STIGhub


Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide

Version: V2R5

Benchmark ID: RH_OpenShift_Container_Platform_4-x_STIG

Total Checks: 83

Tags: container

Severity breakdown: CAT I: 7, CAT II: 73, CAT III: 3

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (83)

V-257505 (MEDIUM): OpenShift must use TLS 1.2 or greater for secure container image transport from trusted sources.
V-257506 (MEDIUM): OpenShift must use TLS 1.2 or greater for secure communication.
V-257507 (MEDIUM): OpenShift must use a centralized user management solution to support account management functions.
V-257508 (MEDIUM): The kubeadmin account must be disabled.
V-257509 (MEDIUM): OpenShift must automatically audit account creation.
V-257510 (MEDIUM): OpenShift must automatically audit account modification.
V-257511 (MEDIUM): OpenShift must generate audit rules to capture account related actions.
V-257512 (MEDIUM): OpenShift must automatically audit account removal actions.
V-257513 (HIGH): OpenShift role-based access controls (RBAC) must be enforced.
V-257514 (MEDIUM): OpenShift must enforce network policy on the namespace for controlling the flow of information within the container platform based on organization-defined information flow control policies.
V-257515 (MEDIUM): OpenShift must enforce approved authorizations for controlling the flow of information within the container platform based on organization-defined information flow control policies.
V-257516 (LOW): OpenShift must display the Standard Mandatory DOD Notice and Consent Banner before granting access to platform components.
V-257517 (MEDIUM): OpenShift must generate audit records for all DOD-defined auditable events within all components in the platform.
V-257518 (MEDIUM): OpenShift must generate audit records when successful/unsuccessful attempts to access privileges occur.
V-257519 (HIGH): Red Hat Enterprise Linux CoreOS (RHCOS) must initiate session audits at system startup.
V-257520 (MEDIUM): All audit records must identify what type of event has occurred within OpenShift.
V-257521 (MEDIUM): OpenShift audit records must have a date and time association with all events.
V-257522 (MEDIUM): All audit records must generate the event results within OpenShift.
V-257523 (MEDIUM): OpenShift must take appropriate action upon an audit failure.
V-257524 (MEDIUM): OpenShift components must provide the ability to send audit logs to a central enterprise repository for review and analysis.
V-257525 (MEDIUM): OpenShift must use internal system clocks to generate audit record time stamps.
V-257526 (MEDIUM): The Red Hat Enterprise Linux CoreOS (RHCOS) chrony Daemon must use multiple NTP servers to generate audit record time stamps.
V-257527 (MEDIUM): OpenShift must protect audit logs from any type of unauthorized access.
V-257528 (MEDIUM): OpenShift must protect system journal file from any type of unauthorized access by setting file permissions.
V-257529 (MEDIUM): OpenShift must protect system journal file from any type of unauthorized access by setting owner permissions.
V-257530 (MEDIUM): OpenShift must protect log directory from any type of unauthorized access by setting file permissions.
V-257531 (MEDIUM): OpenShift must protect log directory from any type of unauthorized access by setting owner permissions.
V-257532 (MEDIUM): OpenShift must protect pod log files from any type of unauthorized access by setting owner permissions.
V-257533 (MEDIUM): OpenShift must protect audit information from unauthorized modification.
V-257534 (MEDIUM): OpenShift must prevent unauthorized changes to logon UIDs.
V-257535 (MEDIUM): OpenShift must protect audit tools from unauthorized access.
V-257536 (MEDIUM): OpenShift must use FIPS-validated cryptographic mechanisms to protect the integrity of log information.
V-257537 (MEDIUM): OpenShift must verify container images.
V-257538 (MEDIUM): OpenShift must contain only container images for those capabilities being offered by the container platform.
V-257539 (MEDIUM): OpenShift runtime must enforce ports, protocols, and services that adhere to the PPSM CAL.
V-257540 (HIGH): OpenShift must disable root and terminate network connections.
V-257541 (MEDIUM): OpenShift must use multifactor authentication for network access to accounts.
V-257542 (MEDIUM): OpenShift must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.
V-257543 (HIGH): OpenShift must use FIPS validated LDAP or OpenIDConnect.
V-257544 (MEDIUM): OpenShift must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity.
V-257545 (MEDIUM): OpenShift must separate user functionality (including user interface services) from information system management functionality.
V-257546 (HIGH): OpenShift must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 validated cryptography.
V-257547 (MEDIUM): OpenShift runtime must isolate security functions from nonsecurity functions.
