{"id": "stig_ocp4", "policy": "Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide", "title": "Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide", "source": "https://www.cyber.mil/stigs/downloads/", "definition_location": "/aptdata/openscap/scap-security-guide/controls/stig_ocp4.yml", "controls": [{"id": "CNTR-OS-000010", "levels": ["medium"], "notes": "", "title": "OpenShift must use TLS 1.2 or greater for secure container image transport from trusted sources.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000020", "levels": ["medium"], "notes": "", "title": "OpenShift must use TLS 1.2 or greater for secure communication.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000030", "levels": ["medium"], "notes": "", "title": "OpenShift must use a centralized user management solution to support account management functions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000040", "levels": ["medium"], "notes": "", "title": "The kubeadmin account must be disabled.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000050", "levels": ["medium"], "notes": "", "title": "OpenShift must automatically audit account creation.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_sysadmin_actions"], "controls": []}, {"id": "CNTR-OS-000060", "levels": ["medium"], "notes": "", "title": "OpenShift must automatically audit account modification.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_sysadmin_actions"], "controls": []}, {"id": "CNTR-OS-000070", "levels": ["medium"], "notes": "", "title": "OpenShift must generate audit rules to capture account related actions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_sysadmin_actions"], "controls": []}, {"id": "CNTR-OS-000080", "levels": ["medium"], "notes": "", "title": "Open Shift must automatically audit account removal actions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands_ssh_keysign", "audit_rules_privileged_commands_mount_nfs", "audit_rules_privileged_commands_su", "audit_rules_privileged_commands_polkit_helper", "audit_rules_privileged_commands_sssd_selinux_child", "audit_rules_privileged_commands_sudo", "audit_rules_privileged_commands_grub2_set_bootflag", "audit_rules_privileged_commands_sssd_proxy_child", "audit_rules_privileged_commands_sssd_krb5_child", "audit_rules_privileged_commands_utempter", "audit_rules_privileged_commands_pkexec", "audit_rules_privileged_commands_dbus_daemon_launch_helper", "audit_rules_privileged_commands_mount", "audit_rules_privileged_commands_passwd", "audit_rules_privileged_commands_write", "audit_rules_privileged_commands_sssd_ldap_child", "audit_rules_privileged_commands_unix_chkpwd", "audit_rules_privileged_commands_fusermount", "audit_rules_privileged_commands_gpasswd", "audit_rules_privileged_commands_fusermount3", "audit_rules_privileged_commands_newgrp", "audit_rules_privileged_commands_chage", "audit_rules_privileged_commands_pam_timestamp_check", "audit_rules_privileged_commands_umount"], "controls": []}, {"id": "CNTR-OS-000090", "levels": ["high"], "notes": "", "title": "OpenShift RBAC access controls must be enforced.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000100", "levels": ["medium"], "notes": "", "title": "OpenShift must enforce network policy on the namespace for controlling the flow of information within the container platform based on organization-defined information flow control policies.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000110", "levels": ["medium"], "notes": "", "title": "OpenShift must enforce approved authorizations for controlling the flow of information within the container platform based on organization-defined information flow control policies.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000130", "levels": ["low"], "notes": "", "title": "OpenShift must display the Standard Mandatory DOD Notice and Consent Banner before granting access to platform components.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000150", "levels": ["medium"], "notes": "", "title": "OpenShift must generate audit records for all DOD-defined auditable events within all components in the platform.