| V-257505 | | OpenShift must use TLS 1.2 or greater for secure container image transport from trusted sources. | The authenticity and integrity of the container image during the container image lifecycle is part of the overall security posture of the container pl... |
| V-257506 | | OpenShift must use TLS 1.2 or greater for secure communication. | The authenticity and integrity of the container platform and communication between nodes and components must be secure. If an insecure protocol is use... |
| V-257507 | | OpenShift must use a centralized user management solution to support account management functions. | OpenShift supports several different types of identity providers. To add users and grant access to OpenShift, an identity provider must be configured.... |
| V-257508 | | The kubeadmin account must be disabled. | Using a centralized user management solution for account management functions enhances security, simplifies administration, improves user experience, ... |
| V-257509 | | OpenShift must automatically audit account creation. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomp... |
| V-257510 | | OpenShift must automatically audit account modification. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomp... |
| V-257511 | | OpenShift must generate audit rules to capture account related actions. | Account management actions, such as creation, modification, disabling, removal, and enabling are important changes within the system. When management... |
| V-257512 | | OpenShift must automatically audit account removal actions. | When application accounts are removed, user accessibility is affected. Once an attacker establishes access to an application, the attacker often attem... |
| V-257514 | | OpenShift must enforce network policy on the namespace for controlling the flow of information within the container platform based on organization-defined information flow control policies. | OpenShift provides several layers of protection to control the flow of information between the container platform components and user services. Each u... |
| V-257515 | | OpenShift must enforce approved authorizations for controlling the flow of information within the container platform based on organization-defined information flow control policies. | OpenShift provides several layers of protection to control the flow of information between the container platform components and user services. Each u... |
| V-257517 | | OpenShift must generate audit records for all DOD-defined auditable events within all components in the platform. | The OpenShift Platform supports three audit levels: Default, WriteRequestBodies, and AllRequestBodies. The identities of the users are logged for all ... |
| V-257518 | | OpenShift must generate audit records when successful/unsuccessful attempts to access privileges occur. | OpenShift and its components must generate audit records when successful/unsuccessful attempts to access or delete security objects, security levels, ... |
| V-257520 | | All audit records must identify what type of event has occurred within OpenShift. | Within the container platform, audit data can be generated from any of the deployed container platform components. This audit data is important when t... |
| V-257521 | | OpenShift audit records must have a date and time association with all events. | Within the container platform, audit data can be generated from any of the deployed container platform components. This audit data is important when t... |
| V-257522 | | All audit records must generate the event results within OpenShift. | Within the container platform, audit data can be generated from any of the deployed container platform components. Since the audit data may be part of... |
| V-257523 | | OpenShift must take appropriate action upon an audit failure. | It is critical that when the container platform is at risk of failing to process audit logs as required that it takes action to mitigate the failure. ... |
| V-257524 | | OpenShift components must provide the ability to send audit logs to a central enterprise repository for review and analysis. | Sending audit logs to a central enterprise repository allows for centralized log management. Instead of scattered logs across multiple OpenShift compo... |
| V-257525 | | OpenShift must use internal system clocks to generate audit record time stamps. | Knowing when a sequence of events for an incident occurred is crucial to understand what may have taken place. Without a common clock, the components ... |
| V-257526 | | The Red Hat Enterprise Linux CoreOS (RHCOS) chrony Daemon must use multiple NTP servers to generate audit record time stamps. | Utilizing multiple NTP servers for the chrony daemon in RHCOS ensures accurate and reliable audit record timestamps. It improves time synchronization,... |
| V-257527 | | OpenShift must protect audit logs from any type of unauthorized access. | If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity i... |
| V-257528 | | OpenShift must protect system journal file from any type of unauthorized access by setting file permissions. | It is a fundamental security practice to enforce the principle of least privilege, where only the necessary permissions are granted to authorized enti... |
| V-257529 | | OpenShift must protect system journal file from any type of unauthorized access by setting owner permissions. | OpenShift follows the principle of least privilege, which aims to restrict access to resources based on user roles and responsibilities. This separati... |
