Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Review the container platform configuration to verify that TLS 1.2 or greater is being used for secure container image transport from trusted sources. If TLS 1.2 or greater is not being used for secure container image transport, this is a finding.
Configure the container platform to use TLS 1.2 or greater when components communicate internally or externally. The fix ensures that all communication components in the container platform are configured to utilize secure versions of TLS.
Review the container platform configuration to verify that TLS 1.2 or greater is being used for communication by the container platform nodes and components. If TLS 1.2 or greater is not being used for secure communication, this is a finding.
Configure the container platform to use TLS 1.2 or greater for node and component communication.
Review the container platform to determine if it is using a centralized user management system for user management functions. If the container platform is not using a centralized user management system for user management functions, this is a finding.
Configure the container platform to use a centralized user management system for user management functions.
Review the container platform configuration to determine if temporary user accounts are automatically removed or disabled after 72 hours. If temporary user accounts are not automatically removed or disabled after 72 hours, this is a finding.
Configure the container platform to automatically remove or disable temporary user accounts after 72 hours.
Determine if the container platform automatically disables accounts after a 35-day period of account inactivity. If the container platform does not automatically disable accounts after a 35-day period of account inactivity, this is a finding.
Configure the container platform to automatically disable accounts after a 35-day period of account inactivity.
Review the container platform configuration to determine if audit records are automatically created upon account creation. If audit records are not automatically created upon account creation, this is a finding.
Configure the container platform to automatically create audit records on account creation.
Review the container platform configuration to determine if account modification is automatically audited. If account modification is not automatically audited, this is a finding.
Configure the container platform to automatically audit account modification.
Review the container platform configuration to determine if account disabling is automatically audited. If account disabling is not automatically audited, this is a finding.
Configure the container platform to automatically audit account disabling.
Review the container platform configuration to determine if account removal is automatically audited. If account removal is not automatically audited, this is a finding.
Configure the container platform to automatically audit account removal.
Review the container platform configuration to determine if least privilege and need-to-know access is being used for container platform registry access. If least privilege and need-to-know access is not being used for container platform registry access, this is a finding.
Configure the container platform to use least privilege and need to know when granting access to the container platform registry. The fix ensures the proper roles and permissions are configured.
Review the container platform to determine if only those individuals with runtime duties have access to the container platform runtime. If users have access to the container platform runtime that do not have runtime duties, this is a finding.
Configure the container platform to use least privilege and need to know when granting access to the container runtime. The fix ensures the proper roles and permissions are configured.
Review the container platform to determine if only those individuals with keystore duties have access to the container platform keystore. If users have access to the container platform keystore that do not have keystore duties, this is a finding.
Configure the container platform to use least privilege and need to know when granting access to the container keystore. The fix ensures the proper roles and permissions are configured.
Review the container platform to determine if approved authorizations for controlling the flow of information within the container platform based on organization-defined information flow control policies is being enforced. If the organization-defined information flow policies are not being enforced, this is a finding.
Configure the container platform to enforce approved authorizations for controlling the flow of information within the container platform based on organization-defined information flow control policies.
Review the container platform configuration to determine if organization-defined information flow controls are implemented. If information flow controls are not implemented, this is a finding.
Configure the container platform to implement organization-defined information flow controls.
Review the container platform to determine if it is configured to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. If the container platform is not configured to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period, this is a finding.
Configure the container platform to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
Review the container platform configuration to determine if the Standard Mandatory DoD Notice and Consent Banner is configured to be displayed before granting access to platform components. Log in to the container platform components and verify that the Standard Mandatory DoD Notice and Consent Banner is being displayed before granting access. If the Standard Mandatory DoD Notice and Consent Banner is not configured or is not displayed before granting access to container platform components, this is a finding.
Configure the container platform to display the Standard Mandatory DoD Notice and Consent Banner before granting access to container platform components.
Log in to the container platform components to determine if the Standard Mandatory DoD Notice and Consent Banner remains on the screen until users acknowledge the usage and conditions and take explicit actions to log on for further access. If the Standard Mandatory DoD Notice and Consent Banner does not stay on the screen until the users acknowledge the usage and conditions, this is a finding.
Configure the container platform to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage and conditions and take explicit actions to log on for further access.
Review the container platform configuration to determine if the container platform is configured to generate audit records for all DoD-defined auditable events within all components in the platform. Generate DoD-defined auditable events within all the components to determine if the events are being audited. If the container platform is not configured to generate audit records for all DoD-defined auditable events within the components or the events are not generating audit records, this is a finding.
Configure the container platform to generate audit records for all DoD-defined auditable events within all the components of the container platform.
Review the container platform to determine if the container platform is configured to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. If the container platform is not configured to only allow the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited, this is a finding.
Configure the container platform to only allow the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
Review the container platform configuration to determine if it is configured to generate audit records when successful/unsuccessful attempts are made to access privileges. If the container platform is not configured to generate audit records on successful/unsuccessful access to privileges, this is a finding.
Configure the container platform to generate audit records when successful/unsuccessful attempts are made to access privileges occur.
Review the container platform configuration for session audits. Ensure audit policy for session logging at startup is enabled. Verify events are written to the log. Validate system documentation is current. If the container platform is not configured to meet this requirement, this is a finding.
Configure the container platform to generate audit logs for session logging at startup. Revise all applicable system documentation.
Review the container platform configuration for audit event types. Ensure audit policy for event type is enabled. Verify records showing what type of event occurred are written to the log. Validate system documentation is current. If log data does not show the type of event, this is a finding.
Configure the container platform to include the event type in the log data. Revise all applicable system documentation.
Review the container platform configuration for audit events date and time. Ensure audit policy for event date and time are enabled. Verify records showing event date and time are included in the log. Validate system documentation is current. If the date and time are not included, this is a finding.
Configure the container platform to include log date and time with the event. Revise all applicable system documentation.
Review the container platform configuration to determine if all audit records identify where in the container platform the event occurred. Generate audit records and view the audit records to verify that the records do identify where in the container platform the event occurred. If the container platform is not configured to generate audit records that identify where in the container platform the event occurred, or if the generated audit records do not identify where in the container platform the event occurred, this is a finding.
