| V-260906 | | Least privilege access and need to know must be required to access MKE runtime and instantiate container images. | To control what is instantiated within MKE, it is important to control access to the runtime. Without this control, container platform specific servic... |
| V-260907 | | Only required ports must be open on containers in MKE. | Ports, protocols, and services within MKE runtime must be controlled and conform to the PPSM CAL. Those ports, protocols, and services that fall outsi... |
| V-260908 | | FIPS mode must be enabled. | During any user authentication, MKE must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process. ... |
| V-260903 | | The Lifetime Minutes and Renewal Threshold Minutes Login Session Controls on MKE must be set. | The "Lifetime Minutes" and "Renewal Threshold Minutes" login session controls in MKE are part of security features that help manage user sessions with... |
| V-260904 | | In an MSR organization, user permissions and repositories must be configured. | Configuring user permissions, organizations, and repositories in MSR is crucial for maintaining a secure, organized, and efficient container image man... |
| V-260905 | | User-managed resources must be created in dedicated namespaces. | Dedicated namespaces act as security boundaries, limiting the blast radius in case of security incidents or misconfigurations. If an issue arises with... |
| V-260909 | | MKE must be configured to integrate with an Enterprise Identity Provider. | Configuring MKE to integrate with an Enterprise Identity Provider enhances security, simplifies user management, ensures compliance, provides auditing... |
| V-260910 | | SSH must not run within Linux containers. | To limit the attack surface of MKE, it is important that the nonessential services are not installed. Containers are designed to be lightweight and is... |
| V-260911 | | Swarm Secrets or Kubernetes Secrets must be used. | Swarm Secrets in Docker Swarm and Kubernetes Secrets both provide mechanisms for encrypting sensitive data at rest. This adds an additional layer of s... |
| V-260912 | | MKE must have Grants created to control authorization to cluster resources. | MKE uses Role-Based Access Controls (RBAC) to enforce approved authorizations for logical access to information and system resources in accordance wit... |
| V-260913 | | MKE host network namespace must not be shared. | MKE can be built with privileges that are not approved within the organization. To limit the attack surface of MKE, it is essential that privileges me... |
| V-260914 | | Audit logging must be enabled on MKE. | Enabling audit logging on MKE enhances security, supports compliance efforts, provides user accountability, and offers valuable insights for incident ... |
| V-260915 | | MKE must be configured to send audit data to a centralized log server. | Sending audit data from MKE to a centralized log server enhances centralized monitoring, facilitates efficient incident response, scales effectively, ... |
| V-260916 | | MSR's self-signed certificates must be replaced with DOD trusted, signed certificates. | Self-signed certificates pose security risks, as they are not issued by a trusted third party. DOD trusted, signed certificates have undergone a valid... |
| V-260917 | | Allowing users and administrators to schedule containers on all nodes must be disabled. | MKE and MSR are set to disallow administrators and users to schedule containers. This setting must be checked for allowing administrators or users to ... |
| V-260918 | | MKE telemetry must be disabled. | MKE provides a telemetry service that automatically records and transmits data to Mirantis through an encrypted channel for monitoring and analysis pu... |
| V-260919 | | MSR telemetry must be disabled. | MSR provides a telemetry service that automatically records and transmits data to Mirantis through an encrypted channel for monitoring and analysis pu... |
| V-260920 | | For MKE's deployed on an Ubuntu host operating system, the AppArmor profile must be enabled. | AppArmor protects the Ubuntu OS and applications from various threats by enforcing security policy which is also known as AppArmor profile. The user c... |
| V-260921 | | If MKE is deployed on a Red Hat or CentOS system, SELinux security must be enabled. | SELinux provides a Mandatory Access Control (MAC) system on RHEL and CentOS that greatly augments the default Discretionary Access Control (DAC) model... |
| V-260922 | | The Docker socket must not be mounted inside any containers. | The Docker socket docker.sock must not be mounted inside a container, with the exception case being during the installation of Universal Control Plane... |
| V-260923 | | Linux Kernel capabilities must be restricted within containers. | By default, MKE starts containers with a restricted set of Linux Kernel Capabilities. Any process may be granted the required capabilities instead of ... |
| V-260924 | | Incoming container traffic must be bound to a specific host interface. | Privileged ports are those ports below 1024 and that require system privileges for their use. If containers are able to use these ports, the container... |