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_auditd_enabled"], "controls": []}, {"id": "CNTR-OS-000160", "levels": ["medium"], "notes": "", "title": "OpenShift must generate audit records when successful/unsuccessful attempts to access privileges occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_dac_modification_fchown", "audit_rules_dac_modification_chmod", "audit_rules_dac_modification_fsetxattr", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_lsetxattr", "audit_rules_dac_modification_fchownat", "audit_access_failed", "audit_rules_dac_modification_chown", "audit_rules_dac_modification_fchmodat", "audit_rules_dac_modification_lchown", "audit_modify_failed", "audit_rules_dac_modification_lremovexattr", "audit_rules_dac_modification_fchmod", "audit_rules_dac_modification_fremovexattr", "audit_create_failed", "audit_rules_dac_modification_setxattr"], "controls": []}, {"id": "CNTR-OS-000170", "levels": ["high"], "notes": "", "title": "Red Hat Enterprise Linux CoreOS (RHCOS) must initiate session audits at system startup.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["coreos_audit_option", "coreos_audit_backlog_limit_kernel_argument"], "controls": []}, {"id": "CNTR-OS-000180", "levels": ["medium"], "notes": "", "title": "All audit records must identify what type of event has occurred within OpenShift.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_auditd_enabled"], "controls": []}, {"id": "CNTR-OS-000190", "levels": ["medium"], "notes": "", "title": "OpenShift audit records must have a date and time association with all events.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_retention_max_log_file_action_stig", "auditd_log_format", "auditd_data_disk_error_action"], "controls": []}, {"id": "CNTR-OS-000200", "levels": ["medium"], "notes": "", "title": "All audit records must generate the event results within OpenShift.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_var_log_audit", "auditd_data_retention_max_log_file_action_stig", "auditd_log_format", "auditd_data_disk_error_action"], "controls": []}, {"id": "CNTR-OS-000210", "levels": ["medium"], "notes": "", "title": "OpenShift must take appropriate action upon an audit failure.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_retention_max_log_file_action_stig", "auditd_log_format", "auditd_data_disk_error_action"], "controls": []}, {"id": "CNTR-OS-000220", "levels": ["medium"], "notes": "", "title": "OpenShift components must provide the ability to send audit logs to a central enterprise repository for review and analysis.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["coreos_audit_option", "coreos_audit_backlog_limit_kernel_argument"], "controls": []}, {"id": "CNTR-OS-000230", "levels": ["medium"], "notes": "", "title": "OpenShift must use internal system clocks to generate audit record time stamps.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["chronyd_or_ntpd_specify_remote_server", "service_chronyd_or_ntpd_enabled"], "controls": []}, {"id": "CNTR-OS-000240", "levels": ["medium"], "notes": "", "title": "The Red Hat Enterprise Linux CoreOS (RHCOS) chrony Daemon must use multiple NTP servers to generate audit record time stamps.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["chronyd_or_ntpd_specify_remote_server", "service_chronyd_or_ntpd_enabled"], "controls": []}, {"id": "CNTR-OS-000250", "levels": ["medium"], "notes": "", "title": "OpenShift must protect audit logs from any type of unauthorized access.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_var_log", "file_ownership_var_log_audit", "file_permissions_var_log_audit", "file_permissions_system_journal", "file_owner_var_log", "file_groupowner_var_log", "file_owner_system_journal", "file_groupowner_system_journal"], "controls": []}, {"id": "CNTR-OS-000260", "levels": ["medium"], "notes": "", "title": "OpenShift must protect system journal file from any type of unauthorized access by setting file permissions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_var_log", "file_ownership_var_log_audit", "file_permissions_var_log_audit", "file_permissions_system_journal", "file_owner_var_log", "file_groupowner_var_log", "file_owner_system_journal", "file_groupowner_system_journal"], "controls": []}, {"id": "CNTR-OS-000270", "levels": ["medium"], "notes": "", "title": "OpenShift must protect system journal file from any type of unauthorized access by setting owner permissions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_var_log", "file_ownership_var_log_audit", "file_permissions_var_log_audit", "file_permissions_system_journal", "file_owner_var_log", "file_groupowner_var_log", "file_owner_system_journal", "file_groupowner_system_journal"], "controls": []}, {"id": "CNTR-OS-000280", "levels": ["medium"], "notes": "", "title": "OpenShift