Container Platform Security Requirements Guide

Version

SRG-APP-000091-CTR-000160

Vuln IDs

V-233040

Rule IDs

SV-233040r601617_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-35976r601616_chk

Review the container platform configuration to determine if it is configured to generate audit records when successful/unsuccessful attempts are made to access privileges. If the container platform is not configured to generate audit records on successful/unsuccessful access to privileges, this is a finding.

Fix: F-35944r600608_fix

Configure the container platform to generate audit records when successful/unsuccessful attempts are made to access privileges occur.

b

The container platform must initiate session auditing upon startup.

AU-14 - Medium - CCI-001464 - V-233041 - SV-233041r601871_rule

RMF Control

AU-14

Severity

M

CCI

CCI-001464

Version

SRG-APP-000092-CTR-000165

Vuln IDs

V-233041

Rule IDs

SV-233041r601871_rule

When the container platform is started, container platform components and user services can also be started. It is important that the container platform begin auditing on startup in order to handle container platform startup events along with events for container platform components and services that begin on startup.

Checks: C-35977r601870_chk

Review the container platform configuration for session audits. Ensure audit policy for session logging at startup is enabled. Verify events are written to the log. Validate system documentation is current. If the container platform is not configured to meet this requirement, this is a finding.

Fix: F-35945r600611_fix

Configure the container platform to generate audit logs for session logging at startup. Revise all applicable system documentation.

b

All audit records must identify what type of event has occurred within the container platform.

AU-3 - Medium - CCI-000130 - V-233042 - SV-233042r601621_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000130

Version

SRG-APP-000095-CTR-000170

Vuln IDs

V-233042

Rule IDs

SV-233042r601621_rule

Within the container platform, audit data can be generated from any of the deployed container platform components. This audit data is important when there are issues, such as security incidents, that must be investigated. To make the audit data worthwhile for the investigation of events, it is necessary to know what type of event occurred.

Checks: C-35978r601620_chk

Review the container platform configuration for audit event types. Ensure audit policy for event type is enabled. Verify records showing what type of event occurred are written to the log. Validate system documentation is current. If log data does not show the type of event, this is a finding.

Fix: F-35946r600614_fix

Configure the container platform to include the event type in the log data. Revise all applicable system documentation.

b

The container platform audit records must have a date and time association with all events.

AU-3 - Medium - CCI-000131 - V-233043 - SV-233043r601623_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000131

Version

SRG-APP-000096-CTR-000175

Vuln IDs

V-233043

Rule IDs

SV-233043r601623_rule

Within the container platform, audit data can be generated from any of the deployed container platform components. This audit data is important when there are issues, such as security incidents, that must be investigated. To make the audit data worthwhile for the investigation of events, it is necessary to know when the event occurred. To establish the time of the event, the audit record must contain the date and time.

Checks: C-35979r601622_chk

Review the container platform configuration for audit events date and time. Ensure audit policy for event date and time are enabled. Verify records showing event date and time are included in the log. Validate system documentation is current. If the date and time are not included, this is a finding.

Fix: F-35947r600617_fix

Configure the container platform to include log date and time with the event. Revise all applicable system documentation.

b

All audit records must identify where in the container platform the event occurred.

AU-3 - Medium - CCI-000132 - V-233044 - SV-233044r601625_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000132

Version

SRG-APP-000097-CTR-000180

Vuln IDs

V-233044

Rule IDs

SV-233044r601625_rule

Within the container platform, audit data can be generated from any of the deployed container platform components. This audit data is important when there are issues, such as security incidents, that must be investigated. To make the audit data worthwhile for the investigation of events, it is necessary to know where within the container platform the event occurred.

Checks: C-35980r601624_chk

Review the container platform configuration to determine if all audit records identify where in the container platform the event occurred. Generate audit records and view the audit records to verify that the records do identify where in the container platform the event occurred. If the container platform is not configured to generate audit records that identify where in the container platform the event occurred, or if the generated audit records do not identify where in the container platform the event occurred, this is a finding.

Fix: F-35948r600620_fix

Configure the container platform to generate audit records that identify where in the container platform the event occurred.

b

All audit records must identify the source of the event within the container platform.

AU-3 - Medium - CCI-000133 - V-233045 - SV-233045r601627_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000133

Version

SRG-APP-000098-CTR-000185

Vuln IDs

V-233045

Rule IDs

SV-233045r601627_rule

Audit data is important when there are issues, to include security incidents that must be investigated. Since the audit data may be part of a larger audit system, it is important for the audit data to also include the container platform name for traceability back to the container platform itself and not just the container platform components.

Checks: C-35981r601626_chk

Review container platform audit policy configuration for logons establishing the sources of events. Ensure audit policy is configured to generate sufficient information to resolve the source, e.g., source IP, of the log event. Verify records showing by requesting a user access the container platform and generate log events, and then review the logs to determine if the source of the event can be established. If the source of the event cannot be determined, this is a finding.

Fix: F-35949r600623_fix

Configure the container platform registry, keystore, and runtime to generate the source of each loggable event. Revise all applicable system documentation.

b

All audit records must generate the event results within the container platform.

AU-3 - Medium - CCI-000134 - V-233046 - SV-233046r601629_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000134

Version

SRG-APP-000099-CTR-000190

Vuln IDs

V-233046

Rule IDs

SV-233046r601629_rule

Within the container platform, audit data can be generated from any of the deployed container platform components. This audit data is important when there are issues, such as security incidents, that must be investigated. To make the audit data worthwhile for the investigation of events, it is necessary to know the outcome of the event.

Checks: C-35982r601628_chk

Review the container platform configuration to determine if audit records contain the audit event results. Generate audit records and review the data to validate that the record does contain the event result. If the container platform is not configured to generate audit records with the event result or the audit record does not contain the event result, this is a finding.

Fix: F-35950r600626_fix

Configure the container platform to generate audit records that contain the event result.

b

All audit records must identify any users associated with the event within the container platform.

AU-3 - Medium - CCI-001487 - V-233047 - SV-233047r601631_rule

RMF Control

AU-3

Severity

M

CCI

CCI-001487

Version

SRG-APP-000100-CTR-000195

Vuln IDs

V-233047

Rule IDs

SV-233047r601631_rule

Without information that establishes the identity of the user associated with the events, security personnel cannot determine responsibility for the potentially harmful event.

Checks: C-35983r601630_chk

Review container platform documentation and the log files on the application server to determine if the logs contain information that establishes the identity of the user or process associated with log event data. If the container platform does not produce logs that establish the identity of the user or process associated with log event data, this is a finding.

Fix: F-35951r600629_fix

Configure the container platform logging system to log the identity of the user or process related to the events.

b

All audit records must identify any containers associated with the event within the container platform.

AU-3 - Medium - CCI-001487 - V-233048 - SV-233048r601633_rule

RMF Control

AU-3

Severity

M

CCI

CCI-001487

Version

SRG-APP-000100-CTR-000200

Vuln IDs

V-233048

Rule IDs

SV-233048r601633_rule

Without information that establishes the identity of the containers offering user services or running on behalf of a user within the platform associated with audit events, security personnel cannot determine responsibility for potentially harmful events.

Checks: C-35984r601632_chk

Review the container platform configuration to determine if it is configured to generate audit records that contain the component information that generated the audit record. Generate audit records and review the data to determine if records are generated containing the component information that generated the record. If the container platform is not configured to generate audit records containing the component information or records are generated that do not contain the component information that generated the record, this is a finding.

Fix: F-35952r600632_fix

Configure the container platform to include the component information that generated the audit record.

b

The container platform must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.

AU-3 - Medium - CCI-000135 - V-233049 - SV-233049r601635_rule

RMF Control

AU-3

Severity

M

CCI

CCI-000135

Version

SRG-APP-000101-CTR-000205

Vuln IDs

V-233049

Rule IDs

SV-233049r601635_rule

During an investigation of an incident, it is important to fully understand what took place. Often, information is not part of the audited event due to the data's nature, security risk, or audit log size. Organizations must consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. At a minimum, the organization must audit either full-text recording of privileged commands, or the individual identities of group users, or both.

Checks: C-35985r601634_chk

Review the documentation and deployment configuration to determine if the container platform is configured to generate full-text recording of privileged commands or the individual identities of group users at a minimum. Have a user execute a privileged command and review the log data to validate that the full-text or identity of the individual is being logged. If the container platform is not meeting this requirement, this is a finding.

Fix: F-35953r600635_fix

Configure the container platform to generate the full-text recording of privileged commands, or the individual identities of group users, or both.

b

The container platform must take appropriate action upon an audit failure.

AU-5 - Medium - CCI-000140 - V-233051 - SV-233051r601637_rule

RMF Control

AU-5

Severity

M

CCI

CCI-000140

Version

SRG-APP-000109-CTR-000215

Vuln IDs

V-233051

Rule IDs

SV-233051r601637_rule

It is critical that when the container platform is at risk of failing to process audit logs as required that it take action to mitigate the failure. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. Because availability of the services provided by the container platform, approved actions in response to an audit failure are as follows: (i) If the failure was caused by the lack of audit record storage capacity, the container platform must continue generating audit records if possible (automatically restarting the audit service if necessary), overwriting the oldest audit records in a first-in-first-out manner. (ii) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, the container platform must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.

Checks: C-35987r601636_chk

Review the configuration settings to determine how the container platform components are configured for audit failures. When the audit failure is due to the lack of audit record storage, the container platform must continue generating audit records, restarting services if necessary, and overwrite the oldest audit records in a first-in-first-out manner. If the audit failure is due to a communication to a centralized collection server, the container platform must queue audit records locally until communication is restored or the records are retrieved manually. If the container platform is not configured to handle audit failures appropriately, this is a finding.

Fix: F-35955r601861_fix

Configure the container platform to continue generating audit records overwriting oldest audit records in a first-in-first-out manner when the failure is due to a lack of audit record storage. When the audit failure is due to a communication to a centralized collection server, configure the container platform to queue audit records locally until communication is restored or the records are retrieved manually. If other actions are to be taken for audit record failures, the actions and rationale must be documented in the system security plan and risk acceptance approvals must be obtained.

b

The container platform components must provide the ability to send audit logs to a central enterprise repository for review and analysis.

AU-6 - Medium - CCI-000154 - V-233052 - SV-233052r601639_rule

RMF Control

AU-6

Severity

M

CCI

CCI-000154

Version

SRG-APP-000111-CTR-000220

Vuln IDs

V-233052

Rule IDs

SV-233052r601639_rule

The container platform components must send audit events to a central managed audit log repository to provide reporting, analysis, and alert notification. Incident response relies on successful timely, accurate system analysis in order for the organization to identify and respond to possible security events.

Checks: C-35988r601638_chk

Review the configuration settings to determine if the container platform components are configured to send audit events to central managed audit log repository. If the container platform is not configured to send audit events to central managed audit log repository, this is a finding.

Fix: F-35956r600644_fix

Configure the container platform components to send audit logs to a central managed audit log repository.

b

The container platform must use internal system clocks to generate audit record time stamps.

AU-8 - Medium - CCI-000159 - V-233055 - SV-233055r600654_rule

RMF Control

AU-8

Severity

M

CCI

CCI-000159

Version

SRG-APP-000116-CTR-000235

Vuln IDs

V-233055

Rule IDs

SV-233055r600654_rule

Understanding when and sequence of events for an incident is crucial to understand what may have taken place. Without a common clock, the components generating audit events could be out of synchronization and would then present a picture of the event that is warped and corrupted. To give a clear picture, it is important that the container platform and its components use a common internal clock.

Checks: C-35991r600652_chk

Review the container platform configuration files to determine if the internal system clock is used for time stamps. If the container platform does not use the internal system clock to generate time stamps, this is a finding.

Fix: F-35959r600653_fix

Configure the container platform to use internal system clocks to generate time stamps for log records.

b

The container platform must protect audit information from any type of unauthorized read access.

AU-9 - Medium - CCI-000162 - V-233056 - SV-233056r600657_rule

RMF Control

AU-9

Severity

M

CCI

CCI-000162

Version

SRG-APP-000118-CTR-000240

Vuln IDs

V-233056

Rule IDs

SV-233056r600657_rule

If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. In addition, access to audit records provides information an attacker could potentially use to his or her advantage. To ensure the veracity of audit data, the information system and/or the application must protect audit information from any and all unauthorized access. This includes read, write, and copy access. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Commonly employed methods for protecting audit information include least privilege permissions as well as restricting the location and number of log file repositories. Additionally, applications with user interfaces to audit records should not allow for the unfettered manipulation of or access to those records via the application. If the application provides access to the audit data, the application becomes accountable for ensuring audit information is protected from unauthorized access. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.

Checks: C-35992r600655_chk

Review the container platform configuration to determine where audit information is stored. If the audit information is not protected from any type of unauthorized read access, this is a finding.

Fix: F-35960r600656_fix

Configure the container platform to protect the storage of audit information from unauthorized read access.

b

The container platform must protect audit information from unauthorized modification.

AU-9 - Medium - CCI-000163 - V-233057 - SV-233057r600660_rule

RMF Control

AU-9

Severity

M

CCI

CCI-000163

Version

SRG-APP-000119-CTR-000245

Vuln IDs

V-233057

Rule IDs

SV-233057r600660_rule

If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity would be impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions and limiting log data locations. Applications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights that the user enjoys in order to make access decisions regarding the modification of audit data. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.

Checks: C-35993r600658_chk

Review the container platform configuration to determine where audit information is stored. If the audit log data is not protected from unauthorized modification, this is a finding.

Fix: F-35961r600659_fix

Configure the container platform to protect the storage of audit information from unauthorized modification.

b

The container platform must protect audit information from unauthorized deletion.

AU-9 - Medium - CCI-000164 - V-233058 - SV-233058r600663_rule

RMF Control

AU-9

Severity

M

CCI

CCI-000164

Version

SRG-APP-000120-CTR-000250

Vuln IDs

V-233058

Rule IDs

SV-233058r600663_rule

If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity would be impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include: ensuring log files receive the proper file system permissions utilizing file system protections, restricting access, and backing up log data to ensure log data is retained. Applications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights the user enjoys in order make access decisions regarding the deletion of audit data. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit information may include data from other applications or be included with the audit application itself.

Checks: C-35994r600661_chk

Review the container platform configuration to determine where audit information is stored. If the audit log data is not protected from unauthorized deletion, this is a finding.

Fix: F-35962r600662_fix

Configure the container platform to protect the storage of audit information from unauthorized deletion.

b

The container platform must protect audit tools from unauthorized access.

AU-9 - Medium - CCI-001493 - V-233059 - SV-233059r600666_rule

RMF Control

AU-9

Severity

M

CCI

CCI-001493

Version

SRG-APP-000121-CTR-000255

Vuln IDs

V-233059

Rule IDs

SV-233059r600666_rule

Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Applications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.

Checks: C-35995r600664_chk

Review the container platform to validate container platform audit tools are protected from unauthorized access. If the audit tools are not protected from unauthorized access, this is a finding.

Fix: F-35963r600665_fix

Configure the container platform to protect audit tools from unauthorized access.

b

The container platform must protect audit tools from unauthorized modification.

AU-9 - Medium - CCI-001494 - V-233060 - SV-233060r600669_rule

RMF Control

AU-9

Severity

M

CCI

CCI-001494

Version

SRG-APP-000122-CTR-000260

Vuln IDs

V-233060

Rule IDs

SV-233060r600669_rule

Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Applications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order make access decisions regarding the modification of audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.

Checks: C-35996r600667_chk

Review the container platform to validate container platform audit tools are protected from unauthorized modification. If the audit tools are not protected from unauthorized modification, this is a finding.

Fix: F-35964r600668_fix

Configure the container platform to protect audit tools from unauthorized modification.

b

The container platform must protect audit tools from unauthorized deletion.

AU-9 - Medium - CCI-001495 - V-233061 - SV-233061r600672_rule

RMF Control

AU-9

Severity

M

CCI

CCI-001495

Version

SRG-APP-000123-CTR-000265

Vuln IDs

V-233061

Rule IDs

SV-233061r600672_rule

Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Applications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order make access decisions regarding the deletion of audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.

Checks: C-35997r600670_chk

Review the container platform to validate container platform audit tools are protected from unauthorized deletion. If the audit tools are not protected from unauthorized deletion, this is a finding.

Fix: F-35965r600671_fix

Configure the container platform to protect audit tools from unauthorized deletion.

b

The container platform must use FIPS validated cryptographic mechanisms to protect the integrity of log information.

AU-9 - Medium - CCI-001350 - V-233063 - SV-233063r601693_rule

RMF Control

AU-9

Severity

M

CCI

CCI-001350

Version

SRG-APP-000126-CTR-000275

Vuln IDs

V-233063

Rule IDs

SV-233063r601693_rule

To fully investigate an incident and to have trust in the audit data that is generated, it is important to put in place data protections. Without integrity protections, unauthorized changes may be made to the audit files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. Although digital signatures are one example of protecting integrity, this control is not intended to cause a new cryptographic hash to be generated every time a record is added to a log file. Integrity protections can also be implemented by using cryptographic techniques for security function isolation and file system protections to protect against unauthorized changes.

