NIST National Checklist for Red Hat OpenShift Container Platform 3.x content v0.1.48

Target:

| Target | CPE Name |
|---|---|
| Red Hat OpenShift Container Platform 3.10 | cpe:/a:redhat:openshift_container_platform:3.10 |
| Red Hat OpenShift Container Platform 3.11 | cpe:/a:redhat:openshift_container_platform:3.11 |
| Red Hat OpenShift Container Platform 3.5 | cpe:/a:redhat:openshift_container_platform:3.5 |
| Red Hat OpenShift Container Platform 3.6 | cpe:/a:redhat:openshift_container_platform:3.6 |
| Red Hat OpenShift Container Platform 3.7 | cpe:/a:redhat:openshift_container_platform:3.7 |
| Red Hat OpenShift Container Platform 3.8 | cpe:/a:redhat:openshift_container_platform:3.8 |
| Red Hat OpenShift Container Platform 3.9 | cpe:/a:redhat:openshift_container_platform:3.9 |

Checklist Highlights

Checklist Name:
NIST National Checklist for Red Hat OpenShift Container Platform 3.x
Checklist ID:
866
Version:
content v0.1.48
Type:
Compliance
Review Status:
Final
Authority:
Software Vendor: Red Hat
Original Publication Date:
01/14/2020

Checklist Summary:

To support OpenShift deployments in regulated environments, Red Hat has been developing SCAP- and Ansible-based security automation content. The NIST National Checklist for OpenShift 3.x provides: (a) a FISMA Applicability Guide, documenting which NIST 800-53 controls are applicable to OpenShift 3.x; (b) SCAP datastreams in SCAP 1.2 and SCAP 1.3 formats to assist with pass/fail configuration scanning. Ansible Playbooks are also provided to ensure OpenShift deployments are configured in accordance with the security profile.

Checklist Role:

  • Virtualization Server

Known Issues:

Not provided.

Target Audience:

Not provided.

Target Operational Environment:

  • Standalone
  • Managed
  • Specialized Security-Limited Functionality (SSLF)
  • Legacy
  • Sector-Specific Environment

Testing Information:

Usage of the security automation content requires OpenSCAP (for configuration scanning) and Ansible (for remediation capabilities). To install these components:

    $ sudo yum -y install openscap-utils ansible

The files to use for the scan in the zip file are:

  • ssg-ocp3-ds.xml: SCAP Datastream file
  • roles/ssg-ocp3-role-opencis-ocp-master.yml: Ansible playbook for Master nodes
  • roles/ssg-ocp3-role-opencis-ocp-node.yml: Ansible playbook for nodes

Prior to performing a configuration evaluation, ensure OpenSCAP is installed on the OCP masters and nodes. The scan can be run manually, through a job, or from Red Hat Satellite.

To run a scan on the OpenShift Master node:

    $ sudo oscap xccdf eval --profile \
        xccdf_org.ssgproject.content_profile_opencis-ocp-master \
        --report master-report.html \
        --oval-results \
        /path/to/ssg-ocp3-ds.xml

To run a scan on non-master nodes:

    $ sudo oscap xccdf eval \
        --profile xccdf_org.ssgproject.content_profile_opencis-ocp-node \
        --report node-report.html \
        --oval-results \
        /path/to/ssg-ocp3-ds.xml

Pass/fail states will be displayed on the command line. HTML reports will also be generated (master-report.html, node-report.html), which serve as a human-readable interface for viewing why certain rules passed and others failed.

Regulatory Compliance:

NIST 800-53 revision 4.

Comments/Warnings/Miscellaneous:

Comments, patches, errata, and other feedback are most welcome in the upstream ComplianceAsCode project: https://github.com/ComplianceAsCode/redhat.

Disclaimer:

Not provided.

Product Support:

Not provided.

Point of Contact:

checklists@redhat.com for NCP inquiries.

Sponsor:

Red Hat

Licensing:

Not provided.

Change History:

Corrected resource - 10/2/18
Resource Update - 2/22/19
Updated content to v0.1.43
Added link to OpenControl content for OpenShift
Corrected SHA discrepancy - 4/1/2019
Updated content to v0.1.44. A complete changelog is available at https://github.com/ComplianceAsCode/content/releases/tag/v0.1.44. - 5/17/2019
Updated data streams with stricter adherence to SCAP 1.3 specifications. - 06/14/2019
Updated content to version 0.1.47.
Updated to content v0.1.48.
Update to latest content version
Change POC to NAPS checklist email
(NCP Moderator) - SCAP 1.2 and 1.3 passed manual validation - 10/26/2020

Dependency/Requirements:

URL Description

References:

| Reference URL | Description |
|---|---|
| https://github.com/ComplianceAsCode/content/releases/tag/v0.1.50 | Release Notes |

NIST checklist record last modified on 10/26/2020