{"id": "srg_ctr", "policy": "Container Platform Security Requirements Guide", "title": "Container Platform Security Requirements Guide", "source": "https://www.cyber.mil/stigs/downloads/", "definition_location": "/aptdata/openscap/scap-security-guide/controls/srg_ctr.yml", "controls": [{"id": "SRG-APP-000402-CTR-000970", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must accept Personal Identity Verification (PIV) credentials from other federal agencies.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000091-CTR-000160", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records when successful/unsuccessful attempts to access privileges occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_profile_set"], "rules": ["audit_rules_dac_modification_fsetxattr", "audit_rules_dac_modification_chown", "audit_create_failed", "audit_rules_dac_modification_fchown", "audit_rules_dac_modification_lsetxattr", "audit_access_failed", "audit_rules_dac_modification_lremovexattr", "audit_rules_dac_modification_chmod", "audit_rules_dac_modification_fchmod", "audit_modify_failed", "audit_rules_dac_modification_lchown", "audit_rules_dac_modification_fchownat", 
"audit_rules_dac_modification_fremovexattr", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_fchmodat", "audit_rules_dac_modification_setxattr"], "controls": []}, {"id": "SRG-APP-000358-CTR-000805", "levels": ["medium"], "notes": "", "title": "Audit records must be stored at a secondary location.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000456-CTR-001125", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 registry must contain the latest images with most recent updates and execute within the container platform runtime as authorized by IAVM, CTOs, DTMs, and STIGs. ", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000141-CTR-000315", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must be configured with only essential configurations.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_usbguard_enabled", "kernel_module_usb-storage_disabled", "service_sshd_disabled", "configure_usbguard_auditbackend", "package_usbguard_installed", "usbguard_allow_hid_and_hub"], "controls": []}, {"id": "SRG-APP-000096-CTR-000175", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 audit records must have a date and time association with all events.", "description": null, "rationale": null, "automated": 
"yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_profile_set"], "rules": ["auditd_log_format", "auditd_data_retention_max_log_file_action_stig", "auditd_data_disk_error_action"], "controls": []}, {"id": "SRG-APP-000320-CTR-000750", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit rules to capture account creation, modification, disabling, removal and enabling actions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": "Apply the machine config using the following command:\n\nfor mcpool in $(oc get mcp -oname | sed \"s:.*/::\" ); do\necho \"apiVersion: machineconfiguration.openshift.io/v1\nkind: MachineConfig\nmetadata:\n  name: 75-account-modifications-rules-$mcpool\n  labels:\n    machineconfiguration.openshift.io/role: $mcpool\nspec:\n  config:\n    ignition:\n      version: 3.1.0\n    storage:\n      files:\n      - contents:\n          source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A\n        mode: 0644\n        path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        
mode: 0644\n        path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules\n        overwrite: true\n\" | oc apply -f -\ndone", "check": "Verify the audit rules capture account creation, modification, disabling, removal and enabling actions by executing the following:\n\nfor node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n \"$HOSTNAME \"; grep -e user-modify -e group-modify -e audit_rules_usergroup_modification /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done\n\nConfirm the following rules exist on each node:\n-w /etc/group -p wa -k audit_rules_usergroup_modification\n-w /etc/gshadow -p wa -k audit_rules_usergroup_modification\n-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification\n-w /etc/passwd -p wa -k audit_rules_usergroup_modification\n-w /etc/shadow -p wa -k audit_rules_usergroup_modification\n\nIf the above rules are not listed on each node, this is a finding.", "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": ["audit_rules_sysadmin_actions", "audit_rules_usergroup_modification"], "controls": []}, {"id": "SRG-APP-000492-CTR-001220", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records when successful/unsuccessful attempts to access security objects occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, 
"status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_profile_set"], "rules": ["audit_rules_dac_modification_fsetxattr", "audit_rules_dac_modification_chown", "audit_create_failed", "audit_rules_dac_modification_fchown", "audit_rules_dac_modification_lsetxattr", "audit_access_failed", "audit_rules_dac_modification_lremovexattr", "audit_rules_dac_modification_chmod", "audit_rules_dac_modification_fchmod", "audit_modify_failed", "audit_rules_dac_modification_lchown", "audit_rules_dac_modification_fchownat", "audit_rules_dac_modification_fremovexattr", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_fchmodat", "audit_rules_dac_modification_setxattr"], "controls": []}, {"id": "SRG-APP-000294-CTR-000690", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit rules to capture account creation, modification, disabling, removal and enabling actions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": "Apply the machine config using the following command:\n\nfor mcpool in $(oc get mcp -oname | sed \"s:.*/::\" ); do\necho \"apiVersion: machineconfiguration.openshift.io/v1\nkind: MachineConfig\nmetadata:\n  name: 75-account-modifications-rules-$mcpool\n  labels:\n    machineconfiguration.openshift.io/role: $mcpool\nspec:\n  config:\n    ignition:\n      version: 3.1.0\n    storage:\n      files:\n      - contents:\n          source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A\n        mode: 0644\n        path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: 
/etc/audit/rules.d/30-etc_group_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules\n        overwrite: true\n\" | oc apply -f -\ndone", "check": "Verify the audit rules capture account creation, modification, disabling, removal and enabling actions by executing the following:\n\nfor node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n \"$HOSTNAME \"; grep -e user-modify -e group-modify -e audit_rules_usergroup_modification /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done\n\nConfirm the following rules exist on each node:\n-w /etc/group -p wa -k audit_rules_usergroup_modification\n-w /etc/gshadow -p wa -k audit_rules_usergroup_modification\n-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification\n-w /etc/passwd -p wa -k audit_rules_usergroup_modification\n-w /etc/shadow -p wa -k audit_rules_usergroup_modification\n\nIf the above rules are not listed on each node, this is a finding.", "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", 
"ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": ["audit_rules_sysadmin_actions", "audit_rules_usergroup_modification"], "controls": []}, {"id": "SRG-APP-000097-CTR-000180", "levels": ["medium"], "notes": "", "title": "All audit records must identify where in the container platform the event occurred.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_profile_set"], "rules": ["auditd_log_format", "auditd_data_retention_max_log_file_action_stig", "auditd_data_disk_error_action"], "controls": []}, {"id": "SRG-APP-000317-CTR-000735", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must terminate shared/group account credentials when members leave the group.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000163-CTR-000395", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. 
Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000120-CTR-000250", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must protect audit information from unauthorized deletion.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_log_forwarding_uses_tls", "audit_profile_set", "directory_permissions_var_log_kube_audit", "directory_permissions_var_log_oauth_audit", "directory_permissions_var_log_ocp_audit"], "rules": ["audit_rules_immutable"], "controls": []}, {"id": "SRG-APP-000233-CTR-000585", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 runtime must isolate security functions from non-security functions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["selinux_policytype", "selinux_state", "coreos_enable_selinux_kernel_argument"], "controls": []}, {"id": "SRG-APP-000380-CTR-000900", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must enforce access restrictions for container platform configuration changes.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_profile_set"], 
"rules": [], "controls": []}, {"id": "SRG-APP-000516-CTR-001330", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must be able to store and instantiate industry standard container images.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "Supporting evidence is in the following documentation\nhttps://docs.openshift.com/container-platform/latest/architecture/architecture.html", "status_justification": "Red Hat OpenShift leverages CRI-O as its runtime which was designed as a container engine specifically to work with Kubernetes and can run the legacy Docker container format as well as the newer industry standard OCI container image format", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000496-CTR-001240", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records when successful/unsuccessful attempts to modify security objects occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_profile_set"], "rules": ["audit_rules_dac_modification_fsetxattr", "audit_rules_dac_modification_lsetxattr", "audit_rules_dac_modification_lremovexattr", "audit_rules_execution_setsebool", "audit_rules_execution_chcon", "audit_rules_execution_semanage", "audit_rules_execution_setfiles", "audit_rules_usergroup_modification_opasswd", "audit_rules_dac_modification_fremovexattr", "audit_rules_dac_modification_removexattr"], "controls": []}, {"id": "SRG-APP-000033-CTR-000090", "levels": ["medium"], "notes": "", "title": "Least privilege access and need to know must be required to access the container platform registry.", "description": null, "rationale": null, "automated": 
"no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000383-CTR-000910", "levels": ["medium"], "notes": "", "title": "All non-essential, unnecessary, and unsecure DoD ports, protocols, and services must be disabled in the container platform.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "Supporting evidence is in the following documentation\n\nhttps://docs.openshift.com/container-platform/latest/installing/installing_bare_metal/installing-bare-metal.html#installation-network-user-infra_installing-bare-metal", "status_justification": "The container platform inherently only exposes the ports which are needed and adhere to DoD standards. By default all communications use two-way TLS. A full list is available here:\n\nhttps://docs.openshift.com/container-platform/latest/installing/installing_bare_metal/installing-bare-metal.html#installation-network-user-infra_installing-bare-metal", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000156-CTR-000380", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000148-CTR-000350", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 application program interface (API) must uniquely identify and 
authenticate processes acting on behalf of the users.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000165-CTR-000405", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must prohibit password reuse for a minimum of 10 generations.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000374-CTR-000865", "levels": ["medium"], "notes": "", "title": "All audit records must use UTC or GMT time stamps.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "Supporting evidence is in the following documentation\nhttps://docs.openshift.com/container-platform/latest/security/audit-log-view.html", "status_justification": "Openshift Container Platform conforms to DoD/DISA requirements regarding audit log fields.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_profile_set"], "rules": [], "controls": []}, {"id": "SRG-APP-000149-CTR-000355", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must use multifactor authentication for network access to privileged 
accounts.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000014-CTR-000035", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must use TLS 1.2 or greater for secure container image transport from trusted sources.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["fips_mode_enabled_on_all_nodes"], "rules": [], "controls": []}, {"id": "SRG-APP-000065-CTR-000115", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. 
Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000414-CTR-001010", "levels": ["medium"], "notes": "", "title": "Vulnerability scanning applications must implement privileged access authorization to all container platform components, containers, and container images for selected organization-defined vulnerability scanning activities.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": "Create a service account if one does not already exist in the appropriate namespace.\n\n> oc create serviceaccount <NAME>\n\nBind to the appropriate cluster RBAC role\n\n> oc adm policy add-cluster-role-to-user <ROLE> -z <NAME>\n\nFor more information see the following guides:\n\nhttps://docs.openshift.com/container-platform/latest/authentication/using-rbac.html\nhttps://docs.openshift.com/container-platform/latest/authentication/understanding-and-creating-service-accounts.html\nhttps://docs.openshift.com/container-platform/latest/authentication/using-service-accounts-in-applications.html", "check": "Identify the service accounts used by the vulnerability scanning tools. 