Checks: C-35999r601673_chk

Review the container platform configuration to determine if FIPS-validated cryptographic mechanisms are being used to protect the integrity of log information. If FIPS-validated cryptographic mechanisms are not being used to protect the integrity of log information, this is a finding.

Fix: F-35967r600677_fix

Configure the container platform to use FIPS-validated cryptographic mechanisms to protect the integrity of log information.

b

The container platform must be built from verified packages.

CM-5 - Medium - CCI-001749 - V-233064 - SV-233064r601695_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001749

Version

SRG-APP-000131-CTR-000280

Vuln IDs

V-233064

Rule IDs

SV-233064r601695_rule

It is important to patch and upgrade the container platform when patches and upgrades are available. More important is to get these patches and upgrades from a known source. To validate the authenticity of any patches and upgrades before installation, the container platform must check that the files are digitally signed by sources approved by the organization.

Checks: C-36000r601694_chk

Review the container platform configuration to verify it has been built from packages that are digitally signed by known and approved sources. If the container platform was built from packages that are not digitally signed or are from unknown or non-approved sources, this is a finding.

Fix: F-35968r600680_fix

Rebuild the container platform from verified packages that are digitally signed by known and approved sources.

b

The container platform must verify container images.

CM-5 - Medium - CCI-001749 - V-233065 - SV-233065r601697_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001749

Version

SRG-APP-000131-CTR-000285

Vuln IDs

V-233065

Rule IDs

SV-233065r601697_rule

The container platform must be capable of validating container images are signed and that the digital signature is from a recognized and approved source approved by the organization. Allowing any container image to be introduced into the registry and instantiated into a container can allow for services to be introduced that are not trusted and may contain malicious code, which introduces unwanted services. These unwanted services can cause harm and security risks to the hosting server, the container platform, other services running within the container platform, and the overall organization.

Checks: C-36001r601696_chk

Review the container platform configuration to determine if container images are verified by enforcing image signing and that the image is signed recognized by an approved source. If container images are not verified or the signature is not verified as a recognized and approved source, this is a finding.

Fix: F-35969r600683_fix

Configure the container platform to verify container images are digitally signed and the signature is from a recognized and approved source.

b

The container platform must limit privileges to the container platform registry.

CM-5 - Medium - CCI-001499 - V-233066 - SV-233066r601699_rule

RMF Control

CM-5

Severity

M

CCI

Version

SRG-APP-000133-CTR-000290

Vuln IDs

V-233066

Rule IDs

SV-233066r601699_rule

To control what is instantiated within the container platform, it is important to control access to the registry. Without this control, container images can be introduced and instantiated by accident or on container platform startup. Without control of the registry, security measures put in place for the runtime can be bypassed meaning the controls of approval and testing are also bypassed. Only those individuals and roles approved by the organization can have access to the container platform registry.

Checks: C-36002r601872_chk

Review the container platform registry configuration to determine if the level of access to the registry is controlled through user privileges. Attempt to perform registry operations to determine if the privileges are enforced. If the container platform registry is not limited through user privileges or the user privileges are not enforced, this is a finding.

Fix: F-35970r600686_fix

Configure the container platform to use and enforce user privileges when accessing the container platform registry.

b

The container platform must limit privileges to the container platform runtime.

CM-5 - Medium - CCI-001499 - V-233067 - SV-233067r601701_rule

RMF Control

CM-5

Severity

M

CCI

Version

SRG-APP-000133-CTR-000295

Vuln IDs

V-233067

Rule IDs

SV-233067r601701_rule

To control what is instantiated within the container platform, it is important to control access to the runtime. Without this control, container platform specific services and customer services can be introduced without receiving approval and going through proper testing. Only those individuals and roles approved by the organization can have access to the container platform runtime.

Checks: C-36003r601700_chk

Review the container platform runtime configuration to determine if the level of access to the runtime is controlled through user privileges. Attempt to perform runtime operations to determine if the privileges are enforced. If the container platform runtime is not limited through user privileges or the user privileges are not enforced, this is a finding.

Fix: F-35971r600689_fix

Configure the container platform to use and enforce user privileges when accessing the container platform runtime.

b

The container platform must limit privileges to the container platform keystore.

CM-5 - Medium - CCI-001499 - V-233068 - SV-233068r601703_rule

RMF Control

CM-5

Severity

M

CCI

Version

SRG-APP-000133-CTR-000300

Vuln IDs

V-233068

Rule IDs

SV-233068r601703_rule

The container platform keystore is used to store credentials used to build a trust between the container platform and some external source. This trust relationship is authorized by the organization. If a malicious user were to have access to the container platform keystore, two negative scenarios could develop: 1) Keys not approved could be introduced and 2) Approved keys deleted, leading to the introduction of container images from sources that were never approved by the organization. To thwart this threat, it is important to protect the container platform keystore and give access to only those individuals and roles approved by the organization.

Checks: C-36004r601873_chk

Review the container platform keystore configuration to determine if the level of access to the keystore is controlled through user privileges. Attempt to perform keystore operations to determine if the privileges are enforced. If the container platform keystore is not limited through user privileges or the user privileges are not enforced, this is a finding.

Fix: F-35972r600692_fix

Configure the container platform to use and enforce user privileges when accessing the container platform keystore.

b

Configuration files for the container platform must be protected.

CM-5 - Medium - CCI-001499 - V-233069 - SV-233069r600696_rule

RMF Control

CM-5

Severity

M

CCI

Version

SRG-APP-000133-CTR-000305

Vuln IDs

V-233069

Rule IDs

SV-233069r600696_rule

The secure configuration of the container platform must be protected by disallowing changes to be implemented by non-privileged users. Changes to the container platform can introduce security risks or stability issues and undermine change management procedures. Securing configuration files from non-privileged user modification can be enforced using file ownership and permissions.

Checks: C-36005r600694_chk

Review the container platform to verify that configuration files cannot be modified by non-privileged users. If non-privileged users can modify configuration files, this is a finding.

Fix: F-35973r600695_fix

Configure the container platform to only allow configuration modifications by privileged users.

b

Authentication files for the container platform must be protected.

CM-5 - Medium - CCI-001499 - V-233070 - SV-233070r600699_rule

RMF Control

CM-5

Severity

M

CCI

Version

SRG-APP-000133-CTR-000310

Vuln IDs

V-233070

Rule IDs

SV-233070r600699_rule

The secure configuration of the container platform must be protected by disallowing changing to be implemented by non-privileged users. Changes to the container platform can introduce security risks and stability issues and undermine change management procedures. To secure authentication files from non-privileged user modification can be enforced using file ownership and permissions. Examples of authentication files are keys, certificates, and tokens.

Checks: C-36006r600697_chk

Review the container platform to verify that authentication files cannot be modified by non-privileged users. If non-privileged users can modify key and certificate files, this is a finding.

Fix: F-35974r600698_fix

Configure the container platform to only allow authentication file modifications by privileged users.

b

The container platform must be configured with only essential configurations.

CM-7 - Medium - CCI-000381 - V-233071 - SV-233071r600702_rule

RMF Control

CM-7

Severity

M

CCI

CCI-000381

Version

SRG-APP-000141-CTR-000315

Vuln IDs

V-233071

Rule IDs

SV-233071r600702_rule

The container platform can be built with components that are not used for the intended purpose of the organization. To limit the attack surface of the container platform, it is essential that the non-essential services are not installed.

Checks: C-36007r600700_chk

Review the container platform configuration and verify that only those components needed for operation are installed. If components are installed that are not used for the intended purpose of the organization, this is a finding.

Fix: F-35975r600701_fix

Identify the role the container platform is intended to play in the production environment and remove any components that are not needed or used for the intended purpose.

b

The container platform registry must contain only container images for those capabilities being offered by the container platform.

CM-7 - Medium - CCI-000381 - V-233072 - SV-233072r600705_rule

RMF Control

CM-7

Severity

M

CCI

CCI-000381

Version

SRG-APP-000141-CTR-000320

Vuln IDs

V-233072

Rule IDs

SV-233072r600705_rule

Allowing container images to reside within the container platform registry that are not essential to the capabilities being offered by the container platform becomes a potential security risk. By allowing these non-essential container images to exist, the possibility for accidental instantiation exists. The images may be unpatched, not supported, or offer non-approved capabilities. Those images for customer services are considered essential capabilities.

Checks: C-36008r600703_chk

Review the container platform registry and the container images being stored. If container images are stored in the registry and are not being used to offer container platform capabilities, this is a finding.

Fix: F-35976r600704_fix

Remove all container images from the container platform registry that are not being used or contain features and functions not supported by the platform.

b

The container platform runtime must enforce ports, protocols, and services that adhere to the PPSM CAL.

CM-7 - Medium - CCI-000382 - V-233073 - SV-233073r601892_rule

RMF Control

CM-7

Severity

M

CCI

CCI-000382

Version

SRG-APP-000142-CTR-000325

Vuln IDs

V-233073

Rule IDs

SV-233073r601892_rule

Ports, protocols, and services within the container platform runtime must be controlled and conform to the PPSM CAL. Those ports, protocols, and services that fall outside the PPSM CAL must be blocked by the runtime. Instructions on the PPSM can be found in DoD Instruction 8551.01 Policy.

Checks: C-36009r601891_chk

Review the container platform documentation and deployment configuration to determine which ports and protocols are enabled. Verify the ports and protocols being used are not prohibited by PPSM CAL in accordance to DoD Instruction 8551.01 Policy and are necessary for the operations and applications. If any of the ports or protocols is prohibited or not necessary for the operation, this is a finding.

Fix: F-35977r600707_fix

Configure the container platform to disable any ports or protocols that are prohibited by the PPSM CAL and not necessary for the operation.

b

The container platform runtime must enforce the use of ports that are non-privileged.

CM-7 - Medium - CCI-000382 - V-233074 - SV-233074r601707_rule

RMF Control

CM-7

Severity

M

CCI

CCI-000382

Version

SRG-APP-000142-CTR-000330

Vuln IDs

V-233074

Rule IDs

SV-233074r601707_rule

Privileged ports are those ports below 1024 and that require system privileges for their use. If containers are able to use these ports, the container must be run as a privileged user. The container platform must stop containers that try to map to these ports directly. Allowing non-privileged ports to be mapped to the container-privileged port is the allowable method when a certain port is needed. An example is mapping port 8080 externally to port 80 in the container.

Checks: C-36010r601706_chk

Review the container platform configuration and the containers within the platform by performing the following checks: 1. Verify the container platform is configured to disallow the use of privileged ports by containers. 2. Validate all containers within the container platform are using non-privileged ports. 3. Attempt to instantiate a container image that uses a privileged port. If the container platform is not configured to disallow the use of privileged ports, this is a finding. If the container platform has containers using privileged ports, this is a finding. If the container platform allows containers to be instantiated that use privileged ports, this is a finding.

Fix: F-35978r600710_fix

Configure the container platform to disallow the use of privileged ports by containers. Move any containers that are using privileged ports to non-privileged ports.

b

The container platform must uniquely identify and authenticate users.

IA-2 - Medium - CCI-000764 - V-233075 - SV-233075r600714_rule

RMF Control

IA-2

Severity

M

CCI

Version

SRG-APP-000148-CTR-000335

Vuln IDs

V-233075

Rule IDs

SV-233075r600714_rule

The container platform requires user accounts to perform container platform tasks. These tasks may pertain to the overall container platform or may be component-specific, thus requiring users to authenticate against those specific components. To ensure accountability and prevent unauthenticated access, users must be identified and authenticated to prevent potential misuse and compromise of the system.

Checks: C-36011r600712_chk

Review the container platform configuration to determine if users are uniquely identified and authenticated. If users are not uniquely identified or are not authenticated, this is a finding.

Fix: F-35979r600713_fix

Configure the container platform to uniquely identify and authenticate users.

b

The container platform application program interface (API) must uniquely identify and authenticate users.

IA-2 - Medium - CCI-000764 - V-233076 - SV-233076r600717_rule

RMF Control

IA-2

Severity

M

CCI

Version

SRG-APP-000148-CTR-000340

Vuln IDs

V-233076

Rule IDs

SV-233076r600717_rule

The container platform requires user accounts to perform container platform tasks. These tasks are often performed through the container platform API. Protecting the API from users who are not authorized or authenticated is essential to keep the container platform stable. Protection of platform and application data and enhances the protections put in place for Denial-of Service (DoS) attacks.

Checks: C-36012r600715_chk

Review the container platform configuration to determine if users are uniquely identified and authenticated before the API is executed. If users are not uniquely identified or are not authenticated, this is a finding.

Fix: F-35980r600716_fix

Configure the container platform to uniquely identify and authenticate users before container platform API access.

b

The container platform must uniquely identify and authenticate processes acting on behalf of the users.

IA-2 - Medium - CCI-000764 - V-233077 - SV-233077r600720_rule

RMF Control

IA-2

Severity

M

CCI

Version

SRG-APP-000148-CTR-000345

Vuln IDs

V-233077

Rule IDs

SV-233077r600720_rule

The container platform will instantiate a container image and use the user privileges given to the user used to execute the container. To ensure accountability and prevent unauthenticated access to containers, the user the container is using to execute must be uniquely identified and authenticated to prevent potential misuse and compromise of the system.

Checks: C-36013r600718_chk

Review the container platform configuration to determine if processes acting on behalf of users are uniquely identified and authenticated. If processes acting on behalf of users are not uniquely identified or are not authenticated, this is a finding.

Fix: F-35981r600719_fix

Configure the container platform to uniquely identify and authenticate processes acting on behalf of users.

b

The container platform application program interface (API) must uniquely identify and authenticate processes acting on behalf of the users.

IA-2 - Medium - CCI-000764 - V-233078 - SV-233078r601709_rule

RMF Control

IA-2

Severity

M

CCI

Version

SRG-APP-000148-CTR-000350

Vuln IDs

V-233078

Rule IDs

SV-233078r601709_rule

The container platform API can be used to perform any task within the platform. Often, the API is used to create tasks that perform some kind of maintenance task and run without user interaction. To guarantee the task is authorized, it is important to authenticate the task. These tasks, even though executed without user intervention, run on behalf of a user and must run with the user's authorization. If tasks are allowed to be created without authentication, users could bypass authentication and authorization mechanisms put in place for user interfaces. This could lead to users gaining greater access than given to the user putting the container platform into a compromised state.

Checks: C-36014r601708_chk

Review the container platform API configuration to determine if processes acting on behalf of users are uniquely identified and authenticated. If processes acting on behalf of users are not uniquely identified or are not authenticated, this is a finding.

Fix: F-35982r600722_fix

Configure the container platform API to uniquely identify and authenticate processes acting on behalf of users.

b

The container platform must use multifactor authentication for network access to privileged accounts.

IA-2 - Medium - CCI-000765 - V-233079 - SV-233079r601711_rule

RMF Control

IA-2

Severity

M

CCI

CCI-000765

Version

SRG-APP-000149-CTR-000355

Vuln IDs

V-233079

Rule IDs

SV-233079r601711_rule

Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. Factors include: (i) something a user knows (e.g., password/PIN); (ii) something a user has (e.g., cryptographic identification device, token); or (iii) something a user is (e.g., biometric). A privileged account is defined as an information system account with authorizations of a privileged user. Network access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, or the internet).

Checks: C-36015r601710_chk

Review the container platform configuration to determine if the container platform is configured to use multifactor authentication for network access to privileged accounts. If the container platform does not use multifactor authentication for network access to privileged accounts, this is a finding.

Fix: F-35983r600725_fix

Configure the container platform to use multifactor authentication for network access to privileged accounts.

b

The container platform must use multifactor authentication for network access to non-privileged accounts.

IA-2 - Medium - CCI-000766 - V-233080 - SV-233080r601713_rule

RMF Control

IA-2

Severity

M

CCI

CCI-000766

Version

SRG-APP-000150-CTR-000360

Vuln IDs

V-233080

Rule IDs

SV-233080r601713_rule

To ensure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication uses two or more factors to achieve authentication. Factors include: (i) Something you know (e.g., password/PIN); (ii) Something you have (e.g., cryptographic identification device, token); or (iii) Something you are (e.g., biometric). A non-privileged account is any information system account with authorizations of a non-privileged user. Network access is any access to an application by a user (or process acting on behalf of a user) where said access is obtained through a network connection. Applications integrating with the DoD Active Directory and utilize the DoD CAC are examples of compliant multifactor authentication solutions.

Checks: C-36016r601712_chk

Review the container platform configuration to determine if the container platform is configured to use multifactor authentication for network access to non-privileged accounts. If the container platform does not use multifactor authentication for network access to non-privileged accounts, this is a finding.

Fix: F-35984r600728_fix

Configure the container platform to use multifactor authentication for network access to non-privileged accounts.

b

The container platform must use multifactor authentication for local access to privileged accounts.

IA-2 - Medium - CCI-000767 - V-233081 - SV-233081r600732_rule

RMF Control

IA-2

Severity

M

CCI

CCI-000767

Version

SRG-APP-000151-CTR-000365

Vuln IDs

V-233081

Rule IDs

SV-233081r600732_rule

To ensure accountability and prevent unauthenticated access, privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication is defined as using two or more factors to achieve authentication. Factors include: (i) Something a user knows (e.g., password/PIN); (ii) Something a user has (e.g., cryptographic identification device, token); or (iii) Something a user is (e.g., biometric). A privileged account is defined as an information system account with authorizations of a privileged user. Local access is defined as access to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.