Configure the container platform to generate audit records that identify where in the container platform the event occurred.
Review container platform audit policy configuration for logons establishing the sources of events. Ensure audit policy is configured to generate sufficient information to resolve the source, e.g., source IP, of the log event. Verify records showing by requesting a user access the container platform and generate log events, and then review the logs to determine if the source of the event can be established. If the source of the event cannot be determined, this is a finding.
Configure the container platform registry, keystore, and runtime to generate the source of each loggable event. Revise all applicable system documentation.
Review the container platform configuration to determine if audit records contain the audit event results. Generate audit records and review the data to validate that the record does contain the event result. If the container platform is not configured to generate audit records with the event result or the audit record does not contain the event result, this is a finding.
Configure the container platform to generate audit records that contain the event result.
Review container platform documentation and the log files on the application server to determine if the logs contain information that establishes the identity of the user or process associated with log event data. If the container platform does not produce logs that establish the identity of the user or process associated with log event data, this is a finding.
Configure the container platform logging system to log the identity of the user or process related to the events.
Review the container platform configuration to determine if it is configured to generate audit records that contain the component information that generated the audit record. Generate audit records and review the data to determine if records are generated containing the component information that generated the record. If the container platform is not configured to generate audit records containing the component information or records are generated that do not contain the component information that generated the record, this is a finding.
Configure the container platform to include the component information that generated the audit record.
Review the documentation and deployment configuration to determine if the container platform is configured to generate full-text recording of privileged commands or the individual identities of group users at a minimum. Have a user execute a privileged command and review the log data to validate that the full-text or identity of the individual is being logged. If the container platform is not meeting this requirement, this is a finding.
Configure the container platform to generate the full-text recording of privileged commands, or the individual identities of group users, or both.
Review the configuration settings to determine how the container platform components are configured for audit failures. When the audit failure is due to the lack of audit record storage, the container platform must continue generating audit records, restarting services if necessary, and overwrite the oldest audit records in a first-in-first-out manner. If the audit failure is due to a communication to a centralized collection server, the container platform must queue audit records locally until communication is restored or the records are retrieved manually. If the container platform is not configured to handle audit failures appropriately, this is a finding.
Configure the container platform to continue generating audit records overwriting oldest audit records in a first-in-first-out manner when the failure is due to a lack of audit record storage. When the audit failure is due to a communication to a centralized collection server, configure the container platform to queue audit records locally until communication is restored or the records are retrieved manually. If other actions are to be taken for audit record failures, the actions and rationale must be documented in the system security plan and risk acceptance approvals must be obtained.
Review the configuration settings to determine if the container platform components are configured to send audit events to central managed audit log repository. If the container platform is not configured to send audit events to central managed audit log repository, this is a finding.
Configure the container platform components to send audit logs to a central managed audit log repository.
Review the container platform configuration files to determine if the internal system clock is used for time stamps. If the container platform does not use the internal system clock to generate time stamps, this is a finding.
Configure the container platform to use internal system clocks to generate time stamps for log records.
Review the container platform configuration to determine where audit information is stored. If the audit information is not protected from any type of unauthorized read access, this is a finding.
Configure the container platform to protect the storage of audit information from unauthorized read access.
Review the container platform configuration to determine where audit information is stored. If the audit log data is not protected from unauthorized modification, this is a finding.
Configure the container platform to protect the storage of audit information from unauthorized modification.
Review the container platform configuration to determine where audit information is stored. If the audit log data is not protected from unauthorized deletion, this is a finding.
Configure the container platform to protect the storage of audit information from unauthorized deletion.
Review the container platform to validate container platform audit tools are protected from unauthorized access. If the audit tools are not protected from unauthorized access, this is a finding.
Configure the container platform to protect audit tools from unauthorized access.
Review the container platform to validate container platform audit tools are protected from unauthorized modification. If the audit tools are not protected from unauthorized modification, this is a finding.
Configure the container platform to protect audit tools from unauthorized modification.
Review the container platform to validate container platform audit tools are protected from unauthorized deletion. If the audit tools are not protected from unauthorized deletion, this is a finding.
Configure the container platform to protect audit tools from unauthorized deletion.
Review the container platform configuration to determine if FIPS-validated cryptographic mechanisms are being used to protect the integrity of log information. If FIPS-validated cryptographic mechanisms are not being used to protect the integrity of log information, this is a finding.
Configure the container platform to use FIPS-validated cryptographic mechanisms to protect the integrity of log information.
Review the container platform configuration to verify it has been built from packages that are digitally signed by known and approved sources. If the container platform was built from packages that are not digitally signed or are from unknown or non-approved sources, this is a finding.
Rebuild the container platform from verified packages that are digitally signed by known and approved sources.
Review the container platform configuration to determine if container images are verified by enforcing image signing and that the image is signed recognized by an approved source. If container images are not verified or the signature is not verified as a recognized and approved source, this is a finding.
Configure the container platform to verify container images are digitally signed and the signature is from a recognized and approved source.
Review the container platform registry configuration to determine if the level of access to the registry is controlled through user privileges. Attempt to perform registry operations to determine if the privileges are enforced. If the container platform registry is not limited through user privileges or the user privileges are not enforced, this is a finding.
Configure the container platform to use and enforce user privileges when accessing the container platform registry.
Review the container platform runtime configuration to determine if the level of access to the runtime is controlled through user privileges. Attempt to perform runtime operations to determine if the privileges are enforced. If the container platform runtime is not limited through user privileges or the user privileges are not enforced, this is a finding.
Configure the container platform to use and enforce user privileges when accessing the container platform runtime.
Review the container platform keystore configuration to determine if the level of access to the keystore is controlled through user privileges. Attempt to perform keystore operations to determine if the privileges are enforced. If the container platform keystore is not limited through user privileges or the user privileges are not enforced, this is a finding.
Configure the container platform to use and enforce user privileges when accessing the container platform keystore.
Review the container platform to verify that configuration files cannot be modified by non-privileged users. If non-privileged users can modify configuration files, this is a finding.