If the tool runs as a container on the platform, then service account information can be found in the pod details.\n> oc get pod <POD_ID> -o jsonpath='{.spec.serviceAccount}{\"\\n\"}'\n\nView cluster role bindings to determine which role the service account is bound to.\n> oc get clusterrolebinding -ojson | jq '.items[]|select(.subjects[]?|select(.kind == \"ServiceAccount\" and .name == \"<SA_NAME>\"))|{ \"crb\": .metadata.name, \"roleRef\": .roleRef, \"subjects\": .subjects}'\nFind the role to which the service account is bound. If the service account is not bound to a cluster role, or the role does not provide sufficient access, this is a finding. If no service account exists for the vulnerability scanning tool, this is also a finding.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000635-CTR-001405", "levels": ["high"], "notes": "", "title": "Ubuntu 22.04 must use a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000412-CTR-001000", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must configure web management tools and Application Program Interfaces (API) with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], 
"controls": []}, {"id": "SRG-APP-000025-CTR-000065", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must automatically disable accounts after a 35-day period of account inactivity.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000450-CTR-001105", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must implement organization-defined security safeguards to protect system CPU and memory from resource depletion and unauthorized code execution.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_kernel_randomize_va_space", "bios_enable_execution_restrictions"], "controls": []}, {"id": "SRG-APP-000092-CTR-000165", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must initiate session auditing upon startup.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["coreos_audit_backlog_limit_kernel_argument", "coreos_audit_option"], "controls": []}, {"id": "SRG-APP-000447-CTR-001100", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must behave 
in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "Supporting evidence is in the following documentation\nhttps://docs.openshift.com/container-platform/latest/rest_api/understanding-compatibility-guidelines.html", "status_justification": "All changes to the system go through the API Server, which is protected through transport security (TLS), as well as authentication, authorization, and additional admission controllers. These security mechanisms are configured out of the box with strong security controls but can be even further limited to enforce least privilege. Additionally, the API Server safeguards against unintended consequences by rejecting invalid inputs and creating audit records of API events. Alerts and logs can also be set up to display changes of API events.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000141-CTR-000320", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 registry must contain only container images for those capabilities being offered by the container platform.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": "Remove all container images from the container platform registry that\nare not being used or contain features and functions not supported by\nthe platform.", "check": "To review the container images within the container platform registry, run the following command:\n> oc get images\nReview the container platform container images to validate that only\nnecessary container images for the functionality of the information\nsystem are present.", "tickets": null, "original_title": null, "related_rules": 
["reject_unsigned_images_by_default", "ocp_allowed_registries_for_import", "ocp_allowed_registries", "ocp_insecure_registries", "ocp_insecure_allowed_registries_for_import"], "rules": [], "controls": []}, {"id": "SRG-APP-000291-CTR-000675", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit rules to capture account creation, modification, disabling, removal and enabling actions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": "Apply the machine config using the following command:\n\nfor mcpool in $(oc get mcp -oname | sed \"s:.*/::\" ); do\necho \"apiVersion: machineconfiguration.openshift.io/v1\nkind: MachineConfig\nmetadata:\n  name: 75-account-modifications-rules-$mcpool\n  labels:\n    machineconfiguration.openshift.io/role: $mcpool\nspec:\n  config:\n    ignition:\n      version: 3.1.0\n    storage:\n      files:\n      - contents:\n          source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A\n        mode: 0644\n        path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          
source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules\n        overwrite: true\n\" | oc apply -f -\ndone", "check": "Verify the audit rules capture account creation, modification, disabling, removal and enabling actions by executing the following:\n\nfor node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n \"$HOSTNAME \"; grep -e user-modify -e group-modify -e audit_rules_usergroup_modification /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done\n\nConfirm the following rules exist on each node:\n-w /etc/group -p wa -k audit_rules_usergroup_modification\n-w /etc/gshadow -p wa -k audit_rules_usergroup_modification\n-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification\n-w /etc/passwd -p wa -k audit_rules_usergroup_modification\n-w /etc/shadow -p wa -k audit_rules_usergroup_modification\n\nIf the above rules are not listed on each node, this is a finding.", "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": ["audit_rules_sysadmin_actions", "audit_rules_usergroup_modification"], "controls": []}, {"id": "SRG-APP-000454-CTR-001110", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must remove old components after updated versions have been installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": 
"SRG-APP-000293-CTR-000685", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit rules to capture account creation, modification, disabling, removal and enabling actions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": "Apply the machine config using the following command:\n\nfor mcpool in $(oc get mcp -oname | sed \"s:.*/::\" ); do\necho \"apiVersion: machineconfiguration.openshift.io/v1\nkind: MachineConfig\nmetadata:\n  name: 75-account-modifications-rules-$mcpool\n  labels:\n    machineconfiguration.openshift.io/role: $mcpool\nspec:\n  config:\n    ignition:\n      version: 3.1.0\n    storage:\n      files:\n      - contents:\n          source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A\n        mode: 0644\n        path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules\n        overwrite: true\n     
 - contents:\n          source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules\n        overwrite: true\n\" | oc apply -f -\ndone", "check": "Verify the audit rules capture account creation, modification, disabling, removal and enabling actions by executing the following:\n\nfor node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n \"$HOSTNAME \"; grep -e user-modify -e group-modify -e audit_rules_usergroup_modification /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done\n\nConfirm the following rules exist on each node:\n-w /etc/group -p wa -k audit_rules_usergroup_modification\n-w /etc/gshadow -p wa -k audit_rules_usergroup_modification\n-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification\n-w /etc/passwd -p wa -k audit_rules_usergroup_modification\n-w /etc/shadow -p wa -k audit_rules_usergroup_modification\n\nIf the above rules are not listed on each node, this is a finding.", "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": ["audit_rules_sysadmin_actions", "audit_rules_usergroup_modification"], "controls": []}, {"id": "SRG-APP-000500-CTR-001260", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records when successful/unsuccessful attempts to delete security levels occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_profile_set"], "rules": ["audit_rules_dac_modification_fsetxattr", "audit_rules_dac_modification_chown", "audit_create_failed", "audit_rules_dac_modification_fchown", "audit_rules_dac_modification_lsetxattr", "audit_access_failed", 
"audit_rules_dac_modification_lremovexattr", "audit_rules_dac_modification_chmod", "audit_rules_dac_modification_fchmod", "audit_modify_failed", "audit_rules_dac_modification_lchown", "audit_rules_dac_modification_fchownat", "audit_rules_dac_modification_fremovexattr", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_fchmodat", "audit_rules_dac_modification_setxattr"], "controls": []}, {"id": "SRG-APP-000343-CTR-000780", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must audit the execution of privileged functions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["directory_access_var_log_kube_audit", "directory_access_var_log_oauth_audit", "directory_access_var_log_ocp_audit"], "rules": ["audit_rules_suid_privilege_function"], "controls": []}, {"id": "SRG-APP-000033-CTR-000100", "levels": ["medium"], "notes": "", "title": "Least privilege access and need to know must be required to access the container platform keystore.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000068-CTR-000120", "levels": ["low"], "notes": "", "title": "Ubuntu 22.04 must display the Standard Mandatory DoD Notice and Consent Banner before granting access to platform components.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000109-CTR-000215", 
"levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must take appropriate action upon an audit failure.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_log_format", "auditd_data_retention_max_log_file_action_stig", "auditd_data_disk_error_action"], "controls": []}, {"id": "SRG-APP-000516-CTR-000790", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must provide the configuration for organization-identified individuals or roles to change the auditing to be performed on all components, based on all selectable event criteria within organization-defined time thresholds.", "description": null, "rationale": null, "automated": "no", "status": "does not meet", "mitigation": "A way of mitigating the control is to set a verbose audit log level, forward the logs off-cluster and then filter or correlate the log information that is needed using SIEM tools such as Elastic.\n\nDocumentation regarding how to forward cluster logs using the Cluster Logging Operator to specific endpoints can be found at: \nhttps://docs.openshift.com/container-platform/latest/logging/cluster-logging.html", "artifact_description": null, "status_justification": "Custom audit policies are not supported. 
However, the WriteRequestBodies (or even AllRequestBodies) policies should satisfy all the information the other controls ask for.\nRed Hat OpenShift supports three different audit policies which are documented at https://docs.openshift.com/container-platform/4.7/security/audit-log-policy-config.html", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000246-CTR-000605", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must restrict individuals' ability to launch organizationally defined denial-of-service (DoS) attacks against other information systems.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000441-CTR-001090", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must maintain the confidentiality and integrity of information during preparation for transmission.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "Supporting evidence is in the following documentation\nhttps://access.redhat.com/articles/5348961", "status_justification": "The OpenShift Container Platform uses TLS encryption for communication with the internal components. Many of these components support additional levels of configuration, such as allowed ciphers and minimum TLS levels. 
Although not all components support this additional configuration, they still use TLS for encryption of the internal communications.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["api_server_client_ca", "api_server_etcd_ca", "api_server_tls_cert", "api_server_tls_private_key", "etcd_peer_cert_file", "etcd_peer_key_file", "kubelet_configure_tls_cert", "kubelet_configure_tls_key", "routes_protected_by_tls"], "rules": [], "controls": []}, {"id": "SRG-APP-000442-CTR-001095", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must maintain the confidentiality and integrity of information during reception.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "Supporting evidence is in the following documentation\nhttps://access.redhat.com/articles/5348961", "status_justification": "The OpenShift Container Platform uses TLS encryption for communication with the internal components. Many of these components support additional levels of configuration, such as allowed ciphers and minimum TLS levels. 