Checks: C-36017r600730_chk

Review the container platform configuration to determine if multifactor authentication is used for local access to privileged accounts. If multifactor authentication for local access to privileged accounts is not being used, this is a finding.

Fix: F-35985r600731_fix

Configure the container platform to use multifactor authentication for local access to privileged accounts.

b

The container platform must use multifactor authentication for local access to non-privileged accounts.

IA-2 - Medium - CCI-000768 - V-233082 - SV-233082r600735_rule

RMF Control

IA-2

Severity

M

CCI

CCI-000768

Version

SRG-APP-000152-CTR-000370

Vuln IDs

V-233082

Rule IDs

SV-233082r600735_rule

To ensure accountability, prevent unauthenticated access, and prevent misuse of the system, non-privileged users must utilize multi-factor authentication for local access. Multifactor authentication is defined as using two or more factors to achieve authentication. Factors include: (i) Something a user knows (e.g., password/PIN); (ii) Something a user has (e.g., cryptographic identification device, token); or (iii) Something a user is (e.g., biometric). A non-privileged account is defined as an information system account with authorizations of a regular or non-privileged user. Local access is defined as access to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.

Checks: C-36018r600733_chk

Review the container platform configuration to determine if multifactor authentication is used for local access to non-privileged accounts. If multifactor authentication for local access to non-privileged accounts is not being used, this is a finding.

Fix: F-35986r600734_fix

Configure the container platform to use multifactor authentication for local access to non-privileged accounts.

b

The container platform must ensure users are authenticated with an individual authenticator prior to using a group authenticator.

IA-2 - Medium - CCI-000770 - V-233083 - SV-233083r601715_rule

RMF Control

IA-2

Severity

M

CCI

CCI-000770

Version

SRG-APP-000153-CTR-000375

Vuln IDs

V-233083

Rule IDs

SV-233083r601715_rule

To ensure individual accountability and prevent unauthorized access, application users must be individually identified and authenticated. Individual accountability mandates that each user be uniquely identified. A group authenticator is a shared account or some other form of authentication that allows multiple unique individuals to access the application using a single account. If an application allows or provides for group authenticators, it must first individually authenticate users prior to implementing group authenticator functionality. Some applications may not need to provide a group authenticator; this is considered a matter of application design. In those instances where the application design includes the use of a group authenticator, this requirement will apply. There may also be instances when specific user actions need to be performed on the information system without unique user identification or authentication. An example of this type of access is a web server, which contains publicly releasable information.

Checks: C-36019r601714_chk

Review the container platform configuration to determine if the container platform is configured to ensure users are authenticated with an individual authenticator prior to using a group authenticator. If the container platform is not configured to ensure users are authenticated with an individual authenticator prior to using a group authenticator, this is a finding.

Fix: F-35987r600737_fix

Configure the container platform to ensure users are authenticated with an individual authenticator prior to using a group authenticator.

b

The container platform must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.

IA-2 - Medium - CCI-001941 - V-233084 - SV-233084r601717_rule

RMF Control

IA-2

Severity

M

CCI

CCI-001941

Version

SRG-APP-000156-CTR-000380

Vuln IDs

V-233084

Rule IDs

SV-233084r601717_rule

A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. Anti-replay is a cryptographically based mechanism; thus, it must use FIPS-approved algorithms. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Note that the anti-replay service is implicit when data contains monotonically increasing sequence numbers and data integrity is assured. Use of DoD PKI is inherently compliant with this requirement for user and device access. Use of Transport Layer Security (TLS), including application protocols such as HTTPS and DNSSEC, that use TLS/SSL as the underlying security protocol is also compliant. Configure the information system to use the hash message authentication code (HMAC) algorithm for authentication services to Kerberos, SSH, web management tool, and any other access method.

Checks: C-36020r601716_chk

Review the container platform configuration to determine if the container platform is configured to use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts. If the container platform is not configured to use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts, this is a finding.

Fix: F-35988r600740_fix

Configure the container platform to use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.

b

The container platform must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.

IA-2 - Medium - CCI-001942 - V-233085 - SV-233085r601719_rule

RMF Control

IA-2

Severity

M

CCI

CCI-001942

Version

SRG-APP-000157-CTR-000385

Vuln IDs

V-233085

Rule IDs

SV-233085r601719_rule

A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. A non-privileged account is any operating system account with authorizations of a non-privileged user. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.

Checks: C-36021r601718_chk

Review the container platform configuration to determine if the container platform is configured to provide replay-resistant authentication mechanisms for network access to non-privileged accounts. If the container platform is not configured to provide replay-resistant authentication mechanisms for network access to non-privileged accounts, this is a finding.

Fix: F-35989r600743_fix

Configure the container platform to provide replay-resistant authentication mechanisms for network access to non-privileged accounts.

b

The container platform must uniquely identify all network-connected nodes before establishing any connection.

IA-3 - Medium - CCI-000778 - V-233086 - SV-233086r601721_rule

RMF Control

IA-3

Severity

M

CCI

CCI-000778

Version

SRG-APP-000158-CTR-000390

Vuln IDs

V-233086

Rule IDs

SV-233086r601721_rule

A container platform usually consists of multiple nodes. It is important for these nodes to be uniquely identified before a connection is allowed. Without identifying the nodes, unidentified or unknown nodes may be introduced, thereby facilitating malicious activity.

Checks: C-36022r601720_chk

Review the container platform configuration to determine if the container platform uniquely identifies all nodes before establishing a connection. If the container platform is not configured to uniquely identify all nodes before establishing the connection, this is a finding.

Fix: F-35990r600746_fix

Configure the container platform to uniquely identify all nodes before establishing the connection.

b

The container platform must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.

IA-4 - Medium - CCI-000795 - V-233087 - SV-233087r601723_rule

RMF Control

IA-4

Severity

M

CCI

CCI-000795

Version

SRG-APP-000163-CTR-000395

Vuln IDs

V-233087

Rule IDs

SV-233087r601723_rule

Inactive identifiers pose a risk to systems and applications. Attackers that are able to exploit an inactive identifier can potentially obtain and maintain undetected access to the application. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Applications need to track periods of inactivity and disable application identifiers after 35 days of inactivity. Management of user identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). It is commonly the case that a user account is the name of an information system account associated with an individual. To avoid having to build complex user management capabilities directly into their application, wise developers leverage the underlying OS or other user account management infrastructure (AD, LDAP) that is already in place within the organization and meets organizational user account management requirements.

Checks: C-36023r601722_chk

Review the container platform configuration to determine if the container platform is configured to disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. If identifiers are not disabled after 35 days of inactivity, this is a finding.

Fix: F-35991r600749_fix

Configure the container platform to disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.

b

The container platform must enforce a minimum 15-character password length.

IA-5 - Medium - CCI-000205 - V-233088 - SV-233088r600753_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000205

Version

SRG-APP-000164-CTR-000400

Vuln IDs

V-233088

Rule IDs

SV-233088r600753_rule

The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

Checks: C-36024r600751_chk

Review the container platform configuration to determine if the container platform enforces a minimum 15-character password length. If the container platform does not enforce a 15-character password length, this is a finding.

Fix: F-35992r600752_fix

Configure the container platform to enforce a minimum 15-character password length.

b

The container platform must prohibit password reuse for a minimum of 10 generations.

IA-5 - Medium - CCI-000200 - V-233089 - SV-233089r600756_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000200

Version

SRG-APP-000165-CTR-000405

Vuln IDs

V-233089

Rule IDs

SV-233089r600756_rule

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To meet password policy requirements, passwords need to be changed at specific policy-based intervals. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the result is a password that is not changed as per policy requirements. The references for this check are: NIST SP 800-53 :: IA-5 (1) (e) NIST SP 800-53A :: IA-5 (1).1 (v) NIST SP 800-53 Revision 4 :: IA-5 (1) CNSS 1253

Checks: C-36025r600754_chk

Review the container platform configuration to determine if it prohibits password reuse for a minimum of five generations. If the container platform does not prohibit password reuse for a minimum of five generations, this is a finding.

Fix: F-35993r600755_fix

Configure the container platform to prohibit password reuse for a minimum of five generations.

b

The container platform must enforce password complexity by requiring that at least one uppercase character be used.

IA-5 - Medium - CCI-000192 - V-233090 - SV-233090r601725_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000192

Version

SRG-APP-000166-CTR-000410

Vuln IDs

V-233090

Rule IDs

SV-233090r601725_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.

Checks: C-36026r601724_chk

Review the container platform configuration to determine if it enforces password complexity by requiring that at least one uppercase character be used. If the container platform does not enforce password complexity by requiring that at least one uppercase character be used, this is a finding.

Fix: F-35994r600758_fix

Configure the container platform to enforce password complexity by requiring that at least one uppercase character be used.

b

The container platform must enforce password complexity by requiring that at least one lowercase character be used.

IA-5 - Medium - CCI-000193 - V-233091 - SV-233091r601727_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000193

Version

SRG-APP-000167-CTR-000415

Vuln IDs

V-233091

Rule IDs

SV-233091r601727_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Checks: C-36027r601726_chk

Review the container platform configuration to determine if it enforces password complexity by requiring that at least one lowercase character be used. If the container platform does not enforce password complexity by requiring that at least one lowercase character be used, this is a finding.

Fix: F-35995r600761_fix

Configure the container platform to enforce password complexity by requiring that at least one lowercase character be used.

b

The container platform must enforce password complexity by requiring that at least one numeric character be used.

IA-5 - Medium - CCI-000194 - V-233092 - SV-233092r601729_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000194

Version

SRG-APP-000168-CTR-000420

Vuln IDs

V-233092

Rule IDs

SV-233092r601729_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Checks: C-36028r601728_chk

Review the container platform configuration to determine if it enforces password complexity by requiring that at least one numeric character be used. If the container platform does not enforce password complexity by requiring that at least one numeric character be used, this is a finding.

Fix: F-35996r600764_fix

Configure the container platform to enforce password complexity by requiring that at least one numeric character be used.

b

The container platform must enforce password complexity by requiring that at least one special character be used.

IA-5 - Medium - CCI-001619 - V-233093 - SV-233093r601731_rule

RMF Control

IA-5

Severity

M

CCI

CCI-001619

Version

SRG-APP-000169-CTR-000425

Vuln IDs

V-233093

Rule IDs

SV-233093r601731_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Special characters are those characters that are not alphanumeric. Examples include ~ ! @ # $ % ^ *.

Checks: C-36029r601730_chk

Review the container platform configuration to determine if it enforces password complexity by requiring that at least one special character be used. If the container platform does not enforce password complexity by requiring that at least one special character be used, this is a finding.

Fix: F-35997r600767_fix

Configure the container platform to enforce password complexity by requiring that at least one special character be used.

b

The container platform must require the change of at least 15 of the total number of characters when passwords are changed.

IA-5 - Medium - CCI-000195 - V-233094 - SV-233094r601733_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000195

Version

SRG-APP-000170-CTR-000430

Vuln IDs

V-233094

Rule IDs

SV-233094r601733_rule

If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.

Checks: C-36030r601732_chk

Review the container platform configuration to determine if it requires the change of at least 15 of the total number of characters when passwords are changed. If the container platform does not require the change of at least 15 of the total number of characters when passwords are changed, this is a finding.

Fix: F-35998r600770_fix

Configure the container platform to require the change of at least 15 of the total number of characters when passwords are changed.

b

For container platform using password authentication, the application must store only cryptographic representations of passwords.

IA-5 - Medium - CCI-000196 - V-233095 - SV-233095r601735_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000196

Version

SRG-APP-000171-CTR-000435

Vuln IDs

V-233095

Rule IDs

SV-233095r601735_rule

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read and easily compromised. Use of passwords for authentication is intended only for limited situations and should not be used as a replacement for two-factor CAC-enabled authentication. Examples of situations where a user ID and password might be used include: - When the user does not use a CAC and is not a current DoD employee, member of the military, or DoD contractor. - When a user has been officially designated as temporarily unable to present a CAC for some reason (lost, damaged, not yet issued, broken card reader) (i.e., Temporary Exception User) and to satisfy urgent organizational needs must be temporarily permitted to use user ID/password authentication until the problem with CAC use has been remedied. - When the application is publicly available and or hosting publicly releasable data requiring some degree of need-to-know protection. If the password is already encrypted and not a plaintext password, this meets this requirement. Implementation of this requirement requires configuration of FIPS-approved cipher block algorithm and block cipher modes for encryption. This method uses a one-way hashing encryption algorithm with a salt value to validate a user's password without having to store the actual password. Performance and time required to access are factors that must be considered, and the one-way hash is the most feasible means of securing the password and providing an acceptable measure of password security. Verifying the user knows a password is performed using a password verifier. In its simplest form, a password verifier is a computational function that is capable of creating a hash of a password and determining if the value provided by the user matches the hash. A more secure version of verifying a user knowing a password is to store the result of an iterating hash function and a large random salt value as follows: H0 = H(pwd, H(salt)) Hn = H(Hn-1,H(salt)) In the above, "n" is a cryptographically-strong random [*3] number. "Hn" is stored along with the salt. When the application wishes to verify that the user knows a password, it simply repeats the process and compares "Hn" with the stored "Hn". A salt is essentially a fixed-length cryptographically strong random value. Another method is using a keyed-hash message authentication code (HMAC). HMAC calculates a message authentication code via a cryptographic hash function used in conjunction with an encryption key. The key must be protected as with any private key. This requirement applies to all accounts including authentication server, AAA, and local account, including the root account and the account of last resort.

Checks: C-36031r601734_chk

Review the container platform configuration to determine if it using password authentication and stores only cryptographic representations of the passwords. If the container platform is using password authentication and does not store only cryptographic representations of passwords, this is a finding.

Fix: F-35999r600773_fix

Configure the container platform to store only cryptographic representations of passwords if passwords are being used for authentication.

c

For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.

IA-5 - High - CCI-000197 - V-233096 - SV-233096r600777_rule

RMF Control

IA-5

Severity

H

CCI

CCI-000197

Version

SRG-APP-000172-CTR-000440

Vuln IDs

V-233096

Rule IDs

SV-233096r600777_rule

Passwords need to be protected on entry, in transmission, during authentication, and when stored. If compromised at any of these security points, a nefarious user can use the password along with stolen user account information to gain access or to escalate privileges. The container platform may require account authentication during container platform tasks and before accessing container platform components, e.g. runtime, registry, and keystore. During any user authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.

Checks: C-36032r600775_chk

Review the documentation and configuration to determine if the container platform enforces the required FIPS-validated encrypt passwords when they are transmitted. If the container platform is not configured to meet this requirement, this is a finding.

Fix: F-36000r600776_fix

Configure the container platform to transmit only encrypted FIPS-validated SHA-2 or later representations of passwords.

b

The container platform must enforce 24 hours (one day) as the minimum password lifetime.

IA-5 - Medium - CCI-000198 - V-233097 - SV-233097r600780_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000198

Version

SRG-APP-000173-CTR-000445

Vuln IDs

V-233097

Rule IDs

SV-233097r600780_rule

Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. Restricting this setting limits the user's ability to change their password. Passwords need to be changed at specific policy-based intervals; however, if the application allows the user to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Checks: C-36033r600778_chk

Review the container platform configuration to determine if it enforces 24 hours/1 day as the minimum password lifetime. If the container platform does not enforce 24 hours/1 day as the minimum password lifetime, this is a finding.

Fix: F-36001r600779_fix

Configure the container platform to enforce 24 hours/1 day as the minimum password lifetime.

b

The container platform must enforce a 60-day maximum password lifetime restriction.

IA-5 - Medium - CCI-000199 - V-233098 - SV-233098r600783_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000199

Version

SRG-APP-000174-CTR-000450

Vuln IDs

V-233098

Rule IDs

SV-233098r600783_rule

Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. One method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the system and/or application passwords could be compromised. This requirement does not include emergency administration accounts that are meant for access to the application in case of failure. These accounts are not required to have maximum password lifetime restrictions.

Checks: C-36034r600781_chk

Review the container platform configuration to determine if it enforces a 60-day maximum password lifetime restriction. If the container platform does not enforce a 60-day maximum password lifetime restriction, this is a finding.

Fix: F-36002r600782_fix

Configure the container platform to enforce a 60-day maximum password lifetime restriction.

b

The container platform must map the authenticated identity to the individual user or group account for PKI-based authentication.

IA-5 - Medium - CCI-000187 - V-233101 - SV-233101r600792_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000187

Version

SRG-APP-000177-CTR-000465

Vuln IDs

V-233101

Rule IDs

SV-233101r600792_rule

The container platform and its components may require authentication before use. When the authentication is PKI-based, the container platform or component must map the certificate to a user account. If the certificate is not mapped to a user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.

Checks: C-36037r600790_chk

Review documentation and configuration to ensure the container platform provides a PKI integration capability that meets DoD PKI infrastructure requirements. If the container platform is not configured to meet this requirement, this is a finding.

