V-257539

CAT II (Medium)

OpenShift runtime must enforce ports, protocols, and services that adhere to the PPSM CAL.

Rule ID

SV-257539r1043177_rule

STIG

Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide

Version

V2R2

CCIs

CCI-000382

Discussion

OpenShift Container Platform uses several IPv4 and IPv6 ports and protocols to facilitate cluster communication and coordination. Not all of these ports are identified and approved by the PPSM CAL. Those ports, protocols, and services that fall outside the PPSM CAL must be blocked by the runtime or registered. Instructions on the PPSM can be found in DOD Instruction 8551.01 Policy.

Check Content

Review the OpenShift documentation and configuration.

For additional information, refer to https://docs.openshift.com/container-platform/4.12/installing/installing_platform_agnostic/installing-platform-agnostic.html.

1. Interview the application administrator.

2. Identify the TCP/IP port numbers OpenShift is configured to use and is actually using, with a combination of relevant OS commands and application configuration utilities.

3. Identify the network ports and protocols that are used by kube-apiserver by executing the following:

oc get configmap kube-apiserver-pod -n openshift-kube-apiserver -o "jsonpath={ .data['pod\.yaml'] }" | jq '..|.containerPort?' | grep -v "null"

oc get configmap kube-apiserver-pod -n openshift-kube-apiserver -o "jsonpath={ .data['pod\.yaml'] }" | jq '..|.hostPort?' | grep -v "null"

oc get services -A --show-labels | grep apiserver | awk '{print $6,$8}' | grep apiserver

4. Identify the network ports and protocols used by kube-scheduler by executing the following:

oc get configmap kube-scheduler-pod -n openshift-kube-scheduler -o "jsonpath={ .data['pod\.yaml'] }" | jq '..|.containerPort?' | grep -v "null"

oc get services -A --show-labels | grep scheduler | awk '{print $6,$8}' | grep scheduler

5. Identify the network ports and protocols used by kube-controller-manager by executing the following:

oc get configmap kube-controller-manager-pod -n openshift-kube-controller-manager -o "jsonpath={ .data['pod\.yaml'] }" | jq '..|.containerPort?' | grep -v "null"

oc get services -A --show-labels | grep kube-controller

6. Identify the network ports and protocols used by etcd by executing the following:

oc get configmap etcd-pod -n openshift-etcd -o "jsonpath={ .data['pod\.yaml'] }" | grep -Po '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}:[0-9]+' | sort -u

Review the PPSM web page at: http://www.disa.mil/Network-Services/Enterprise-Connections/PPSM.

Review the PPSM Category Assurance List (CAL) directly at the following link: https://disa.deps.mil/ext/cop/iase/ppsm/Pages/cal.aspx.

Verify the ports used by OpenShift are approved by the PPSM CAL.

If the ports, protocols, and services have not been registered locally, this is a finding.
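
One way to turn the output of steps 3 through 6 into a comparison against a locally kept registration list is sketched below. It is an added example, not part of the STIG or of OpenShift; the sample manifest, the sample etcd text, the APPROVED list and all function names are constructed or hypothetical, and etcd endpoints are assumed to be TCP.

```python
import json
import re

# Constructed sample shaped like the pod.yaml value in kube-apiserver-pod
# (the check pipes that value to jq, so it is parsed as JSON here).
SAMPLE_POD = json.dumps({"spec": {"containers": [
    {"name": "kube-apiserver",
     "ports": [{"containerPort": 6443, "hostPort": 6443}]},
    {"name": "sidecar-example",
     "ports": [{"containerPort": 17697, "protocol": "TCP"}]},
]}})
# Constructed sample of etcd-pod text containing IPv4 endpoints.
SAMPLE_ETCD = ("--listen-client-urls=https://192.0.2.10:2379 "
               "--listen-peer-urls=https://192.0.2.10:2380")
# Hypothetical local list of (port, protocol) pairs already registered with PPSM.
APPROVED = {(6443, "TCP"), (2379, "TCP"), (2380, "TCP")}

ENDPOINT_RE = re.compile(r"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}:([0-9]+)")


def collect_ports(node):
    """Walk the manifest like jq '..' and gather containerPort/hostPort values."""
    found = set()
    if isinstance(node, dict):
        proto = node.get("protocol", "TCP")  # Kubernetes defaults ports to TCP
        for key in ("containerPort", "hostPort"):
            if isinstance(node.get(key), int):
                found.add((node[key], proto))
        for value in node.values():
            found |= collect_ports(value)
    elif isinstance(node, list):
        for value in node:
            found |= collect_ports(value)
    return found


def etcd_ports(text):
    """Same IPv4 ip:port pattern as the grep in step 6; keeps the port only."""
    return {(int(port), "TCP") for port in ENDPOINT_RE.findall(text)}


def unregistered(pod_json, etcd_text, approved):
    """Return observed (port, protocol) pairs missing from the approved list."""
    observed = collect_ports(json.loads(pod_json)) | etcd_ports(etcd_text)
    return sorted(observed - approved)


if __name__ == "__main__":
    for port, proto in unregistered(SAMPLE_POD, SAMPLE_ETCD, APPROVED):
        print(f"not registered: {port}/{proto}")
```

The step 6 pattern matches IPv4 endpoints only, so IPv6 listen addresses need a separate pattern before the comparison is complete.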

Fix Text

Verify the accreditation documentation lists all interfaces and the ports, protocols, and services used.

Register OpenShift's ports, protocols, and services with PPSM.