Configure the container platform to only allow configuration modifications by privileged users.
Review the container platform to verify that authentication files cannot be modified by non-privileged users. If non-privileged users can modify key and certificate files, this is a finding.
Configure the container platform to only allow authentication file modifications by privileged users.
Review the container platform configuration and verify that only those components needed for operation are installed. If components are installed that are not used for the intended purpose of the organization, this is a finding.
Identify the role the container platform is intended to play in the production environment and remove any components that are not needed or used for the intended purpose.
Review the container platform registry and the container images being stored. If container images are stored in the registry and are not being used to offer container platform capabilities, this is a finding.
Remove all container images from the container platform registry that are not being used or contain features and functions not supported by the platform.
Review the container platform documentation and deployment configuration to determine which ports and protocols are enabled. Verify the ports and protocols being used are not prohibited by PPSM CAL in accordance to DoD Instruction 8551.01 Policy and are necessary for the operations and applications. If any of the ports or protocols is prohibited or not necessary for the operation, this is a finding.
Configure the container platform to disable any ports or protocols that are prohibited by the PPSM CAL and not necessary for the operation.
Review the container platform configuration and the containers within the platform by performing the following checks: 1. Verify the container platform is configured to disallow the use of privileged ports by containers. 2. Validate all containers within the container platform are using non-privileged ports. 3. Attempt to instantiate a container image that uses a privileged port. If the container platform is not configured to disallow the use of privileged ports, this is a finding. If the container platform has containers using privileged ports, this is a finding. If the container platform allows containers to be instantiated that use privileged ports, this is a finding.
Configure the container platform to disallow the use of privileged ports by containers. Move any containers that are using privileged ports to non-privileged ports.
Review the container platform configuration to determine if users are uniquely identified and authenticated. If users are not uniquely identified or are not authenticated, this is a finding.
Configure the container platform to uniquely identify and authenticate users.
Review the container platform configuration to determine if users are uniquely identified and authenticated before the API is executed. If users are not uniquely identified or are not authenticated, this is a finding.
Configure the container platform to uniquely identify and authenticate users before container platform API access.
Review the container platform configuration to determine if processes acting on behalf of users are uniquely identified and authenticated. If processes acting on behalf of users are not uniquely identified or are not authenticated, this is a finding.
Configure the container platform to uniquely identify and authenticate processes acting on behalf of users.
Review the container platform API configuration to determine if processes acting on behalf of users are uniquely identified and authenticated. If processes acting on behalf of users are not uniquely identified or are not authenticated, this is a finding.
Configure the container platform API to uniquely identify and authenticate processes acting on behalf of users.
Review the container platform configuration to determine if the container platform is configured to use multifactor authentication for network access to privileged accounts. If the container platform does not use multifactor authentication for network access to privileged accounts, this is a finding.
Configure the container platform to use multifactor authentication for network access to privileged accounts.
Review the container platform configuration to determine if the container platform is configured to use multifactor authentication for network access to non-privileged accounts. If the container platform does not use multifactor authentication for network access to non-privileged accounts, this is a finding.
Configure the container platform to use multifactor authentication for network access to non-privileged accounts.
Review the container platform configuration to determine if multifactor authentication is used for local access to privileged accounts. If multifactor authentication for local access to privileged accounts is not being used, this is a finding.
Configure the container platform to use multifactor authentication for local access to privileged accounts.
Review the container platform configuration to determine if multifactor authentication is used for local access to non-privileged accounts. If multifactor authentication for local access to non-privileged accounts is not being used, this is a finding.
Configure the container platform to use multifactor authentication for local access to non-privileged accounts.
Review the container platform configuration to determine if the container platform is configured to ensure users are authenticated with an individual authenticator prior to using a group authenticator. If the container platform is not configured to ensure users are authenticated with an individual authenticator prior to using a group authenticator, this is a finding.
Configure the container platform to ensure users are authenticated with an individual authenticator prior to using a group authenticator.
Review the container platform configuration to determine if the container platform is configured to use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts. If the container platform is not configured to use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts, this is a finding.
Configure the container platform to use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.
Review the container platform configuration to determine if the container platform is configured to provide replay-resistant authentication mechanisms for network access to non-privileged accounts. If the container platform is not configured to provide replay-resistant authentication mechanisms for network access to non-privileged accounts, this is a finding.
Configure the container platform to provide replay-resistant authentication mechanisms for network access to non-privileged accounts.
Review the container platform configuration to determine if the container platform uniquely identifies all nodes before establishing a connection. If the container platform is not configured to uniquely identify all nodes before establishing the connection, this is a finding.
Configure the container platform to uniquely identify all nodes before establishing the connection.
Review the container platform configuration to determine if the container platform is configured to disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. If identifiers are not disabled after 35 days of inactivity, this is a finding.
Configure the container platform to disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
Review the container platform configuration to determine if the container platform enforces a minimum 15-character password length. If the container platform does not enforce a 15-character password length, this is a finding.
Configure the container platform to enforce a minimum 15-character password length.
Review the container platform configuration to determine if it prohibits password reuse for a minimum of five generations. If the container platform does not prohibit password reuse for a minimum of five generations, this is a finding.
Configure the container platform to prohibit password reuse for a minimum of five generations.
Review the container platform configuration to determine if it enforces password complexity by requiring that at least one uppercase character be used. If the container platform does not enforce password complexity by requiring that at least one uppercase character be used, this is a finding.
Configure the container platform to enforce password complexity by requiring that at least one uppercase character be used.
Review the container platform configuration to determine if it enforces password complexity by requiring that at least one lowercase character be used. If the container platform does not enforce password complexity by requiring that at least one lowercase character be used, this is a finding.
Configure the container platform to enforce password complexity by requiring that at least one lowercase character be used.
Review the container platform configuration to determine if it enforces password complexity by requiring that at least one numeric character be used. If the container platform does not enforce password complexity by requiring that at least one numeric character be used, this is a finding.
Configure the container platform to enforce password complexity by requiring that at least one numeric character be used.