Fix: F-36005r600791_fix

Configure the container platform to utilize the DoD Enterprise PKI infrastructure.

b

The container platform must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

IA-6 - Medium - CCI-000206 - V-233102 - SV-233102r601737_rule

RMF Control

IA-6

Severity

M

CCI

CCI-000206

Version

SRG-APP-000178-CTR-000470

Vuln IDs

V-233102

Rule IDs

SV-233102r601737_rule

To prevent the compromise of authentication information such as passwords during the authentication process, the feedback from the container platform and its components, e.g., runtime, registry, and keystore, must not provide any information that would allow an unauthorized user to compromise the authentication mechanism. Obfuscation of user-provided information when typed is a method used in addressing this risk. Displaying asterisks when a user types in a password is an example of obscuring feedback of authentication information.

Checks: C-36038r601736_chk

Review container platform documentation and configuration to determine if any interfaces that are provided for authentication purposes display the user's password when it is typed into the data entry field. If authentication information is not obfuscated when entered, this is a finding.

Fix: F-36006r600794_fix

Configure the container platform to obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

b

The container platform must provide an audit reduction capability that supports on-demand reporting requirements.

AU-7 - Medium - CCI-001876 - V-233105 - SV-233105r601739_rule

RMF Control

AU-7

Severity

M

CCI

CCI-001876

Version

SRG-APP-000181-CTR-000485

Vuln IDs

V-233105

Rule IDs

SV-233105r601739_rule

The ability to generate on-demand reports, including after the audit data has been subjected to audit reduction, greatly facilitates the organization's ability to generate incident reports as needed to better handle larger-scale or more complex security incidents. Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. The report generation capability provided by the application must support on-demand (i.e., customizable, ad hoc, and as-needed) reports. This requirement is specific to applications with audit reduction capabilities; however, applications need to support on-demand audit review and analysis.

Checks: C-36041r601738_chk

Review the container platform configuration to determine if the container platform is configured to provide an audit reduction capability that supports on-demand reporting requirements. If the container platform is not configured to support on-demand reporting requirements, this is a finding.

Fix: F-36009r600803_fix

Configure the container platform to support on-demand reporting requirements.

b

The container platform must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions.

MA-4 - Medium - CCI-000877 - V-233106 - SV-233106r601741_rule

RMF Control

MA-4

Severity

M

CCI

CCI-000877

Version

SRG-APP-000185-CTR-000490

Vuln IDs

V-233106

Rule IDs

SV-233106r601741_rule

If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability to access sensitive application information, such as, system configuration details, diagnostic information, user information, and potentially sensitive application data. Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch).

Checks: C-36042r601740_chk

Review the container platform configuration to determine if the container platform is configured to employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions. If the container platform is not configured to employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions, this is a finding.

Fix: F-36010r600806_fix

Configure the container platform to employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions.

b

The application must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity;

SC-10 - Medium - CCI-001133 - V-233108 - SV-233108r754792_rule

RMF Control

SC-10

Severity

M

CCI

CCI-001133

Version

SRG-APP-000190-CTR-000500

Vuln IDs

V-233108

Rule IDs

SV-233108r754792_rule

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system level network connection. This does not mean that the application terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.

Checks: C-36044r600811_chk

This requirement is NA for this technology.

Fix: F-36012r600812_fix

The requirement is NA. No fix is required.

b

The container platform must separate user functionality (including user interface services) from information system management functionality.

SC-2 - Medium - CCI-001082 - V-233114 - SV-233114r601743_rule

RMF Control

SC-2

Severity

M

CCI

CCI-001082

Version

SRG-APP-000211-CTR-000530

Vuln IDs

V-233114

Rule IDs

SV-233114r601743_rule

Separating user functionality from management functionality is a requirement for all the components within the container platform. Without the separation, users may have access to management functions that can degrade the container platform and the services being offered and can offer a method to bypass testing and validation of functions before introduced into a production environment. The separation should be enforced by each component within the container platform.

Checks: C-36050r601742_chk

Review the container platform configuration to determine if management functionality is separated from user functionality. Validate that the separation is also implemented within the components by trying to execute management functions for each component as a user. If the container platform is not configured to separate management and user functionality or if component management and user functionality are not separated, this is a finding.

Fix: F-36018r600830_fix

Configure the container platform and its components to separate management and user functionality.

c

The container platform must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules.

SC-23 - High - CCI-001184 - V-233118 - SV-233118r601745_rule

RMF Control

SC-23

Severity

H

CCI

CCI-001184

Version

SRG-APP-000219-CTR-000550

Vuln IDs

V-233118

Rule IDs

SV-233118r601745_rule

The container platform is responsible for pulling images from trusted sources and placing those images into its registry. To protect the transmission of images, the container platform must use FIPS-validated 140-2 or 140-3 cryptographic modules. This added protection defends against main-in-the-middle attacks where malicious code could be added to an image during transmission.

Checks: C-36054r601744_chk

Review the container platform configuration to determine if FIPS-validated 140-2 or 140-3 cryptographic modules are being used to protect container images during transmission. If FIPS-validated 140-2 or 140-3 cryptographic modules are not being use, this is a finding.

Fix: F-36022r600842_fix

Configure the container platform to use FIPS-validated 140-2 or 140-3 cryptographic modules to protect container images during transmission.

b

The container platform runtime must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.

SC-24 - Medium - CCI-001190 - V-233122 - SV-233122r601749_rule

RMF Control

SC-24

Severity

M

CCI

CCI-001190

Version

SRG-APP-000225-CTR-000570

Vuln IDs

V-233122

Rule IDs

SV-233122r601749_rule

The container platform offers services for container image orchestration and services for users. If any of these services were to fail into an insecure state, security measures for user and data separation and image instantiation could become absent. In addition, audit log protections could be relaxed allowing for investigation of what occurred could be lost. To protect services and data, it is important for the container platform to fail to a secure state if the container platform registry initialization fails, shutdown fails, or aborts fail.

Checks: C-36058r601746_chk

Review documentation and configuration to determine if the container platform runtime fails to a secure state if system initialization fails, shutdown fails, or aborts fail. If the container platform runtime cannot be configured to fail securely, this is a finding.

Fix: F-36026r600854_fix

Configure the container platform runtime to fail to a secure state if system initialization fails, shutdown fails, or aborts fail.

b

The container platform must preserve any information necessary to determine the cause of the disruption or failure.

SC-24 - Medium - CCI-001665 - V-233123 - SV-233123r600858_rule

RMF Control

SC-24

Severity

M

CCI

CCI-001665

Version

SRG-APP-000226-CTR-000575

Vuln IDs

V-233123

Rule IDs

SV-233123r600858_rule

When a failure occurs within the container platform, preserving the state of the container platform and its components, along with other container services, helps to facilitate container platform restart and return to the operational mode of the organization with less disruption to mission essential processes. When preserving state, considerations for preservation of data confidentiality and integrity must be taken into consideration.

Checks: C-36059r600856_chk

Review the container platform configuration to determine if information necessary to determine the cause of a disruption or failure is preserved. If the information is not preserved, this is a finding.

Fix: F-36027r600857_fix

Configure the container platform to preserve information necessary to determine the cause of the disruption or failure.

b

The container platform runtime must isolate security functions from non-security functions.

SC-3 - Medium - CCI-001084 - V-233125 - SV-233125r601751_rule

RMF Control

SC-3

Severity

M

CCI

CCI-001084

Version

SRG-APP-000233-CTR-000585

Vuln IDs

V-233125

Rule IDs

SV-233125r601751_rule

The container platform runtime must be configured to isolate those services used for security functions from those used for non-security functions. This separation can be performed using environment variables, labels, network segregation, and kernel groups.

Checks: C-36061r601750_chk

Verify container platform runtime configuration settings to determine whether container services used for security functions are located in an isolated security function such as a separate environment variables, labels, network segregation, and kernel groups. If security-related functions are not separate, this is a finding.

Fix: F-36029r600863_fix

Configure the container platform runtime to isolate security functions from non-security functions.

b

The container platform must never automatically remove or disable emergency accounts.

AC-2 - Medium - CCI-001682 - V-233126 - SV-233126r600867_rule

RMF Control

AC-2

Severity

M

CCI

CCI-001682

Version

SRG-APP-000234-CTR-000590

Vuln IDs

V-233126

Rule IDs

SV-233126r600867_rule

Emergency accounts are administrator accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Emergency accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon/access is not available). Infrequently used accounts also remain available and are not subject to automatic termination dates. However, an emergency account is normally a different account that is created for use by vendors or system maintainers. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.

Checks: C-36062r600865_chk

Review the container platform to determine if emergency accounts are automatically removed or disabled. If emergency accounts are automatically removed or disabled, this is a finding.

Fix: F-36030r600866_fix

Configure the container platform to never remove or disable emergency accounts.

b

The container platform must prohibit containers from accessing privileged resources.

SC-4 - Medium - CCI-001090 - V-233127 - SV-233127r601753_rule

RMF Control

SC-4

Severity

M

CCI

CCI-001090

Version

SRG-APP-000243-CTR-000595

Vuln IDs

V-233127

Rule IDs

SV-233127r601753_rule

Containers images instantiated within the container platform may request access to host system resources. Access to privileged resources can allow for unauthorized and unintended transfer of information, but in some cases, these resources may be needed for the service being offered by the container. By default, containers should be denied instantiation when privileged system resources are requested and granted only after approval has been given. When access to privileged resources is necessary for a container, a new policy for execution should be written for the container. The default behavior must not give containers privileged access to host system resources. Examples of system resources that should be protected are kernel namespaces and host system sensitive directories such as /etc and /usr.

Checks: C-36063r601752_chk

Review documentation and configuration to determine if the container platform disallows instantiation of containers trying to access host system privileged resources. If the container platform does not block containers requesting host system privileged resources, this is a finding.

Fix: F-36031r600869_fix

Configure the container platform to block instantiation of containers requesting access to host system-privileged resources.

b

The container platform must prevent unauthorized and unintended information transfer via shared system resources.

SC-4 - Medium - CCI-001090 - V-233128 - SV-233128r601755_rule

RMF Control

SC-4

Severity

M

CCI

CCI-001090

Version

SRG-APP-000243-CTR-000600

Vuln IDs

V-233128

Rule IDs

SV-233128r601755_rule

The container platform makes host system resources available to container services. These shared resources, such as the host system kernel, network connections, and storage, must be protected to prevent unauthorized and unintended information transfer. The protections must be implemented for users and processes acting on behalf of users.

Checks: C-36064r601754_chk

Review the container platform architecture documentation to find out if and how it protects the resources of one process or user (such as working memory, storage, host system kernel, network connections) from unauthorized access by another user or process. If the container platform configuration settings do not effectively implement these protections to prevent unauthorized access by another user or process, this is a finding.

Fix: F-36032r601862_fix

Deploy a container platform capable of effectively protecting the resources of one process or user from unauthorized access by another user or process. Configure the container platform to effectively protect the resources of one process or user from unauthorized access by another user or process. The container security solution should help the user understand where the code in the environment was deployed from, and provide controls that prevent deployment from untrusted sources or registries.

b

The container platform must restrict individuals' ability to launch organizationally defined denial-of-service (DoS) attacks against other information systems.

SC-5 - Medium - CCI-001094 - V-233129 - SV-233129r601757_rule

RMF Control

SC-5

Severity

M

CCI

CCI-001094

Version

SRG-APP-000246-CTR-000605

Vuln IDs

V-233129

Rule IDs

SV-233129r601757_rule

The container platform will offer services to users and these services share resources available on the hosting system. To share the resources in a manner that does not exhaust or over utilize resources, it is necessary for the container platform to have mechanisms that allow developers to size there containers to provide minimum and maximum amounts. If there is no mechanism to specify limits, container services can cause DoS by over utilization.

Checks: C-36065r601756_chk

Review the container platform implementation and security documentation and components settings to determine if the information system restricts the ability of users or systems to launch organization-defined DoS attacks against other information systems or networks from the container platform. If the container platform is not configured to restrict this ability, this is a finding.

Fix: F-36033r600875_fix

Configure the container platform to restrict the ability of users or other systems to launch DoS attacks from the container platform components by setting resource quotas on resources such as memory, storage, and CPU utilization.

b

The container platform must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

SI-11 - Medium - CCI-001312 - V-233133 - SV-233133r601759_rule

RMF Control

SI-11

Severity

M

CCI

CCI-001312

Version

SRG-APP-000266-CTR-000625

Vuln IDs

V-233133

Rule IDs

SV-233133r601759_rule

The container platform is responsible for offering services to users. These services could be across diverse user groups and data types. To protect information about the container platform, services, users, and data, it is important during error message generation to offer enough information to diagnose the error, but not reveal information that needs to be protected.

Checks: C-36069r601758_chk

Review documentation and logs to determine if the container platform writes sensitive information such as passwords or private keys into the logs and administrative messages. If the container platform writes sensitive or potentially harmful information into the logs and administrative messages, this is a finding.

Fix: F-36037r600887_fix

Configure the container platform to not write sensitive information into the logs and administrative messages.

b

The container platform must use cryptographic mechanisms to protect the integrity of audit tools.

AU-9 - Medium - CCI-001496 - V-233142 - SV-233142r600915_rule

RMF Control

AU-9

Severity

M

CCI

CCI-001496

Version

SRG-APP-000290-CTR-000670

Vuln IDs

V-233142

Rule IDs

SV-233142r600915_rule

Protecting the integrity of the tools used for auditing purposes is a critical step to ensuring the integrity of audit data. Audit data includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include, but are not limited to, vendor provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. It is common for attackers to replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs. To address this risk, audit tools must be cryptographically signed in order to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files.

Checks: C-36078r600913_chk

Review the container platform configuration to determine if the integrity of the audit tools is protected using cryptographic mechanisms. If audit tools are not protected through cryptographic mechanisms, this is a finding.

Fix: F-36046r600914_fix

Configure the container platform to use cryptographic mechanisms to protect the integrity of audit tools.

b

The container platform must notify system administrators and ISSO when accounts are created.

AC-2 - Medium - CCI-001683 - V-233143 - SV-233143r600918_rule

RMF Control

AC-2

Severity

M

CCI

CCI-001683

Version

SRG-APP-000291-CTR-000675

Vuln IDs

V-233143

Rule IDs

SV-233143r600918_rule

Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Sending notification of account creation events to the system administrator and ISSO is one method for mitigating this risk. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.

Checks: C-36079r600916_chk

Review the container platform configuration to determine if system administrators and ISSO are notified when accounts are created. If system administrators and ISSO are not notified, this is a finding.

Fix: F-36047r600917_fix

Configure the container platform to notify system administrators and ISSO when accounts are created.

b

The container platform must notify system administrators and ISSO when accounts are modified.

AC-2 - Medium - CCI-001684 - V-233144 - SV-233144r600921_rule

RMF Control

AC-2

Severity

M

CCI

CCI-001684

Version

SRG-APP-000292-CTR-000680

Vuln IDs

V-233144

Rule IDs

SV-233144r600921_rule

When application accounts are modified, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the application processes themselves. Sending notification of account modification events to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Checks: C-36080r600919_chk

Review the container platform configuration to determine if system administrators and ISSO are notified when accounts are modified. If system administrators and ISSO are not notified, this is a finding.

Fix: F-36048r600920_fix

Configure the container platform to notify system administrators and ISSO when accounts are modified.

b

The container platform must notify system administrators and ISSO for account disabling actions.

AC-2 - Medium - CCI-001685 - V-233145 - SV-233145r600924_rule

RMF Control

AC-2

Severity

M

CCI

CCI-001685

Version

SRG-APP-000293-CTR-000685

Vuln IDs

V-233145

Rule IDs

SV-233145r600924_rule

When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the application processes themselves. Sending notification of account disabling events to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Checks: C-36081r600922_chk

Review the container platform configuration to determine if system administrators and ISSO are notified when accounts are disabled. If system administrators and ISSO are not notified, this is a finding.

Fix: F-36049r600923_fix

Configure the container platform to notify system administrators and ISSO when accounts are disabled.

b

The container platform must notify system administrators and ISSO for account removal actions.

AC-2 - Medium - CCI-001686 - V-233146 - SV-233146r600927_rule

RMF Control

AC-2

Severity

M

CCI

CCI-001686

Version

SRG-APP-000294-CTR-000690

Vuln IDs

V-233146

Rule IDs

SV-233146r600927_rule

When application accounts are removed, user accessibility is affected. Accounts are utilized for identifying users or for identifying the application processes themselves. Sending notification of account removal events to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time, and provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Checks: C-36082r600925_chk

Review the container platform configuration to determine if system administrators and ISSO are notified when accounts are removed. If system administrators and ISSO are not notified, this is a finding.

Fix: F-36050r600926_fix

Configure the container platform to notify system administrators and ISSO when accounts are removed.

a

Access to the container platform must display an explicit logout message to user indicating the reliable termination of authenticated communication sessions.

AC-12 - Low - CCI-002364 - V-233149 - SV-233149r600936_rule

RMF Control

AC-12

Severity

L

CCI

CCI-002364

Version

SRG-APP-000297-CTR-000705

Vuln IDs

V-233149

Rule IDs

SV-233149r600936_rule

Access to the container platform will occur through web and terminal sessions. Any web interfaces must conform to application and web security requirements. Terminal access to the container platform and its components must provide a logout facility that terminates the connection to the component or the platform.

