To support OpenShift deployments in regulated environments, Red Hat has been developing SCAP- and Ansible-based security automation content.
The NIST National Checklist for OpenShift 3.x provides: (a) FISMA Applicability Guide, documenting which NIST 800-53 controls are applicable to OpenShift 3.x; (b) SCAP datastreams in SCAP 1.2 and SCAP 1.3 formats to assist with pass/fail configuration scanning. Ansible Playbooks are also provided to ensure OpenShift deployments are configured in accordance with the security profile.
- Specialized Security-Limited Functionality (SSLF)
- Sector-Specific Environment
Using the security automation content requires OpenSCAP (for configuration scanning) and Ansible (for remediation). To install both components:
$ sudo yum -y install openscap-utils ansible
The files in the zip file to use for the scan and remediation are:
- SCAP Datastream file
- Ansible playbook for Master nodes
- Ansible playbook for nodes
Prior to performing a configuration evaluation, ensure OpenSCAP is installed on the OCP masters and nodes. The scan can be run manually, through a scheduled job, or from Red Hat Satellite.
To run a scan on an OpenShift Master node (the last argument is the SCAP datastream file from the zip):
$ sudo oscap xccdf eval \
    --profile xccdf_org.ssgproject.content_profile_opencis-ocp-master \
    --report master-report.html \
    <SCAP datastream file>
To run a scan on non-master nodes:
$ sudo oscap xccdf eval \
    --profile xccdf_org.ssgproject.content_profile_opencis-ocp-node \
    --report node-report.html \
    <SCAP datastream file>
Pass/fail results for each rule are printed on the command line, and the oscap exit status reflects the overall outcome (0 when every rule passed, 2 when at least one rule failed, 1 on error).
HTML reports are also generated (master-report.html, node-report.html); they give a human-readable view of why each rule passed or failed.
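As an added example, not part of the NIST checklist record or of the ComplianceAsCode content, the following shell wrapper ties the steps above together for use from a scheduled job: it picks the master or node profile for the host, runs oscap with both a machine-readable results file and the HTML report, turns the oscap exit status into a verdict, and counts failed rules from the results. Two things are assumptions of this example, not statements of the checklist: the datastream file name is supplied by the caller, and a master is detected by the presence of /etc/origin/master/master-config.yaml (the OpenShift 3.x master configuration path).

```bash
#!/usr/bin/env bash
# ocp-scan.sh: wrapper around the OpenShift 3.x SCAP scan described above.
# Example code written for this page, not Red Hat's or ComplianceAsCode's.
# Assumptions (not stated in the checklist): the caller passes the datastream
# file, and the master role is detected via the OCP 3.x master config path.

PROFILE_PREFIX="xccdf_org.ssgproject.content_profile_"
MASTER_CONFIG="/etc/origin/master/master-config.yaml"   # assumed detection path

# detect_role [CONFIG_PATH]: "master" if the master config exists, else "node".
detect_role() {
    if [ -f "${1:-$MASTER_CONFIG}" ]; then
        echo master
    else
        echo node
    fi
}

# select_profile ROLE: full XCCDF profile id for the role, as named on this page.
select_profile() {
    case "$1" in
        master) echo "${PROFILE_PREFIX}opencis-ocp-master" ;;
        node)   echo "${PROFILE_PREFIX}opencis-ocp-node" ;;
        *)      echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# interpret_oscap_status CODE: meaning of the oscap xccdf eval exit status.
# oscap returns 0 when every selected rule passed, 2 when at least one rule
# failed, and 1 when the evaluation itself errored (bad datastream, unknown
# profile, unreadable file, ...).
interpret_oscap_status() {
    case "$1" in
        0) echo "compliant" ;;
        2) echo "non-compliant" ;;
        *) echo "error" ;;
    esac
}

# count_failed_rules RESULTS_XML: number of rule results recorded as "fail"
# in an XCCDF results file (one <result>fail</result> per failed rule).
count_failed_rules() {
    grep -c '<result>fail</result>' "$1"
}

# run_scan DATASTREAM [ROLE]: evaluate this host, write <role>-results.xml and
# <role>-report.html, print a verdict, and exit 0 only if every rule passed.
run_scan() {
    ds="$1"
    role="${2:-$(detect_role)}"
    profile="$(select_profile "$role")" || return 1
    sudo oscap xccdf eval \
        --profile "$profile" \
        --results "${role}-results.xml" \
        --report "${role}-report.html" \
        "$ds"
    status=$?
    echo "$role scan: $(interpret_oscap_status "$status") (oscap exit $status)"
    if [ -f "${role}-results.xml" ]; then
        echo "failed rules: $(count_failed_rules "${role}-results.xml")"
    fi
    [ "$status" -eq 0 ]
}

# Usage: OCP_SCAN_RUN=1 ./ocp-scan.sh <SCAP datastream file> [master|node]
if [ -n "${OCP_SCAN_RUN:-}" ]; then
    run_scan "$@"
fi
```

The wrapper deliberately keeps `--results` alongside `--report`: the HTML report is for humans, while the XCCDF results XML is what a job or Satellite integration should parse, and the exit status alone is enough for a cron job to alert on drift. Running the node profile on a master (or vice versa) yields a misleading verdict, which is why the role is selected explicitly before the profile id is built.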
NIST 800-53 revision 4.
Named Red Hat POC: Shawn Wells, Chief Security Strategist, Red Hat Public Sector. Email: email@example.com. Cell: 443-534-0130 (US EST). Additional contact: Chuck Svoboda, OpenShift Federal Sales Lead, Red Hat Public Sector. Email: firstname.lastname@example.org. Cell: 410-913-2181.
Corrected resource - 10/2/18
Resource Update - 2/22/19
Updated content to v0.1.43
Added link to OpenControl content for OpenShift
Corrected SHA discrepancy - 4/1/2019
Updated content to v0.1.44. A complete changelog is available at https://github.com/ComplianceAsCode/content/releases/tag/v0.1.44. - 5/17/2019
Updated data streams with stricter adherence to SCAP 1.3 specifications. - 06/14/2019
NIST checklist record last modified on 06/14/2019