Review the container platform configuration to determine if it enforces password complexity by requiring that at least one special character be used. If the container platform does not enforce password complexity by requiring that at least one special character be used, this is a finding.
Configure the container platform to enforce password complexity by requiring that at least one special character be used.
Review the container platform configuration to determine if it requires the change of at least 15 of the total number of characters when passwords are changed. If the container platform does not require the change of at least 15 of the total number of characters when passwords are changed, this is a finding.
Configure the container platform to require the change of at least 15 of the total number of characters when passwords are changed.
Review the container platform configuration to determine if it using password authentication and stores only cryptographic representations of the passwords. If the container platform is using password authentication and does not store only cryptographic representations of passwords, this is a finding.
Configure the container platform to store only cryptographic representations of passwords if passwords are being used for authentication.
Review the documentation and configuration to determine if the container platform enforces the required FIPS-validated encrypt passwords when they are transmitted. If the container platform is not configured to meet this requirement, this is a finding.
Configure the container platform to transmit only encrypted FIPS-validated SHA-2 or later representations of passwords.
Review the container platform configuration to determine if it enforces 24 hours/1 day as the minimum password lifetime. If the container platform does not enforce 24 hours/1 day as the minimum password lifetime, this is a finding.
Configure the container platform to enforce 24 hours/1 day as the minimum password lifetime.
Review the container platform configuration to determine if it enforces a 60-day maximum password lifetime restriction. If the container platform does not enforce a 60-day maximum password lifetime restriction, this is a finding.
Configure the container platform to enforce a 60-day maximum password lifetime restriction.
Review documentation and configuration to ensure the container platform provides a PKI integration capability that meets DoD PKI infrastructure requirements. If the container platform is not configured to meet this requirement, this is a finding.
Configure the container platform to utilize the DoD Enterprise PKI infrastructure.
Review container platform documentation and configuration to determine if any interfaces that are provided for authentication purposes display the user's password when it is typed into the data entry field. If authentication information is not obfuscated when entered, this is a finding.
Configure the container platform to obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
Review the container platform configuration to determine if the container platform is configured to provide an audit reduction capability that supports on-demand reporting requirements. If the container platform is not configured to support on-demand reporting requirements, this is a finding.
Configure the container platform to support on-demand reporting requirements.
Review the container platform configuration to determine if the container platform is configured to employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions. If the container platform is not configured to employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions, this is a finding.
Configure the container platform to employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions.
Review documentation and configuration settings to determine if the container platform is configured to close user sessions after defined conditions or trigger events are met. If the container platform is not configured or cannot be configured to disconnect users after defined conditions and trigger events are met, this is a finding.
Configure the container platform to terminate user sessions on defined conditions or trigger events.
Review the container platform configuration to determine if management functionality is separated from user functionality. Validate that the separation is also implemented within the components by trying to execute management functions for each component as a user. If the container platform is not configured to separate management and user functionality or if component management and user functionality are not separated, this is a finding.
Configure the container platform and its components to separate management and user functionality.
Review the container platform configuration to determine if FIPS-validated 140-2 or 140-3 cryptographic modules are being used to protect container images during transmission. If FIPS-validated 140-2 or 140-3 cryptographic modules are not being use, this is a finding.
Configure the container platform to use FIPS-validated 140-2 or 140-3 cryptographic modules to protect container images during transmission.
Review documentation and configuration to determine if the container platform runtime fails to a secure state if system initialization fails, shutdown fails, or aborts fail. If the container platform runtime cannot be configured to fail securely, this is a finding.
Configure the container platform runtime to fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
Review the container platform configuration to determine if information necessary to determine the cause of a disruption or failure is preserved. If the information is not preserved, this is a finding.
Configure the container platform to preserve information necessary to determine the cause of the disruption or failure.
Verify container platform runtime configuration settings to determine whether container services used for security functions are located in an isolated security function such as a separate environment variables, labels, network segregation, and kernel groups. If security-related functions are not separate, this is a finding.
Configure the container platform runtime to isolate security functions from non-security functions.
Review the container platform to determine if emergency accounts are automatically removed or disabled. If emergency accounts are automatically removed or disabled, this is a finding.
Configure the container platform to never remove or disable emergency accounts.
Review documentation and configuration to determine if the container platform disallows instantiation of containers trying to access host system privileged resources. If the container platform does not block containers requesting host system privileged resources, this is a finding.
Configure the container platform to block instantiation of containers requesting access to host system-privileged resources.
Review the container platform architecture documentation to find out if and how it protects the resources of one process or user (such as working memory, storage, host system kernel, network connections) from unauthorized access by another user or process. If the container platform configuration settings do not effectively implement these protections to prevent unauthorized access by another user or process, this is a finding.
Deploy a container platform capable of effectively protecting the resources of one process or user from unauthorized access by another user or process. Configure the container platform to effectively protect the resources of one process or user from unauthorized access by another user or process. The container security solution should help the user understand where the code in the environment was deployed from, and provide controls that prevent deployment from untrusted sources or registries.
Review the container platform implementation and security documentation and components settings to determine if the information system restricts the ability of users or systems to launch organization-defined DoS attacks against other information systems or networks from the container platform. If the container platform is not configured to restrict this ability, this is a finding.
Configure the container platform to restrict the ability of users or other systems to launch DoS attacks from the container platform components by setting resource quotas on resources such as memory, storage, and CPU utilization.
Review documentation and logs to determine if the container platform writes sensitive information such as passwords or private keys into the logs and administrative messages. If the container platform writes sensitive or potentially harmful information into the logs and administrative messages, this is a finding.
Configure the container platform to not write sensitive information into the logs and administrative messages.
Review the container platform configuration to determine if the integrity of the audit tools is protected using cryptographic mechanisms. If audit tools are not protected through cryptographic mechanisms, this is a finding.
Configure the container platform to use cryptographic mechanisms to protect the integrity of audit tools.
Review the container platform configuration to determine if system administrators and ISSO are notified when accounts are created. If system administrators and ISSO are not notified, this is a finding.
Configure the container platform to notify system administrators and ISSO when accounts are created.