Checks: C-36085r600934_chk

Review documentation and configuration settings to determine if the container platform displays a logout message. If the container platform does not display a logout message, this is a finding.

Fix: F-36053r600935_fix

Configure the container platform components to display an explicit logout message to users.

b

The container platform must terminate shared/group account credentials when members leave the group.

AC-2 - Medium - CCI-002142 - V-233155 - SV-233155r600954_rule

RMF Control

AC-2

Severity

M

CCI

CCI-002142

Version

SRG-APP-000317-CTR-000735

Vuln IDs

V-233155

Rule IDs

SV-233155r600954_rule

If shared/group account credentials are not terminated when individuals leave the group, the user that left the group can still gain access even though they are no longer authorized. A shared/group account credential is a shared form of authentication that allows multiple individuals to access the application using a single account. There may also be instances when specific user actions need to be performed on the information system without unique user identification or authentication. Examples of credentials include passwords and group membership certificates.

Checks: C-36091r600952_chk

Determine if the container platform is configured to terminate shared/group account credentials when members leave the group. If the container platform does not terminated shared/group account credentials when members leave the group, this is a finding.

Fix: F-36059r600953_fix

Configure the container platform to terminate shared/group account credentials when members leave the group.

b

The container platform must enforce organization-defined circumstances and/or usage conditions for organization-defined accounts.

AC-2 - Medium - CCI-002145 - V-233156 - SV-233156r601761_rule

RMF Control

AC-2

Severity

M

CCI

CCI-002145

Version

SRG-APP-000318-CTR-000740

Vuln IDs

V-233156

Rule IDs

SV-233156r601761_rule

Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours can indicate hostile activity if it occurs during off hours. Depending on mission needs and conditions, account usage restrictions based on conditions and circumstances may be critical to limit access to resources and data to comply with operational or mission access control requirements. Thus, the application must be configured to enforce the specific conditions or circumstances under which application accounts can be used (e.g., by restricting usage to certain days of the week, time of day, or specific durations of time).

Checks: C-36092r601760_chk

Determine if the container platform is configured to enforce organization-defined circumstances and/or usage conditions for organization-defined accounts. If the container platform does not enforce organization-defined circumstances and/or usage conditions for organization-defined accounts, this is a finding.

Fix: F-36060r600956_fix

Configure the container platform to enforce organization-defined circumstances and/or usage conditions for organization-defined accounts.

b

The container platform must automatically audit account-enabling actions.

AC-2 - Medium - CCI-002130 - V-233157 - SV-233157r600960_rule

RMF Control

AC-2

Severity

M

CCI

CCI-002130

Version

SRG-APP-000319-CTR-000745

Vuln IDs

V-233157

Rule IDs

SV-233157r600960_rule

Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Automatically auditing account enabling actions provides logging that can be used for forensic purposes. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.

Checks: C-36093r600958_chk

Determine if the container platform is configured to automatically audit account-enabling actions. If the container platform is not configured to automatically audit account-enabling actions, this is a finding.

Fix: F-36061r600959_fix

Configure the container platform to automatically audit account-enabling actions.

b

The container platform must notify system administrator and ISSO of account enabling actions.

AC-2 - Medium - CCI-002132 - V-233158 - SV-233158r600963_rule

RMF Control

AC-2

Severity

M

CCI

CCI-002132

Version

SRG-APP-000320-CTR-000750

Vuln IDs

V-233158

Rule IDs

SV-233158r600963_rule

Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Sending notification of account enabling events to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. In order to detect and respond to events that affect user accessibility and application processing, applications must notify the appropriate individuals so they can investigate the event. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.

Checks: C-36094r600961_chk

Determine if the container platform is configured to notify system administrator and ISSO of account enabling actions. If the container platform is not configured to notify system administrator and ISSO of account enabling actions, this is a finding.

Fix: F-36062r600962_fix

Configure the container platform to notify system administrator and ISSO of account enabling actions.

b

The container platform must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

AC-6 - Medium - CCI-002235 - V-233162 - SV-233162r601763_rule

RMF Control

AC-6

Severity

M

CCI

CCI-002235

Version

SRG-APP-000340-CTR-000770

Vuln IDs

V-233162

Rule IDs

SV-233162r601763_rule

Controlling what users can perform privileged functions prevents unauthorized users from performing tasks that may expose data or degrade the container platform. When users are not segregated into privileged and non-privileged users, unauthorized individuals may perform tasks such as deploying containers, pulling images into the register, and modify keys in the keystore. These actions can introduce malicious containers and cause denial-of-service (DoS) attacks and undermine the container platform integrity. The enforcement may take place at the container platform and can be implemented within each container platform component (e.g. runtime, registry, and keystore).

Checks: C-36098r601762_chk

Review documentation to obtain the definition of the container platform functionality considered privileged in the context of the information system in question. Review the container platform security configuration and/or other means used to protect privileged functionality from unauthorized use. If the configuration does not protect all of the actions defined as privileged, this is a finding.

Fix: F-36066r600974_fix

Configure the container platform to security to protect all privileged functionality. Assigning roles that limit what actions a particular user can perform are the most common means of meeting this requirement.

b

Container images instantiated by the container platform must execute using least privileges.

AC-6 - Medium - CCI-002233 - V-233163 - SV-233163r601765_rule

RMF Control

AC-6

Severity

M

CCI

CCI-002233

Version

SRG-APP-000342-CTR-000775

Vuln IDs

V-233163

Rule IDs

SV-233163r601765_rule

Containers running within the container platform must execute as non-privileged. When a container can execute as a privileged container, the privileged container is also a privileged user within the hosting system, and the hosting system becomes a major security risk. It is important for the container platform runtime to validate the container user and disallow instantiation if the container is trying to execute with more privileges than required, as a privileged user, or is trying to perform a privilege escalation. When privileged access is necessary for a container, a new policy for execution should be written for the container. The default behavior must not give containers privileged execution. Examples of privileged users are root, admin, and default service accounts for the container platform.

Checks: C-36099r601764_chk

Review documentation and configuration to determine if the container platform disallows instantiation of containers trying to execute with more privileges than required or with privileged permissions. If the container platform does not block containers requesting privileged permissions, privilege escalation, or allows containers to have more privileges than required, this is a finding.

Fix: F-36067r600977_fix

Configure the container platform to block instantiation with no more privileges than necessary.

b

The container platform must audit the execution of privileged functions.

AC-6 - Medium - CCI-002234 - V-233164 - SV-233164r600981_rule

RMF Control

AC-6

Severity

M

CCI

CCI-002234

Version

SRG-APP-000343-CTR-000780

Vuln IDs

V-233164

Rule IDs

SV-233164r600981_rule

Privileged functions within the container platform can be component specific or can envelope the entire container platform. Because of the nature of the commands, it is important to understand what command was executed for either investigation of an incident or for debugging/error correction; therefore, privileged function execution must be audited.

Checks: C-36100r600979_chk

Review container platform documentation and log configuration to verify the application server logs privileged activity. If the container platform is not configured to log privileged activity, this is a finding.

Fix: F-36068r600980_fix

Configure the container platform to log privileged activity.

b

The container platform must automatically lock an account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.

AC-7 - Medium - CCI-002238 - V-233165 - SV-233165r601767_rule

RMF Control

AC-7

Severity

M

CCI

CCI-002238

Version

SRG-APP-000345-CTR-000785

Vuln IDs

V-233165

Rule IDs

SV-233165r601767_rule

By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.

Checks: C-36101r601766_chk

Determine if the container platform is configured to automatically lock an account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded. If the container platform is not configured to lock the account, this is a finding.

Fix: F-36069r600983_fix

Configure the container platform to automatically lock an account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.

b

The container platform must provide the configuration for organization-identified individuals or roles to change the auditing to be performed on all components, based on all selectable event criteria within organization-defined time thresholds.

CM-6 - Medium - CCI-000366 - V-233166 - SV-233166r601869_rule

RMF Control

CM-6

Severity

M

CCI

Version

SRG-APP-000516-CTR-000790

Vuln IDs

V-233166

Rule IDs

SV-233166r601869_rule

Auditing requirements may change per organization or situation within and organization. With the container platform allowing an organization to customize the auditing, an organization can decide to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which audit actions are changed, for example, near real-time, within minutes, or within hours. Modifying auditing within the container platform must be controlled to only those individuals or roles identified by the organization to modify auditable events.

Checks: C-36102r601768_chk

Review documentation and configuration setting. If the container platform does not provide the ability for users in authorized roles to reconfigure auditing at any time of the user's choosing, this is a finding. If changes in audit configuration cannot take effect until after a certain time or date, or until some event, such as a server restart, has occurred, and if that time or event does not meet the requirements specified by the organization, this is a finding.

Fix: F-36070r601868_fix

Deploy a container platform that provides the ability for users in authorized roles to reconfigure auditing at any time. Deploy a container platform that allows audit configuration changes to take effect within the timeframe required by the organization and without involving actions or events that the organization rules unacceptable.

b

The container platform must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.

AU-4 - Medium - CCI-001849 - V-233168 - SV-233168r601782_rule

RMF Control

AU-4

Severity

M

CCI

CCI-001849

Version

SRG-APP-000357-CTR-000800

Vuln IDs

V-233168

Rule IDs

SV-233168r601782_rule

In order to ensure applications have a sufficient storage capacity in which to write the audit logs, applications need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial installation of the application and is closely associated with the DBA and system administrator roles. The DBA or system administrator will usually coordinate the allocation of physical drive space with the application owner/installer and the application will prompt the installer to provide the capacity information, the physical location of the disk, or both.

Checks: C-36104r601781_chk

Review the container platform configuration to determine if audit record storage capacity is allocated in accordance with organization-defined audit record storage requirements. If audit record storage capacity is not allocated in accordance with organization-defined audit record storage requirements, this is a finding.

Fix: F-36072r600992_fix

Configure the container platform to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.

b

Audit records must be stored at a secondary location.

AU-4 - Medium - CCI-001851 - V-233169 - SV-233169r601784_rule

RMF Control

AU-4

Severity

M

CCI

CCI-001851

Version

SRG-APP-000358-CTR-000805

Vuln IDs

V-233169

Rule IDs

SV-233169r601784_rule

Auditable events are used in the investigation of incidents and must be protected from being deleted or altered. Often, events that took place in the past must be viewed to understand the entire incident. For the purposes of audit event protection and recall, audit events are often off-loaded to an external storage location. The container platform must provide a mechanism to assist in the off-loading of the audit data or at a minimum, must not hinder an external process used for audit event off-loading.

Checks: C-36105r601783_chk

Verify the log records are being off-loaded to a separate system or transferred from the container platform storage location to a storage location other than the container platform itself. The information system may demonstrate this capability using a log management application, system configuration, or other means. If logs are not being off-loaded, this is a finding.

Fix: F-36073r600995_fix

Configure the container platform to off-load the logs to a remote log or management server.

b

The container platform must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.

AU-5 - Medium - CCI-001855 - V-233170 - SV-233170r601786_rule

RMF Control

AU-5

Severity

M

CCI

CCI-001855

Version

SRG-APP-000359-CTR-000810

Vuln IDs

V-233170

Rule IDs

SV-233170r601786_rule

If security personnel are not notified immediately upon storage volume utilization reaching 75 percent, they are unable to plan for storage capacity expansion.

Checks: C-36106r601785_chk

Review the container platform configuration to determine if it is configured to provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity. If the container platform is not configured to provide an immediate real-time alert, this is a finding.

Fix: F-36074r600998_fix

Configure the container platform to provide an immediate real-time alert to the SA and ISSO when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.

b

The container platform must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.

AU-5 - Medium - CCI-001858 - V-233171 - SV-233171r601788_rule

RMF Control

AU-5

Severity

M

CCI

CCI-001858

Version

SRG-APP-000360-CTR-000815

Vuln IDs

V-233171

Rule IDs

SV-233171r601788_rule

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).

Checks: C-36107r601787_chk

Review the container platform configuration to determine if it is configured to provide an immediate real-time alert to the SA and ISSO of all audit failure events requiring real-time alerts. If the container platform is not configured to provide an immediate real-time alert, this is a finding.

Fix: F-36075r601001_fix

Configure the container platform to provide an immediate real-time alert to the SA and ISSO of all audit failure events requiring real-time alerts.

b

All audit records must use UTC or GMT time stamps.

AU-8 - Medium - CCI-001890 - V-233181 - SV-233181r601032_rule

RMF Control

AU-8

Severity

M

CCI

CCI-001890

Version

SRG-APP-000374-CTR-000865

Vuln IDs

V-233181

Rule IDs

SV-233181r601032_rule

The container platform and its components must generate audit records using either Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) time stamps or local time that offset from UTC. All the components must use the same standard so that the events can be tied together to understand what took place within the overall container platform. Time stamps generated by the container platform and its components must include date and time.

Checks: C-36117r601030_chk

Review the container platform documentation and configuration files to determine if time stamps for log records can be mapped to UTC or GMT or local time that offsets from UTC. If the time stamp cannot be mapped to UTC or GMT, this is a finding.

Fix: F-36085r601031_fix

Configure the container platform to use UTC or GMT or local time that offset from UTC based time stamps for log records.

b

The container platform must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.

AU-8 - Medium - CCI-001889 - V-233182 - SV-233182r601035_rule

RMF Control

AU-8

Severity

M

CCI

CCI-001889

Version

SRG-APP-000375-CTR-000870

Vuln IDs

V-233182

Rule IDs

SV-233182r601035_rule

To properly investigate an event, it is important to have enough granularity within the time stamps to determine the chronological order of the audited events. Without this granularity, events may be interpreted out of proper sequence, thus hobbling the investigation or causing the investigation to come to inaccurate conclusions. Time stamps generated by the container platform include date and time. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks.

Checks: C-36118r601033_chk

Review the container platform documentation and configuration files to determine if time stamps for log records meet a granularity of one second. If the time stamp cannot generate to a one-second granularity, this is a finding.

Fix: F-36086r601034_fix

Configure the container platform to use time stamps for log records that can meet a granularity of one second.

b

The container platform must prohibit the installation of patches and updates without explicit privileged status.

CM-11 - Medium - CCI-001812 - V-233184 - SV-233184r601790_rule

RMF Control

CM-11

Severity

M

CCI

CCI-001812

Version

SRG-APP-000378-CTR-000880

Vuln IDs

V-233184

Rule IDs

SV-233184r601790_rule

Controlling access to those users and roles responsible for patching and updating the container platform reduces the risk of untested or potentially malicious software from being installed within the platform. This access may be separate from the access required to install container images into the registry and those access requirements required to instantiate an image into a service. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user.

Checks: C-36120r601789_chk

Review the container platform configuration to determine if patches and updates can only be installed through accounts with privileged status. Attempt to install a patch or upgrade using a non-privileged user account. If patches or updates can be installed using a non-privileged account or the container platform is not configured to stop the installation using a non-privileged account, this is a finding.

Fix: F-36088r601040_fix

Configure the container platform to only allow patch installation and upgrades using privileged accounts.

c

The container platform runtime must prohibit the instantiation of container images without explicit privileged status.

CM-11 - High - CCI-001812 - V-233185 - SV-233185r601792_rule

RMF Control

CM-11

Severity

H

CCI

CCI-001812

Version

SRG-APP-000378-CTR-000885

Vuln IDs

V-233185

Rule IDs

SV-233185r601792_rule

Controlling access to those users and roles responsible for container image instantiation reduces the risk of untested or potentially malicious containers from being executed within the platform and on the hosting system. This access may be separate from the access required to install container images into the registry and those access requirements required to perform patch management and upgrades within the container platform. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user.

Checks: C-36121r601791_chk

Review the container platform runtime configuration to determine if only accounts given specific container instantiation privileges can execute the container image instantiation process. Attempt to instantiate a container image using an account that does not have the proper privileges to execute the process. If container images can be instantiated using an account without the proper privileges, this is a finding.

Fix: F-36089r601043_fix

Configure the container platform runtime to prohibit the instantiation of container images without explicit container image instantiation privileges given to users.

b

The container platform registry must prohibit installation or modification of container images without explicit privileged status.

CM-11 - Medium - CCI-001812 - V-233186 - SV-233186r601047_rule

RMF Control

CM-11

Severity

M

CCI

CCI-001812

Version

SRG-APP-000378-CTR-000890

Vuln IDs

V-233186

Rule IDs

SV-233186r601047_rule

Controlling access to those users and roles that perform container platform registry functions reduces the risk of untested or potentially malicious containers from being introduced into the platform. This access may be separate from the access required to instantiate container images into services and those access requirements required to perform patch management and upgrades within the container platform. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user.

Checks: C-36122r601045_chk

Review container platform registry security settings with respect to non-administrative users' ability to create, alter, or replace container images. If any such permissions exist and are not documented and approved, this is a finding.

Fix: F-36090r601046_fix

Document and obtain approval for any non-administrative users who require the ability to create, alter, or replace container images within the container platform registry. Implement the approved permissions. Revoke any unapproved permissions.

b

The container platform must enforce access restrictions for container platform configuration changes.

CM-5 - Medium - CCI-001813 - V-233188 - SV-233188r601881_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001813

Version

SRG-APP-000380-CTR-000900

Vuln IDs

V-233188

Rule IDs

SV-233188r601881_rule

Configuration changes cause the container platform to change the way it operates. These changes can be used to improve the system with added features or performance, but these configuration changes can also be used to introduce malicious features and degrade performance. To control the configuration changes made to the container platform, it is important that only authorized users are allowed, through container platform enforcement, to make configuration changes.