must protect log directory from any type of unauthorized access by setting file permissions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_var_log", "file_ownership_var_log_audit", "file_permissions_var_log_audit", "file_permissions_system_journal", "file_owner_var_log", "file_groupowner_var_log", "file_owner_system_journal", "file_groupowner_system_journal"], "controls": []}, {"id": "CNTR-OS-000290", "levels": ["medium"], "notes": "", "title": "OpenShift must protect log directory from any type of unauthorized access by setting owner permissions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_var_log", "file_ownership_var_log_audit", "file_permissions_var_log_audit", "file_permissions_system_journal", "file_owner_var_log", "file_groupowner_var_log", "file_owner_system_journal", "file_groupowner_system_journal"], "controls": []}, {"id": "CNTR-OS-000300", "levels": ["medium"], "notes": "", "title": "OpenShift must protect pod log files from any type of unauthorized access by setting owner permissions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_var_log", "file_ownership_var_log_audit", "file_permissions_var_log_audit", "file_permissions_system_journal", "file_owner_var_log", "file_groupowner_var_log", "file_owner_system_journal", "file_groupowner_system_journal"], "controls": []}, {"id": "CNTR-OS-000310", "levels": ["medium"], "notes": "", "title": "OpenShift must protect audit information from unauthorized modification.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_immutable"], "controls": []}, {"id": "CNTR-OS-000320", "levels": ["medium"], "notes": "", "title": "OpenShift must prevent unauthorized changes to logon UIDs.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_immutable_login_uids"], "controls": []}, {"id": "CNTR-OS-000330", "levels": ["medium"], "notes": "", "title": "OpenShift must protect audit tools from unauthorized access.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_immutable_login_uids"], "controls": []}, {"id": "CNTR-OS-000340", "levels": ["medium"], "notes": "", "title": "OpenShift must use FIPS-validated cryptographic mechanisms to protect the integrity of log information.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000360", "levels": ["medium"], "notes": "", "title": "OpenShift must verify container images.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000380", "levels": ["medium"], "notes": "Satisfies SRG-APP-000141-CTR-000320", "title": "OpenShift must contain only container images for those capabilities being offered by the container platform.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": "The admin needs to validate whether the container platform images available are requried.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["reject_unsigned_images_by_default", "ocp_allowed_registries_for_import", "ocp_allowed_registries", "ocp_insecure_registries", "ocp_insecure_allowed_registries_for_import"], "rules": [], "controls": []}, {"id": "CNTR-OS-000390", "levels": ["medium"], "notes": "Satisfies SRG-APP-000142-CTR-000325", "title": "OpenShift runtime must enforce ports, protocols, and services that adhere to the PPSM CAL.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": "The admin needs to verify the accreditation documentation and register OpenShift's ports,\nprotocols, and services with PPSM.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000400", "levels": ["high"], "notes": "", "title": "OpenShift must disable root and terminate network connections.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_root_login"], "controls": []}, {"id": "CNTR-OS-000430", "levels": ["medium"], "notes": "Satisfies SRG-APP-000149-CTR-000355, SRG-APP-000150-CTR-000360", "title": "OpenShift must use multifactor authentication for network access to accounts.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "CNTR-OS-000440", "levels": ["medium"], "notes": "Verify the authentication operator is configured to use a secure transport\nto an OpenIDConnect provider.", "title": "OpenShift must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000460", "levels": ["high"], "notes": "Satisfies SRG-APP-000172-CTR-000440, SRG-APP-000024-CTR-000060, SRG-APP-000025-CTR-000065, SRG-APP-000065-CTR-000115, SRG-APP-000151-CTR-000365, SRG-APP-000152-CTR-000370, SRG-APP-000157-CTR-000385, SRG-APP-000163-CTR-000395, SRG-APP-000164-CTR-000400, SRG-APP-000165-CTR-000405, SRG-APP-000166-CTR-000410, SRG-APP-000167-CTR-000415, SRG-APP-000168-CTR-000420, SRG-APP-000169-CTR-000425, SRG-APP-000170-CTR-000430, SRG-APP-000171-CTR-000435, SRG-APP-000173-CTR-000445, SRG-APP-000174-CTR-000450, SRG-APP-000177-CTR-000465, SRG-APP-000317-CTR-000735, SRG-APP-000318-CTR-000740, SRG-APP-000345-CTR-000785, SRG-APP-000391-CTR-000935, SRG-APP-000397-CTR-000955, SRG-APP-000401-CTR-000965, SRG-APP-000402-CTR-000970", "title": "OpenShift must use FIPS validated LDAP or OpenIDConnect.