Review the container platform configuration to determine if system administrators and ISSO are notified when accounts are modified. If system administrators and ISSO are not notified, this is a finding.
Configure the container platform to notify system administrators and ISSO when accounts are modified.
Review the container platform configuration to determine if system administrators and ISSO are notified when accounts are disabled. If system administrators and ISSO are not notified, this is a finding.
Configure the container platform to notify system administrators and ISSO when accounts are disabled.
Review the container platform configuration to determine if system administrators and ISSO are notified when accounts are removed. If system administrators and ISSO are not notified, this is a finding.
Configure the container platform to notify system administrators and ISSO when accounts are removed.
Review documentation and configuration settings to determine if the container platform displays a logout message. If the container platform does not display a logout message, this is a finding.
Configure the container platform components to display an explicit logout message to users.
Determine if the container platform is configured to terminate shared/group account credentials when members leave the group. If the container platform does not terminated shared/group account credentials when members leave the group, this is a finding.
Configure the container platform to terminate shared/group account credentials when members leave the group.
Determine if the container platform is configured to automatically audit account-enabling actions. If the container platform is not configured to automatically audit account-enabling actions, this is a finding.
Configure the container platform to automatically audit account-enabling actions.
Determine if the container platform is configured to notify system administrator and ISSO of account enabling actions. If the container platform is not configured to notify system administrator and ISSO of account enabling actions, this is a finding.
Configure the container platform to notify system administrator and ISSO of account enabling actions.
Review documentation to obtain the definition of the container platform functionality considered privileged in the context of the information system in question. Review the container platform security configuration and/or other means used to protect privileged functionality from unauthorized use. If the configuration does not protect all of the actions defined as privileged, this is a finding.
Configure the container platform to security to protect all privileged functionality. Assigning roles that limit what actions a particular user can perform are the most common means of meeting this requirement.
Review documentation and configuration to determine if the container platform disallows instantiation of containers trying to execute with more privileges than required or with privileged permissions. If the container platform does not block containers requesting privileged permissions, privilege escalation, or allows containers to have more privileges than required, this is a finding.
Configure the container platform to block instantiation with no more privileges than necessary.
Review container platform documentation and log configuration to verify the application server logs privileged activity. If the container platform is not configured to log privileged activity, this is a finding.
Configure the container platform to log privileged activity.
Determine if the container platform is configured to automatically lock an account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded. If the container platform is not configured to lock the account, this is a finding.
Configure the container platform to automatically lock an account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.
Review documentation and configuration setting. If the container platform does not provide the ability for users in authorized roles to reconfigure auditing at any time of the user's choosing, this is a finding. If changes in audit configuration cannot take effect until after a certain time or date, or until some event, such as a server restart, has occurred, and if that time or event does not meet the requirements specified by the organization, this is a finding.
Deploy a container platform that provides the ability for users in authorized roles to reconfigure auditing at any time. Deploy a container platform that allows audit configuration changes to take effect within the timeframe required by the organization and without involving actions or events that the organization rules unacceptable.
Review the container platform configuration to determine if audit record storage capacity is allocated in accordance with organization-defined audit record storage requirements. If audit record storage capacity is not allocated in accordance with organization-defined audit record storage requirements, this is a finding.
Configure the container platform to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
Verify the log records are being off-loaded to a separate system or transferred from the container platform storage location to a storage location other than the container platform itself. The information system may demonstrate this capability using a log management application, system configuration, or other means. If logs are not being off-loaded, this is a finding.
Configure the container platform to off-load the logs to a remote log or management server.
Review the container platform configuration to determine if it is configured to provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity. If the container platform is not configured to provide an immediate real-time alert, this is a finding.
Configure the container platform to provide an immediate real-time alert to the SA and ISSO when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.
Review the container platform configuration to determine if it is configured to provide an immediate real-time alert to the SA and ISSO of all audit failure events requiring real-time alerts. If the container platform is not configured to provide an immediate real-time alert, this is a finding.
Configure the container platform to provide an immediate real-time alert to the SA and ISSO of all audit failure events requiring real-time alerts.
Review the container platform documentation and configuration files to determine if time stamps for log records can be mapped to UTC or GMT or local time that offsets from UTC. If the time stamp cannot be mapped to UTC or GMT, this is a finding.
Configure the container platform to use UTC or GMT or local time that offset from UTC based time stamps for log records.
Review the container platform documentation and configuration files to determine if time stamps for log records meet a granularity of one second. If the time stamp cannot generate to a one-second granularity, this is a finding.
Configure the container platform to use time stamps for log records that can meet a granularity of one second.
Review the container platform configuration to determine if patches and updates can only be installed through accounts with privileged status. Attempt to install a patch or upgrade using a non-privileged user account. If patches or updates can be installed using a non-privileged account or the container platform is not configured to stop the installation using a non-privileged account, this is a finding.
Configure the container platform to only allow patch installation and upgrades using privileged accounts.
Review the container platform runtime configuration to determine if only accounts given specific container instantiation privileges can execute the container image instantiation process. Attempt to instantiate a container image using an account that does not have the proper privileges to execute the process. If container images can be instantiated using an account without the proper privileges, this is a finding.
Configure the container platform runtime to prohibit the instantiation of container images without explicit container image instantiation privileges given to users.
Review container platform registry security settings with respect to non-administrative users' ability to create, alter, or replace container images. If any such permissions exist and are not documented and approved, this is a finding.
Document and obtain approval for any non-administrative users who require the ability to create, alter, or replace container images within the container platform registry. Implement the approved permissions. Revoke any unapproved permissions.
Review documentation and configuration settings to determine if the container platform enforces access restrictions associated with changes to container platform components configuration. If the container platform does not enforce such access restrictions, this is a finding.
Configure the container platform to enforce access restrictions associated with changes to the container platform components configuration.
Review container platform documentation and logs to determine if enforcement actions used to restrict access associated with changes to the container platform are logged. If these actions are not logged, this is a finding.
Configure the container platform to log the enforcement actions used to restrict access associated with changes.