Checks: C-36124r601793_chk

Review documentation and configuration settings to determine if the container platform enforces access restrictions associated with changes to container platform components configuration. If the container platform does not enforce such access restrictions, this is a finding.

Fix: F-36092r601880_fix

Configure the container platform to enforce access restrictions associated with changes to the container platform components configuration.

b

The container platform must enforce access restrictions and support auditing of the enforcement actions.

CM-5 - Medium - CCI-001814 - V-233189 - SV-233189r601056_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001814

Version

SRG-APP-000381-CTR-000905

Vuln IDs

V-233189

Rule IDs

SV-233189r601056_rule

Auditing the enforcement of access restrictions against changes to the container platform helps identify attacks and provides forensic data for investigation for after-the-fact actions. Attempts to change configurations, components, or data maintained by a component (e.g., images in the registry, running containers in the runtime, or keys in the keystore) must be audited. Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.

Checks: C-36125r601054_chk

Review container platform documentation and logs to determine if enforcement actions used to restrict access associated with changes to the container platform are logged. If these actions are not logged, this is a finding.

Fix: F-36093r601055_fix

Configure the container platform to log the enforcement actions used to restrict access associated with changes.

b

All non-essential, unnecessary, and unsecure DoD ports, protocols, and services must be disabled in the container platform.

CM-7 - Medium - CCI-001762 - V-233190 - SV-233190r601059_rule

RMF Control

CM-7

Severity

M

CCI

CCI-001762

Version

SRG-APP-000383-CTR-000910

Vuln IDs

V-233190

Rule IDs

SV-233190r601059_rule

To properly offer services to the user and to orchestrate containers, the container platform may offer services that use ports and protocols that best fit those services. The container platform, when offering the services, must only offer the services on ports and protocols authorized by the DoD. To validate that the services are using only the approved ports and protocols, the organization must perform a periodic scan/review of the container platform and disable functions, ports, protocols, and services deemed to be unneeded or non-secure.

Checks: C-36126r601057_chk

Review the container platform configuration to determine if services or capabilities presently on the information system are required for operational or mission needs. If additional services or capabilities are present on the system, this is a finding.

Fix: F-36094r601058_fix

Configure the container platform to only utilize secure ports and protocols required for operation that have been accepted for use as per the Ports, Protocols, and Services Category Assignments List (CAL) from DISA (PPSM).

b

The container platform must prevent component execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.

CM-7 - Medium - CCI-001764 - V-233191 - SV-233191r601796_rule

RMF Control

CM-7

Severity

M

CCI

CCI-001764

Version

SRG-APP-000384-CTR-000915

Vuln IDs

V-233191

Rule IDs

SV-233191r601796_rule

The container platform may offer components such as DNS services, firewall services, router services, or web services that are not required by every organization to meet their needs. Container platform components may also add capabilities that run counter to the mission or that provide users with functionality that exceeds mission requirements. To meet the requirements of an organization, the container platform must have a method to remove or disable components not required to meet the organization's mission.

Checks: C-36127r601795_chk

Review documentation and configuration setting to determine if policies, rules, or restrictions exist regarding usage of container platform components. If no such no restrictions are in place, this is not a finding. Identify any components the organization requires to be disabled or removed and configure the container platform according to that policy. If the container platform components are not disabled or removed according to the organization's policy, this is a finding.

Fix: F-36095r601061_fix

Configure the container platform so that any platform components that are not required in order to meet the organization's mission are disabled or removed. Document the components that must be disabled or removed for reference.

b

The container platform registry must employ a deny-all, permit-by-exception (whitelist) policy to allow only authorized container images in the container platform.

CM-7 - Medium - CCI-001774 - V-233192 - SV-233192r601798_rule

RMF Control

CM-7

Severity

M

CCI

CCI-001774

Version

SRG-APP-000386-CTR-000920

Vuln IDs

V-233192

Rule IDs

SV-233192r601798_rule

Controlling the sources where container images can be pulled from allows the organization to define what software can be run within the container platform. Allowing any container image to be introduced and instantiated within the container platform may introduce malicious code and vulnerabilities to the platform and the hosting system. The container platform registry must deny all container images except for those signed by organizational-approved sources.

Checks: C-36128r601797_chk

Review documentation and configuration settings to identify if the container platform whitelisting specifies which container platform components are allowed to execute. Check for the existence of policy settings or policy files that can be configured to restrict container platform component execution. Demonstrate how the program execution is restricted. Look for a deny-all, permit-by-exception policy of restriction. Some methods for restricting execution include but are not limited to the use of custom capabilities built into the application or Software Restriction Policies, Application Security Manager, or Role-Based Access Controls (RBAC). If container platform whitelisting is not utilized or does not follow a deny-all, permit-by-exception (whitelist) policy, this is a finding.

Fix: F-36096r601064_fix

Configure the container platform to utilize a deny-all, permit-by-exception policy when allowing the execution of authorized software.

b

The container platform must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.

IA-11 - Medium - CCI-002038 - V-233193 - SV-233193r601068_rule

RMF Control

IA-11

Severity

M

CCI

CCI-002038

Version

SRG-APP-000389-CTR-000925

Vuln IDs

V-233193

Rule IDs

SV-233193r601068_rule

Controlling user access is paramount in securing the container platform. During a user's access to the container platform, events may occur that change the user's access and which require reauthentication. For instance, if the capability to change security roles or escalate privileges is implemented, it is critical the user reauthenticate. In addition to the reauthentication requirements associated with change in security roles or privilege escalation, organizations may require reauthentication of individuals in other situations, including (but not limited to) the following circumstances: (i) When authenticators change; (ii) When roles change; (iii) When security categories of information systems change; (iv) When the execution of privileged functions occurs; (v) After a fixed period of time; or (vi) Periodically. Within the DoD, the minimum circumstances requiring reauthentication are privilege escalation and role changes.

Checks: C-36129r601066_chk

Review documentation and configuration to determine if the container platform requires a user to reauthenticate when organization-defined circumstances or situations are met. If the container platform does not meet this requirement, this is a finding.

Fix: F-36097r601067_fix

Configure the container platform to require a user to reauthenticate when organization-defined circumstances or situations are met.

b

The container platform must require devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication.

IA-11 - Medium - CCI-002039 - V-233194 - SV-233194r601800_rule

RMF Control

IA-11

Severity

M

CCI

CCI-002039

Version

SRG-APP-000390-CTR-000930

Vuln IDs

V-233194

Rule IDs

SV-233194r601800_rule

The container platform may require external devices be used to fully orchestrate the services needed for users. Examples would be storage or external servers. Without reauthentication, unidentified or unknown devices may be introduced; thereby facilitating malicious activity. The container platform must be capable of allowing the organization to set requirements associated with device reauthentication. Examples are: Organizations may require reauthentication of devices, including (but not limited to), the following other situations: (i) When authenticators change; (ii) When roles change; (iii) When security categories of information systems change; (iv) After a fixed period of time; or (v) Periodically. For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of identification claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide the identification decisions (as opposed to the actual identifiers) to the services that need to act on those decisions.

Checks: C-36130r601799_chk

Review documentation and configuration to determine if the container platform requires devices to reauthenticate when organization-defined circumstances or situations require reauthentication. If the container platform does not require a device to reauthenticate, this is a finding.

Fix: F-36098r601070_fix

Configure the container platform to require devices to reauthenticate when organization-defined circumstances or situations require reauthentication.

b

The container platform must be configured to use multi-factor authentication for user authentication.

IA-2 - Medium - CCI-001953 - V-233195 - SV-233195r601074_rule

RMF Control

IA-2

Severity

M

CCI

CCI-001953

Version

SRG-APP-000391-CTR-000935

Vuln IDs

V-233195

Rule IDs

SV-233195r601074_rule

Controlling access to the container platform and its components is paramount in having a secure and stable system. Validating users is the first step in controlling the access. Users may be validated by the overall container platform or they may be validated by each component. To standardize and reduce the risks of unauthorized access, the use of multifactor token-based credentials is the preferred method. DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered protection for national security systems.

Checks: C-36131r601072_chk

Review documentation and configuration to ensure the container platform is configured to use an approved DoD multifactor token (CAC) when accessing platform via user interfaces. If multifactor authentication is not configured, this is a finding.

Fix: F-36099r601073_fix

Configure the container platform to accept standard DoD multifactor token-based credentials when users interface with the platform.

b

The container platform must allow the use of a temporary password for system logons with an immediate change to a permanent password.

IA-5 - Medium - CCI-002041 - V-233199 - SV-233199r601802_rule

RMF Control

IA-5

Severity

M

CCI

CCI-002041

Version

SRG-APP-000397-CTR-000955

Vuln IDs

V-233199

Rule IDs

SV-233199r601802_rule

Without providing this capability, an account may be created without a password. Non-repudiation cannot be guaranteed once an account is created if a user is not forced to change the temporary password upon initial login. Temporary passwords are typically used to allow access to applications when new accounts are created or passwords are changed. It is common practice for administrators to create temporary passwords for user accounts, which allow the users to log in, yet forces them to change the password once they have successfully authenticated.

Checks: C-36135r601801_chk

Review the container platform configuration to determine if the platform is configured to allow the use of a temporary password for system logons with an immediate change to a permanent password. If the container platform is not configured to allow temporary passwords with immediate change to a permanent password, this is a finding.

Fix: F-36103r601085_fix

Configure the container platform to allow the use of a temporary password for system logons with an immediate change to a permanent password.

b

The container platform must prohibit the use of cached authenticators after an organization-defined time period.

IA-5 - Medium - CCI-002007 - V-233200 - SV-233200r601804_rule

RMF Control

IA-5

Severity

M

CCI

CCI-002007

Version

SRG-APP-000400-CTR-000960

Vuln IDs

V-233200

Rule IDs

SV-233200r601804_rule

If cached authentication information is out of date, the validity of the authentication information may be questionable.

Checks: C-36136r601803_chk

Review the container platform configuration to determine if the platform is configured to prohibit the use of cached authenticators after an organization-defined time period. If the container platform is not configured to prohibit the use of cached authenticators after an organization-defined time period, this is a finding.

Fix: F-36104r601088_fix

Configure the container platform to prohibit the use of cached authenticators after an organization-defined time period.

b

The container platform, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.

IA-5 - Medium - CCI-001991 - V-233201 - SV-233201r601806_rule

RMF Control

IA-5

Severity

M

CCI

CCI-001991

Version

SRG-APP-000401-CTR-000965

Vuln IDs

V-233201

Rule IDs

SV-233201r601806_rule

The potential of allowing access to users who are no longer authorized (have revoked certificates) increases unless a local cache of revocation data is configured.

Checks: C-36137r601805_chk

Review the container platform configuration. If the container platform is not implemented to use a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, this is a finding.

Fix: F-36105r601091_fix

Configure the container platform to implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.

b

The container platform must accept Personal Identity Verification (PIV) credentials from other federal agencies.

IA-8 - Medium - CCI-002009 - V-233202 - SV-233202r601095_rule

RMF Control

IA-8

Severity

M

CCI

CCI-002009

Version

SRG-APP-000402-CTR-000970

Vuln IDs

V-233202

Rule IDs

SV-233202r601095_rule

Controlling access to the container platform and its components is paramount in having a secure and stable system. Validating users is the first step in controlling the access. Users may be validated by the overall container platform or they may be validated by each component. It is essential to accept PIV credentials from other federal agencies and eliminate the possibility of access being denied to authorized users. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.

Checks: C-36138r601093_chk

Review the documentation and configuration to determine if the container platform accepts PIV credentials from other federal agencies. If the container platform does not accept other federal agency PIV credentials, this is a finding.

Fix: F-36106r601094_fix

Configure the container platform to accept PIV credentials from other federal agencies.

b

The container platform must audit non-local maintenance and diagnostic sessions' organization-defined audit events associated with non-local maintenance.

MA-4 - Medium - CCI-002884 - V-233206 - SV-233206r601808_rule

RMF Control

MA-4

Severity

M

CCI

CCI-002884

Version

SRG-APP-000409-CTR-000990

Vuln IDs

V-233206

Rule IDs

SV-233206r601808_rule

To fully investigate an attack, it is important to understand the event and those events taking place during the same time period. Often, non-local administrative access and diagnostic sessions are not logged. These events are seen as only administrative functions and not worthy of being audited, but these events are important in any investigation and are a major tool for assessing and investigating attacks.

Checks: C-36142r601807_chk

Review the container platform to verify if the platform is auditing non-local maintenance and diagnostic sessions' organization-defined audit events. If the container platform is not auditing non-local maintenance and diagnostic sessions' organization-defined audit events, this is a finding.

Fix: F-36110r601106_fix

Configure the container platform to audit non-local maintenance and diagnostic sessions' organization-defined audit events.

b

Container platform applications and Application Program Interfaces (API) used for nonlocal maintenance sessions must use FIPS-validated keyed-hash message authentication code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.

MA-4 - Medium - CCI-002890 - V-233207 - SV-233207r601874_rule

RMF Control

MA-4

Severity

M

CCI

CCI-002890

Version

SRG-APP-000411-CTR-000995

Vuln IDs

V-233207

Rule IDs

SV-233207r601874_rule

Unapproved mechanisms that are used for authentication to the cryptographic module are not verified, and therefore cannot be relied on to provide confidentiality or integrity, and DoD data may be compromised. Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through either an external network (e.g., the internet) or an internal network. Currently, HMAC is the only FIPS-approved algorithm for generating and verifying message/data authentication codes in accordance with FIPS 198-1. Products that are FIPS 140-2 validated will have an HMAC that meets specification; however, the option must be configured for use as the only message authentication code used for authentication to cryptographic modules. Separate requirements for configuring applications and protocols used by each product (e.g., SNMPv3, SSHv2, NTP, and other protocols and applications that require server/client authentication) are required to implement this requirement. The SSHv2 protocol suite must be mandated in the product because it includes layer 7 protocols such as SCP and SFTP that can be used for secure file transfers.

Checks: C-36143r601809_chk

Validate that container platform applications and APIs used for nonlocal maintenance sessions are using FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications. If the sessions are not using FIPS-validated HMAC, this is a finding.

Fix: F-36111r601109_fix

Configure the container platform applications and APIs used for nonlocal maintenance sessions to use FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications.

b

The container platform must configure web management tools and Application Program Interfaces (API) with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.

MA-4 - Medium - CCI-003123 - V-233208 - SV-233208r601877_rule

RMF Control

MA-4

Severity

M

CCI

CCI-003123

Version

SRG-APP-000412-CTR-001000

Vuln IDs

V-233208

Rule IDs

SV-233208r601877_rule

Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through either an external network (e.g., the internet) or an internal network.

Checks: C-36144r601876_chk

Validate the container platform web management tools and Application Program Interfaces (API) are configured to use FIPS-validated Advanced Encryption Standard (AES) cipher block algorithms to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions. If the web management tools and API are not configured to use FIPS-validated Advanced Encryption Standard (AES) cipher block algorithms, this is a finding.

Fix: F-36112r601866_fix

Configure the container platform web management tools and Application Program Interfaces (API) with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.

b

Vulnerability scanning applications must implement privileged access authorization to all container platform components, containers, and container images for selected organization-defined vulnerability scanning activities.

RA-5 - Medium - CCI-001067 - V-233210 - SV-233210r601119_rule

RMF Control

RA-5

Severity

M

CCI

CCI-001067

Version

SRG-APP-000414-CTR-001010

Vuln IDs

V-233210

Rule IDs

SV-233210r601119_rule

In certain situations, the nature of the vulnerability scanning may be more intrusive, or the container platform component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning. The vulnerability scanning application must utilize privileged access authorization for the scanning account.

Checks: C-36146r601117_chk

Validate that scanning applications have privileged access to container platform components, containers, and container images to properly perform vulnerability scans. If privileged access is not given to the scanning application, this is a finding.

Fix: F-36114r601118_fix

Configure the vulnerability scanning application to have privileged access to the container platform components, containers, and container images.

b

The container platform must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

SC-13 - Medium - CCI-002450 - V-233211 - SV-233211r601812_rule

RMF Control

SC-13

Severity

M

CCI

CCI-002450

Version

SRG-APP-000416-CTR-001015

Vuln IDs

V-233211

Rule IDs

SV-233211r601812_rule

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data and images. The container platform must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Checks: C-36147r601811_chk

Review documentation to verify that the container platform is using NSA-approved cryptography to protect classified data and applications. If the container platform is not using NSA-approved cryptography for classified data and applications, this is a finding.

Fix: F-36115r601121_fix

Configure the container platform to utilize NSA-approved cryptography to protect classified information.

b

The container platform keystore must implement encryption to prevent unauthorized disclosure of information at rest within the container platform.

SC-28 - Medium - CCI-002476 - V-233220 - SV-233220r601149_rule

RMF Control

SC-28

Severity

M

CCI

CCI-002476

Version

SRG-APP-000429-CTR-001060

Vuln IDs

V-233220

Rule IDs

SV-233220r601149_rule

Container platform keystore is used for container deployments for persistent storage of all its REST API objects. These objects are sensitive in nature and should be encrypted at rest to avoid any unauthorized disclosure. Selection of a cryptographic mechanism is based on the need to protect the confidentiality of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information.