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "CNTR-OS-000490", "levels": ["medium"], "notes": "", "title": "OpenShift must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_root_login"], "controls": []}, {"id": "CNTR-OS-000500", "levels": ["medium"], "notes": "Satisfies SRG-APP-000211-CTR-000530. We cannot have an automated check for this rule at the moment. https://github.com/ComplianceAsCode/content/pull/10742", "title": "OpenShift must separate user functionality (including user interface services) from information system management functionality.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000510", "levels": ["high"], "notes": "", "title": "OpenShift must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 validated cryptography.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000540", "levels": ["medium"], "notes": "", "title": "OpenShift runtime must isolate security functions from nonsecurity functions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["selinux_policytype", "coreos_enable_selinux_kernel_argument", "selinux_state"], "controls": []}, {"id": "CNTR-OS-000560", "levels": ["medium"], "notes": "", "title": "OpenShift must prevent unauthorized and unintended information transfer via shared system resources and enable page poisoning.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["coreos_vsyscall_kernel_argument", "sysctl_kernel_perf_event_paranoid", "coreos_page_poison_kernel_argument", "sysctl_kernel_dmesg_restrict", "coreos_slub_debug_kernel_argument"], "controls": []}, {"id": "CNTR-OS-000570", "levels": ["medium"], "notes": "", "title": "OpenShift must disable virtual syscalls.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["coreos_vsyscall_kernel_argument", "sysctl_kernel_perf_event_paranoid", "coreos_page_poison_kernel_argument", "sysctl_kernel_dmesg_restrict", "coreos_slub_debug_kernel_argument"], "controls": []}, {"id": "CNTR-OS-000580", "levels": ["medium"], "notes": "", "title": "OpenShift must enable poisoning of SLUB/SLAB objects.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["coreos_vsyscall_kernel_argument", "sysctl_kernel_perf_event_paranoid", "coreos_page_poison_kernel_argument", "sysctl_kernel_dmesg_restrict", "coreos_slub_debug_kernel_argument"], "controls": []}, {"id": "CNTR-OS-000590", "levels": ["medium"], "notes": "", "title": "OpenShift must set the sticky bit for world-writable directories.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["coreos_vsyscall_kernel_argument", "sysctl_kernel_perf_event_paranoid", "coreos_page_poison_kernel_argument", "sysctl_kernel_dmesg_restrict", "coreos_slub_debug_kernel_argument"], "controls": []}, {"id": "CNTR-OS-000600", "levels": ["medium"], "notes": "", "title": "OpenShift must restrict access to the kernel buffer.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["coreos_vsyscall_kernel_argument", "sysctl_kernel_perf_event_paranoid", "coreos_page_poison_kernel_argument", "sysctl_kernel_dmesg_restrict", "coreos_slub_debug_kernel_argument"], "controls": []}, {"id": "CNTR-OS-000610", "levels": ["medium"], "notes": "", "title": "OpenShift must prevent kernel profiling.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["coreos_vsyscall_kernel_argument", "sysctl_kernel_perf_event_paranoid", "coreos_page_poison_kernel_argument", "sysctl_kernel_dmesg_restrict", "coreos_slub_debug_kernel_argument"], "controls": []}, {"id": "CNTR-OS-000620", "levels": ["medium"], "notes": "", "title": "OpenShift must restrict individuals the ability to launch organizational-defined Denial-of-Service (DOS) attacks against other information systems by setting a default Resource Quota.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000630", "levels": ["medium"], "notes": "", "title": "OpenShift must restrict individuals the ability to launch organizational-defined Denial-of-Service (DOS) attacks against other information systems by rate-limiting.