OpenShift must continuously scan components, containers, and images for vulnerabilities.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-257586 | CNTR-OS-001060 | SV-257586r961863_rule | CCI-000366 | medium |
| Description | ||||
| Finding vulnerabilities quickly within the container platform and within containers deployed within the platform is important to keep the overall platform secure. When a vulnerability within a component or container is unknown or allowed to remain unpatched, other containers and customers within the platform become vulnerability. The vulnerability can lead to the loss of application data, organizational infrastructure data, and Denial-of-Service (DoS) to hosted applications. Vulnerability scanning can be performed by the container platform or by external applications. | ||||
| STIG | Date | |||
| Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide | 2025-05-15 | |||
Related Frameworks
4 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
CM-6
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.4.1
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000366
1.00
- DISA · 2 · disa_xccdf · related
Details
Check Text (C-257586r961863_chk)
To check if the Container Security Operator is running, execute the following:
oc get deploy -n openshift-operators container-security-operator -ojsonpath='{.status.readyReplicas}'
If this command returns an error or the number 0, and a separate tool is not being used to perform continuous vulnerability scans of components, containers, and container images, this is a finding.
Fix Text (F-61245r921700_fix)
Vulnerability scanning can be performed by the Container Security Operator, Red Hat Advanced Cluster Security (formerly StackRox) or by external applications. Follow instructions from the application vendor if using external tool for vulnerability scanning. To install the Container Security Operator into the cluster, run the following:
oc apply -f - << 'EOF'
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
labels:
operators.coreos.com/container-security-operator.openshift-operators: ''
name: container-security-operator
namespace: openshift-operators
spec:
channel: stable-3.8
installPlanApproval: Automatic
name: container-security-operator
source: redhat-operators
sourceNamespace: openshift-marketplace
EOF