Although not all components support this additional configuration, they still use TLS for encryption of the internal communications.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["api_server_client_ca", "api_server_etcd_ca", "api_server_tls_cert", "api_server_tls_private_key", "etcd_peer_cert_file", "etcd_peer_key_file", "kubelet_configure_tls_cert", "kubelet_configure_tls_key", "routes_protected_by_tls"], "rules": [], "controls": []}, {"id": "SRG-APP-000439-CTR-001080", "levels": ["medium"], "notes": "", "title": "The application must protect the confidentiality and integrity of transmitted information.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": "Delete any Route or Ingress that does not use a secure transport.\n\noc delete route <NAME> -n <NAMESPACE>\n\nor\n\noc delete ingress <NAME> -n <NAMESPACE>", "check": "Verify that routes and ingress are using secured transmission ports and protocols by executing the following:\n\noc get routes --all-namespaces\n\nReview the ingress ports, if the Ingress is not using a secure TLS transport, this is a finding.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000610-CTR-001385", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use).", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000510-CTR-001310", "levels": ["medium"], "notes": "", "title": "The container runtime must generate audit records for all container 
execution, shutdown, restart events, and program initiations.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_profile_set"], "rules": ["service_auditd_enabled"], "controls": []}, {"id": "SRG-APP-000026-CTR-000070", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must automatically audit account creation.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": "Apply the machine config using the following command:\n\nfor mcpool in $(oc get mcp -oname | sed \"s:.*/::\" ); do\necho \"apiVersion: machineconfiguration.openshift.io/v1\nkind: MachineConfig\nmetadata:\n  name: 75-account-modifications-rules-$mcpool\n  labels:\n    machineconfiguration.openshift.io/role: $mcpool\nspec:\n  config:\n    ignition:\n      version: 3.1.0\n    storage:\n      files:\n      - contents:\n          source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A\n        mode: 0644\n        path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: 
/etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules\n        overwrite: true\n\" | oc apply -f -\ndone", "check": "Verify  Red Hat Enterprise Linux CoreOS (RHCOS) generates audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/shadow\".\n\nLogging on as administrator, check the auditing rules in \"/etc/audit/audit.rules\" by executing the following:\n\nfor node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n \"$HOSTNAME: \"; grep /etc/shadow /etc/audit/audit.rules /etc/audit/rules.d/*'; done\n\n(Example output:\n-w /etc/shadow -p wa -k identity)\n\nIf the command does not return a line, or the line is commented out, this is a finding.", "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_sysadmin_actions", "audit_rules_usergroup_modification"], "controls": []}, {"id": "SRG-APP-000243-CTR-000600", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must prevent unauthorized and unintended information transfer via shared system resources.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["coreos_page_poison_kernel_argument", "coreos_vsyscall_kernel_argument", "sysctl_kernel_dmesg_restrict", "coreos_slub_debug_kernel_argument", 
"sysctl_kernel_perf_event_paranoid"], "controls": []}, {"id": "SRG-APP-000118-CTR-000240", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must protect audit information from any type of unauthorized read access.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_log_forwarding_uses_tls", "audit_profile_set", "directory_permissions_var_log_kube_audit", "directory_permissions_var_log_oauth_audit", "directory_permissions_var_log_ocp_audit"], "rules": ["file_groupowner_var_log", "file_ownership_var_log_audit", "file_permissions_var_log_audit", "file_groupowner_system_journal", "file_permissions_var_log", "file_owner_var_log", "file_owner_system_journal", "file_permissions_system_journal"], "controls": []}, {"id": "SRG-APP-000497-CTR-001245", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records when successful/unsuccessful attempts to modify security levels occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_profile_set"], "rules": ["audit_rules_dac_modification_fsetxattr", "audit_rules_dac_modification_lsetxattr", "audit_rules_dac_modification_lremovexattr", "audit_rules_execution_setsebool", "audit_rules_execution_chcon", "audit_rules_execution_semanage", "audit_rules_execution_setfiles", "audit_rules_usergroup_modification_opasswd", "audit_rules_dac_modification_fremovexattr", "audit_rules_dac_modification_removexattr"], "controls": []}, {"id": "SRG-APP-000033-CTR-000095", "levels": ["medium"], "notes": "", "title": "Least privilege access and need to know must be required to access the container 
platform runtime.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000069-CTR-000125", "levels": ["low"], "notes": "", "title": "Ubuntu 22.04 must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage and conditions and take explicit actions to log on for further access.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": "This control is resolved by resolving SRG-APP-000068-CTR-000120", "check": "From a web browser, go to the Openshift web console to login (logout\nif already logged in). Verify that the DOD notice and consent banner is\ndisplayed, and that the user must select 'Ok' before proceeding to the\nlogin page.\n\nIf the DOD notice and consent banner is not displayed, or does not have an\n'Ok' button to acknowledge consent before proceeding, this is a finding.", "tickets": null, "original_title": null, "related_rules": ["classification_banner", "oauth_login_template_set", "oauth_provider_selection_set", "openshift_motd_exists"], "rules": [], "controls": []}, {"id": "SRG-APP-000381-CTR-000905", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must enforce access restrictions and support auditing of the enforcement actions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_suid_privilege_function"], "controls": []}, {"id": "SRG-APP-000152-CTR-000370", "levels": ["medium"], "notes": "", "title": "Ubuntu 
22.04 must use multifactor authentication for local access to non-privileged accounts.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000472-CTR-001170", "levels": ["medium"], "notes": "", "title": "The organization-defined role must verify correct operation of security functions in Ubuntu 22.04.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["file_integrity_exists"], "rules": [], "controls": []}, {"id": "SRG-APP-000435-CTR-001070", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must protect against or limit the effects of all types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000416-CTR-001015", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.", 
"description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000131-CTR-000280", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must be built from verified packages.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "Supporting evidence is in the following documentation\n\nhttps://github.com/openshift/machine-config-operator/blob/master/docs/OSUpgrades.md#questions-and-answers", "status_justification": "Integrity of the OpenShift platform is handled to start by the cluster version operator. Today the CVO will by default GPG verify the integrity of the release image before applying it. The release image contains a sha256 digest of machine-os-content which is used by the MCO for updates. On the host, the container runtime podman verifies the integrity of that sha256 when pulling the image, before the MCO reads its content. 
Hence, there is end-to-end GPG-verified integrity for the operating system updates (as well as the rest of the cluster components which run as regular containers).\n\nhttps://github.com/openshift/machine-config-operator/blob/master/docs/OSUpgrades.md#questions-and-answers", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["reject_unsigned_images_by_default", "ocp_allowed_registries", "ocp_allowed_registries_for_import"], "rules": [], "controls": []}, {"id": "SRG-APP-000378-CTR-000885", "levels": ["high"], "notes": "", "title": "Ubuntu 22.04 runtime must prohibit the instantiation of container images without explicit privileged status.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000157-CTR-000385", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. 
Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000148-CTR-000345", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must uniquely identify and authenticate processes acting on behalf of the users.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "Supporting evidence is in the following documentation:\nhttps://cloud.redhat.com/blog/a-guide-to-openshift-and-uids", "status_justification": "OpenShift does not execute containers with a user's account, as users\nof OpenShift do not have accounts on the host operating system. Pods\nare executed using UIDs that do not exist on the system and have no\nprivileges on the host system at all. It is deliberately isolated\nfurther per logical namespace to allow for a mapping of UIDs to\napplications within the context of the API, without allowing for UID\ncollision across logical namespaces.\n\nFor more background information, see: https://cloud.redhat.com/blog/a-guide-to-openshift-and-uids", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000150-CTR-000360", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must use multifactor authentication for network access to non-privileged accounts.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. 
Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000384-CTR-000915", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must prevent component execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["reject_unsigned_images_by_default", "ocp_allowed_registries", "ocp_allowed_registries_for_import"], "rules": [], "controls": []}, {"id": "SRG-APP-000514-CTR-001315", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must use a valid FIPS 140-2 approved cryptographic modules to generate hashes.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000499-CTR-001255", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records when successful/unsuccessful attempts to delete privileges occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_profile_set"], "rules": ["audit_rules_dac_modification_lremovexattr", "audit_rules_dac_modification_fchmod", 
"audit_rules_file_deletion_events_renameat", "audit_rules_dac_modification_lchown", "audit_rules_privileged_commands_pt_chown", "audit_rules_file_deletion_events_rmdir", "audit_rules_usergroup_modification_passwd", "audit_rules_sudoers", "audit_rules_usergroup_modification_group", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_fchmodat", "audit_rules_dac_modification_chmod", "audit_rules_dac_modification_chown", "audit_rules_file_deletion_events_unlinkat", "audit_rules_usergroup_modification_shadow", "audit_rules_file_deletion_events_unlink", "audit_rules_dac_modification_fremovexattr", "audit_rules_privileged_commands_usermod", "audit_rules_usergroup_modification_gshadow", "audit_rules_file_deletion_events_rename", "audit_rules_privileged_commands_su", "audit_rules_dac_modification_fchownat", "audit_rules_execution_chacl", "audit_rules_sudoers_d", "audit_rules_dac_modification_fchown", "audit_rules_privileged_commands_sudo"], "controls": []}, {"id": "SRG-APP-000342-CTR-000775", "levels": ["medium"], "notes": "", "title": "Container images instantiated by the container platform must execute using least privileges.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000133-CTR-000295", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must limit privileges to the container platform runtime.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000319-CTR-000745", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit rules 
to capture account creation, modification, disabling, removal and enabling actions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": "Apply the machine config using the following command:\n\nfor mcpool in $(oc get mcp -oname | sed \"s:.*/::\" ); do\necho \"apiVersion: machineconfiguration.openshift.io/v1\nkind: MachineConfig\nmetadata:\n  name: 75-account-modifications-rules-$mcpool\n  labels:\n    machineconfiguration.openshift.io/role: $mcpool\nspec:\n  config:\n    ignition:\n      version: 3.1.0\n    storage:\n      files:\n      - contents:\n          source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A\n        mode: 0644\n        path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n  
      mode: 0644\n        path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules\n        overwrite: true\n\" | oc apply -f -\ndone", "check": "Verify the audit rules capture account creation, modification, disabling, removal and enabling actions by executing the following:\n\nfor node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n \"$HOSTNAME \"; grep -e user-modify -e group-modify -e audit_rules_usergroup_modification /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done\n\nConfirm the following rules exist on each node:\n-w /etc/group -p wa -k audit_rules_usergroup_modification\n-w /etc/gshadow -p wa -k audit_rules_usergroup_modification\n-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification\n-w /etc/passwd -p wa -k audit_rules_usergroup_modification\n-w /etc/shadow -p wa -k audit_rules_usergroup_modification\n\nIf the above rules are not listed on each node, this is a finding.", "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": ["audit_rules_sysadmin_actions", "audit_rules_usergroup_modification"], "controls": []}, {"id": "SRG-APP-000502-CTR-001270", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records when successful/unsuccessful attempts to delete categories of information (e.g., classification levels) occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_profile_set"], "rules": ["audit_rules_dac_modification_fsetxattr", "audit_rules_unsuccessful_file_modification_unlink", "audit_delete_failed", "audit_rules_dac_modification_lsetxattr", "audit_rules_file_deletion_events_unlinkat", "audit_rules_dac_modification_lremovexattr", 
"audit_rules_unsuccessful_file_modification_unlinkat", "audit_rules_privileged_commands_chage", "audit_rules_execution_chcon", "audit_rules_file_deletion_events_rename", "audit_rules_file_deletion_events_renameat", "audit_rules_unsuccessful_file_modification_rename", "audit_rules_privileged_commands_pt_chown", "audit_rules_unsuccessful_file_modification_renameat", "audit_rules_file_deletion_events_rmdir", "audit_rules_file_deletion_events_unlink", "audit_rules_dac_modification_removexattr"], "controls": []}, {"id": "SRG-APP-000226-CTR-000575", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must preserve any information necessary to determine the cause of the disruption or failure.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "Supporting evidence is in the following documentation\nhttps://docs.openshift.com/container-platform/latest/support/gathering-cluster-data.html", "status_justification": "In the event that there is a failure or disruption to the OpenShift platform, the information necessary to identify the cause is preserved. The cluster state (resource definitions) is preserved by etcd; audit and system logs are preserved via the journald service at the node level. 