| V-257530 | | OpenShift must protect log directory from any type of unauthorized access by setting file permissions. | Log files contain sensitive information such as user credentials, system configurations, and potentially even security-related events. Unauthorized ac... |
| V-257531 | | OpenShift must protect log directory from any type of unauthorized access by setting owner permissions. | OpenShift follows the principle of least privilege, which aims to restrict access to resources based on user roles and responsibilities. This separati... |
| V-257532 | | OpenShift must protect pod log files from any type of unauthorized access by setting owner permissions. | Pod log files may contain sensitive information such as application data, user credentials, or system configurations. Unauthorized access to these log... |
| V-257533 | | OpenShift must protect audit information from unauthorized modification. | If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity i... |
| V-257534 | | OpenShift must prevent unauthorized changes to logon UIDs. | Logon UIDs are used to uniquely identify and authenticate users within the system. By preventing unauthorized changes to logon UIDs, OpenShift ensures... |
| V-257535 | | OpenShift must protect audit tools from unauthorized access. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is ne... |
| V-257536 | | OpenShift must use FIPS-validated cryptographic mechanisms to protect the integrity of log information. | To fully investigate an incident and to have trust in the audit data that is generated, it is important to put in place data protections. Without inte... |
| V-257537 | | OpenShift must verify container images. | The container platform must be capable of validating that container images are signed and that the digital signature is from a recognized and source a... |
| V-257538 | | OpenShift must contain only container images for those capabilities being offered by the container platform. | Allowing container images to reside within the container platform registry that are not essential to the capabilities being offered by the container p... |
| V-257539 | | OpenShift runtime must enforce ports, protocols, and services that adhere to the PPSM CAL. | OpenShift Container Platform uses several IPV4 and IPV6 ports and protocols to facilitate cluster communication and coordination. Not all these ports ... |
| V-257541 | | OpenShift must use multifactor authentication for network access to accounts. | Without the use of multifactor authentication, the ease of access to privileged and nonprivileged functions is greatly increased. Multifactor authent... |
| V-257542 | | OpenShift must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts. | A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the applicati... |
| V-257544 | | OpenShift must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity. | In OpenShift, the "session token inactivity timeout" on OAuth clients is set to ensure security and protect against potential unauthorized access to u... |
| V-257545 | | OpenShift must separate user functionality (including user interface services) from information system management functionality. | Red Hat Enterprise Linux CoreOS (RHCOS) is a single-purpose container operating system. RHCOS is only supported as a component of the OpenShift Contai... |
| V-257547 | | OpenShift runtime must isolate security functions from nonsecurity functions. | An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. Secu... |
| V-257548 | | OpenShift must prevent unauthorized and unintended information transfer via shared system resources and enable page poisoning. | Enabling page poisoning in OpenShift improves memory safety, mitigates memory corruption vulnerabilities, aids in fault isolation, assists with debugg... |
| V-257549 | | OpenShift must disable virtual syscalls. | Virtual syscalls are a mechanism that allows user-space programs to make privileged system calls without transitioning to kernel mode. However, this f... |
| V-257550 | | OpenShift must enable poisoning of SLUB/SLAB objects. | By enabling poisoning of SLUB/SLAB objects, OpenShift can detect and identify use-after-free scenarios more effectively. The poisoned objects are mark... |
| V-257551 | | OpenShift must set the sticky bit for world-writable directories. | Removing world-writable permissions or setting the sticky bit helps enforce access control on directories within the OpenShift platform. World-writabl... |
| V-257552 | | OpenShift must restrict access to the kernel buffer. | Restricting access to the kernel buffer in OpenShift is crucial for preventing unauthorized access, protecting system stability, mitigating kernel-lev... |
| V-257553 | | OpenShift must prevent kernel profiling. | Kernel profiling involves monitoring and analyzing the behavior of the kernel, including its internal operations and system calls. This level of acces... |
| V-257554 | | OpenShift must restrict individuals the ability to launch organizational-defined Denial-of-Service (DOS) attacks against other information systems by setting a default Resource Quota. | OpenShift allows administrators to define resource quotas on a namespace basis. This allows tailoring of the shared resources based on a project needs... |