Checks: C-36156r601147_chk

Review container platform keystore documentation and configuration to verify encryption levels meet the information sensitivity level. If the container platform keystore encryption configuration does not meet system requirements, this is a finding.

Fix: F-36124r601148_fix

Configure the container platform keystore encryption to maintain the confidentiality and integrity of information for applicable sensitivity level.

b

The container platform runtime must maintain separate execution domains for each container by assigning each container a separate address space.

SC-39 - Medium - CCI-002530 - V-233221 - SV-233221r601814_rule

RMF Control

SC-39

Severity

M

CCI

CCI-002530

Version

SRG-APP-000431-CTR-001065

Vuln IDs

V-233221

Rule IDs

SV-233221r601814_rule

Container namespace access is limited upon runtime execution. Each container is a distinct process so that communication between containers is performed in a manner controlled through security policies that limits the communication so one container cannot modify another container. Different groups of containers with different security needs should be deployed in separate namespaces as a first level of isolation. Namespaces are a key boundary for network policies, orchestrator access control restrictions, and other important security controls. Separating workloads into namespaces can help contain attacks and limit the impact of mistakes or destructive actions by authorized users.

Checks: C-36157r601813_chk

Review container platform runtime documentation and configuration is maintaining a separate execution domain for each executing process. Different groups of applications, and services with different security needs, should be deployed in separate namespaces as a first level of isolation. If container platform runtime is not configured to execute processes in separate domains and namespaces, this is a finding. If namespaces use defaults, this is a finding.

Fix: F-36125r601151_fix

Deploy a container platform runtime capable of maintaining a separate execution domain and namespace for each executing process. Create a namespace for each containers, defining them as logical groups.

b

The container platform must protect against or limit the effects of all types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.

SC-5 - Medium - CCI-002385 - V-233222 - SV-233222r601816_rule

RMF Control

SC-5

Severity

M

CCI

CCI-002385

Version

SRG-APP-000435-CTR-001070

Vuln IDs

V-233222

Rule IDs

SV-233222r601816_rule

DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of the container platform to mitigate the impact of DoS attacks that have occurred. For each container platform component, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting runtime processes or restricting the number of sessions the container platform runtime open, limiting container resources to memory and CPU). Processes are an important indicator of security-and operations-relevant container activity. Process names and their arguments provide important visibility into a container’s activity. If an image includes non-default aliases or renamed binaries, attackers will still attempt to use well-known names. The same malicious or unwanted activity might affect multiple deployments across different applications or environments. Staff investigating a potential incident need to find those exposures quickly.

Checks: C-36158r601815_chk

Review documentation and configuration to determine if the container platform can protect against or limit the effects of all types of DoS attacks by employing defined security safeguards against resource depletion. Examples of resource limits are on memory, storage, and CPU. If the container platform cannot be configured to protect against or limit the effects of all types of DoS, this is a finding.

Fix: F-36126r601154_fix

Configure the container platform to protect against or limit the effects of all types of DoS attacks by employing defined security safeguards. Safeguards such as resource limits on memory, storage, and CPU can be used.

b

The application must protect the confidentiality and integrity of transmitted information.

SC-8 - Medium - CCI-002418 - V-233224 - SV-233224r754793_rule

RMF Control

SC-8

Severity

M

CCI

CCI-002418

Version

SRG-APP-000439-CTR-001080

Vuln IDs

V-233224

Rule IDs

SV-233224r754793_rule

Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered. This requirement applies only to those applications that either are distributed or can allow access to data non-locally. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, applications need to leverage transmission protection mechanisms, such as TLS, TLS VPNs, or IPsec. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.

Checks: C-36160r601159_chk

This requirement is NA for this technology.

Fix: F-36128r601160_fix

The requirement is NA. No fix is required.

b

The container platform must maintain the confidentiality and integrity of information during preparation for transmission.

SC-8 - Medium - CCI-002420 - V-233226 - SV-233226r601818_rule

RMF Control

SC-8

Severity

M

CCI

CCI-002420

Version

SRG-APP-000441-CTR-001090

Vuln IDs

V-233226

Rule IDs

SV-233226r601818_rule

Information may be unintentionally or maliciously disclosed or modified during preparation for transmission within the container platform during aggregation, at protocol transformation points, and during container image runtime. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. When transmitting data, the container platform components need to leverage transmission protection mechanisms, such as TLS, TLS VPNs, or IPsec.

Checks: C-36162r601817_chk

Review the documentation and deployed configuration to determine if the container platform maintains the confidentiality and integrity of information during preparation before transmission. If the confidentiality and integrity are not maintained using mechanisms such as TLS, TLS VPNs, or IPsec during preparation before transmission, this is a finding.

Fix: F-36130r601166_fix

Configure the container platform to maintain the confidentiality and integrity of information using mechanisms such as TLS, TLS VPNs, or IPsec during preparation for transmission.

b

The container platform must maintain the confidentiality and integrity of information during reception.

SC-8 - Medium - CCI-002422 - V-233227 - SV-233227r601820_rule

RMF Control

SC-8

Severity

M

CCI

CCI-002422

Version

SRG-APP-000442-CTR-001095

Vuln IDs

V-233227

Rule IDs

SV-233227r601820_rule

Information either can be unintentionally or maliciously disclosed or modified during reception for reception within the container platform during aggregation, at protocol transformation points, and during container image runtime. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. When receiving data, the container platform components need to leverage protection mechanisms, such as TLS, TLS VPNs, or IPsec.

Checks: C-36163r601819_chk

Review documentation and configuration settings to determine if the container platform maintains the confidentiality and integrity of information during reception. If confidentiality and integrity are not maintained using mechanisms such as TLS, TLS VPNs, or IPsec during reception, this is a finding.

Fix: F-36131r601169_fix

Configure the container platform to maintain the confidentiality and integrity using mechanisms such as TLS, TLS VPNs, or IPsec during reception.

b

The container platform must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.

SI-10 - Medium - CCI-002754 - V-233228 - SV-233228r601822_rule

RMF Control

SI-10

Severity

M

CCI

CCI-002754

Version

SRG-APP-000447-CTR-001100

Vuln IDs

V-233228

Rule IDs

SV-233228r601822_rule

Software or code parameters typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. This requirement guards against adverse or unintended system behavior caused by invalid inputs, where container platform components responses to the invalid input may be disruptive or cause the container image runtime to fail into an unsafe state. The behavior will be derived from the organizational and system requirements and includes, but is not limited to, notification of the appropriate personnel, creating an audit record, and rejecting invalid input.

Checks: C-36164r601821_chk

Review the configuration to determine if the container platform behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received. If the container platform does not meet this requirement, this is a finding.

Fix: F-36132r601172_fix

Configure the container platform behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.

b

The container platform must implement organization-defined security safeguards to protect system CPU and memory from resource depletion and unauthorized code execution.

SI-16 - Medium - CCI-002824 - V-233229 - SV-233229r601176_rule

RMF Control

SI-16

Severity

M

CCI

CCI-002824

Version

SRG-APP-000450-CTR-001105

Vuln IDs

V-233229

Rule IDs

SV-233229r601176_rule

The execution of images within the container platform runtime must implement organizational defined security safeguards to prevent distributed denial-of-service (DDOS) and other possible attacks against the container image at runtime. Security safeguards employed to protect memory and CPU include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be software-enforced. Other means of protection are to limit memory and CPU resources to a container.

Checks: C-36165r601174_chk

Review the container platform configuration to determine if safeguards are in place to protect the system memory and CPU from resource depletion and unauthorized execution. If safeguards are not in place, this is a finding.

Fix: F-36133r601175_fix

Configure the container platform to have safeguards in place to protect the system memory and CPU from resource depletion and unauthorized code execution.

b

The container platform must remove old components after updated versions have been installed.

SI-2 - Medium - CCI-002617 - V-233230 - SV-233230r601824_rule

RMF Control

SI-2

Severity

M

CCI

CCI-002617

Version

SRG-APP-000454-CTR-001110

Vuln IDs

V-233230

Rule IDs

SV-233230r601824_rule

Previous versions of container platform components that are not removed from the container platform after updates have been installed may be exploited by adversaries by causing older components to execute which contain vulnerabilities. When these components are deleted, the likelihood of this happening is removed.

Checks: C-36166r601823_chk

Review container platform registry documentation and configuration to determine if organization-defined images contains latest approved vendor software image version. If organization-defined images do not contain the latest approved vendor software image version, this is a finding. Review container platform registry documentation and configuration to determine if organization-defined images are removed after updated versions have been installed. If organization-defined images are not removed after updated versions have been installed, this is a finding. Review container platform runtime documentation and configuration to determine if organization-define images are executing latest image version from the container platform registry. If container platform runtime is not executing latest organization-defined images from the container platform registry, this is a finding.

Fix: F-36134r601863_fix

Configure the container platform registry to update organization-defined images with current approved vendor version and remove obsolete images after updated versions have been installed. Configure the container platform runtime to execute latest organization-defined images from the container platform registry.

b

The container platform registry must remove old container images after updating versions have been made available.

SI-2 - Medium - CCI-002617 - V-233231 - SV-233231r601826_rule

RMF Control

SI-2

Severity

M

CCI

CCI-002617

Version

SRG-APP-000454-CTR-001115

Vuln IDs

V-233231

Rule IDs

SV-233231r601826_rule

Obsolete and stale images need to be removed from the registry to ensure the container platform maintains a secure posture. While the storing of these images does not directly pose a threat, they do increase the likelihood of these images being deployed. Removing stale or obsolete images and only keeping the most recent versions of those that are still in use removes any possibility of vulnerable images being deployed.

Checks: C-36167r601825_chk

Review container platform registry documentation and configuration to determine if organization-defined images contains latest approved vendor software image version. If organization-defined images do not contain the latest approved vendor software image version, this is a finding. Review container platform registry documentation and configuration to determine if organization-defined images are removed after updated versions have been installed. If organization-defined images are not removed after updated versions have been installed, this is a finding. Review container platform runtime documentation and configuration to determine if organization-defined images are executing latest image version from the container registry. If container platform runtime is not executing latest organization-defined images from the container platform registry, this is a finding.

Fix: F-36135r601864_fix

Configure the container platform registry to update organization-defined images with current approved vendor version and remove obsolete images after updated versions have been installed. Configure the container platform runtime to execute latest organization-defined images from the container platform registry.

b

The container platform registry must contain the latest images with most recent updates and execute within the container platform runtime as authorized by IAVM, CTOs, DTMs, and STIGs.

SI-2 - Medium - CCI-002605 - V-233233 - SV-233233r601828_rule

RMF Control

SI-2

Severity

M

CCI

CCI-002605

Version

SRG-APP-000456-CTR-001125

Vuln IDs

V-233233

Rule IDs

SV-233233r601828_rule

Software supporting the container platform, images in the registry must stay up to date with the latest patches, service packs, and hot fixes. Not updating the container platform and container images will expose the organization to vulnerabilities. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. Organization-defined time periods for updating security-relevant container platform components may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). This requirement will apply to software patch management solutions that are used to install patches across the enclave and to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period utilized must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process. The container platform components will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The container platform registry will ensure the images are current. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

Checks: C-36169r601827_chk

Review documentation and configuration to determine if the container platform registry inspects and contains approved vendor repository latest images containing security-relevant updates within a timeframe directed by an authoritative source (IAVM, CTOs, DTMs, STIGs, etc.). If the container platform registry does not contain the latest image with security-relevant updates within the time period directed by the authoritative source, this is a finding. The container platform registry should help the user understand where the code in the environment was deployed from, and must provide controls that prevent deployment from untrusted sources or registries.

Fix: F-36137r601187_fix

Configure the container platform registry to use approved vendor repository to ensure latest images containing security-relevant updates are installed.

b

The container platform runtime must have updates installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

SI-2 - Medium - CCI-002605 - V-233234 - SV-233234r601830_rule

RMF Control

SI-2

Severity

M

CCI

CCI-002605

Version

SRG-APP-000456-CTR-001130

Vuln IDs

V-233234

Rule IDs

SV-233234r601830_rule

The container platform runtime must be carefully monitored for vulnerabilities, and when problems are detected, they must be remediated quickly. A vulnerable runtime exposes all containers it supports, as well as the host itself, to potentially significant risk. Organizations should use tools to look for Common Vulnerabilities and Exposures (CVEs) vulnerabilities in the runtimes deployed, to upgrade any instances at risk, and to ensure that orchestrators only allow deployments to properly maintained runtimes.

Checks: C-36170r601829_chk

Review documentation and configuration to determine if the container platform registry inspects and contains approved vendor repository latest images containing security-relevant updates within a timeframe directed by an authoritative source (IAVM, CTOs, DTMs, STIGs, etc.). If the container platform registry does not contain the latest image with security-relevant updates within the time period directed by the authoritative source, this is a finding. The container platform registry should help the user understand where the code in the environment was deployed from and must provide controls that prevent deployment from untrusted sources or registries.

Fix: F-36138r601190_fix

Configure the container platform registry to use approved vendor repository to ensure latest images containing security-relevant updates are installed within the time period directed by the authoritative source.

b

The organization-defined role must verify correct operation of security functions in the container platform.

SI-6 - Medium - CCI-002696 - V-233242 - SV-233242r601832_rule

RMF Control

SI-6

Severity

M

CCI

CCI-002696

Version

SRG-APP-000472-CTR-001170

Vuln IDs

V-233242

Rule IDs

SV-233242r601832_rule

Without verification, security functions may not operate correctly and this failure may go unnoticed within the container platform. The container platform components must identity and ensure the security functions are still operational and applicable to the organization. Security functions are responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Notifications provided by information systems include, for example, electronic alerts to system administrators.

Checks: C-36178r601831_chk

Review container platform documentation and configuration verification of the correct operation of security functions, which may include the valid connection to an external security manager (ESM). If verification of the correct operation of security functions is not performed, this is a finding.

Fix: F-36146r601214_fix

Configure the container platform configuration and installation settings to perform verification of the correct operation of security functions.

b

The container platform must perform verification of the correct operation of security functions: upon system startup and/or restart; upon command by a user with privileged access; and/or every 30 days. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.

SI-6 - Medium - CCI-002699 - V-233243 - SV-233243r601896_rule

RMF Control

SI-6

Severity

M

CCI

CCI-002699

Version

SRG-APP-000473-CTR-001175

Vuln IDs

V-233243

Rule IDs

SV-233243r601896_rule

Without verification, security functions may not operate correctly and this failure may go unnoticed within the container platform. Security functions are responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Notifications provided by information systems include, for example, electronic alerts to organization-defined role.

Checks: C-36179r601895_chk

Review container platform documentation. Verify that the container platform is configured to perform verification of the correct operation of security functions, which may include the valid connection to an external security manager (ESM), upon product startup/restart, by a user with privileged access, and/or every 30 days. If it is not, this is a finding.

Fix: F-36147r601217_fix

Configure the container platform to perform verification of the correct operation of security functions, which may include the connection validation, upon product startup/restart, or by a user with privileged access, and/or every 30 days.

b

The container platform must provide system notifications to the system administrator and operational staff when anomalies in the operation of the organization-defined security functions are discovered.

SI-6 - Medium - CCI-002702 - V-233244 - SV-233244r601879_rule

RMF Control

SI-6

Severity

M

CCI

CCI-002702

Version

SRG-APP-000474-CTR-001180

Vuln IDs

V-233244

Rule IDs

SV-233244r601879_rule

If anomalies are not acted upon, security functions may fail to secure the container within the container platform runtime. Security functions are responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Notifications provided by information systems include, for example, electronic alerts to system administrators.

Checks: C-36180r601878_chk

Review container platform runtime documentation and configuration settings. If the container platform is not configured to notify organization-defined information system role when anomalies in the operation of security functions as defined by site security plan are discovered, this is a finding.

Fix: F-36148r601220_fix

Configure the container platform runtime to notify system administrator and operation staff when anomalies in the operation of the security functions as defined in site security plan are discovered.

b

The container platform must generate audit records when successful/unsuccessful attempts to access security objects occur.

AU-12 - Medium - CCI-000172 - V-233252 - SV-233252r601245_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000492-CTR-001220

Vuln IDs

V-233252

Rule IDs

SV-233252r601245_rule

The container platform and its components must generate audit records when successful and unsuccessful access security objects occur. All the components must use the same standard so that the events can be tied together to understand what took place within the overall container platform. This must establish, correlate, and help assist with investigating the events relating to an incident, or identify those responsible. Without audit record generation access controls levels can access by unauthorized users unknowingly for malicious intent creating vulnerabilities within the container platform.

Checks: C-36188r601243_chk

Review the container platform configuration to verify audit records are generated on successful/unsuccessful attempts to access security objects. If audit records are not generated, this is a finding.

Fix: F-36156r601244_fix

Configure the container platform to generate audit records when successful/unsuccessful attempts to access security objects occur.

b

The container platform must generate audit records when successful/unsuccessful attempts to access security levels occur.