Review the container platform configuration to determine if services or capabilities presently on the information system are required for operational or mission needs. If additional services or capabilities are present on the system, this is a finding.
Configure the container platform to only utilize secure ports and protocols required for operation that have been accepted for use as per the Ports, Protocols, and Services Category Assignments List (CAL) from DISA (PPSM).
Review documentation and configuration setting to determine if policies, rules, or restrictions exist regarding usage of container platform components. If no such no restrictions are in place, this is not a finding. Identify any components the organization requires to be disabled or removed and configure the container platform according to that policy. If the container platform components are not disabled or removed according to the organization's policy, this is a finding.
Configure the container platform so that any platform components that are not required in order to meet the organization's mission are disabled or removed. Document the components that must be disabled or removed for reference.
Review documentation and configuration settings to identify if the container platform whitelisting specifies which container platform components are allowed to execute. Check for the existence of policy settings or policy files that can be configured to restrict container platform component execution. Demonstrate how the program execution is restricted. Look for a deny-all, permit-by-exception policy of restriction. Some methods for restricting execution include but are not limited to the use of custom capabilities built into the application or Software Restriction Policies, Application Security Manager, or Role-Based Access Controls (RBAC). If container platform whitelisting is not utilized or does not follow a deny-all, permit-by-exception (whitelist) policy, this is a finding.
Configure the container platform to utilize a deny-all, permit-by-exception policy when allowing the execution of authorized software.
Review documentation and configuration to determine if the container platform requires a user to reauthenticate when organization-defined circumstances or situations are met. If the container platform does not meet this requirement, this is a finding.
Configure the container platform to require a user to reauthenticate when organization-defined circumstances or situations are met.
Review documentation and configuration to determine if the container platform requires devices to reauthenticate when organization-defined circumstances or situations require reauthentication. If the container platform does not require a device to reauthenticate, this is a finding.
Configure the container platform to require devices to reauthenticate when organization-defined circumstances or situations require reauthentication.
Review documentation and configuration to ensure the container platform is configured to use an approved DoD multifactor token (CAC) when accessing platform via user interfaces. If multifactor authentication is not configured, this is a finding.
Configure the container platform to accept standard DoD multifactor token-based credentials when users interface with the platform.
Review the container platform configuration to determine if the platform is configured to allow the use of a temporary password for system logons with an immediate change to a permanent password. If the container platform is not configured to allow temporary passwords with immediate change to a permanent password, this is a finding.
Configure the container platform to allow the use of a temporary password for system logons with an immediate change to a permanent password.
Review the container platform configuration to determine if the platform is configured to prohibit the use of cached authenticators after an organization-defined time period. If the container platform is not configured to prohibit the use of cached authenticators after an organization-defined time period, this is a finding.
Configure the container platform to prohibit the use of cached authenticators after an organization-defined time period.
Review the container platform configuration. If the container platform is not implemented to use a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, this is a finding.
Configure the container platform to implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
Review the documentation and configuration to determine if the container platform accepts PIV credentials from other federal agencies. If the container platform does not accept other federal agency PIV credentials, this is a finding.
Configure the container platform to accept PIV credentials from other federal agencies.
Review the container platform to verify if the platform is auditing non-local maintenance and diagnostic sessions' organization-defined audit events. If the container platform is not auditing non-local maintenance and diagnostic sessions' organization-defined audit events, this is a finding.
Configure the container platform to audit non-local maintenance and diagnostic sessions' organization-defined audit events.
Validate that container platform applications and APIs used for nonlocal maintenance sessions are using FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications. If the sessions are not using FIPS-validated HMAC, this is a finding.
Configure the container platform applications and APIs used for nonlocal maintenance sessions to use FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications.
Validate the container platform web management tools and Application Program Interfaces (API) are configured to use FIPS-validated Advanced Encryption Standard (AES) cipher block algorithms to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions. If the web management tools and API are not configured to use FIPS-validated Advanced Encryption Standard (AES) cipher block algorithms, this is a finding.
Configure the container platform web management tools and Application Program Interfaces (API) with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.
Validate that scanning applications have privileged access to container platform components, containers, and container images to properly perform vulnerability scans. If privileged access is not given to the scanning application, this is a finding.
Configure the vulnerability scanning application to have privileged access to the container platform components, containers, and container images.
Review documentation to verify that the container platform is using NSA-approved cryptography to protect classified data and applications. If the container platform is not using NSA-approved cryptography for classified data and applications, this is a finding.
Configure the container platform to utilize NSA-approved cryptography to protect classified information.
Review container platform keystore documentation and configuration to verify encryption levels meet the information sensitivity level. If the container platform keystore encryption configuration does not meet system requirements, this is a finding.
Configure the container platform keystore encryption to maintain the confidentiality and integrity of information for applicable sensitivity level.
Review container platform runtime documentation and configuration is maintaining a separate execution domain for each executing process. Different groups of applications, and services with different security needs, should be deployed in separate namespaces as a first level of isolation. If container platform runtime is not configured to execute processes in separate domains and namespaces, this is a finding. If namespaces use defaults, this is a finding.
Deploy a container platform runtime capable of maintaining a separate execution domain and namespace for each executing process. Create a namespace for each containers, defining them as logical groups.
Review documentation and configuration to determine if the container platform can protect against or limit the effects of all types of DoS attacks by employing defined security safeguards against resource depletion. Examples of resource limits are on memory, storage, and CPU. If the container platform cannot be configured to protect against or limit the effects of all types of DoS, this is a finding.
Configure the container platform to protect against or limit the effects of all types of DoS attacks by employing defined security safeguards. Safeguards such as resource limits on memory, storage, and CPU can be used.
Review container platform configuration to determine if it is using a transmission method that maintains the confidentiality and integrity of information during transmission. If a transmission method is not being used that maintains the confidentiality and integrity of the data, this is a finding.
Configure the container platform to utilize a transmission method that maintains the confidentiality and integrity of information during transmission.
Review the documentation and deployed configuration to determine if the container platform maintains the confidentiality and integrity of information during preparation before transmission. If the confidentiality and integrity are not maintained using mechanisms such as TLS, TLS VPNs, or IPsec during preparation before transmission, this is a finding.