| V-257555 | | OpenShift must restrict individuals the ability to launch organizational-defined Denial-of-Service (DOS) attacks against other information systems by rate-limiting. | By setting rate limits, OpenShift can control the number of requests or connections allowed from a single source within a specific period. This preven... |
| V-257559 | | OpenShift must configure Alertmanager receivers to notify the SA and ISSO of all audit failure events requiring real-time alerts. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time aler... |
| V-257560 | | OpenShift must enforce access restrictions and support auditing of the enforcement actions. | Enforcing access restrictions helps protect the OpenShift environment and its resources from unauthorized access, misuse, or malicious activities. By ... |
| V-257561 | | OpenShift must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. | Integrity of the OpenShift platform is handled by the cluster version operator. The cluster version operator will by default GPG verify the integrity ... |
| V-257562 | | OpenShift must set server token max age no greater than eight hours. | The setting for OAuth server token max age is used to control the maximum duration for which an issued OAuth access token remains valid. Access tokens... |
| V-257563 | | Vulnerability scanning applications must implement privileged access authorization to all OpenShift components, containers, and container images for selected organization-defined vulnerability scanning activities. | OpenShift uses service accounts to provide applications running on or off the platform access to the API service using the enforced RBAC policies. Vul... |
| V-257564 | | OpenShift keystore must implement encryption to prevent unauthorized disclosure of information at rest within the container platform. | By default, etcd data is not encrypted in OpenShift Container Platform. Enable etcd encryption for the cluster to provide an additional layer of data ... |
| V-257565 | | OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by employing organization-defined security safeguards by including a default resource quota. | DoS attacks that are internal to the container platform (exploited or otherwise malicious applications) can have a limited blast radius by adhering to... |
| V-257566 | | OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by defining resource quotas on a namespace. | OpenShift allows administrators to define resource quotas on a namespace basis. This allows tailoring of the shared resources based on a project needs... |
| V-257567 | | OpenShift must protect the confidentiality and integrity of transmitted information. | OpenShift provides for two types of application level ingress types, Routes, and Ingresses. Routes have been a part of OpenShift since version 3. Ingr... |
| V-257568 | | Red Hat Enterprise Linux CoreOS (RHCOS) must implement nonexecutable data to protect its memory from unauthorized code execution. | The NX bit is a hardware feature that prevents the execution of code from data memory regions. By enabling NX bit execute protection, OpenShift ensure... |
| V-257569 | | Red Hat Enterprise Linux CoreOS (RHCOS) must implement ASLR (Address Space Layout Randomization) to protect its memory from unauthorized code execution. | ASLR is a security technique that randomizes the memory layout of processes, making it more difficult for attackers to predict the location of system ... |
| V-257570 | | OpenShift must remove old components after updated versions have been installed. | Previous versions of OpenShift components that are not removed from the container platform after updates have been installed may be exploited by adver... |
| V-257571 | | OpenShift must contain the latest images with most recent updates and execute within the container platform runtime as authorized by IAVM, CTOs, DTMs, and STIGs. | It is critical to the security and stability of the container platform and the software services running on the platform to ensure that images are dep... |
| V-257572 | | OpenShift runtime must have updates installed within the period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs). | OpenShift runtime must be carefully monitored for vulnerabilities, and when problems are detected, they must be remediated quickly. A vulnerable runti... |
| V-257573 | | The Compliance Operator must be configured. | The Compliance Operator enables continuous compliance monitoring within OpenShift. It regularly assesses the environment against defined compliance po... |
| V-257574 | | OpenShift must perform verification of the correct operation of security functions: upon startup and/or restart; upon command by a user with privileged access; and/or every 30 days. | Security functionality includes, but is not limited to, establishing system accounts, configuring access authorization (i.e., permissions, privileges)... |
| V-257575 | | OpenShift must generate audit records when successful/unsuccessful attempts to modify privileges occur. | Audit records provide a crucial source of information for security monitoring and incident response. By generating audit records for privilege modific... |
| V-257576 | | OpenShift must generate audit records when successful/unsuccessful attempts to modify security objects occur. | OpenShift and its components must generate audit records when modifying security objects. All the components must use the same standard so that the ev... |