The following guide provides steps on how to gather cluster data in order to investigate issues with the cluster.\nhttps://docs.openshift.com/container-platform/latest/support/gathering-cluster-data.html", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000133-CTR-000310", "levels": ["medium"], "notes": "", "title": "Authentication files for the container platform must be protected.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000023-CTR-000055", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must use a centralized user management solution to support account management functions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000177-CTR-000465", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must map the authenticated identity to the individual user or group account for PKI-based authentication.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. 
Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000164-CTR-000400", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must enforce a minimum 15-character password length.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000190-CTR-000500", "levels": ["medium"], "notes": "", "title": "The application must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity;", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_root_login"], "controls": []}, {"id": "SRG-APP-000185-CTR-000490", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": 
null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_sshd_disabled"], "rules": [], "controls": []}, {"id": "SRG-APP-000509-CTR-001305", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit rules to capture account creation, modification, disabling, removal and enabling actions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": "Apply the machine config using the following command:\n\nfor mcpool in $(oc get mcp -oname | sed \"s:.*/::\" ); do\necho \"apiVersion: machineconfiguration.openshift.io/v1\nkind: MachineConfig\nmetadata:\n  name: 75-account-modifications-rules-$mcpool\n  labels:\n    machineconfiguration.openshift.io/role: $mcpool\nspec:\n  config:\n    ignition:\n      version: 3.1.0\n    storage:\n      files:\n      - contents:\n          source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A\n        mode: 0644\n        path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: 
data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules\n        overwrite: true\n\" | oc apply -f -\ndone", "check": "Verify the audit rules capture account creation, modification, disabling, removal and enabling actions by executing the following:\n\nfor node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n \"$HOSTNAME \"; grep -e user-modify -e group-modify -e audit_rules_usergroup_modification /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done\n\nConfirm the following rules exist on each node:\n-w /etc/group -p wa -k audit_rules_usergroup_modification\n-w /etc/gshadow -p wa -k audit_rules_usergroup_modification\n-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification\n-w /etc/passwd -p wa -k audit_rules_usergroup_modification\n-w /etc/shadow -p wa -k audit_rules_usergroup_modification\n\nIf the above rules are not listed on each node, this is a finding.", "tickets": null, "original_title": null, "related_rules": ["audit_profile_set"], "rules": ["audit_rules_sysadmin_actions", "audit_rules_usergroup_modification"], "controls": []}, {"id": "SRG-APP-000454-CTR-001115", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 registry must remove old container images after updating versions have been made available.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000378-CTR-000880", "levels": ["medium"], 
"notes": "", "title": "Ubuntu 22.04 must prohibit the installation of patches and updates without explicit privileged status.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000169-CTR-000425", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must enforce password complexity by requiring that at least one special character be used.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000029-CTR-000085", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must automatically audit account removal actions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": ["audit_rules_privileged_commands_sssd_krb5_child", "audit_rules_privileged_commands_newgrp", "audit_rules_privileged_commands_sssd_ldap_child", "audit_rules_privileged_commands_polkit_helper", "audit_rules_privileged_commands_grub2_set_bootflag", "audit_rules_privileged_commands_mount_nfs", 
"audit_rules_privileged_commands_unix_chkpwd", "audit_rules_privileged_commands_mount", "audit_rules_privileged_commands_fusermount", "audit_rules_privileged_commands_ssh_keysign", "audit_rules_privileged_commands_sssd_selinux_child", "audit_rules_privileged_commands_utempter", "audit_rules_privileged_commands_passwd", "audit_rules_privileged_commands_gpasswd", "audit_rules_privileged_commands_su", "audit_rules_privileged_commands_fusermount3", "audit_rules_privileged_commands_chage", "audit_rules_privileged_commands_dbus_daemon_launch_helper", "audit_rules_privileged_commands_write", "audit_rules_privileged_commands_sssd_proxy_child", "audit_rules_privileged_commands_umount", "audit_rules_privileged_commands_pam_timestamp_check", "audit_rules_privileged_commands_pkexec", "audit_rules_privileged_commands_sudo"], "controls": []}, {"id": "SRG-APP-000498-CTR-001250", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_profile_set"], "rules": ["audit_rules_dac_modification_fsetxattr", "audit_rules_dac_modification_lsetxattr", "audit_rules_dac_modification_lremovexattr", "audit_rules_execution_setsebool", "audit_rules_execution_chcon", "audit_rules_execution_semanage", "audit_rules_execution_setfiles", "audit_rules_usergroup_modification_opasswd", "audit_rules_dac_modification_fremovexattr", "audit_rules_dac_modification_removexattr"], "controls": []}, {"id": "SRG-APP-000126-CTR-000275", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must use FIPS validated cryptographic mechanisms to protect the integrity of log information.", "description": null, 
"rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000495-CTR-001235", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records when successful/unsuccessful attempts to modify privileges occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_profile_set"], "rules": ["audit_rules_dac_modification_fsetxattr", "audit_rules_privileged_commands_newgrp", "audit_rules_dac_modification_lremovexattr", "audit_rules_dac_modification_fchmod", "audit_rules_dac_modification_lchown", "audit_rules_file_deletion_events_renameat", "audit_rules_execution_semanage", "audit_rules_file_deletion_events_rmdir", "audit_rules_usergroup_modification_passwd", "audit_rules_sudoers", "audit_rules_usergroup_modification_group", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_fchmodat", "audit_rules_dac_modification_chmod", "audit_rules_dac_modification_chown", "audit_rules_privileged_commands_postdrop", "audit_rules_media_export", "audit_rules_file_deletion_events_unlinkat", "audit_rules_usergroup_modification_shadow", "audit_rules_execution_setfacl", "audit_rules_privileged_commands_unix_chkpwd", "audit_rules_privileged_commands_crontab", "audit_rules_file_deletion_events_unlink", "audit_rules_unsuccessful_file_modification_ftruncate", "audit_rules_privileged_commands_postqueue", "audit_rules_dac_modification_fremovexattr", "audit_rules_privileged_commands_userhelper", "audit_rules_privileged_commands_unix_update", "audit_immutable_login_uids", "audit_rules_dac_modification_setxattr", 
"audit_rules_privileged_commands_ssh_agent", "audit_rules_privileged_commands_ssh_keysign", "audit_rules_privileged_commands_usermod", "audit_rules_privileged_commands_passwd", "audit_rules_privileged_commands_gpasswd", "audit_rules_usergroup_modification_gshadow", "audit_rules_kernel_module_loading_delete", "audit_rules_execution_chcon", "audit_rules_privileged_commands_sudoedit", "audit_rules_dac_modification_umount2", "audit_rules_file_deletion_events_rename", "audit_rules_unsuccessful_file_modification_open_by_handle_at", "audit_rules_dac_modification_umount", "audit_rules_login_events_lastlog", "audit_rules_execution_setfiles", "audit_rules_dac_modification_fchownat", "audit_rules_execution_chacl", "audit_rules_unsuccessful_file_modification_truncate", "audit_rules_privileged_commands_chsh", "audit_rules_privileged_commands_su", "audit_rules_unsuccessful_file_modification_open", "audit_rules_sudoers_d", "audit_rules_privileged_commands_kmod", "audit_rules_kernel_module_loading_finit", "audit_rules_dac_modification_lsetxattr", "audit_rules_kernel_module_loading_init", "audit_rules_execution_setsebool", "audit_rules_privileged_commands_chage", "audit_rules_unsuccessful_file_modification_openat", "audit_rules_unsuccessful_file_modification_creat", "audit_rules_privileged_commands_pam_timestamp_check", "audit_rules_usergroup_modification_opasswd", "audit_rules_dac_modification_fchown", "audit_rules_privileged_commands_sudo"], "controls": []}, {"id": "SRG-APP-000178-CTR-000470", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "Supporting evidence is in the following 
documentation\n\nhttps://docs.openshift.com/container-platform/latest/authentication/index.html", "status_justification": "The OpenShift Container Platform's web console hides the user's\npassword as it is typed in. The CLI interface also hides the password as it is typed\nvia standard input on the console. To access the API server a user must first authenticate\nand obtain an OAuth token (or an X.509 certificate) in order to send requests to the\nAPI server. In this way, the user's authentication credentials (username/password)\nare protected from discovery.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000431-CTR-001065", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 runtime must maintain separate execution domains for each container by assigning each container a separate address space.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "Supporting evidence is in the following documentation\n\nhttps://docs.openshift.com/container-platform/latest/authentication/using-rbac.html#rbac-default-projects_using-rbac\nhttps://docs.openshift.com/container-platform/latest/authentication/managing-security-context-constraints.html\nhttps://docs.openshift.com/container-platform/latest/authentication/managing-security-context-constraints.html#examining-a-security-context-constraints-object_configuring-internal-oauth", "status_justification": "The control is met because SELinux and namespaces are enabled by 
default.\nhttps://docs.openshift.com/container-platform/latest/authentication/using-rbac.html#rbac-default-projects_using-rbac\nhttps://docs.openshift.com/container-platform/latest/authentication/managing-security-context-constraints.html\nhttps://docs.openshift.com/container-platform/latest/authentication/managing-security-context-constraints.html#examining-a-security-context-constraints-object_configuring-internal-oauth\n- OpenShift comes with a number of default projects, and projects starting with `openshift-` are considered essential to users. Resources in OpenShift should be segregated by project, to allow for security controls to be applied at that level and to make it easier to manage resources. Review projects to ensure that only system managed resources belong in default projects.\noc project < project-name > && oc get all\n- By default, OpenShift also sets a SCC for all authenticated users. Specifically, it sets the restricted SCC by default, which denies access to all host features and requires pods to be run with a UID and SELinux context that are allocated to the project. 
