STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 4 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide

V-257570

CAT II (Medium)

OpenShift must remove old components after updated versions have been installed.

Rule ID

SV-257570r961677_rule

STIG

Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide

Version

V2R5

CCIs

CCI-002617

Discussion

Previous versions of OpenShift components that are not removed from the container platform after updates have been installed may be exploited by adversaries by causing older components to execute which contain vulnerabilities. When these components are deleted, the likelihood of this happening is removed. Satisfies: SRG-APP-000454-CTR-001110, SRG-APP-000454-CTR-001115

Check Content

Ensure the imagepruner is configured and is not in a suspended state by executing the following:

oc get imagepruners.imageregistry.operator.openshift.io/cluster -o jsonpath='{.spec}{"\n"}'

Review the settings. If "suspend" is set to "true", this is a finding.

Fix Text

Enable the image pruner to automate the pruning of images from the cluster by executing the following:

oc patch imagepruners.imageregistry.operator.openshift.io/cluster --type=merge -p '{"spec":{"suspend":false}}'

For additional details on configuring the image pruner operator, refer to the following document:
https://docs.openshift.com/container-platform/4.8/applications/pruning-objects.html#pruning-images_pruning-objects