| V-257577 | | OpenShift must generate audit records when successful/unsuccessful attempts to delete privileges occur. | Audit records for unsuccessful attempts to delete privileges help in identifying unauthorized activities or potential attacks. If an unauthorized enti... |
| V-257578 | | OpenShift must generate audit records when successful/unsuccessful attempts to delete security objects occur. | By generating audit records for security object deletions, OpenShift enables administrators and security teams to track and investigate any unauthoriz... |
| V-257579 | | OpenShift must generate audit records when successful/unsuccessful logon attempts occur. | Audit records provide valuable information for security monitoring and intrusion detection. By generating audit logs for logon attempts, OpenShift ena... |
| V-257580 | | Red Hat Enterprise Linux CoreOS (RHCOS) must be configured to audit the loading and unloading of dynamic kernel modules. | By generating audit logs for the loading and unloading of dynamic kernel modules, OpenShift enables administrators and security teams to track and inv... |
| V-257581 | | OpenShift audit records must record user access start and end times. | OpenShift must generate audit records showing start and end times for users and services acting on behalf of a user accessing the registry and keystor... |
| V-257582 | | OpenShift must generate audit records when concurrent logons from different workstations and systems occur. | OpenShift and its components must generate audit records for concurrent logons from workstations performing remote maintenance, runtime instances, connec... |
| V-257584 | | Red Hat Enterprise Linux CoreOS (RHCOS) must disable USB Storage kernel module. | Disabling the USB Storage kernel module helps protect against potential data exfiltration or unauthorized access to sensitive data. USB storage device... |
| V-257585 | | Red Hat Enterprise Linux CoreOS (RHCOS) must use USBGuard for hosts that include a USB Controller. | USBGuard adds an extra layer of security to the overall OpenShift infrastructure. It provides an additional control mechanism to prevent potential sec... |
| V-257586 | | OpenShift must continuously scan components, containers, and images for vulnerabilities. | Finding vulnerabilities quickly within the container platform and within containers deployed within the platform is important to keep the overall plat... |
| V-257587 | | OpenShift must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (nonlegacy use). | Using a FIPS-validated SHA-2 or higher hash function for digital signature generation and verification in OpenShift ensures strong cryptographic secur... |
| V-257516 | | OpenShift must display the Standard Mandatory DOD Notice and Consent Banner before granting access to platform components. | OpenShift has countless components where different access levels are needed. To control access, the user must first log into the component and then be... |
| V-257556 | | OpenShift must display an explicit logout message indicating the reliable termination of authenticated communication sessions. | The OpenShift CLI tool includes an explicit logout option. The web console's default logout will invalidate the user's session token and redirect ba... |
| V-257558 | | Red Hat Enterprise Linux CoreOS (RHCOS) must allocate audit record storage capacity to store at least one weeks' worth of audit records, when audit records are not immediately sent to a central audit record storage facility. | To ensure RHCOS has a sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocate audit record storage... |
| V-257513 | | OpenShift RBAC access controls must be enforced. | Controlling and limiting users access to system services and resources is key to securing the platform and limiting the intentional or unintentional c... |
| V-257519 | | Red Hat Enterprise Linux CoreOS (RHCOS) must initiate session audits at system startup. | Initiating session audits at system startup allows for comprehensive monitoring of user activities and system events from the moment the system is pow... |
| V-257540 | | OpenShift must disable root and terminate network connections. | Direct login as the "root" user must be disabled to prevent unrestricted access and control over the entire system. Terminating an idle session with... |
| V-257543 | | OpenShift must use FIPS-validated LDAP or OpenID Connect. | Passwords need to be protected on entry, in transmission, during authentication, and when stored. If compromised at any of these security points, a ne... |
| V-257546 | | OpenShift must protect the authenticity of communications sessions with the use of FIPS 140-2 or 140-3 validated cryptography. | FIPS compliance is one of the most critical components required in highly secure environments, to ensure that only supported cryptographic technologie... |
| V-257557 | | Container images instantiated by OpenShift must execute using least privileges. | Container images running on OpenShift must support running as any arbitrary UID. OpenShift will then assign a random, nonprivileged UID to the running... |
| V-257583 | | Red Hat Enterprise Linux CoreOS (RHCOS) must disable SSHD service. | Any direct remote access to the RHCOS nodes is not allowed. RHCOS is a single-purpose container operating system and is only supported as a component ... |