| V-260925 | | CPU priority must be set appropriately on all containers. | All containers on a Docker host share the resources equally. By using the resource management capabilities of Docker host, such as CPU shares, the use... |
| V-260926 | | MKE must use a non-AUFS storage driver. | The aufs storage driver is an old driver based on a Linux kernel patch-set that is unlikely to be merged into the main Linux kernel. aufs driver is al... |
| V-260927 | | MKE's self-signed certificates must be replaced with DOD trusted, signed certificates. | Self-signed certificates pose security risks, as they are not issued by a trusted third party. DOD trusted, signed certificates have undergone a valid... |
| V-260928 | | The "Create repository on push" option in MSR must be disabled. | Allowing repositories to be created on a push can override essential settings and must not be allowed.... |
| V-260929 | | Containers must not map to privileged ports. | Privileged ports are those ports below 1024 and that require system privileges for their use. If containers are able to use these ports, the container... |
| V-260930 | | MKE must not permit users to create pods that share host process namespace. | Controlling information flow between MKE components and container user services instantiated by MKE must enforce organization-defined information flow... |
| V-260931 | | IPSec network encryption must be configured. | IPsec encrypts the data traffic between nodes in a Kubernetes cluster, ensuring that the information exchanged is confidential and protected from unau... |
| V-260932 | | MKE must preserve any information necessary to determine the cause of the disruption or failure. | When a failure occurs within MKE, preserving the state of MKE and its components, along with other container services, helps to facilitate container p... |
| V-260933 | | MKE must enable kernel protection. | System kernel is responsible for memory, disk, and task management. The kernel provides a gateway between the system hardware and software. Kubernetes... |
| V-260934 | | All containers must be restricted from acquiring additional privileges. | To limit the attack surface of MKE, it is important that the nonessential services are not installed and access to the host system uses the concept of... |
| V-260935 | | Host IPC namespace must not be shared. | IPC (POSIX/SysV IPC) namespace provides separation of named shared memory segments, semaphores, and message queues. IPC namespace on the host must not... |
| V-260936 | | All containers must be restricted to mounting the root filesystem as read only. | The container's root filesystem must be treated as a "golden image" by using Docker run's --read-only option. This prevents any writes to the containe... |
| V-260937 | | The default seccomp profile must not be disabled. | Seccomp filtering provides a means for a process to specify a filter for incoming system calls. The default seccomp profile works on a whitelist basis... |
| V-260938 | | Docker CLI commands must be run with an MKE client trust bundle and without unnecessary permissions. | Running docker CLI commands remotely with a client trust bundle ensures that authentication and role permissions are checked for the command. Using -... |
| V-260939 | | MKE users must not have permissions to create containers or pods that share the host user namespace. | To limit the attack surface of MKE, it is important that the nonessential services are not installed and access to the host system uses the concept of... |
| V-260940 | | Use of privileged Linux containers must be limited to system containers. | Using the --privileged flag gives all Linux Kernel Capabilities to the container, thus overwriting the --cap-add and --cap-drop flags. The --privilege... |
| V-260941 | | The network ports on all running containers must be limited to required ports. | To validate that the services are using only the approved ports and protocols, the organization must perform a periodic scan/review of MKE and disable... |
| V-260942 | | MKE must only run signed images. | Controlling the sources where container images can be pulled from allows the organization to define what software can be run within MKE. Allowing any ... |
| V-260943 | | Vulnerability scanning must be enabled for all repositories in MSR. | Enabling vulnerability scanning for all repositories in Mirantis Secure Registry (MSR) is a critical security practice that helps organizations identi... |
| V-260944 | | Older Universal Control Plane (MKE) and Docker Trusted Registry (DTR) images must be removed from all cluster nodes upon upgrading. | When upgrading either the UCP or DTR components of MKE, the newer images are pulled (or unpacked if offline) onto engine nodes in a cluster. Once the ... |
| V-260945 | | MKE must contain the latest updates. | MKE must stay up to date with the latest patches, service packs, and hot fixes. Not updating MKE will expose the organization to vulnerabilities.... |
| V-260946 | | MKE must display the Standard Mandatory DOD Notice and Consent Banner before granting access to platform components. | MKE has countless components where different access levels are needed. To control access, the user must first log in to MKE and then be presented with... |