account information can be found in the pod details by executing the following: 
@@ -2409,7 +2409,7 @@ OAuth access tokens OAuth authorize tokens -When users enable etcd encryption, encryption keys are created. These keys are rotated on a weekly basis. Users must have these keys to restore from an etcd backup.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-002476Set API encryption type by executing the following: +When users enable etcd encryption, encryption keys are created. These keys are rotated on a weekly basis. Users must have these keys to restore from an etcd backup.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-002476Set API encryption type by executing the following: oc edit apiserver @@ -2419,7 +2419,7 @@ spec: type: aescbc Additional details about the configuration can be found in the documentation: -https://docs.openshift.com/container-platform/4.8/security/encrypting-etcd.htmlReview the API server encryption by running by executing the following: +https://docs.openshift.com/container-platform/4.8/security/encrypting-etcd.htmlReview the API server encryption by running by executing the following: oc edit apiserver 
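Review bot: the verification step in the second hunk on this line, "Review the API server encryption by running by executing the following: oc edit apiserver", opens an interactive editor on the APIServer object as its check, which risks writing an accidental change during what should be a read-only inspection (the duplicated "by running by executing" is also in the published text). Leave the vendored wording as is, but derived checks should use a read-only query such as `oc get apiserver cluster -o yaml` and look for "type: aescbc" under spec.encryption.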
@@ -2438,7 +2438,7 @@ https://docs.openshift.com/container-platform/4.8/security/container_security/se Resource quotas must be set on a given namespace or across multiple namespaces. Using resource quotas will help to mitigate a DoS attack by limiting how much CPU, memory, and pods may be consumed in a project. This helps protect other projects (namespaces) from being denied resources to process. -https://docs.openshift.com/container-platform/4.8/applications/quotas/quotas-setting-per-project.html</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-002385Configure a default resource quota as necessary to protect resource over utilization. +https://docs.openshift.com/container-platform/4.8/applications/quotas/quotas-setting-per-project.html</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-002385Configure a default resource quota as necessary to protect resource over utilization. 1. Create a bootstrap project template by executing the following: 
@@ -2461,7 +2461,7 @@ parameters: oc create -f template.yaml -n openshift-config -Details regarding the configuration of resource quotas can be reviewed at https://docs.openshift.com/container-platform/4.8/applications/quotas/quotas-setting-per-project.html.Verify the new project template includes a default resource quota by executing the following: +Details regarding the configuration of resource quotas can be reviewed at https://docs.openshift.com/container-platform/4.8/applications/quotas/quotas-setting-per-project.html.Verify the new project template includes a default resource quota by executing the following: oc get templates/project-request -n openshift-config -o jsonpath="{.objects[?(.kind=='ResourceQuota')]}{'\n'}" 
@@ -2473,7 +2473,7 @@ Using resource quotas will help to mitigate a DoS attack by limiting how much CP https://docs.openshift.com/container-platform/4.8/applications/quotas/quotas-setting-per-project.html -Satisfies: SRG-APP-000435-CTR-001070, SRG-APP-000246-CTR-000605, SRG-APP-000450-CTR-001105</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-001094CCI-002385CCI-002824Add a resource quota to an existing project namespace by performing the following steps: +Satisfies: SRG-APP-000435-CTR-001070, SRG-APP-000246-CTR-000605, SRG-APP-000450-CTR-001105</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-001094CCI-002385CCI-002824Add a resource quota to an existing project namespace by performing the following steps: 1. Create <YOURFILE>.yaml and insert the desired resource quota content. The following is an example resource quota definition. 
@@ -2496,24 +2496,24 @@ spec: oc apply -f <YOURFILE>.yaml -n <NAMESPACE> -Details regarding the configuration of resource quotas can be reviewed at https://docs.openshift.com/container-platform/4.8/applications/quotas/quotas-setting-per-project.html.Note: CNTR-OS-000140 is a prerequisite to this control. A Network Policy must exist to run this check. +Details regarding the configuration of resource quotas can be reviewed at https://docs.openshift.com/container-platform/4.8/applications/quotas/quotas-setting-per-project.html.Note: CNTR-OS-000140 is a prerequisite to this control. A Network Policy must exist to run this check. Verify that each user namespace has a ResourceQuota defined by executing the following: for ns in $(oc get namespaces -ojson | jq -r '.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name '); do oc get resourcequota -n$ns; done -If the above returns any lines saying "No resources found in <PROJECT> namespace.", this is a finding. Empty output is not a finding.SRG-APP-000439-CTR-001080<GroupDescription></GroupDescription>CNTR-OS-000820OpenShift must protect the confidentiality and integrity of transmitted information.<VulnDiscussion>OpenShift provides for two types of application level ingress types, Routes, and Ingresses. Routes have been a part of OpenShift since version 3. Ingresses were promoted out of beta in Aug 2020 (kubernetes v1.19). Routes provides for three type of TLS configuration options; Edge, Passthrough, and Re-encrypt. Each of those options provide TLS encryption over HTTP for inbound transmissions originating outside the cluster. 
Ingresses will have an IngressController associated that manages the routing and proxying of inbound transmissions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-002418Delete any Route or Ingress that does not use a secure transport. +If the above returns any lines saying "No resources found in <PROJECT> namespace.", this is a finding. Empty output is not a finding.SRG-APP-000439-CTR-001080<GroupDescription></GroupDescription>CNTR-OS-000820OpenShift must protect the confidentiality and integrity of transmitted information.<VulnDiscussion>OpenShift provides for two types of application level ingress types, Routes, and Ingresses. Routes have been a part of OpenShift since version 3. Ingresses were promoted out of beta in Aug 2020 (kubernetes v1.19). Routes provides for three type of TLS configuration options; Edge, Passthrough, and Re-encrypt. Each of those options provide TLS encryption over HTTP for inbound transmissions originating outside the cluster. 
Ingresses will have an IngressController associated that manages the routing and proxying of inbound transmissions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-002418Delete any Route or Ingress that does not use a secure transport. oc delete route <NAME> -n <NAMESPACE> or -oc delete ingress <NAME> -n <NAMESPACE>Verify that routes and ingress are using secured transmission ports and protocols by executing the following: +oc delete ingress <NAME> -n <NAMESPACE>Verify that routes and ingress are using secured transmission ports and protocols by executing the following: oc get routes --all-namespaces -Review the ingress ports, if the Ingress is not using a secure TLS transport, this is a finding.SRG-APP-000450-CTR-001105<GroupDescription></GroupDescription>CNTR-OS-000860Red Hat Enterprise Linux CoreOS (RHCOS) must implement nonexecutable data to protect its memory from unauthorized code execution.<VulnDiscussion>The NX bit is a hardware feature that prevents the execution of code from data memory regions. By enabling NX bit execute protection, OpenShift ensures that malicious code or exploits cannot execute from areas of memory that are intended for data storage. 
This helps protect against various types of buffer overflow attacks, where an attacker attempts to inject and execute malicious code in data memory.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-002824The NX bit execute protection must be enabled in the system BIOS. The nodes must be reinstalled. Follow the steps found here for more information: -https://access.redhat.com/solutions/2936741Verify the NX (no-execution) bit flag is set on the system by executing the following: +Review the ingress ports, if the Ingress is not using a secure TLS transport, this is a finding.SRG-APP-000450-CTR-001105<GroupDescription></GroupDescription>CNTR-OS-000860Red Hat Enterprise Linux CoreOS (RHCOS) must implement nonexecutable data to protect its memory from unauthorized code execution.<VulnDiscussion>The NX bit is a hardware feature that prevents the execution of code from data memory regions. By enabling NX bit execute protection, OpenShift ensures that malicious code or exploits cannot execute from areas of memory that are intended for data storage. 
This helps protect against various types of buffer overflow attacks, where an attacker attempts to inject and execute malicious code in data memory.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-002824The NX bit execute protection must be enabled in the system BIOS. The nodes must be reinstalled. Follow the steps found here for more information: +https://access.redhat.com/solutions/2936741Verify the NX (no-execution) bit flag is set on the system by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; dmesg | grep Execute ' 2>/dev/null; done 
@@ -2531,7 +2531,7 @@ ASLR enhances the resilience of the OpenShift platform by introducing randomness ASLR is particularly effective in mitigating remote code execution attacks. By randomizing the memory layout, ASLR prevents attackers from precisely predicting the memory addresses needed to execute malicious code. This makes it significantly more challenging for attackers to successfully exploit vulnerabilities and execute arbitrary code on the system. -Protection of Shared Libraries: ASLR also protects shared libraries used by applications running on OpenShift. By randomizing the base addresses of shared libraries, ASLR makes it harder for attackers to leverage vulnerabilities in shared libraries to compromise applications or gain unauthorized access to the system. It adds an extra layer of protection to prevent attacks targeting shared library vulnerabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-002824Apply the machine config to implement ASLR by executing the following: +Protection of Shared Libraries: ASLR also protects shared libraries used by applications running on OpenShift. By randomizing the base addresses of shared libraries, ASLR makes it harder for attackers to leverage vulnerabilities in shared libraries to compromise applications or gain unauthorized access to the system. 
It adds an extra layer of protection to prevent attacks targeting shared library vulnerabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-002824Apply the machine config to implement ASLR by executing the following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 
@@ -2552,25 +2552,25 @@ spec: path: /etc/sysctl.d/75-sysctl_kernel_randomize_va_space.conf overwrite: true " | oc apply -f - -doneVerify Red Hat Enterprise Linux CoreOS (RHCOS) implements ASLR by executing the following: +doneVerify Red Hat Enterprise Linux CoreOS (RHCOS) implements ASLR by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; sysctl kernel.randomize_va_space ' 2>/dev/null; done If "kernel.randomize_va_space" is not set to "2", this is a finding.SRG-APP-000454-CTR-001110<GroupDescription></GroupDescription>CNTR-OS-000880OpenShift must remove old components after updated versions have been installed.<VulnDiscussion>Previous versions of OpenShift components that are not removed from the container platform after updates have been installed may be exploited by adversaries by causing older components to execute which contain vulnerabilities. When these components are deleted, the likelihood of this happening is removed. 
-Satisfies: SRG-APP-000454-CTR-001110, SRG-APP-000454-CTR-001115</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-002617Enable the image pruner to automate the pruning of images from the cluster by executing the following: +Satisfies: SRG-APP-000454-CTR-001110, SRG-APP-000454-CTR-001115</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-002617Enable the image pruner to automate the pruning of images from the cluster by executing the following: oc patch imagepruners.imageregistry.operator.openshift.io/cluster --type=merge -p '{"spec":{"suspend":false}}' For additional details on configuring the image pruner operator, refer to the following document: -https://docs.openshift.com/container-platform/4.8/applications/pruning-objects.html#pruning-images_pruning-objectsEnsure the imagepruner is configured and is not in a suspended state by executing the following: +https://docs.openshift.com/container-platform/4.8/applications/pruning-objects.html#pruning-images_pruning-objectsEnsure the imagepruner is configured and is not in a suspended state by executing the following: oc get 
imagepruners.imageregistry.operator.openshift.io/cluster -o jsonpath='{.spec}{"\n"}' Review the settings. If "suspend" is set to "true", this is a finding.SRG-APP-000456-CTR-001125<GroupDescription></GroupDescription>CNTR-OS-000890OpenShift must contain the latest images with most recent updates and execute within the container platform runtime as authorized by IAVM, CTOs, DTMs, and STIGs.<VulnDiscussion>It is critical to the security and stability of the container platform and the software services running on the platform to ensure that images are deployed through a trusted software supply chain. The OpenShift platform can be configured to limit and control which image source repositories may be used by the platform and the users of the platform. By configuring this to only allow users to deploy images from trusted sources, lowers the risk for a user to deploy unsafe or untested images that would be detrimental to the security and stability of the platform. -In order to help users manage images, OpenShift uses image streams to provide a level of obstruction for the users. In this way the users can trigger automatic redeployments as images are updated. 
It is also possible to configure the image stream to periodically check the image source repository for any updates and automatically pull in the latest updates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-002605Edit the cluster image config resource to define the allowed registries by executing the following: +In order to help users manage images, OpenShift uses image streams to provide a level of obstruction for the users. In this way the users can trigger automatic redeployments as images are updated. It is also possible to configure the image stream to periodically check the image source repository for any updates and automatically pull in the latest updates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-002605Edit the cluster image config resource to define the allowed registries by executing the following: oc edit image.config.openshift.io/cluster 
@@ -2605,7 +2605,7 @@ spec: - insecure.com status: internalRegistryHostname: image-registry.openshift-image-registry.svc:5000 -----------------------------------------------------------------------Verify the image source policy is configured by executing the following: +----------------------------------------------------------------------Verify the image source policy is configured by executing the following: oc get image.config.openshift.io/cluster -o jsonpath='{.spec.registrySources}{"\nAllowedRegistriesForImport: "}{.spec.allowedRegistriesForImport}{"\n"}' 
@@ -2613,14 +2613,14 @@ If nothing is returned, this is a finding. If the registries listed under allowedRegistries, insecureRegistries, or AllowedRegistriesForImport are not from trusted sources as defined by the organization, this is a finding.SRG-APP-000456-CTR-001130<GroupDescription></GroupDescription>CNTR-OS-000900OpenShift runtime must have updates installed within the period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).<VulnDiscussion>OpenShift runtime must be carefully monitored for vulnerabilities, and when problems are detected, they must be remediated quickly. A vulnerable runtime exposes all containers it supports, as well as the host itself, to potentially significant risk. Organizations must use tools to look for Common Vulnerabilities and Exposures (CVEs) in the runtimes deployed, to upgrade any instances at risk, and to ensure that orchestrators only allow deployments to properly maintained runtimes. -Satisfies: SRG-APP-000456-CTR-001130, SRG-APP-000456-CTR-001125</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-002605For container images that are not scheduled to check for updates that otherwise should, update the imagestream to schedule updates for each tag by executing the following: +Satisfies: SRG-APP-000456-CTR-001130, 
SRG-APP-000456-CTR-001125</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-002605For container images that are not scheduled to check for updates that otherwise should, update the imagestream to schedule updates for each tag by executing the following: oc patch imagestream <NAME> -n NAMESPACE --type merge -p '{"spec":{"tags":[{"name":"<TAG_NAME>","importPolicy":{"scheduled":true}}]}}' where, NAME: The imagestream name to update NAMESPACE: The namespace the imagestream is in. This will most often be 'openshift'. - TAG_NAME: The imagestream tag to updateTo list all the imagestreams and identify which imagestream tags are configured to periodically check for updates (imagePolicy = { scheduled: true }), execute the following: + TAG_NAME: The imagestream tag to updateTo list all the imagestreams and identify which imagestream tags are configured to periodically check for updates (imagePolicy = { scheduled: true }), execute the following: oc get imagestream --all-namespaces -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{range .spec.tags[*]}{"\t"}{.name}{": "}{.importPolicy}{"\n"}' 
@@ -2643,7 +2643,7 @@ Review the listing, and for each imagestream tag version that does not have the The Compliance Operator assesses compliance of both the Kubernetes API resources of OpenShift Container Platform, as well as the nodes running the cluster. -The Compliance Operator uses OpenSCAP, a NIST-certified tool, to scan and enforce security policies provided by the content. This allows an organization to define organizational policy to align with the SSP, combine it with standardized vendor-provided content, and periodically scan the platform in accordance with organization-defined policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-002696If Red Hat OpenShift Compliance Operator is not used,, this check is Not Applicable. +The Compliance Operator uses OpenSCAP, a NIST-certified tool, to scan and enforce security policies provided by the content. 
This allows an organization to define organizational policy to align with the SSP, combine it with standardized vendor-provided content, and periodically scan the platform in accordance with organization-defined policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-002696If Red Hat OpenShift Compliance Operator is not used,, this check is Not Applicable. The compliance operator must be leveraged to ensure that components are configured in alignment with the SSP. Install the Compliance Operator by executing the following: 
@@ -2687,7 +2687,7 @@ Following installation of the Compliance Operator, a ScanSettingBinding object t oc apply -f my-scansettingbinding.yml -n openshift-compliance -For more information about the compliance operator and its use, including the creation of TailoredProfiles and the ScanSettings available to meet specific security functions or organizational goals defined in the SSP, refer to https://docs.openshift.com/container-platform/4.8/security/compliance_operator/compliance-operator-understanding.html.If Red Hat OpenShift Compliance Operator is not used, this check is Not Applicable. +For more information about the compliance operator and its use, including the creation of TailoredProfiles and the ScanSettings available to meet specific security functions or organizational goals defined in the SSP, refer to https://docs.openshift.com/container-platform/4.8/security/compliance_operator/compliance-operator-understanding.html.If Red Hat OpenShift Compliance Operator is not used, this check is Not Applicable. Note: If Red Hat OpenShift Compliance Operator is not used, run the checks manually. Review the cluster configuration to validate that all required security functions are being validated with the Compliance Operator. 
@@ -2717,7 +2717,7 @@ The Compliance Operator enables continuous compliance monitoring within OpenShif The Compliance Operator assesses compliance of both the Kubernetes API resources of OpenShift Container Platform, as well as the nodes running the cluster. -The Compliance Operator uses OpenSCAP, a NIST-certified tool, to scan and enforce security policies provided by the content. This allows an organization to define organizational policy to align with the SSP, combine it with standardized vendor-provided content, and periodically scan the platform in accordance with organization-defined policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-002699If Red Hat OpenShift Compliance Operator is not used, this check is Not Applicable. +The Compliance Operator uses OpenSCAP, a NIST-certified tool, to scan and enforce security policies provided by the content. 
This allows an organization to define organizational policy to align with the SSP, combine it with standardized vendor-provided content, and periodically scan the platform in accordance with organization-defined policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-002699If Red Hat OpenShift Compliance Operator is not used, this check is Not Applicable. The compliance operator must be leveraged to ensure that components are configured in alignment with the SSP at a desired schedule. Install the Compliance Operator by executing the following: 
@@ -2761,7 +2761,7 @@ Following installation of the Compliance Operator, a ScanSettingBinding object t oc apply -f my-scansettingbinding.yml -n openshift-compliance -For more information about the compliance operator and its use, including the configurability of scheduling of scan cadence in ScanSetting resources and the role-based access control requirements for manually triggered scans, refer to https://docs.openshift.com/container-platform/4.8/security/compliance_operator/compliance-operator-understanding.html.If Red Hat OpenShift Compliance Operator is not used, this check is Not Applicable. +For more information about the compliance operator and its use, including the configurability of scheduling of scan cadence in ScanSetting resources and the role-based access control requirements for manually triggered scans, refer to https://docs.openshift.com/container-platform/4.8/security/compliance_operator/compliance-operator-understanding.html.If Red Hat OpenShift Compliance Operator is not used, this check is Not Applicable. Review the cluster configuration to validate that all required security functions are being validated with the Compliance Operator. 
@@ -2786,7 +2786,7 @@ If the profiles that are bound to schedules do not cover the organization-design Audit records for unsuccessful attempts to modify privileges help in identifying unauthorized activities or potential attacks. If an unauthorized entity attempts to modify privileges, the audit records can serve as an early warning sign of a security threat. By monitoring and analyzing such records, administrators can detect and mitigate potential security breaches before they escalate. -Audit records play a vital role in forensic analysis and investigation. In the event of a security incident or suspected compromise, audit logs for privilege modifications provide valuable information for understanding the scope and impact of the incident.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000172Apply the machine config to generate audit records when successful/unsuccessful attempts to modify privileges by executing the following: +Audit records play a vital role in forensic analysis and investigation. 
In the event of a security incident or suspected compromise, audit logs for privilege modifications provide valuable information for understanding the scope and impact of the incident.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000172Apply the machine config to generate audit records when successful/unsuccessful attempts to modify privileges by executing the following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 @@ -3077,7 +3077,7 @@ spec: path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules overwrite: true " | oc apply -f - -doneVerify OpenShift is configured to generate audit records when successful/unsuccessful attempts to modify privileges occur by executing the following: +doneVerify OpenShift is configured to generate audit records when successful/unsuccessful attempts to modify privileges occur by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e "key=unsuccessful-create" -e "key=unsuccessful-modification" -e "key=delete" -e "key=unsuccessful-access" -e "actions" -e "key=perm_mod" -e "audit_rules_usergroup_modification" -e "module-change" -e "logins" /etc/audit/audit.rules' 2>/dev/null; done 
@@ -3166,7 +3166,7 @@ If the above rules are not listed on each node, this is a finding.DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000172Apply the machine config to configure modification audit records by executing the following: +Satisfies: SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000172Apply the machine config to configure modification audit records by executing the following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 @@ -3232,7 +3232,7 @@ spec: path: /etc/audit/rules.d/75-usr_sbin_setsebool_execution.rules overwrite: true " | oc apply -f - -doneVerify the Red Hat Enterprise Linux CoreOS (RHCOS) is configured to generate audit records when successful/unsuccessful attempts to modify security categories or objects occur by executing the following: +doneVerify the Red Hat Enterprise Linux CoreOS (RHCOS) is configured to generate audit records when successful/unsuccessful attempts to modify security categories or objects occur by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e "key=privileged" -e "key=perm_mod" /etc/audit/audit.rules' 2>/dev/null; done 
@@ -3255,7 +3255,7 @@ Confirm the following rules exist on each node: If the above rules are not listed on each node, this is a finding.SRG-APP-000499-CTR-001255<GroupDescription></GroupDescription>CNTR-OS-000950OpenShift must generate audit records when successful/unsuccessful attempts to delete privileges occur.<VulnDiscussion>Audit records for unsuccessful attempts to delete privileges help in identifying unauthorized activities or potential attacks. If an unauthorized entity attempts to remove privileges, the audit records can serve as an early warning sign of a security threat. By monitoring and analyzing such records, administrators can detect and mitigate potential security breaches before they escalate. -Audit records play a vital role in forensic analysis and investigation. In the event of a security incident or suspected compromise, audit logs for privilege deletions provide valuable information for understanding the scope and impact of the incident.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000172Apply the machine config to generate audit records when successful/unsuccessful attempts to delete security privileges by executing the following: +Audit records play a vital role in forensic analysis and investigation. 
In the event of a security incident or suspected compromise, audit logs for privilege deletions provide valuable information for understanding the scope and impact of the incident.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000172Apply the machine config to generate audit records when successful/unsuccessful attempts to delete security privileges by executing the following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 @@ -3381,7 +3381,7 @@ spec: path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules overwrite: true " | oc apply -f - -doneVerify OpenShift is configured to generate audit records when successful/unsuccessful attempts to delete security privileges occur by executing the following: +doneVerify OpenShift is configured to generate audit records when successful/unsuccessful attempts to delete security privileges occur by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e "key=delete" -e "key=perm_mod" -e "key=privileged" -e "audit_rules_usergroup_modification" /etc/audit/audit.rules' 2>/dev/null; done 
@@ -3460,7 +3460,7 @@ Audit records for unsuccessful attempts to delete security objects help in ident Audit records play a vital role in forensic analysis and investigation. In the event of a security incident or suspected compromise, audit logs for security object deletions provide valuable information for understanding the scope and impact of the incident. -Satisfies: SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000172Apply the machine config to generate audit records when security objects or categories are deleted by executing the following: +Satisfies: SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000172Apply the machine config to generate audit records when security objects or categories are deleted by executing the following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 
@@ -3535,7 +3535,7 @@ spec: mode: 0644 path: /etc/audit/rules.d/75-usr_bin_chage_execution.rules overwrite: true -" ; done | oc apply -f -Verify the Red Hat Enterprise Linux CoreOS (RHCOS) is configured to generate audit records when successful/unsuccessful attempts to delete security objects or categories of information occur by executing the following: +" ; done | oc apply -f -Verify the Red Hat Enterprise Linux CoreOS (RHCOS) is configured to generate audit records when successful/unsuccessful attempts to delete security objects or categories of information occur by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e "key=access" -e "key=delete" -e "key=unsuccessful-delete" -e "key=privileged" -e "key=perm_mod" /etc/audit/audit.rules' 2>/dev/null; done 
@@ -3627,7 +3627,7 @@ If the above rules are not listed on each node, this is a finding.DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000172Apply the machine config to audit logons by executing the following: +By monitoring logon activity logs, administrators and security teams can identify unusual or suspicious patterns of logon attempts. Forensic analysts can examine these records to reconstruct the timeline of logon activities and determine the scope and nature of the incident.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000172Apply the machine config to audit logons by executing the following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 @@ -3683,7 +3683,7 @@ spec: path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules overwrite: true " | oc apply -f - -doneVerify that logons are audited by executing the following: +doneVerify that logons are audited by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n ""$HOSTNAME ""; grep ""logins"" /etc/audit/audit.rules /etc/audit/rules.d/*' 2>/dev/null; done 
@@ -3696,7 +3696,7 @@ If the two rules above are not found on each node, this is a finding.DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000172Apply the machine config for audit rules capture by executing the following: +Audit records for module loading and unloading can be used for system performance analysis and troubleshooting. By reviewing these records, administrators can identify any problematic or misbehaving modules that may affect system performance or stability. This helps in diagnosing and resolving issues related to kernel modules more effectively.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000172Apply the machine config for audit rules capture by executing the following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 @@ -3732,7 +3732,7 @@ spec: path: /etc/audit/rules.d/75-kernel-module-loading-init.rules overwrite: true " | oc apply -f - -doneVerify the audit rules capture loading and unloading of kernel modules by executing the following: +doneVerify the audit rules capture loading and unloading of kernel modules by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e module-load -e module-unload -e module-change /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done 
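Review bot: the kernel-module check in this hunk, `grep -e module-load -e module-unload -e module-change /etc/audit/rules.d/* /etc/audit/audit.rules`, matches any line containing those keys, including a rule commented out with a leading `#`, so a disabled rule in `rules.d` produces output that looks like a pass. The finding text that follows ("Confirm the following rules exist on each node ... If the above rules are not listed for each node, this is a finding") is what the assessor has to compare against; if the check text is ever revised upstream, anchoring the pattern on `^-a` (or grepping only the compiled `/etc/audit/audit.rules`, which is what auditd actually loads) would make the grep output decisive on its own.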
@@ -3749,7 +3749,7 @@ Confirm the following rules exist on each node. -a always,exit -F arch=b32 -S init_module -k module-change -a always,exit -F arch=b64 -S init_module -k module-change -If the above rules are not listed for each node, this is a finding.SRG-APP-000505-CTR-001285<GroupDescription></GroupDescription>CNTR-OS-000990OpenShift audit records must record user access start and end times.<VulnDiscussion>OpenShift must generate audit records showing start and end times for users and services acting on behalf of a user accessing the registry and keystore. These components must use the same standard so that the events can be tied together to understand what took place within the overall container platform. This must establish, correlate, and help assist with investigating the events relating to an incident, or identify those responsible.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000172Apply the machine config for user access times by executing the following: +If the above rules are not listed for each node, this is a finding.SRG-APP-000505-CTR-001285<GroupDescription></GroupDescription>CNTR-OS-000990OpenShift audit records must record user access start and end times.<VulnDiscussion>OpenShift must generate audit records showing start and end times for users and services acting on behalf of a user accessing the registry and keystore. These components must use the same standard so that the events can be tied together to understand what took place within the overall container platform. 
This must establish, correlate, and help assist with investigating the events relating to an incident, or identify those responsible.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000172Apply the machine config for user access times by executing the following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 @@ -3775,7 +3775,7 @@ spec: path: /etc/audit/rules.d/75-var_log_utmp_write_events.rules overwrite: true " | oc apply -f - -doneVerify the Red Hat Enterprise Linux CoreOS (RHCOS) is configured to generate audit records showing starting and ending times for user access by executing the following: +doneVerify the Red Hat Enterprise Linux CoreOS (RHCOS) is configured to generate audit records showing starting and ending times for user access by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e "-k session" /etc/audit/audit.rules' 2>/dev/null; done 
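Review bot: the session check in this hunk greps only the compiled file, `grep -e "-k session" /etc/audit/audit.rules`, whereas the module-loading and logon checks in the neighbouring hunks grep `/etc/audit/rules.d/*` as well. The fix writes `/etc/audit/rules.d/75-var_log_utmp_write_events.rules`, and `audit.rules` is only regenerated from `rules.d` when augenrules runs (on RHCOS, at the auditd start that follows the MachineConfig reboot), so the two styles of check can disagree on a node whose rollout is still in progress. Consistency across the checks is an upstream matter, but the `-k session` form is the safer one since it tests what auditd has loaded; the expected lines are the two listed in the next hunk, `-w /var/log/btmp -p wa -k session` and `-w /var/log/utmp -p wa -k session`.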
@@ -3784,7 +3784,7 @@ Confirm the following rules exist on each node: -w /var/log/btmp -p wa -k session -w /var/log/utmp -p wa -k session -If the above rules are not listed on each node, this is a finding.SRG-APP-000506-CTR-001290<GroupDescription></GroupDescription>CNTR-OS-001000OpenShift must generate audit records when concurrent logons from different workstations and systems occur.<VulnDiscussion>OpenShift and its components must generate audit records for concurrent logons from workstations perform remote maintenance, runtime instances, connectivity to the container registry, and keystore. All the components must use the same standard so the events can be tied together to understand what took place within the overall container platform. This must establish, correlate, and help assist with investigating the events relating to an incident, or identify those responsible.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000172Apply the machine config so concurrent logons are audited by executing the following: +If the above rules are not listed on each node, this is a finding.SRG-APP-000506-CTR-001290<GroupDescription></GroupDescription>CNTR-OS-001000OpenShift must generate audit records when concurrent logons from different workstations and systems occur.<VulnDiscussion>OpenShift and its components must generate audit records for concurrent logons from workstations perform remote maintenance, runtime instances, connectivity to the container registry, and keystore. 
All the components must use the same standard so the events can be tied together to understand what took place within the overall container platform. This must establish, correlate, and help assist with investigating the events relating to an incident, or identify those responsible.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000172Apply the machine config so concurrent logons are audited by executing the following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 @@ -3810,7 +3810,7 @@ spec: path: /etc/audit/rules.d/75-lastlog_login_events.rules overwrite: true " | oc apply -f - -doneVerify that concurrent logons are audited by executing the following: +doneVerify that concurrent logons are audited by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep "logins" /etc/audit/audit.rules /etc/audit/rules.d/*' 2>/dev/null; done 
@@ -3827,7 +3827,7 @@ By disabling SSHD, OpenShift can restrict access to the platform to only authori Disabling SSHD encourages the use of more secure and controlled access mechanisms, such as API-based access or secure remote management tools provided by OpenShift. These mechanisms offer better access control and auditing capabilities, allowing administrators to manage and monitor access to the platform more effectively. -Satisfies: SRG-APP-000141-CTR-000315, SRG-APP-000185-CTR-000490</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000381CCI-000877Apply the machine config to disable SSHD service by executing following: +Satisfies: SRG-APP-000141-CTR-000315, SRG-APP-000185-CTR-000490</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000381CCI-000877Apply the machine config to disable SSHD service by executing following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 
@@ -3845,7 +3845,7 @@ spec: - name: sshd.service enabled: false " | oc apply -f - -doneVerify the SSHD service is inactive and disabled by executing the following: +doneVerify the SSHD service is inactive and disabled by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; systemctl is-enabled sshd.service; systemctl is-active sshd.service' 2>/dev/null; done @@ -3853,7 +3853,7 @@ If the SSHD service is either active or enabled this is a finding.DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000381Apply the machine config to disable USB Storage to load USB Storage kernel module by executing the following: +Disabling USB storage prevents unauthorized data transfers to and from the system. This helps enforce data loss prevention (DLP) policies and mitigates the risk of sensitive or confidential data being copied or stolen using USB storage devices. It adds an additional layer of control to protect against data leakage or unauthorized data movement.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000381Apply the machine config to disable USB Storage to load USB Storage kernel module by executing the following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 
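Review bot: the SSHD MachineConfig in this hunk only sets `enabled: false` on `sshd.service`, which removes the unit from the boot target but does not mask it, so anyone with host access (for example via `oc debug node`) can still `systemctl start sshd` and the service will answer until the next reboot. The verification (`systemctl is-enabled sshd.service; systemctl is-active sshd.service`) would catch that state, but if the intent is to make the unit non-startable, Ignition's `mask: true` on the unit is the stronger setting. As written the check prints the two results on separate lines after the hostname, which is fine but worth knowing when scripting the comparison against "either active or enabled".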
@@ -3874,13 +3874,13 @@ spec: path: /etc/modprobe.d/75-kernel_module_usb-storage_disabled.conf overwrite: true " | oc apply -f - -doneVerify the operating system disables the ability to load the USB Storage kernel module by executing the following: +doneVerify the operating system disables the ability to load the USB Storage kernel module by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -r usb-storage /etc/modprobe.d/* | grep -i "/bin/true"' 2>/dev/null; done install usb-storage /bin/true -If the command does not return any output, or the line is commented out, and use of USB Storage is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-APP-000141-CTR-000315<GroupDescription></GroupDescription>CNTR-OS-001030Red Hat Enterprise Linux CoreOS (RHCOS) must use USBGuard for hosts that include a USB Controller.<VulnDiscussion>USBGuard adds an extra layer of security to the overall OpenShift infrastructure. It provides an additional control mechanism to prevent potential security threats originating from USB devices. By monitoring and controlling USB access, USBGuard helps mitigate risks associated with unauthorized or malicious devices that may attempt to exploit vulnerabilities within the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000381If there is not a USB Controller, this requirement is Not Applicable. 
+If the command does not return any output, or the line is commented out, and use of USB Storage is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-APP-000141-CTR-000315<GroupDescription></GroupDescription>CNTR-OS-001030Red Hat Enterprise Linux CoreOS (RHCOS) must use USBGuard for hosts that include a USB Controller.<VulnDiscussion>USBGuard adds an extra layer of security to the overall OpenShift infrastructure. It provides an additional control mechanism to prevent potential security threats originating from USB devices. By monitoring and controlling USB access, USBGuard helps mitigate risks associated with unauthorized or malicious devices that may attempt to exploit vulnerabilities within the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000381If there is not a USB Controller, this requirement is Not Applicable. 1. Install the service by executing the following: @@ -3969,7 +3969,7 @@ spec: path: /etc/usbguard/rules.conf overwrite: true " | oc apply -f - -done1. Determine if the host devices include a USB Controller by executing the following: +done1. Determine if the host devices include a USB Controller by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; lspci' 2>/dev/null; done 
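Review bot: the usb-storage check in this hunk, `grep -r usb-storage /etc/modprobe.d/* | grep -i "/bin/true"`, also matches a commented-out line such as `#install usb-storage /bin/true`, so the "or the line is commented out" clause in the finding text relies on the assessor reading the output rather than on the command. Anchoring on the directive, e.g. `grep -Es '^\s*install\s+usb-storage\s+/bin/(true|false)' /etc/modprobe.d/*`, would make the grep itself decisive and would also accept the `/bin/false` spelling, which modprobe treats the same way; the expected output line shown in the hunk, `install usb-storage /bin/true`, is the one the MachineConfig at `/etc/modprobe.d/75-kernel_module_usb-storage_disabled.conf` is meant to provide.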
@@ -3994,7 +3994,7 @@ for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash - If USBGuard is not found or the results do not match the organizationally defined rules, this is a finding.SRG-APP-000516-CTR-001335<GroupDescription></GroupDescription>CNTR-OS-001060OpenShift must continuously scan components, containers, and images for vulnerabilities.<VulnDiscussion>Finding vulnerabilities quickly within the container platform and within containers deployed within the platform is important to keep the overall platform secure. When a vulnerability within a component or container is unknown or allowed to remain unpatched, other containers and customers within the platform become vulnerability. The vulnerability can lead to the loss of application data, organizational infrastructure data, and Denial-of-Service (DoS) to hosted applications. -Vulnerability scanning can be performed by the container platform or by external applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000366Vulnerability scanning can be performed by the Container Security Operator, Red Hat Advanced Cluster Security (formerly StackRox) or by external applications. Follow instructions from the application vendor if using external tool for vulnerability scanning. 
To install the Container Security Operator into the cluster, run the following: +Vulnerability scanning can be performed by the container platform or by external applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000366Vulnerability scanning can be performed by the Container Security Operator, Red Hat Advanced Cluster Security (formerly StackRox) or by external applications. Follow instructions from the application vendor if using external tool for vulnerability scanning. To install the Container Security Operator into the cluster, run the following: oc apply -f - << 'EOF' --- 
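Review bot: the VulnDiscussion in this hunk carries the upstream typo "other containers and customers within the platform become vulnerability" (should read "vulnerable"); since this file is a verbatim copy of the published benchmark rather than project-authored text, it should stay as is here and be reported to DISA instead of being patched locally. The same holds for "by executing following" and "to disable USB Storage to load USB Storage kernel module" in the hunks above.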
@@ -4011,13 +4011,13 @@ spec: name: container-security-operator source: redhat-operators sourceNamespace: openshift-marketplace -EOFTo check if the Container Security Operator is running, execute the following: +EOFTo check if the Container Security Operator is running, execute the following: oc get deploy -n openshift-operators container-security-operator -ojsonpath='{.status.readyReplicas}' If this command returns an error or the number 0, and a separate tool is not being used to perform continuous vulnerability scans of components, containers, and container images, this is a finding.SRG-APP-000610-CTR-001385<GroupDescription></GroupDescription>CNTR-OS-001080OpenShift must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (nonlegacy use).<VulnDiscussion>Using a FIPS-validated SHA-2 or higher hash function for digital signature generation and verification in OpenShift ensures strong cryptographic security, compliance with industry standards, and protection against known attacks. It promotes the integrity, authenticity, and nonrepudiation of digital signatures, which are essential for secure communication and data exchange in the OpenShift platform. -SHA1 is disabled in digital signatures when FIPS mode is enabled. OpenShift must verify that the certificates in /etc/kubernetes and /etc/pki are using sha256 signatures.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.12DISADPMS TargetRed Hat OpenShift Container Platform 4.125547CCI-000803Reinstall the OpenShift cluster in FIPS mode. 
The file install-config.yaml has a top-level key that enables FIPS mode for all nodes and the cluster platform layer. If the install-config.yaml was not backed up prior to consumption as part of the installation, it must be recreated. An example install-config.yaml with some sections trimmed out for brevity, and the "fips: true" key applied at the top level is shown below: +SHA1 is disabled in digital signatures when FIPS mode is enabled. OpenShift must verify that the certificates in /etc/kubernetes and /etc/pki are using sha256 signatures.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat OpenShift Container Platform 4.xDISADPMS TargetRed Hat OpenShift Container Platform 4.x5547CCI-000803Reinstall the OpenShift cluster in FIPS mode. The file install-config.yaml has a top-level key that enables FIPS mode for all nodes and the cluster platform layer. If the install-config.yaml was not backed up prior to consumption as part of the installation, it must be recreated. An example install-config.yaml with some sections trimmed out for brevity, and the "fips: true" key applied at the top level is shown below: apiVersion: v1 baseDomain: example.com 
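Review bot: the Container Security Operator check in this hunk, `oc get deploy -n openshift-operators container-security-operator -ojsonpath='{.status.readyReplicas}'`, only proves the operator deployment is up; an operator that is running but has produced no scan results still passes, which is weaker than the "continuously scan" wording of CNTR-OS-001060. If this check is automated downstream, pairing it with a look for scan output (the operator's `ImageManifestVuln` objects) would test the requirement rather than the installation step; the readiness probe alone is fine as the manual STIG check text, which is all this file records.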
@@ -4048,7 +4048,7 @@ After saving the install-config.yaml with the corresponding correct information, > ./openshift-install create cluster --dir=<installation_directory> --log-level=info Where <installation_directory> is the directory that contains install-config.yaml -Additional details can be found here: https://docs.openshift.com/container-platform/4.8/installing/installing-fips.htmlVerify the use of a FIPS-compliant hash function for digital signature generation and validation, by executing and reviewing the following commands: +Additional details can be found here: https://docs.openshift.com/container-platform/4.8/installing/installing-fips.htmlVerify the use of a FIPS-compliant hash function for digital signature generation and validation, by executing and reviewing the following commands: update-crypto-policies --show diff --git a/shared/references/disa-stig-rhcos4-v2r2-xccdf-manual.xml b/shared/references/disa-stig-rhcos4-v2r2-xccdf-manual.xml deleted file mode 120000 index a816bb0ec0c..00000000000 --- a/shared/references/disa-stig-rhcos4-v2r2-xccdf-manual.xml +++ /dev/null @@ -1 +0,0 @@ -./disa-stig-ocp4-v2r2-xccdf-manual.xml \ No newline at end of file diff --git a/shared/references/disa-stig-rhcos4-v2r3-xccdf-manual.xml b/shared/references/disa-stig-rhcos4-v2r3-xccdf-manual.xml new file mode 120000 index 00000000000..f356703bd8f --- /dev/null +++ b/shared/references/disa-stig-rhcos4-v2r3-xccdf-manual.xml @@ -0,0 +1 @@ +./disa-stig-ocp4-v2r3-xccdf-manual.xml \ No newline at end of file
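Review bot: the "Additional details" link in this hunk still points at `https://docs.openshift.com/container-platform/4.8/installing/installing-fips.html` while the benchmark's DPMS target has been changed from 4.12 to 4.x throughout the file, so the stale 4.8 path is the one reference that did not get generalized; as with the other text it is DISA's wording, so flag it upstream rather than editing the reference copy. On the symlink change that follows: `disa-stig-rhcos4-v2r2-xccdf-manual.xml` is deleted and `disa-stig-rhcos4-v2r3-xccdf-manual.xml` now points at `./disa-stig-ocp4-v2r3-xccdf-manual.xml`, consistent with the rename, but please grep the build for any remaining references to the v2r2 filenames (profile or product metadata that names the reference file), since the old names no longer resolve.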