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000650", "levels": ["low"], "notes": "", "title": "OpenShift must display an explicit logout message indicating the reliable termination of authenticated communication sessions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000660", "levels": ["high"], "notes": "", "title": "Container images instantiated by OpenShift must execute using least privileges.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000670", "levels": ["low"], "notes": "", "title": "Red Hat Enterprise Linux CoreOS (RHCOS) must allocate audit record storage capacity to store at least one weeks' worth of audit records, when audit records are not immediately sent to a central audit record storage facility.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_retention_max_log_file_action_stig", "auditd_log_format", "partition_for_var_log_audit", "auditd_data_disk_error_action"], "controls": []}, {"id": "CNTR-OS-000690", "levels": ["medium"], "notes": "This needs further investigation: CMP-2437", "title": "OpenShift must configure Alert Manger Receivers to notify SA and ISSO of all audit failure events requiring real-time alerts.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000720", "levels": ["medium"], "notes": "", "title": "OpenShift must enforce access restrictions and support auditing of the enforcement actions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_suid_privilege_function"], "controls": []}, {"id": "CNTR-OS-000740", "levels": ["medium"], "notes": "", "title": "OpenShift must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000760", "levels": ["medium"], "notes": "", "title": "OpenShift must set server token max age no greater than eight hours.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000770", "levels": ["medium"], "notes": "", "title": "Vulnerability scanning applications must implement privileged access authorization to all OpenShift components, containers, and container images for selected organization-defined vulnerability scanning activities.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000780", "levels": ["medium"], "notes": "", "title": "OpenShift keystore must implement encryption to prevent unauthorized disclosure of information at rest within the container platform.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000800", "levels": ["medium"], "notes": "", "title": "OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by employing organization-defined security safeguards by including a default resource quota.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000810", "levels": ["medium"], "notes": "", "title": "OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by defining resource quotas on a namespace.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["bios_enable_execution_restrictions", "sysctl_kernel_randomize_va_space"], "controls": []}, {"id": "CNTR-OS-000820", "levels": ["medium"], "notes": "This item is manual and kindof vague by design as e.g. with passthrough TLS, the TLS settings\nmust be checked in the app anyway.", "title": "OpenShift must protect the confidentiality and integrity of transmitted information.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000860", "levels": ["medium"], "notes": "", "title": "Red Hat Enterprise Linux CoreOS (RHCOS) must implement nonexecutable data to protect its memory from unauthorized code execution.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["bios_enable_execution_restrictions", "sysctl_kernel_randomize_va_space"], "controls": []}, {"id": "CNTR-OS-000870", "levels": ["medium"], "notes": "", "title": "Red Hat Enterprise Linux CoreOS (RHCOS) must implement ASLR (Address Space Layout Randomization) from unauthorized code execution.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["bios_enable_execution_restrictions", "sysctl_kernel_randomize_va_space"], "controls": []}, {"id": "CNTR-OS-000880", "levels": ["medium"], "notes": "", "title": "OpenShift must remove old components after updated versions have been installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000890", "levels": ["medium"], "notes": "", "title": "OpenShift must contain the latest images with most recent updates and execute within the container platform runtime as authorized by IAVM, CTOs, DTMs, and STIGs.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000900", "levels": ["medium"], "notes": "", "title": "OpenShift runtime must have updates installed within the period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000910", "levels": ["medium"], "notes": "", "title": "The Compliance Operator must be configured.