\nTo get all SCC's:\n  oc get scc\nTo describe an SCC, including which users, service accounts, and groups SCC is applied to:\n  oc describe scc <scc-name>", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000121-CTR-000255", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must protect audit tools from unauthorized access.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_log_forwarding_uses_tls", "audit_profile_set", "directory_permissions_var_log_kube_audit", "directory_permissions_var_log_oauth_audit", "directory_permissions_var_log_ocp_audit"], "rules": ["audit_immutable_login_uids"], "controls": []}, {"id": "SRG-APP-000111-CTR-000220", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 components must provide the ability to send audit logs to a central enterprise repository for review and analysis.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000456-CTR-001130", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 runtime must have updates installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "The container platform and underlying operating system regularly release updates alongside Red Hat Security Advisories covering CVE patches. 
These updates are sent out at the same cadence of reliability as Red Hat Enterprise Linux.\n\nThe organization must define how and when to update the container platform, including the synchronization of Red Hat provided updates that patch CVEs to the registry used for the container platform.\n\nUpdate Service Architecture Overview\nhttps://docs.openshift.com/container-platform/latest/architecture/architecture-installation.html#update-service-overview_architecture-installation", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000211-CTR-000530", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must separate user functionality (including user interface services) from information system management functionality.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": "Disable and remove passwords from root and core accounts by executing the following:\n\nfor node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'usermod -p \"*\" root; usermod -p \"*\" core' 2>/dev/null; done\n\nRemove any additional user accounts from the nodes by executing the following:\n\noc debug node/<node> -- chroot /host /bin/bash -c 'userdel <user>'", "check": "Verify that root and core are the only user accounts on the nodes by executing the following:\n\nfor node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n \"$HOSTNAME \"; cat /etc/passwd' 2>/dev/null; done\n\nThe output will look something like\n\n<node_name> root:x:0:0:root:/root:/bin/bash\ncore:x:1000:1000:CoreOS Admin:/var/home/core:/bin/bash\ncontainers:x:993:995:User for housing the sub ID range for containers:/var/home/containers:/sbin/nologin\n\nIf there are any user accounts in addition to root, containers and core, this is a finding.\n\nVerify the root and 
core users are set to disable password logon by executing the following:\n\nfor node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n \"$HOSTNAME \"; grep -e \"^root\" -e \"^core\" /etc/shadow' 2>/dev/null; done\n\nThe output will look something like\n<node_name>\nroot:*:18367:0:99999:7:::\ncore:*:18939:0:99999:7:::\n\nIf the password entry has anything other than '*', this is a finding.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000024-CTR-000060", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must automatically remove or disable temporary user accounts after 72 hours.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. 
Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000142-CTR-000325", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 runtime must enforce ports, protocols, and services that adhere to the PPSM CAL.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": "Verify the accreditation documentation lists all interfaces and the ports, protocols, and services used.\n\nRegister OpenShift's ports, protocols, and services with PPSM.", "check": "Review the OpenShift documentation and configuration.\n(See for additional information: https://docs.openshift.com/container-platform/4.12/installing/installing_platform_agnostic/installing-platform-agnostic.html)\n\n1. Interview the application administrator.\n\n2. Identify the TCP/IP port numbers OpenShift is configured to utilize and is utilizing by using a combination of relevant OS commands and application configuration utilities.\n\n3. Identify the network ports and protocols that are utilized by kube-apiserver by executing the following:\noc get configmap kube-apiserver-pod -n openshift-kube-apiserver -o \"jsonpath={ .data['pod\\.yaml'] }\" | jq '..|.containerPort?' | grep -v \"null\"\n\noc get configmap kube-apiserver-pod -n openshift-kube-apiserver -o \"jsonpath={ .data['pod\\.yaml'] }\" | jq '..|.hostPort?' | grep -v \"null\"\n\noc get services -A --show-labels | grep apiserver | awk '{print $6,$8}' | grep apiserver\n\n4. Identify the network ports and protocols that are utilized by kube-scheduler by executing the following:\noc get configmap kube-scheduler-pod -n openshift-kube-scheduler -o \"jsonpath={ .data['pod\\.yaml'] }\" | jq '..|.containerPort?' 
| grep -v \"null\"\n\noc get services -A --show-labels | grep scheduler | awk '{print $6,$8}' | grep scheduler\n\n5. Identify the network ports and protocols that are utilized by kube-controller-manager by executing the following:\noc get configmap kube-controller-manager-pod -n openshift-kube-controller-manager -o \"jsonpath={ .data['pod\\.yaml'] }\" | jq '..|.containerPort?' | grep -v \"null\"\n\noc get services -A --show-labels | grep kube-controller\n\n6. Identify the network ports and protocols that are utilized by etcd by executing the following:\noc get configmap etcd-pod -n openshift-etcd -o \"jsonpath={ .data['pod\\.yaml'] }\" | grep -Po '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}:[0-9]+' | sort -u\n\n\nReview the PPSM web page at:\n\nhttp://www.disa.mil/Network-Services/Enterprise-Connections/PPSM\n\nReview the PPSM Category Assurance List (CAL) directly at the following link:\n\nhttps://disa.deps.mil/ext/cop/iase/ppsm/Pages/cal.aspx\n\nVerify the ports used by OpenShift are approved by the PPSM CAL.\n\nIf the ports, protocols, and services have not been registered locally, this is a finding.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000116-CTR-000235", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must use internal system clocks to generate audit record time stamps.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["chronyd_or_ntpd_specify_multiple_servers", "chronyd_or_ntpd_set_maxpoll", "chronyd_client_only"], "rules": ["service_chronyd_or_ntpd_enabled", "chronyd_or_ntpd_specify_remote_server"], "controls": []}, {"id": "SRG-APP-000494-CTR-001230", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records when successful/unsuccessful 
attempts to access categories of information (e.g., classification levels) occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_profile_set"], "rules": ["audit_rules_dac_modification_fsetxattr", "audit_rules_dac_modification_chown", "audit_create_failed", "audit_rules_dac_modification_fchown", "audit_rules_dac_modification_lsetxattr", "audit_access_failed", "audit_rules_dac_modification_lremovexattr", "audit_rules_dac_modification_chmod", "audit_rules_dac_modification_fchmod", "audit_modify_failed", "audit_rules_dac_modification_lchown", "audit_rules_dac_modification_fchownat", "audit_rules_dac_modification_fremovexattr", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_fchmodat", "audit_rules_dac_modification_setxattr"], "controls": []}, {"id": "SRG-APP-000014-CTR-000040", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must use TLS 1.2 or greater for secure communication.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["fips_mode_enabled_on_all_nodes"], "rules": [], "controls": []}, {"id": "SRG-APP-000219-CTR-000550", "levels": ["high"], "notes": "", "title": "Ubuntu 22.04 must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": 
"SRG-APP-000170-CTR-000430", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must require the change of at least 15 of the total number of characters when passwords are changed.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000039-CTR-000110", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must enforce approved authorizations for controlling the flow of information between interconnected systems and services based on organization-defined information flow control policies.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["configure_network_policies_namespaces", "configure_network_policies", "routes_protected_by_tls"], "rules": [], "controls": []}, {"id": "SRG-APP-000400-CTR-000960", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must prohibit the use of cached authenticators after an organization-defined time period.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": "Supporting evidence is in the following documentation\n\nhttps://docs.openshift.com/container-platform/latest/authentication/configuring-internal-oauth.html#oauth-configuring-internal-oauth_configuring-internal-oauth", 
"status_justification": "By default, OpenShift OAuth tokens that permit interaction with the API Server are only valid for 24 hours. Expired tokens are not honored.\nTo confirm the current timeout value of an OpenShift 4.x cluster, run the following:\n`oc describe oauth.config.openshift.io/cluster` and reference the `Spec.Access Token Max Age Seconds` key value.\n\n To configure the duration of a token, change the `Spec.Access Token Max Age Seconds` value.\n`oc edit oauth.config.openshift.io/cluster`\nSee:\nhttps://docs.openshift.com/container-platform/latest/authentication/configuring-internal-oauth.html#oauth-configuring-internal-oauth_configuring-internal-oauth", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000297-CTR-000705", "levels": ["low"], "notes": "", "title": "Access to the container platform must display an explicit logout message to user indicating the reliable termination of authenticated communication sessions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000390-CTR-000930", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must require devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": "Supporting evidence is in the following documentation\n\nhttps://docs.openshift.com/container-platform/latest/authentication/using-rbac.html", "status_justification": "The OpenShift Container Platform does not require a user/device to re-authenticate when changes to the RBAC policy, or permissions to a service/object change 
in the system.  These changes are applied and effective immediately and do not require the user/device to first logout.\n\nhttps://docs.openshift.com/container-platform/latest/authentication/using-rbac.html", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000508-CTR-001300", "levels": ["medium"], "notes": "", "title": "Direct access to the container platform must generate audit records.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_profile_set"], "rules": ["service_auditd_enabled"], "controls": []}, {"id": "SRG-APP-000174-CTR-000450", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must enforce a 60-day maximum password lifetime restriction.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. 
Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000474-CTR-001180", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must provide system notifications to the system administrator and operational staff when anomalies in the operation of the organization-defined security functions are discovered.", "description": null, "rationale": null, "automated": "no", "status": "does not meet", "mitigation": "Use external tooling, such as Red Hat Advanced Cluster Security or\ncompliance solutions from other vendors to provide active alerts\nconditionally. Applying an external tool mitigates this risk to a\nCAT III.", "artifact_description": null, "status_justification": "If the OpenShift Compliance Operator is configured in accordance with\nthe Fix data in SRG-APP-000516-CTR-001325, then administrators will be\nable to query when a ComplianceCheckResult shows non-compliant status\nfor any of the rules defined in the compliance profile, aligning with\nthe SSP for the system.\n\nThis capability does not currently natively support alerting for\nnon-compliant status. 