Configure the container platform to maintain the confidentiality and integrity of information using mechanisms such as TLS, TLS VPNs, or IPsec during preparation for transmission.
Review documentation and configuration settings to determine if the container platform maintains the confidentiality and integrity of information during reception. If confidentiality and integrity are not maintained using mechanisms such as TLS, TLS VPNs, or IPsec during reception, this is a finding.
Configure the container platform to maintain the confidentiality and integrity using mechanisms such as TLS, TLS VPNs, or IPsec during reception.
Review the configuration to determine if the container platform behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received. If the container platform does not meet this requirement, this is a finding.
Configure the container platform behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.
Review the container platform configuration to determine if safeguards are in place to protect the system memory and CPU from resource depletion and unauthorized execution. If safeguards are not in place, this is a finding.
Configure the container platform to have safeguards in place to protect the system memory and CPU from resource depletion and unauthorized code execution.
Review container platform registry documentation and configuration to determine if organization-defined images contains latest approved vendor software image version. If organization-defined images do not contain the latest approved vendor software image version, this is a finding. Review container platform registry documentation and configuration to determine if organization-defined images are removed after updated versions have been installed. If organization-defined images are not removed after updated versions have been installed, this is a finding. Review container platform runtime documentation and configuration to determine if organization-define images are executing latest image version from the container platform registry. If container platform runtime is not executing latest organization-defined images from the container platform registry, this is a finding.
Configure the container platform registry to update organization-defined images with current approved vendor version and remove obsolete images after updated versions have been installed. Configure the container platform runtime to execute latest organization-defined images from the container platform registry.
Review container platform registry documentation and configuration to determine if organization-defined images contains latest approved vendor software image version. If organization-defined images do not contain the latest approved vendor software image version, this is a finding. Review container platform registry documentation and configuration to determine if organization-defined images are removed after updated versions have been installed. If organization-defined images are not removed after updated versions have been installed, this is a finding. Review container platform runtime documentation and configuration to determine if organization-defined images are executing latest image version from the container registry. If container platform runtime is not executing latest organization-defined images from the container platform registry, this is a finding.
Configure the container platform registry to update organization-defined images with current approved vendor version and remove obsolete images after updated versions have been installed. Configure the container platform runtime to execute latest organization-defined images from the container platform registry.
Review documentation and configuration to determine if the container platform registry inspects and contains approved vendor repository latest images containing security-relevant updates within a timeframe directed by an authoritative source (IAVM, CTOs, DTMs, STIGs, etc.). If the container platform registry does not contain the latest image with security-relevant updates within the time period directed by the authoritative source, this is a finding. The container platform registry should help the user understand where the code in the environment was deployed from, and must provide controls that prevent deployment from untrusted sources or registries.
Configure the container platform registry to use approved vendor repository to ensure latest images containing security-relevant updates are installed.
Review documentation and configuration to determine if the container platform registry inspects and contains approved vendor repository latest images containing security-relevant updates within a timeframe directed by an authoritative source (IAVM, CTOs, DTMs, STIGs, etc.). If the container platform registry does not contain the latest image with security-relevant updates within the time period directed by the authoritative source, this is a finding. The container platform registry should help the user understand where the code in the environment was deployed from and must provide controls that prevent deployment from untrusted sources or registries.
Configure the container platform registry to use approved vendor repository to ensure latest images containing security-relevant updates are installed within the time period directed by the authoritative source.
Review container platform documentation and configuration verification of the correct operation of security functions, which may include the valid connection to an external security manager (ESM). If verification of the correct operation of security functions is not performed, this is a finding.
Configure the container platform configuration and installation settings to perform verification of the correct operation of security functions.
Review container platform documentation. Verify that the container platform is configured to perform verification of the correct operation of security functions, which may include the valid connection to an external security manager (ESM), upon product startup/restart, by a user with privileged access, and/or every 30 days. If it is not, this is a finding.
Configure the container platform to perform verification of the correct operation of security functions, which may include the connection validation, upon product startup/restart, or by a user with privileged access, and/or every 30 days.
Review container platform runtime documentation and configuration settings. If the container platform is not configured to notify organization-defined information system role when anomalies in the operation of security functions as defined by site security plan are discovered, this is a finding.
Configure the container platform runtime to notify system administrator and operation staff when anomalies in the operation of the security functions as defined in site security plan are discovered.
Review the container platform configuration to verify audit records are generated on successful/unsuccessful attempts to access security objects. If audit records are not generated, this is a finding.
Configure the container platform to generate audit records when successful/unsuccessful attempts to access security objects occur.
Review the container platform configuration to verify audit records are generated on successful/unsuccessful attempts to access security levels. If audit records are not generated, this is a finding.
Configure the container platform to generate audit records when successful/unsuccessful attempts to access security levels occur.
Review the container platform configuration to verify audit records are generated on successful/unsuccessful attempts to access categories of information. If audit records are not generated, this is a finding.
Configure the container platform to generate audit records on successful/unsuccessful attempts to access categories of information.
Review the container platform configuration to verify audit records are generated on successful/unsuccessful attempts to modify privileges. If audit records are not generated, this is a finding.
Configure the container platform to generate audit records on successful/unsuccessful attempts to modify privileges.
Review the container platform configuration to verify audit records are generated on successful/unsuccessful attempts to modify security objects. If audit records are not generated, this is a finding.
Configure the container platform to generate audit records when successful/unsuccessful attempts to modify security objects.
Review the container platform configuration to verify audit records are generated on successful/unsuccessful attempts to modify security levels. If audit records are not generated, this is a finding.
Configure the container platform to generate audit records when successful/unsuccessful attempts to modify security levels.
Review the container platform configuration to verify audit records are generated when successful/unsuccessful attempts are made to modify categories of information. If audit records are not generated, this is a finding.
Configure the container platform to generate audit records when successful/unsuccessful attempts are made to modify categories of information.
Review the container platform configuration to verify audit records are generated when successful/unsuccessful attempts are made to delete privileges. If audit records are not generated, this is a finding.