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000920", "levels": ["medium"], "notes": "", "title": "OpenShift must perform verification of the correct operation of security functions: upon startup and/or restart; upon command by a user with privileged access; and/or every 30 days.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-000930", "levels": ["medium"], "notes": "", "title": "OpenShift must generate audit records when successful/unsuccessful attempts to modify privileges occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_dac_modification_fchown", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_lsetxattr", "audit_rules_kernel_module_loading_delete", "audit_rules_privileged_commands_crontab", "audit_rules_privileged_commands_sudoedit", "audit_rules_usergroup_modification_opasswd", "audit_immutable_login_uids", "audit_rules_privileged_commands_ssh_keysign", "audit_rules_privileged_commands_postqueue", "audit_rules_dac_modification_fremovexattr", "audit_rules_login_events_lastlog", "audit_rules_usergroup_modification_passwd", "audit_rules_privileged_commands_su", "audit_rules_dac_modification_umount2", "audit_rules_execution_setfiles", "audit_rules_sudoers", "audit_rules_file_deletion_events_rename", "audit_rules_dac_modification_fchownat", "audit_rules_usergroup_modification_group", "audit_rules_dac_modification_fchmodat", "audit_rules_dac_modification_lchown", "audit_rules_execution_chcon", "audit_rules_privileged_commands_unix_update", "audit_rules_execution_setsebool", "audit_rules_privileged_commands_postdrop", "audit_rules_privileged_commands_kmod", "audit_rules_privileged_commands_sudo", "audit_rules_privileged_commands_ssh_agent", "audit_rules_privileged_commands_userhelper", "audit_rules_file_deletion_events_renameat", "audit_rules_file_deletion_events_unlink", "audit_rules_usergroup_modification_shadow", "audit_rules_dac_modification_lremovexattr", "audit_rules_kernel_module_loading_init", "audit_rules_execution_chacl", "audit_rules_file_deletion_events_unlinkat", "audit_rules_execution_setfacl", "audit_rules_dac_modification_setxattr", "audit_rules_media_export", "audit_rules_execution_semanage", "audit_rules_privileged_commands_chsh", "audit_rules_dac_modification_chmod", "audit_rules_dac_modification_fsetxattr", "audit_rules_dac_modification_umount", "audit_rules_kernel_module_loading_finit", "audit_rules_privileged_commands_passwd", "audit_rules_sudoers_d", "audit_rules_usergroup_modification_gshadow", "audit_rules_privileged_commands_usermod", "audit_rules_dac_modification_chown", "audit_rules_privileged_commands_unix_chkpwd", "audit_rules_dac_modification_fchmod", "audit_rules_privileged_commands_gpasswd", "audit_rules_file_deletion_events_rmdir", "audit_rules_privileged_commands_newgrp", "audit_rules_privileged_commands_chage", "audit_rules_privileged_commands_pam_timestamp_check"], "controls": []}, {"id": "CNTR-OS-000940", "levels": ["medium"], "notes": "", "title": "OpenShift must generate audit records when successful/unsuccessful attempts to modify security objects occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_execution_semanage", "audit_rules_execution_setsebool", "audit_rules_dac_modification_fsetxattr", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_lsetxattr", "audit_rules_usergroup_modification_opasswd", "audit_rules_dac_modification_lremovexattr", "audit_rules_dac_modification_fremovexattr", "audit_rules_execution_setfiles", "audit_rules_execution_chcon"], "controls": []}, {"id": "CNTR-OS-000950", "levels": ["medium"], "notes": "", "title": "OpenShift must generate audit records when successful/unsuccessful attempts to delete privileges occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_dac_modification_fchown", "audit_rules_dac_modification_removexattr", "audit_rules_privileged_commands_pt_chown", "audit_rules_dac_modification_fremovexattr", "audit_rules_usergroup_modification_passwd", "audit_rules_privileged_commands_su", "audit_rules_file_deletion_events_rename", "audit_rules_sudoers", "audit_rules_dac_modification_fchownat", "audit_rules_usergroup_modification_group", "audit_rules_dac_modification_fchmodat", "audit_rules_dac_modification_lchown", "audit_rules_privileged_commands_sudo", "audit_rules_file_deletion_events_renameat", "audit_rules_file_deletion_events_unlink", "audit_rules_usergroup_modification_shadow", "audit_rules_dac_modification_lremovexattr", "audit_rules_file_deletion_events_unlinkat", "audit_rules_execution_chacl", "audit_rules_dac_modification_chmod", "audit_rules_usergroup_modification_gshadow", "audit_rules_sudoers_d", "audit_rules_privileged_commands_usermod", "audit_rules_dac_modification_chown", "audit_rules_dac_modification_fchmod", "audit_rules_file_deletion_events_rmdir"], "controls": []}, {"id": "CNTR-OS-000960", "levels": ["medium"], "notes": "", "title": "OpenShift