External tooling, such as Red Hat Advanced Cluster\nSecurity or compliance solutions from other vendors, may be integrated\nusing their own mechanisms to provide active alerts conditionally.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["scansettingbinding_exists", "scansettings_have_schedule", "file_integrity_exists"], "rules": [], "controls": []}, {"id": "SRG-APP-000166-CTR-000410", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must enforce password complexity by requiring that at least one uppercase character be used.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000090-CTR-000155", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000357-CTR-000800", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.", "description": null, "rationale": null, "automated": "yes", "status": "automated", 
"mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_disk_error_action", "auditd_log_format", "auditd_data_retention_max_log_file_action_stig", "partition_for_var_log_audit"], "controls": []}, {"id": "SRG-APP-000292-CTR-000680", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit rules to capture account creation, modification, disabling, removal and enabling actions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": "Apply the machine config using the following command:\n\nfor mcpool in $(oc get mcp -oname | sed \"s:.*/::\" ); do\necho \"apiVersion: machineconfiguration.openshift.io/v1\nkind: MachineConfig\nmetadata:\n  name: 75-account-modifications-rules-$mcpool\n  labels:\n    machineconfiguration.openshift.io/role: $mcpool\nspec:\n  config:\n    ignition:\n      version: 3.1.0\n    storage:\n      files:\n      - contents:\n          source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A\n        mode: 0644\n        path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        
path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules\n        overwrite: true\n\" | oc apply -f -\ndone", "check": "Verify the audit rules capture account creation, modification, disabling, removal and enabling actions by executing the following:\n\nfor node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n \"$HOSTNAME \"; grep -e user-modify -e group-modify -e audit_rules_usergroup_modification /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done\n\nConfirm the following rules exist on each node:\n-w /etc/group -p wa -k audit_rules_usergroup_modification\n-w /etc/gshadow -p wa -k audit_rules_usergroup_modification\n-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification\n-w /etc/passwd -p wa -k audit_rules_usergroup_modification\n-w /etc/shadow -p wa -k audit_rules_usergroup_modification\n\nIf the above rules are not listed on each node, this is a finding.", "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": ["audit_rules_sysadmin_actions", "audit_rules_usergroup_modification"], "controls": []}, {"id": "SRG-APP-000345-CTR-000785", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must automatically lock an account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", 
"mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000038-CTR-000105", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must enforce approved authorizations for controlling the flow of information within Ubuntu 22.04 based on organization-defined information flow control policies.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["routes_protected_by_tls"], "rules": [], "controls": []}, {"id": "SRG-APP-000493-CTR-001225", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records when successful/unsuccessful attempts to access security levels occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_profile_set"], "rules": ["audit_rules_dac_modification_fsetxattr", "audit_rules_dac_modification_chown", "audit_create_failed", "audit_rules_dac_modification_fchown", "audit_rules_dac_modification_lsetxattr", "audit_access_failed", "audit_rules_dac_modification_lremovexattr", "audit_rules_dac_modification_chmod", "audit_rules_dac_modification_fchmod", "audit_modify_failed", "audit_rules_dac_modification_lchown", "audit_rules_dac_modification_fchownat", 
"audit_rules_dac_modification_fremovexattr", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_fchmodat", "audit_rules_dac_modification_setxattr"], "controls": []}, {"id": "SRG-APP-000501-CTR-001265", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records when successful/unsuccessful attempts to delete security objects occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_profile_set"], "rules": ["audit_rules_dac_modification_fsetxattr", "audit_rules_unsuccessful_file_modification_unlink", "audit_delete_failed", "audit_rules_dac_modification_lsetxattr", "audit_rules_file_deletion_events_unlinkat", "audit_rules_dac_modification_lremovexattr", "audit_rules_unsuccessful_file_modification_unlinkat", "audit_rules_privileged_commands_chage", "audit_rules_execution_chcon", "audit_rules_file_deletion_events_rename", "audit_rules_file_deletion_events_renameat", "audit_rules_unsuccessful_file_modification_rename", "audit_rules_privileged_commands_pt_chown", "audit_rules_unsuccessful_file_modification_renameat", "audit_rules_file_deletion_events_rmdir", "audit_rules_file_deletion_events_unlink", "audit_rules_dac_modification_removexattr"], "controls": []}, {"id": "SRG-APP-000266-CTR-000625", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "Supporting evidence is in the following 
documentation:\nhttps://docs.openshift.com/container-platform/latest/logging/cluster-logging-visualizer.html\nhttps://docs.openshift.com/container-platform/latest/authentication/using-rbac.html", "status_justification": "In OpenShift, the logs depend greatly on the component. Some components simply write messages to stdout, which the cluster administrator can retrieve as logs through the use of the oc command. Some components emit events, and others emit a Prometheus metric which the API server would write into their logs.\n\nFor the OCP components that run in a container (most operators), the usual RBAC rules would prevent a non-admin user from reading the container logs or events.\n\nOpenShift error message handling is designed to obscure or not log sensitive information which is contained inside Secrets.\n\nError messages from applications will need to be reviewed independently, as the messages provided by the application hosted on the platform are outside the scope of the platform control.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_profile_set"], "rules": [], "controls": []}, {"id": "SRG-APP-000318-CTR-000740", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must enforce organization-defined circumstances and/or usage conditions for organization-defined accounts.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. 
Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000340-CTR-000770", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000100-CTR-000195", "levels": ["medium"], "notes": "", "title": "All audit records must identify any users associated with the event within Ubuntu 22.04.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_profile_set"], "rules": ["auditd_log_format", "auditd_data_retention_max_log_file_action_stig", "auditd_data_disk_error_action"], "controls": []}, {"id": "SRG-APP-000158-CTR-000390", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must uniquely identify all network-connected nodes before establishing any connection.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "Supporting evidence is in the following documentation\nhttps://docs.openshift.com/container-platform/latest/security/certificate_types_descriptions/node-certificates.html", "status_justification": "Internal components are secured with two-way 
TLS.\nhttps://docs.openshift.com/container-platform/latest/security/certificate_types_descriptions/node-certificates.html\nNode certificates are signed by the cluster; they come from a certificate authority (CA) that is generated by the bootstrap process. Once the cluster is installed, the node certificates are auto-rotated.\nNode certificates are managed by the cluster and not the user.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000375-CTR-000870", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "Supporting evidence is in the following documentation\nhttps://docs.openshift.com/container-platform/latest/security/audit-log-view.html", "status_justification": "OpenShift Container Platform conforms to DoD/DISA requirements regarding audit log fields.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_profile_set"], "rules": [], "controls": []}, {"id": "SRG-APP-000243-CTR-000595", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must prohibit containers from accessing privileged resources.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000172-CTR-000440", "levels": ["high"], "notes": "", "title": "For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.", "description": null, "rationale": 
null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000429-CTR-001060", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 keystore must implement encryption to prevent unauthorized disclosure of information at rest within the container platform.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000133-CTR-000300", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must limit privileges to the container platform keystore.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000095-CTR-000170", "levels": ["medium"], "notes": "", "title": "All audit records must identify what type of event has occurred within the container platform.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_profile_set"], "rules": 
["service_auditd_enabled"], "controls": []}, {"id": "SRG-APP-000100-CTR-000200", "levels": ["medium"], "notes": "", "title": "All audit records must identify any containers associated with the event within Ubuntu 22.04.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_profile_set"], "rules": ["auditd_log_format", "auditd_data_retention_max_log_file_action_stig", "auditd_data_disk_error_action"], "controls": []}, {"id": "SRG-APP-000516-CTR-001325", "levels": ["medium"], "notes": "", "title": "Container platform components must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["accounts_restrict_service_account_tokens", "accounts_unique_service_account", "api_server_admission_control_plugin_alwaysadmit", "api_server_admission_control_plugin_alwayspullimages", "api_server_admission_control_plugin_namespacelifecycle", "api_server_admission_control_plugin_noderestriction", "api_server_admission_control_plugin_scc", "api_server_admission_control_plugin_securitycontextdeny", "api_server_admission_control_plugin_service_account", "api_server_anonymous_auth", "api_server_api_priority_flowschema_catch_all", "api_server_api_priority_gate_enabled", "api_server_audit_log_maxbackup", "api_server_audit_log_maxsize", "api_server_audit_log_path", "api_server_auth_mode_no_aa", "api_server_auth_mode_node", "api_server_auth_mode_rbac", "api_server_basic_auth", 
"api_server_bind_address", "api_server_etcd_cert", "api_server_etcd_key", "api_server_https_for_kubelet_conn", "api_server_insecure_bind_address", "api_server_insecure_port", "api_server_kubelet_certificate_authority", "api_server_kubelet_client_cert", "api_server_kubelet_client_key", "api_server_no_adm_ctrl_plugins_disabled", "api_server_oauth_https_serving_cert", "api_server_openshift_https_serving_cert", "api_server_profiling_protected_by_rbac", "api_server_request_timeout", "api_server_service_account_lookup", "api_server_service_account_public_key", "api_server_tls_cipher_suites", "api_server_token_auth", "ocp_api_server_audit_log_maxbackup", "ocp_api_server_audit_log_maxsize", "controller_insecure_port_disabled", "controller_rotate_kubelet_server_certs", "controller_secure_port", "controller_service_account_ca", "controller_service_account_private_key", "controller_use_service_account", "etcd_auto_tls", "etcd_cert_file", "etcd_client_cert_auth", "etcd_key_file", "etcd_peer_auto_tls", "etcd_peer_client_cert_auth", "etcd_unique_ca", "general_apply_scc", "general_configure_imagepolicywebhook", "general_default_namespace_use", "general_default_seccomp_profile", "general_namespaces_in_use", "kubelet_anonymous_auth", "kubelet_authorization_mode", "kubelet_configure_client_ca", "kubelet_configure_event_creation", "kubelet_configure_tls_cipher_suites", "kubelet_disable_readonly_port", "kubelet_enable_cert_rotation", "kubelet_enable_client_cert_rotation", "kubelet_enable_iptables_util_chains", "kubelet_enable_protect_kernel_defaults", "kubelet_enable_protect_kernel_sysctl", "kubelet_enable_server_cert_rotation", "kubelet_enable_streaming_connections", "kubelet_eviction_thresholds_set_hard_imagefs_available", "kubelet_eviction_thresholds_set_hard_memory_available", "kubelet_eviction_thresholds_set_hard_nodefs_available", "kubelet_eviction_thresholds_set_hard_nodefs_inodesfree", "file_integrity_exists", "file_groupowner_cni_conf", 