V-257548 (MEDIUM): OpenShift must prevent unauthorized and unintended information transfer via shared system resources and enable page poisoning.
V-257549 (MEDIUM): OpenShift must disable virtual syscalls.
V-257550 (MEDIUM): OpenShift must enable poisoning of SLUB/SLAB objects.
V-257551 (MEDIUM): OpenShift must set the sticky bit for world-writable directories.
V-257552 (MEDIUM): OpenShift must restrict access to the kernel buffer.
V-257553 (MEDIUM): OpenShift must prevent kernel profiling.
V-257554 (MEDIUM): OpenShift must restrict individuals the ability to launch organizational-defined Denial-of-Service (DOS) attacks against other information systems by setting a default Resource Quota.
V-257555 (MEDIUM): OpenShift must restrict individuals' ability to launch organization-defined denial-of-service (DOS) attacks against other information systems by rate-limiting.
V-257556 (LOW): OpenShift must display an explicit logout message indicating the reliable termination of authenticated communication sessions.
V-257557 (HIGH): Container images instantiated by OpenShift must execute using least privileges.
V-257558 (LOW): Red Hat Enterprise Linux CoreOS (RHCOS) must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
V-257559 (MEDIUM): OpenShift must configure Alert Manager Receivers to notify SA and ISSO of all audit failure events requiring real-time alerts.
V-257560 (MEDIUM): OpenShift must enforce access restrictions and support auditing of the enforcement actions.
V-257561 (MEDIUM): OpenShift must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
V-257562 (MEDIUM): OpenShift must set server token max age no greater than eight hours.
V-257563 (MEDIUM): Vulnerability scanning applications must implement privileged access authorization to all OpenShift components, containers, and container images for selected organization-defined vulnerability scanning activities.
V-257564 (MEDIUM): OpenShift keystore must implement encryption to prevent unauthorized disclosure of information at rest within the container platform.
V-257565 (MEDIUM): OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by employing organization-defined security safeguards by including a default resource quota.
V-257566 (MEDIUM): OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by defining resource quotas on a namespace.
V-257567 (MEDIUM): OpenShift must protect the confidentiality and integrity of transmitted information.
V-257568 (MEDIUM): Red Hat Enterprise Linux CoreOS (RHCOS) must implement nonexecutable data to protect its memory from unauthorized code execution.
V-257569 (MEDIUM): Red Hat Enterprise Linux CoreOS (RHCOS) must implement ASLR (Address Space Layout Randomization) from unauthorized code execution.
V-257570 (MEDIUM): OpenShift must remove old components after updated versions have been installed.
V-257571 (MEDIUM): OpenShift must contain the latest images with most recent updates and execute within the container platform runtime as authorized by IAVM, CTOs, DTMs, and STIGs.
V-257572 (MEDIUM): OpenShift runtime must have updates installed within the period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
V-257573 (MEDIUM): The Compliance Operator must be configured.
V-257574 (MEDIUM): OpenShift must perform verification of the correct operation of security functions: upon startup and/or restart; upon command by a user with privileged access; and/or every 30 days.
V-257575 (MEDIUM): OpenShift must generate audit records when successful/unsuccessful attempts to modify privileges occur.
V-257576 (MEDIUM): OpenShift must generate audit records when successful/unsuccessful attempts to modify security objects occur.
V-257577 (MEDIUM): OpenShift must generate audit records when successful/unsuccessful attempts to delete privileges occur.
V-257578 (MEDIUM): OpenShift must generate audit records when successful/unsuccessful attempts to delete security objects occur.
V-257579 (MEDIUM): OpenShift must generate audit records when successful/unsuccessful logon attempts occur.
V-257580 (MEDIUM): Red Hat Enterprise Linux CoreOS (RHCOS) must be configured to audit the loading and unloading of dynamic kernel modules.
V-257581 (MEDIUM): OpenShift audit records must record user access start and end times.
V-257582 (MEDIUM): OpenShift must generate audit records when concurrent logons from different workstations and systems occur.
V-257583 (HIGH): Red Hat Enterprise Linux CoreOS (RHCOS) must disable SSHD service.
V-257584 (MEDIUM): Red Hat Enterprise Linux CoreOS (RHCOS) must disable USB Storage kernel module.
V-257585 (MEDIUM): Red Hat Enterprise Linux CoreOS (RHCOS) must use USBGuard for hosts that include a USB Controller.
V-257586 (MEDIUM): OpenShift must continuously scan components, containers, and images for vulnerabilities.
V-257587 (MEDIUM): OpenShift must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (nonlegacy use).