must generate audit records when successful/unsuccessful attempts to delete security objects occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_dac_modification_fsetxattr", "audit_rules_file_deletion_events_rename", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_lsetxattr", "audit_rules_privileged_commands_pt_chown", "audit_rules_file_deletion_events_renameat", "audit_rules_file_deletion_events_unlink", "audit_delete_failed", "audit_rules_dac_modification_lremovexattr", "audit_rules_file_deletion_events_rmdir", "audit_rules_privileged_commands_chage", "audit_rules_file_deletion_events_unlinkat", "audit_rules_execution_chcon"], "controls": []}, {"id": "CNTR-OS-000970", "levels": ["medium"], "notes": "", "title": "OpenShift must generate audit records when successful/unsuccessful logon attempts occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_sudoers", "audit_rules_login_events_tallylog", "audit_rules_usergroup_modification_gshadow", "audit_rules_sudoers_d", "audit_rules_login_events_faillock", "audit_rules_usergroup_modification_opasswd", "audit_rules_usergroup_modification_group", "audit_rules_usergroup_modification_shadow", "audit_rules_login_events_lastlog", "audit_rules_usergroup_modification_passwd"], "controls": []}, {"id": "CNTR-OS-000980", "levels": ["medium"], "notes": "", "title": "Red Hat Enterprise Linux CoreOS (RHCOS) must be configured to audit the loading and unloading of dynamic kernel modules.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_kernel_module_loading_delete", "audit_rules_kernel_module_loading_init", "audit_rules_kernel_module_loading_finit", "audit_rules_privileged_commands_kmod"], "controls": []}, {"id": "CNTR-OS-000990", "levels": ["medium"], "notes": "", "title": "OpenShift audit records must record user access start and end times.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_session_events"], "controls": []}, {"id": "CNTR-OS-001000", "levels": ["medium"], "notes": "", "title": "OpenShift must generate audit records when concurrent logons from different workstations and systems occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_login_events_faillock", "audit_rules_login_events_lastlog"], "controls": []}, {"id": "CNTR-OS-001010", "levels": ["high"], "notes": "", "title": "Red Hat Enterprise Linux CoreOS (RHCOS) must disable SSHD service.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_usb-storage_disabled", "service_usbguard_enabled", "usbguard_allow_hid_and_hub", "package_usbguard_installed", "configure_usbguard_auditbackend", "service_sshd_disabled"], "controls": []}, {"id": "CNTR-OS-001020", "levels": ["medium"], "notes": "", "title": "Red Hat Enterprise Linux CoreOS (RHCOS) must disable USB Storage kernel module.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_usb-storage_disabled", "service_usbguard_enabled", "usbguard_allow_hid_and_hub", "package_usbguard_installed", "configure_usbguard_auditbackend", "service_sshd_disabled"], "controls": []}, {"id": "CNTR-OS-001030", "levels": ["medium"], "notes": "", "title": "Red Hat Enterprise Linux CoreOS (RHCOS) must use USBGuard for hosts that include a USB Controller.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_usb-storage_disabled", "service_usbguard_enabled", "usbguard_allow_hid_and_hub", "package_usbguard_installed", "configure_usbguard_auditbackend", "service_sshd_disabled"], "controls": []}, {"id": "CNTR-OS-001060", "levels": ["medium"], "notes": "", "title": "OpenShift must continuously scan components, containers, and images for vulnerabilities.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "CNTR-OS-001080", "levels": ["medium"], "notes": "", "title": "OpenShift must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (nonlegacy use).", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}], "levels": [{"id": "high", "inherits_from": null}, {"id": "medium", "inherits_from": null}, {"id": "low", "inherits_from": null}]}