"file_groupowner_controller_manager_kubeconfig", "file_groupowner_etcd_data_dir", "file_groupowner_etcd_data_files", "file_groupowner_etcd_member", "file_groupowner_etcd_pki_cert_files", "file_groupowner_ip_allocations", "file_groupowner_kube_apiserver", "file_groupowner_kube_controller_manager", "file_groupowner_kube_scheduler", "file_groupowner_master_admin_kubeconfigs", "file_groupowner_multus_conf", "file_groupowner_openshift_pki_cert_files", "file_groupowner_openshift_pki_key_files", "file_groupowner_openshift_sdn_cniserver_config", "file_groupowner_ovs_conf_db_openvswitch", "file_groupowner_ovs_conf_db_hugetlbfs", "file_groupowner_ovs_conf_db_lock_openvswitch", "file_groupowner_ovs_conf_db_lock_hugetlbfs", "file_groupowner_ovs_pid", "file_groupowner_ovs_sys_id_conf_openvswitch", "file_groupowner_ovs_sys_id_conf_hugetlbfs", "file_groupowner_ovs_vswitchd_pid", "file_groupowner_ovsdb_server_pid", "file_groupowner_scheduler_kubeconfig", "file_owner_cni_conf", "file_owner_controller_manager_kubeconfig", "file_owner_etcd_data_dir", "file_owner_etcd_data_files", "file_owner_etcd_member", "file_owner_etcd_pki_cert_files", "file_owner_ip_allocations", "file_owner_kube_apiserver", "file_owner_kube_controller_manager", "file_owner_kube_scheduler", "file_owner_master_admin_kubeconfigs", "file_owner_multus_conf", "file_owner_openshift_pki_cert_files", "file_owner_openshift_pki_key_files", "file_owner_openshift_sdn_cniserver_config", "file_owner_ovs_conf_db", "file_owner_ovs_conf_db_lock", "file_owner_ovs_pid", "file_owner_ovs_sys_id_conf", "file_owner_ovs_vswitchd_pid", "file_owner_ovsdb_server_pid", "file_owner_scheduler_kubeconfig", "file_permissions_cni_conf", "file_permissions_controller_manager_kubeconfig", "file_permissions_etcd_data_dir", "file_permissions_etcd_data_files", "file_permissions_etcd_member", "file_permissions_etcd_pki_cert_files", "file_permissions_ip_allocations", "file_permissions_kube_apiserver", "file_permissions_kube_controller_manager", 
"file_permissions_master_admin_kubeconfigs", "file_permissions_multus_conf", "file_permissions_openshift_pki_cert_files", "file_permissions_openshift_pki_key_files", "file_permissions_ovs_conf_db", "file_permissions_ovs_conf_db_lock", "file_permissions_ovs_pid", "file_permissions_ovs_sys_id_conf", "file_permissions_ovs_vswitchd_pid", "file_permissions_ovsdb_server_pid", "file_permissions_scheduler", "file_permissions_scheduler_kubeconfig", "file_perms_openshift_sdn_cniserver_config", "openshift_api_server_audit_log_path", "rbac_debug_role_protects_pprof", "rbac_limit_cluster_admin", "rbac_limit_secrets_access", "rbac_pod_creation_access", "rbac_wildcard_use", "scansettingbinding_exists", "scc_drop_container_capabilities", "scc_limit_container_allowed_capabilities", "scc_limit_ipc_namespace", "scc_limit_net_raw_capability", "scc_limit_network_namespace", "scc_limit_privilege_escalation", "scc_limit_privileged_containers", "scc_limit_process_id_namespace", "scc_limit_root_containers", "secrets_consider_external_storage", "secrets_no_environment_variables", "file_groupowner_kubelet_conf", "file_groupowner_proxy_kubeconfig", "file_groupowner_worker_ca", "file_groupowner_worker_kubeconfig", "file_groupowner_worker_service", "file_owner_kubelet", "file_owner_kubelet_conf", "file_owner_proxy_kubeconfig", "file_owner_worker_ca", "file_owner_worker_kubeconfig", "file_owner_worker_service", "file_permissions_kubelet", "file_permissions_kubelet_conf", "file_permissions_proxy_kubeconfig", "file_permissions_worker_ca", "file_permissions_worker_kubeconfig", "file_permissions_worker_service", "file_permissions_ovn_cni_server_sock", "file_groupowner_ovn_cni_server_sock", "file_owner_ovn_cni_server_sock", "file_groupowner_ovn_db_files", "file_owner_ovn_db_files", "file_permissions_ovn_db_files"], "rules": [], "controls": []}, {"id": "SRG-APP-000389-CTR-000925", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must require users to reauthenticate when organization-defined 
circumstances or situations require reauthentication.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "Supporting evidence is in the following documentation\n\nhttps://docs.openshift.com/container-platform/latest/authentication/using-rbac.html", "status_justification": "The OpenShift Container Platform does not require a user to re-authenticate when the RBAC policy, or the permissions on a service/object, change in the system.  These changes are applied and effective immediately and do not require the user to first log out.\n\nhttps://docs.openshift.com/container-platform/latest/authentication/using-rbac.html", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000386-CTR-000920", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 registry must employ a deny-all, permit-by-exception (whitelist) policy to allow only authorized container images in the container platform.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000560-CTR-001340", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must prohibit communication using TLS versions 1.0 and 1.1, and SSL 2.0 and 3.0.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["fips_mode_enabled_on_all_nodes"], "rules": [], "controls": []}, {"id": "SRG-APP-000411-CTR-000995", "levels": ["medium"], "notes": "", "title": "Container platform applications and Application Program Interfaces 
(API) used for nonlocal maintenance sessions must use FIPS-validated keyed-hash message authentication code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000133-CTR-000290", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must limit privileges to the container platform registry.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000148-CTR-000335", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must uniquely identify and authenticate users.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": ["sshd_disable_root_login"], "controls": []}, {"id": "SRG-APP-000123-CTR-000265", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must protect audit tools from unauthorized deletion.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_log_forwarding_uses_tls", "audit_profile_set", "directory_permissions_var_log_kube_audit", "directory_permissions_var_log_oauth_audit", 
"directory_permissions_var_log_ocp_audit"], "rules": [], "controls": []}, {"id": "SRG-APP-000360-CTR-000815", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": "Supporting evidence is in the following documentation\n\nhttps://docs.openshift.com/container-platform/latest/post_installation_configuration/configuring-alert-notifications.html\nhttps://kubernetes.io/docs/tasks/debug-application-cluster/audit/#parameter-tuning", "status_justification": "The OpenShift Container Platform provides an alert notification\nservice to notify admins of critical events.", "fixtext": "Create an alert notification receiver\n\n1. From the Administrator perspective on the OpenShift web console, navigate to Administration->Cluster Settings -> Global Configuration -> Alertmanager\n2. Select Create Receiver\n3. Set the name, and choose a Receiver Type\n4. Complete the form as per the organization's policy\n\nRefer to the following documentation for more information\n\nhttps://docs.openshift.com/container-platform/latest/monitoring/managing-alerts.html#sending-notifications-to-external-systems_managing-alerts", "check": "Verify that the AlertManager config includes a configured receiver. \n\n1. From the Administrator perspective on the OpenShift web console, navigate to Administration->Cluster Settings -> Global Configuration -> Alertmanager\n2. View the list of receivers, and inspect the configuration\n3. 
Verify that at least one receiver is configured as either PagerDuty, Webhook, Email, or Slack according to the organizations policy.\n\nIf an alert receiver is not configured according to the organizational policy this is a finding.", "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000098-CTR-000185", "levels": ["medium"], "notes": "", "title": "All audit records must identify the source of the event within the container platform.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_profile_set"], "rules": ["auditd_log_format", "auditd_data_retention_max_log_file_action_stig", "auditd_data_disk_error_action"], "controls": []}, {"id": "SRG-APP-000028-CTR-000080", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit rules to capture account creation, modification, disabling, removal and enabling actions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": "Apply the machine config using the following command:\n\nfor mcpool in $(oc get mcp -oname | sed \"s:.*/::\" ); do\necho \"apiVersion: machineconfiguration.openshift.io/v1\nkind: MachineConfig\nmetadata:\n  name: 75-account-modifications-rules-$mcpool\n  labels:\n    machineconfiguration.openshift.io/role: $mcpool\nspec:\n  config:\n    ignition:\n      version: 3.1.0\n    storage:\n      files:\n      - contents:\n          source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A\n        mode: 0644\n        path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules\n        overwrite: true\n      - contents:\n          source: 
data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules\n        overwrite: true\n\" | oc apply -f -\ndone", "check": "Verify the audit rules capture account creation, modification, disabling, removal and enabling actions by executing the following:\n\nfor node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n \"$HOSTNAME \"; grep -e user-modify -e group-modify -e audit_rules_usergroup_modification /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done\n\nConfirm the following rules exist on each node:\n-w /etc/group -p wa -k audit_rules_usergroup_modification\n-w /etc/gshadow -p wa -k audit_rules_usergroup_modification\n-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification\n-w /etc/passwd -p wa -k audit_rules_usergroup_modification\n-w /etc/shadow -p wa -k audit_rules_usergroup_modification\n\nIf the above rules are not listed on each node, 
this is a finding.", "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": ["audit_rules_sysadmin_actions", "audit_rules_usergroup_modification"], "controls": []}, {"id": "SRG-APP-000101-CTR-000205", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000645-CTR-001410", "levels": ["high"], "notes": "", "title": "Ubuntu 22.04 must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithms for transmission.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "Supporting evidence is in the following documentation\nhttps://docs.openshift.com/container-platform/latest/post_installation_configuration/network-configuration.html", "status_justification": "The ports and protocols configured with OpenShift are required for the\nproper functioning of the clusters and associated network.  
Details on\nconfiguration options are located in the following document:\nhttps://docs.openshift.com/container-platform/latest/post_installation_configuration/network-configuration.html", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["configure_network_policies_namespaces"], "rules": [], "controls": []}, {"id": "SRG-APP-000131-CTR-000285", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must verify container images.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["ocp_allowed_registries", "ocp_allowed_registries_for_import"], "rules": [], "controls": []}, {"id": "SRG-APP-000401-CTR-000965", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. 
Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000099-CTR-000190", "levels": ["medium"], "notes": "", "title": "All audit records must generate the event results within the container platform.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_profile_set"], "rules": ["auditd_log_format", "auditd_data_retention_max_log_file_action_stig", "auditd_data_disk_error_action"], "controls": []}, {"id": "SRG-APP-000122-CTR-000260", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must protect audit tools from unauthorized modification.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_log_forwarding_uses_tls", "audit_profile_set", "directory_permissions_var_log_kube_audit", "directory_permissions_var_log_oauth_audit", "directory_permissions_var_log_ocp_audit"], "rules": [], "controls": []}, {"id": "SRG-APP-000153-CTR-000375", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must ensure users are authenticated with an individual authenticator prior to using a group authenticator.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], 
"controls": []}, {"id": "SRG-APP-000173-CTR-000445", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must enforce 24 hours (one day) as the minimum password lifetime.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000181-CTR-000485", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must provide an audit reduction capability that supports on-demand reporting requirements.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not applicable - The location of the external logging server used for audit\nlog aggregation is outside the scope of Ubuntu 22.04 configuration.\nBecause the configuration recommended in response to SRG-APP-000111-CTR-000220\nconfigures an external log aggregation server outside of the control of the\nUbuntu 22.04 cluster, it is up to individual implementation to ensure that\nthe location of that log aggregation point meets other requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_log_forwarding_enabled", "audit_profile_set"], "rules": [], "controls": []}, {"id": "SRG-APP-000234-CTR-000590", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must never automatically remove or disable emergency accounts.", "description": null, "rationale": null, "automated": "no", "status": "inherently 
met", "mitigation": null, "artifact_description": "Supporting evidence is in the following documentation\nhttps://docs.openshift.com/container-platform/latest/post_installation_configuration/preparing-for-users.html", "status_justification": "No users are ever created or removed automatically. Any manually created\nemergency accounts would persist, and it is recommended that normal\ncluster authentication be delegated to an external IdP as recommended\nin SRG-APP-000023-CTR-000055.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000151-CTR-000365", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must use multifactor authentication for local access to privileged accounts.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. 
Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000027-CTR-000075", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must automatically audit account modification.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": "Apply the machine config using the following command:\n\nfor mcpool in $(oc get mcp -oname | sed \"s:.*/::\" ); do\necho \"apiVersion: machineconfiguration.openshift.io/v1\nkind: MachineConfig\nmetadata:\n  name: 75-account-modifications-rules-$mcpool\n  labels:\n    machineconfiguration.openshift.io/role: $mcpool\nspec:\n  config:\n    ignition:\n      version: 3.1.0\n    storage:\n      files:\n      - contents:\n          source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A\n        mode: 0644\n        path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          
source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules\n        overwrite: true\n      - contents:\n          source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A\n        mode: 0644\n        path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules\n        overwrite: true\n\" | oc apply -f -\ndone", "check": "Verify for each of the files that contain account information the system is configured to emit an audit event in case of a write, by executing the following:\n\nfor node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n \"$HOSTNAME \"; for f in /etc/passwd /etc/group /etc/gshadow /etc/security/opasswd /etc/shadow /etc/sudoers /etc/sudoers.d/; do grep -q \"\\-w $f \\-p wa \\-k\" /etc/audit/audit.rules || echo \"rule for $f not found\"; done' 2>/dev/null; done\n\nIf for any of the files a line saying \"rule for $filename not found\" is printed, this is a finding.", "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_sysadmin_actions", "audit_rules_usergroup_modification"], "controls": []}, {"id": "SRG-APP-000133-CTR-000305", "levels": ["medium"], "notes": "", "title": "Configuration files for the container platform must be protected.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000516-CTR-001335", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must continuously scan components, containers, and images for vulnerabilities.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, 
"status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000171-CTR-000435", "levels": ["medium"], "notes": "", "title": "For container platform using password authentication, the application must store only cryptographic representations of passwords.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000359-CTR-000810", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not applicable - The location of the external logging server\nused for audit log aggregation is outside the scope of OpenShift Container Platform\nconfiguration. 
Because the configuration recommended in response to SRG-APP-000111-CTR-000220\nconfigures an external log aggregation server outside of the control of the OpenShift\ncluster, it is up to individual implementation to ensure that the location of that\nlog aggregation point meets other requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000473-CTR-001175", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must perform verification of the correct operation of security functions: upon system startup and/or restart; upon command by a user with privileged access; and/or every 30 days. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["file_integrity_exists"], "rules": [], "controls": []}, {"id": "SRG-APP-000167-CTR-000415", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must enforce password complexity by requiring that at least one lowercase character be used.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. 
Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000504-CTR-001280", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit record for privileged activities.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_kernel_module_loading_delete", "audit_rules_privileged_commands_kmod", "audit_rules_kernel_module_loading_finit", "audit_rules_kernel_module_loading_init"], "controls": []}, {"id": "SRG-APP-000397-CTR-000955", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must allow the use of a temporary password for system logons with an immediate change to a permanent password.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. 
Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000503-CTR-001275", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records when successful/unsuccessful logon attempts occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": ["audit_rules_sudoers_d", "audit_rules_usergroup_modification_gshadow", "audit_rules_usergroup_modification_shadow", "audit_rules_login_events_lastlog", "audit_rules_login_events_faillock", "audit_rules_sudoers", "audit_rules_usergroup_modification_passwd", "audit_rules_usergroup_modification_opasswd", "audit_rules_login_events_tallylog", "audit_rules_usergroup_modification_group"], "controls": []}, {"id": "SRG-APP-000506-CTR-001290", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records when concurrent logons from different workstations and systems occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": ["audit_rules_login_events_lastlog", "audit_rules_login_events_faillock"], "controls": []}, {"id": "SRG-APP-000409-CTR-000990", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must audit non-local maintenance and diagnostic sessions' organization-defined audit events associated with 
non-local maintenance.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_auditd_enabled"], "controls": []}, {"id": "SRG-APP-000505-CTR-001285", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 audit records must record user access start and end times.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": ["audit_rules_session_events"], "controls": []}, {"id": "SRG-APP-000391-CTR-000935", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must be configured to use multi-factor authentication for user authentication.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. 
Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000225-CTR-000570", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 runtime must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "Supporting evidence is in the following documentation\nhttps://docs.openshift.com/container-platform/latest/support/gathering-cluster-data.html", "status_justification": "In the event that there is a failure or disruption to the OpenShift platform, the information necessary to identify the cause would be preserved. The cluster state (resource definitions) is preserved by etcd; audit and system logs are preserved via the journald service at the node level. The following guide provides steps on how to gather cluster data in order to investigate issues with the cluster.\nhttps://docs.openshift.com/container-platform/latest/support/gathering-cluster-data.html", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000148-CTR-000340", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 application program interface (API) must uniquely identify and authenticate users.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "Supporting evidence is in the following documentation\nhttps://docs.openshift.com/container-platform/latest/authentication/index.html", "status_justification": "Users of the OpenShift Platform must be uniquely identified and\nauthenticated in order to access the platform's console. 
Anonymous\nusers are prohibited, and authorization is enforced by the platform's\nRBAC policies. Refer to\nhttps://docs.openshift.com/container-platform/latest/authentication/index.html\nfor more information.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000119-CTR-000245", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must protect audit information from unauthorized modification.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_log_forwarding_uses_tls", "audit_profile_set", "directory_permissions_var_log_kube_audit", "directory_permissions_var_log_oauth_audit", "directory_permissions_var_log_ocp_audit"], "rules": ["audit_rules_immutable"], "controls": []}, {"id": "SRG-APP-000378-CTR-000890", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 registry must prohibit installation or modification of container images without explicit privileged status.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000290-CTR-000670", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must use cryptographic mechanisms to protect the integrity of audit tools.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_log_forwarding_uses_tls"], 
"rules": ["auditd_log_format", "auditd_data_retention_max_log_file_action_stig", "auditd_data_disk_error_action"], "controls": []}, {"id": "SRG-APP-000142-CTR-000330", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 runtime must enforce the use of ports that are non-privileged.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000605-CTR-001380", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must validate certificates used for Transport Layer Security (TLS) functions by performing an RFC 5280-compliant certification path validation.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": "Supporting evidence is in the following documentation\n\nhttps://docs.openshift.com/container-platform/latest/security/certificate_types_descriptions/node-certificates.html", "status_justification": "Internal components are secured with two-way TLS. Certificate revocation lists (CRLs) are not currently supported by Kubernetes upstream - https://github.com/kubernetes/kubernetes/issues/18982. Application components can be fully compliant by adding the checks inside container images.\n\nhttps://docs.openshift.com/container-platform/latest/security/certificate_types_descriptions/node-certificates.html\n\nNode certificates are signed by the cluster; they come from a certificate authority (CA) that is generated by the bootstrap process. 
Once the cluster is installed, the node certificates are auto-rotated.\n\nNode certificates are managed by the cluster and not the user\n", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "SRG-APP-000168-CTR-000420", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must enforce password complexity by requiring that at least one numeric character be used.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": "Not Applicable. Applicable to Identity Management Provider and not\nOCP. Only configurable check is to ensure OCP is configured for an\nIDP under SRG-APP-000023-CTR-000055. Verify with IdM service provider\nadmins that the IdM meets the requirements.", "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["idp_is_configured", "ocp_idp_no_htpasswd", "kubeadmin_removed"], "rules": [], "controls": []}, {"id": "SRG-APP-000507-CTR-001295", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 runtime must generate audit records when successful/unsuccessful attempts to access objects occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_profile_set"], "rules": ["audit_rules_dac_modification_fsetxattr", "audit_rules_dac_modification_chown", "audit_create_failed", "audit_rules_dac_modification_fchown", "audit_rules_dac_modification_lsetxattr", "audit_access_failed", "audit_rules_dac_modification_lremovexattr", "audit_rules_dac_modification_chmod", "audit_rules_dac_modification_fchmod", "audit_modify_failed", "audit_rules_dac_modification_lchown", "audit_rules_dac_modification_fchownat", 
"audit_rules_dac_modification_fremovexattr", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_fchmodat", "audit_rules_dac_modification_setxattr"], "controls": []}, {"id": "SRG-APP-000089-CTR-000150", "levels": ["medium"], "notes": "", "title": "Ubuntu 22.04 must generate audit records for all DoD-defined auditable events within all components in the platform.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}], "levels": [{"id": "high", "inherits_from": null}, {"id": "medium", "inherits_from": null}, {"id": "low", "inherits_from": null}]}