Configure the container platform to generate audit records when successful/unsuccessful attempts are made to delete privileges occur.
Review the container platform configuration to verify audit records are generated on successful/unsuccessful attempts to delete security levels. If audit records are not generated, this is a finding.
Configure the container platform to generate audit records when successful/unsuccessful attempts to delete security levels.
Review the container platform configuration to determine if audit records are generated on successful/unsuccessful attempts to delete security objects occur. If audit records are not generated, this is a finding.
Configure the container platform to generate audit records on successful/unsuccessful attempts to delete security objects occur.
Review the container platform configuration to determine if audit records are generated on successful/unsuccessful attempts to delete categories of information occur. If audit records are not generated, this is a finding.
Configure the container platform to generate audit records on successful/unsuccessful attempts to delete categories of information occur.
Review the container platform configuration for audit logon events. Ensure audit policy for successful and unsuccessful logon events are enabled. Verify events are written to the log. Validate system documentation is current. If logon attempts do not generate log records, this is a finding.
Configure the container platform registry, keystore, and runtime to generate audit log for successful and unsuccessful logon for any all accounts and services. Revise all applicable system documentation.
Review the documentation and configuration guides to determine if the container platform generates log records for privileged activities. If log records are not generated for privileged activities, this is a finding.
Configure the container platform to generate log records for privileged activities.
Review the container platform configuration for audit user access start and end times. Ensure audit policy for user access start and end times are enabled. Verify events are written to the log. Validate system documentation is current. If user access start and end times do not generate log records, this is a finding.
Configure the container platform to generate audit log for user access start and end times for any all accounts and services. Revise all applicable system documentation.
Review the container platform configuration for audit logon events. Ensure audit policy for concurrent logons from different workstations and systems is enabled. Verify events are written to the log. Validate system documentation is current. If concurrent logons from different workstations and systems do not generate log records, this is a finding.
Configure the container platform to generate audit log for concurrent logins from multiple workstations and systems. Revise all applicable system documentation.
Review the container platform configuration to verify that the runtime generates audit records on successful/unsuccessful access to objects. If audit records are not generated by the runtime when objects are successfully/unsuccessfully accessed, this is a finding.
Configure the container platform runtime to generate audit records on successful/unsuccessful access to objects.
Review the container platform configuration to determine if direct access of the container platform generates audit records. If audit records are not generated, this is a finding.
Configure the container platform to generate audit records when accessed directly.
Review the container platform configuration to determine if the container platform is configured to generate audit records for all account creations, modifications, disabling, and termination events. If the container platform is not configured to generate the audit records, this is a finding.
Configure the container platform to generate audit records for all account creations, modifications, disabling, and termination events.
Review the container runtime configuration to validate audit record generation for container execution, shutdown, and restart events. If the container runtime does not generate records for container execution, shutdown and restart events, this is a finding.
Configure the container runtime to generate audit records for container execution, shutdown, and restart events.
Review the container platform configuration to validate that valid FIPS 140-2 approved cryptographic modules are being used to generate hashes. If non-valid or unapproved FIPS 140-2 cryptographic modules are being used to generate hashes, this is a finding.
Configure the container platform to use valid FIPS 140-2 approved cryptographic modules to generate hashes.
Review the container platform configuration to determine the services offered by the container platform and validate that any services that are offered are configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs. If container platform services are not configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs, this is a finding.
Configure container services in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.
Review the container platform configuration and documentation to determine if the platform is configured to store and instantiate industry standard container images. If the container platform cannot instantiate industry standard container images, this is a finding.
Enable the container platform to store and instantiate industry standard container image formats.
Review the container platform to validate continuous vulnerability scans of components, containers, and container images are being performed. If continuous vulnerability scans are not being performed, this is a finding.
Implement continuous vulnerability scans of container platform components, containers, and container images either by the container platform or from external vulnerability scanning applications.
Review the container platform configuration to determine if TLS versions 1.0 and 1.1, SSL 2.0 and 3.0 are prohibited for communication. If communication using TLS versions 1.0 and 1.1, SSL 2.0 and 3.0 is permitted, this is a finding.
Configure the container platform to prohibit communication using TLS versions 1.0 and 1.1, SSL 2.0 and 3.0.
Review the container platform configuration to verify the container platform is validating certificates used for Transport Layer Security (TLS) functions by performing a RFC 5280-compliant certification path validation and that self-signed certificates are not being used. If the container platform is not validating certificates used for TLS functions by performing an RFC 5280-compliant certification path validation, this is a finding. If self-signed certificates are in use, this is a finding.
Configure the container platform to validate certificates used for Transport Layer Security (TLS) functions by performing an RFC 5280-compliant certification path validation and to disable the use of self-signed certificates.
Review the container platform configuration to validate that a FIPS-validated SHA-2 or higher hash function is being used for digital signature generation and verification. If a FIPS-validated SHA-2 or higher hash function is not being used for digital signature generation and verification, this is a finding.
Configure the container platform to use a FIPS-validated SHA-2 or higher hash function for digital signature generation and verification.
Review the container platform configuration to ensure FIPS-validated cryptographic modules are implemented to encrypt unclassified information requiring confidentiality. If FIPS-validated cryptographic modules are not being used, this is a finding.
Configure the container platform to use FIPS-validated cryptographic modules to encrypt unclassified information requiring confidentiality.
Review the container platform configuration to verify that container platform is not using protocols that transmit authentication data unencrypted and that the container platform is not using flawed cryptographic algorithms for transmission. If the container platform is using protocols to transmit authentication data unencrypted or is using flawed cryptographic algorithms, this is a finding.
Configure the container platform to use protocols that transmit authentication data encrypted and to use cryptographic algorithms that are not flawed.
Determine if the container platform is configured to enforce organization-defined circumstances and/or usage conditions for organization-defined accounts. If the container platform does not enforce organization-defined circumstances and/or usage conditions for organization-defined accounts, this is a finding.
Configure the container platform to enforce organization-defined circumstances and/or usage conditions for organization-defined accounts.