AU-12 - Medium - CCI-000172 - V-233253 - SV-233253r601248_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000493-CTR-001225

Vuln IDs

V-233253

Rule IDs

SV-233253r601248_rule

Unauthorized users could access the security levels to exploit vulnerabilities within the container platform component. All the components must use the same standard so that the events can be tied together to understand what took place within the overall container platform. This must establish, correlate, and help assist with investigating the events relating to an incident, or identify those responsible. Without audit record generation, unauthorized users can access security levels unknowingly for malicious intent creating vulnerabilities within the container platform.

Checks: C-36189r601246_chk

Review the container platform configuration to verify audit records are generated on successful/unsuccessful attempts to access security levels. If audit records are not generated, this is a finding.

Fix: F-36157r601247_fix

Configure the container platform to generate audit records when successful/unsuccessful attempts to access security levels occur.

b

The container platform must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur.

AU-12 - Medium - CCI-000172 - V-233254 - SV-233254r601251_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000494-CTR-001230

Vuln IDs

V-233254

Rule IDs

SV-233254r601251_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-36190r601249_chk

Review the container platform configuration to verify audit records are generated on successful/unsuccessful attempts to access categories of information. If audit records are not generated, this is a finding.

Fix: F-36158r601250_fix

Configure the container platform to generate audit records on successful/unsuccessful attempts to access categories of information.

b

The container platform must generate audit records when successful/unsuccessful attempts to modify privileges occur.

AU-12 - Medium - CCI-000172 - V-233255 - SV-233255r601254_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000495-CTR-001235

Vuln IDs

V-233255

Rule IDs

SV-233255r601254_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-36191r601252_chk

Review the container platform configuration to verify audit records are generated on successful/unsuccessful attempts to modify privileges. If audit records are not generated, this is a finding.

Fix: F-36159r601253_fix

Configure the container platform to generate audit records on successful/unsuccessful attempts to modify privileges.

b

The container platform must generate audit records when successful/unsuccessful attempts to modify security objects occur.

AU-12 - Medium - CCI-000172 - V-233256 - SV-233256r601257_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000496-CTR-001240

Vuln IDs

V-233256

Rule IDs

SV-233256r601257_rule

The container platform and its components must generate audit records when modifying security objects. All the components must use the same standard so that the events can be tied together to understand what took place within the overall container platform. This must establish, correlate, and help assist with investigating the events relating to an incident, or identify those responsible. Without audit record generation, unauthorized users can modify security objects unknowingly for malicious intent creating vulnerabilities within the container platform.

Checks: C-36192r601255_chk

Review the container platform configuration to verify audit records are generated on successful/unsuccessful attempts to modify security objects. If audit records are not generated, this is a finding.

Fix: F-36160r601256_fix

Configure the container platform to generate audit records when successful/unsuccessful attempts to modify security objects.

b

The container platform must generate audit records when successful/unsuccessful attempts to modify security levels occur.

AU-12 - Medium - CCI-000172 - V-233257 - SV-233257r601260_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000497-CTR-001245

Vuln IDs

V-233257

Rule IDs

SV-233257r601260_rule

Unauthorized users could modify the security levels to exploit vulnerabilities within the container platform component. All the components must use the same standard so that the events can be tied together to understand what took place within the overall container platform. This must establish, correlate, and help assist with investigating the events relating to an incident, or identify those responsible. Without audit record generation, unauthorized users can modify security levels unknowingly for malicious intent creating vulnerabilities within the container platform.

Checks: C-36193r601258_chk

Review the container platform configuration to verify audit records are generated on successful/unsuccessful attempts to modify security levels. If audit records are not generated, this is a finding.

Fix: F-36161r601259_fix

Configure the container platform to generate audit records when successful/unsuccessful attempts to modify security levels.

b

The container platform must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur.

AU-12 - Medium - CCI-000172 - V-233258 - SV-233258r601263_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000498-CTR-001250

Vuln IDs

V-233258

Rule IDs

SV-233258r601263_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-36194r601261_chk

Review the container platform configuration to verify audit records are generated when successful/unsuccessful attempts are made to modify categories of information. If audit records are not generated, this is a finding.

Fix: F-36162r601262_fix

Configure the container platform to generate audit records when successful/unsuccessful attempts are made to modify categories of information.

b

The container platform must generate audit records when successful/unsuccessful attempts to delete privileges occur.

AU-12 - Medium - CCI-000172 - V-233259 - SV-233259r601266_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000499-CTR-001255

Vuln IDs

V-233259

Rule IDs

SV-233259r601266_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-36195r601264_chk

Review the container platform configuration to verify audit records are generated when successful/unsuccessful attempts are made to delete privileges. If audit records are not generated, this is a finding.

Fix: F-36163r601265_fix

Configure the container platform to generate audit records when successful/unsuccessful attempts are made to delete privileges occur.

b

The container platform must generate audit records when successful/unsuccessful attempts to delete security levels occur.

AU-12 - Medium - CCI-000172 - V-233260 - SV-233260r601269_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000500-CTR-001260

Vuln IDs

V-233260

Rule IDs

SV-233260r601269_rule

The container platform and its components must generate audit records when deleting security levels. All the components must use the same standard so that the events can be tied together to understand what took place within the overall container platform. This must establish, correlate, and help assist with investigating the events relating to an incident, or identify those responsible. Without audit record generation, unauthorized users can delete security levels unknowingly for malicious intent creating vulnerabilities within the container platform.

Checks: C-36196r601267_chk

Review the container platform configuration to verify audit records are generated on successful/unsuccessful attempts to delete security levels. If audit records are not generated, this is a finding.

Fix: F-36164r601268_fix

Configure the container platform to generate audit records when successful/unsuccessful attempts to delete security levels.

b

The container platform must generate audit records when successful/unsuccessful attempts to delete security objects occur.

AU-12 - Medium - CCI-000172 - V-233261 - SV-233261r601272_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000501-CTR-001265

Vuln IDs

V-233261

Rule IDs

SV-233261r601272_rule

Unauthorized users modify level the security levels to exploit vulnerabilities within the container platform component. All the components must use the same standard so that the events can be tied together to understand what took place within the overall container platform. This must establish, correlate, and help assist with investigating the events relating to an incident, or identify those responsible. Without audit record generation, unauthorized users can access delete security objects unknowingly for malicious intent creating vulnerabilities within the container platform.

Checks: C-36197r601270_chk

Review the container platform configuration to determine if audit records are generated on successful/unsuccessful attempts to delete security objects occur. If audit records are not generated, this is a finding.

Fix: F-36165r601271_fix

Configure the container platform to generate audit records on successful/unsuccessful attempts to delete security objects occur.

b

The container platform must generate audit records when successful/unsuccessful attempts to delete categories of information (e.g., classification levels) occur.

AU-12 - Medium - CCI-000172 - V-233262 - SV-233262r601275_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000502-CTR-001270

Vuln IDs

V-233262

Rule IDs

SV-233262r601275_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-36198r601273_chk

Review the container platform configuration to determine if audit records are generated on successful/unsuccessful attempts to delete categories of information occur. If audit records are not generated, this is a finding.

Fix: F-36166r601274_fix

Configure the container platform to generate audit records on successful/unsuccessful attempts to delete categories of information occur.

b

The container platform must generate audit records when successful/unsuccessful logon attempts occur.

AU-12 - Medium - CCI-000172 - V-233263 - SV-233263r601883_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000503-CTR-001275

Vuln IDs

V-233263

Rule IDs

SV-233263r601883_rule

The container platform and its components must generate audit records when successful and unsuccessful logon attempts occur. The information system can determine if an account is compromised or is in the process of being compromised and can take actions to thwart the attack. All the components must use the same standard so that the events can be tied together to understand what took place within the overall container platform. This must establish, correlate, and help assist with investigating the events relating to an incident, or identify those responsible.

Checks: C-36199r601882_chk

Review the container platform configuration for audit logon events. Ensure audit policy for successful and unsuccessful logon events are enabled. Verify events are written to the log. Validate system documentation is current. If logon attempts do not generate log records, this is a finding.

Fix: F-36167r601277_fix

Configure the container platform registry, keystore, and runtime to generate audit log for successful and unsuccessful logon for any all accounts and services. Revise all applicable system documentation.

b

The container platform must generate audit record for privileged activities.

AU-12 - Medium - CCI-000172 - V-233264 - SV-233264r601281_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000504-CTR-001280

Vuln IDs

V-233264

Rule IDs

SV-233264r601281_rule

The container platform components will generate audit records for privilege activities and container platform runtime, registry, and keystore must generate access audit records to detect possible malicious intent. All the components must use the same standard so that the events can be tied together to understand what took place within the overall container platform. It would be difficult to establish, correlate, and investigate events relating to an incident or identify those responsible without these activities. Audit records can be generated from various components within the container platform.

Checks: C-36200r601279_chk

Review the documentation and configuration guides to determine if the container platform generates log records for privileged activities. If log records are not generated for privileged activities, this is a finding.

Fix: F-36168r601280_fix

Configure the container platform to generate log records for privileged activities.

b

The container platform audit records must record user access start and end times.

AU-12 - Medium - CCI-000172 - V-233265 - SV-233265r601840_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000505-CTR-001285

Vuln IDs

V-233265

Rule IDs

SV-233265r601840_rule

The container platform must generate audit records showing start and end times for users and services acting on behalf of a user accessing the registry and keystore. These components must use the same standard so that the events can be tied together to understand what took place within the overall container platform. This must establish, correlate, and help assist with investigating the events relating to an incident, or identify those responsible.

Checks: C-36201r601839_chk

Review the container platform configuration for audit user access start and end times. Ensure audit policy for user access start and end times are enabled. Verify events are written to the log. Validate system documentation is current. If user access start and end times do not generate log records, this is a finding.

Fix: F-36169r601283_fix

Configure the container platform to generate audit log for user access start and end times for any all accounts and services. Revise all applicable system documentation.

b

The container platform must generate audit records when concurrent logons from different workstations and systems occur.

AU-12 - Medium - CCI-000172 - V-233266 - SV-233266r601842_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000506-CTR-001290

Vuln IDs

V-233266

Rule IDs

SV-233266r601842_rule

The container platform and its components must generate audit records for concurrent logons from workstations perform remote maintenance, runtime instances, connectivity to the container registry, and keystore. All the components must use the same standard so the events can be tied together to understand what took place within the overall container platform. This must establish, correlate, and help assist with investigating the events relating to an incident, or identify those responsible.

Checks: C-36202r601841_chk

Review the container platform configuration for audit logon events. Ensure audit policy for concurrent logons from different workstations and systems is enabled. Verify events are written to the log. Validate system documentation is current. If concurrent logons from different workstations and systems do not generate log records, this is a finding.

Fix: F-36170r601286_fix

Configure the container platform to generate audit log for concurrent logins from multiple workstations and systems. Revise all applicable system documentation.

b

The container platform runtime must generate audit records when successful/unsuccessful attempts to access objects occur.

AU-12 - Medium - CCI-000172 - V-233267 - SV-233267r601844_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000507-CTR-001295

Vuln IDs

V-233267

Rule IDs

SV-233267r601844_rule

Container platform runtime objects are defined as configuration files, code, etc. This provides the ability to configure resources and software parameters prior to image execution from the container platform registry. An unauthorized user with malicious intent could modify existing objects causing vulnerabilities or attacks. It would be difficult to establish, correlate, and investigate events relating to an incident or identify those responsible without audit record generation. Without audit record generation, unauthorized users can access objects unknowingly for malicious intent creating vulnerabilities within the container platform.

Checks: C-36203r601884_chk

Review the container platform configuration to verify that the runtime generates audit records on successful/unsuccessful access to objects. If audit records are not generated by the runtime when objects are successfully/unsuccessfully accessed, this is a finding.

Fix: F-36171r601289_fix

Configure the container platform runtime to generate audit records on successful/unsuccessful access to objects.

b

Direct access to the container platform must generate audit records.

AU-12 - Medium - CCI-000172 - V-233268 - SV-233268r601293_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000508-CTR-001300

Vuln IDs

V-233268

Rule IDs

SV-233268r601293_rule

Direct access to the container platform and its components must generate audit records. All the components must use the same standard so that the events can be tied together to understand what took place within the overall container platform. This must establish, correlate, and help assist with investigating the events relating to an incident, or identify those responsible.

Checks: C-36204r601291_chk

Review the container platform configuration to determine if direct access of the container platform generates audit records. If audit records are not generated, this is a finding.

Fix: F-36172r601292_fix

Configure the container platform to generate audit records when accessed directly.

b

The container platform must generate audit records for all account creations, modifications, disabling, and termination events.

AU-12 - Medium - CCI-000172 - V-233269 - SV-233269r601846_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000509-CTR-001305

Vuln IDs

V-233269

Rule IDs

SV-233269r601846_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-36205r601885_chk

Review the container platform configuration to determine if the container platform is configured to generate audit records for all account creations, modifications, disabling, and termination events. If the container platform is not configured to generate the audit records, this is a finding.

Fix: F-36173r601295_fix

Configure the container platform to generate audit records for all account creations, modifications, disabling, and termination events.

b

The container runtime must generate audit records for all container execution, shutdown, restart events, and program initiations.

AU-12 - Medium - CCI-000172 - V-233270 - SV-233270r601848_rule

RMF Control

AU-12

Severity

M

CCI

Version

SRG-APP-000510-CTR-001310

Vuln IDs

V-233270

Rule IDs

SV-233270r601848_rule

The container runtime must generate audit records that are specific to the security and mission needs of the organization. Without audit record, it would be difficult to establish, correlate, and investigate events relating to an incident.

Checks: C-36206r601847_chk

Review the container runtime configuration to validate audit record generation for container execution, shutdown, and restart events. If the container runtime does not generate records for container execution, shutdown and restart events, this is a finding.

Fix: F-36174r601298_fix

Configure the container runtime to generate audit records for container execution, shutdown, and restart events.

b

The container platform must use a valid FIPS 140-2 approved cryptographic modules to generate hashes.

SC-13 - Medium - CCI-002450 - V-233271 - SV-233271r601850_rule

RMF Control

SC-13

Severity

M

CCI

CCI-002450

Version

SRG-APP-000514-CTR-001315

Vuln IDs

V-233271

Rule IDs

SV-233271r601850_rule

The cryptographic module used must have at least one validated hash algorithm. This validated hash algorithm must be used to generate cryptographic hashes for all cryptographic security function within the container platform components being evaluated. FIPS 140-2 precludes the use of invalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems. Unvalidated cryptography is viewed by NIST as providing no protection to the information or data. In effect, the data would be considered unprotected plaintext. If the agency specifies that the information or data be cryptographically protected, then FIPS 140-2 is applicable. In essence, if cryptography is required, it must be validated. Cryptographic modules that have been approved for classified use may be used in lieu of modules that have been validated against the FIPS 140-2 standard.

Checks: C-36207r601886_chk

Review the container platform configuration to validate that valid FIPS 140-2 approved cryptographic modules are being used to generate hashes. If non-valid or unapproved FIPS 140-2 cryptographic modules are being used to generate hashes, this is a finding.

Fix: F-36175r601301_fix

Configure the container platform to use valid FIPS 140-2 approved cryptographic modules to generate hashes.

b

Container platform components must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.

CM-6 - Medium - CCI-000366 - V-233273 - SV-233273r601852_rule

RMF Control

CM-6

Severity

M

CCI

Version

SRG-APP-000516-CTR-001325

Vuln IDs

V-233273

Rule IDs

SV-233273r601852_rule

Container platform components are part of the overall container platform, offering services that enable the container platform to fully orchestrate user containers. These components may fall outside the scope of this document, but they still must be secured. Examples of such components are DNS, routers, and firewalls. These and any other services offered by the container platform must follow the appropriate STIG or SRG for the technology offered. If a STIG or SRG is not available for the technology, then best practices for the technology must be used. For example, the Cloud Native Computing Foundation (CNCF) is an open-source organization that is working on container platform best practices.

Checks: C-36209r601851_chk

Review the container platform configuration to determine the services offered by the container platform and validate that any services that are offered are configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs. If container platform services are not configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs, this is a finding.

Fix: F-36177r601307_fix

Configure container services in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.

b

The container platform must be able to store and instantiate industry standard container images.

CM-6 - Medium - CCI-000366 - V-233274 - SV-233274r601854_rule

RMF Control

CM-6

Severity

M

CCI

Version

SRG-APP-000516-CTR-001330

Vuln IDs

V-233274

Rule IDs

SV-233274r601854_rule

Monitoring the container images and containers during their lifecycle is important to guarantee the container platform is secure. To monitor the containers and images, security tools can be put in place. To fully utilize the security tools available, using images formatted in an industry standard format should be used. This allows the tools to fully understand the images and containers. One standard being worked on by industry leaders in the container space is the Open Container Initiative (OCI). This group is developing a standard container image format.

Checks: C-36210r601887_chk

Review the container platform configuration and documentation to determine if the platform is configured to store and instantiate industry standard container images. If the container platform cannot instantiate industry standard container images, this is a finding.

Fix: F-36178r601310_fix

Enable the container platform to store and instantiate industry standard container image formats.

b

The container platform must continuously scan components, containers, and images for vulnerabilities.

CM-6 - Medium - CCI-000366 - V-233275 - SV-233275r601314_rule

RMF Control

CM-6

Severity

M

CCI