Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-233285 | SRG-APP-000610-CTR-001385 | SV-233285r879898_rule | | Medium |
Description |
---|
Without the use of digital signatures, information can be altered by unauthorized accounts accessing or modifying the container platform registry, keystore, and container at runtime. Digital signatures provide non-repudiation for transactions between the components within the container platform. Without the use of an approved FIPS-validated SHA-2 or higher hash function with digital signatures, the container platform cannot claim the validity of the individual or service identity and guarantee that the private key is kept secret. Keeping the private keys secure is vital for validating an individual or service identity prior to information exchange. The container platform must be configured to use SHA-2 or higher hash functions for digital signatures in accordance with SP 800-131Ar2. |
STIG | Date |
---|---|
Container Platform Security Requirements Guide | 2023-06-05 |
Check Text (C-36221r601857_chk) |
---|
Review the container platform configuration to validate that a FIPS-validated SHA-2 or higher hash function is being used for digital signature generation and verification. If a FIPS-validated SHA-2 or higher hash function is not being used for digital signature generation and verification, this is a finding. |
Fix Text (F-36189r601343_fix) |
---|
Configure the container platform to use a FIPS-validated SHA-2 or higher hash function for digital signature generation and verification. |