NIST National Checklist for Red Hat OpenShift Container Platform 3.x content v0.1.48 Checklist Details (Checklist Revisions)
SCAP 1.3 Content:
- Download SCAP 1.3 Content - NIST National Checklist for Red Hat OpenShift Container Platform 3.x
- Author: Red Hat
Supporting Resources:
Target:
Target | CPE Name |
---|---|
Red Hat OpenShift Container Platform 3.10 | cpe:/a:redhat:openshift_container_platform:3.10 |
Red Hat OpenShift Container Platform 3.11 | cpe:/a:redhat:openshift_container_platform:3.11 |
Red Hat OpenShift Container Platform 3.5 | cpe:/a:redhat:openshift_container_platform:3.5 |
Red Hat OpenShift Container Platform 3.6 | cpe:/a:redhat:openshift_container_platform:3.6 |
Red Hat OpenShift Container Platform 3.7 | cpe:/a:redhat:openshift_container_platform:3.7 |
Red Hat OpenShift Container Platform 3.8 | cpe:/a:redhat:openshift_container_platform:3.8 |
Red Hat OpenShift Container Platform 3.9 | cpe:/a:redhat:openshift_container_platform:3.9 |
Checklist Highlights
- Checklist Name:
- NIST National Checklist for Red Hat OpenShift Container Platform 3.x
- Checklist ID:
- 866
- Version:
- content v0.1.48
- Type:
- Compliance
- Review Status:
- Final
- Authority:
- Software Vendor: Red Hat
- Original Publication Date:
- 01/14/2020
Checklist Summary:
To support OpenShift deployments in regulated environments, Red Hat has been developing SCAP- and Ansible-based security automation content. The NIST National Checklist for OpenShift 3.x provides: (a) a FISMA Applicability Guide, documenting which NIST 800-53 controls are applicable to OpenShift 3.x; (b) SCAP datastreams in SCAP 1.2 and SCAP 1.3 formats to assist with pass/fail configuration scanning. Ansible Playbooks are also provided to ensure OpenShift deployments are configured in accordance with the security profile.
Checklist Role:
- Virtualization Server
Known Issues:
Not provided.
Target Audience:
Not provided.
Target Operational Environment:
- Standalone
- Managed
- Specialized Security-Limited Functionality (SSLF)
- Legacy
- Sector-Specific Environment
Testing Information:
Usage of the security automation content requires OpenSCAP (for configuration scanning) and Ansible (for remediation capabilities). To install these components:

```
$ sudo yum -y install openscap-utils ansible
```

The files to use for the scan in the zip file are:

- ssg-ocp3-ds.xml: SCAP Datastream file
- roles/ssg-ocp3-role-opencis-ocp-master.yml: Ansible playbook for Master nodes
- roles/ssg-ocp3-role-opencis-ocp-node.yml: Ansible playbook for nodes

Prior to performing a configuration evaluation, ensure OpenSCAP is installed on the OCP masters and nodes. The scan can be run manually, through a job, or from Red Hat Satellite.

To run a scan on the OpenShift Master node:

```
$ sudo oscap xccdf eval \
    --profile xccdf_org.ssgproject.content_profile_opencis-ocp-master \
    --report master-report.html \
    --oval-results \
    /path/to/ssg-ocp3-ds.xml
```

To run a scan on non-master nodes:

```
$ sudo oscap xccdf eval \
    --profile xccdf_org.ssgproject.content_profile_opencis-ocp-node \
    --report node-report.html \
    --oval-results \
    /path/to/ssg-ocp3-ds.xml
```

Pass/fail states will be displayed on the command line. HTML reports will also be generated (master-report.html, node-report.html), which serve as a human-readable interface for viewing why certain rules passed and others failed.
Regulatory Compliance:
NIST 800-53 revision 4.
Comments/Warnings/Miscellaneous:
Comments, patches, errata, and other feedback are most welcome in the upstream ComplianceAsCode project: https://github.com/ComplianceAsCode/redhat.
Disclaimer:
Not provided.
Product Support:
Not provided.
Point of Contact:
checklists@redhat.com for NCP inquiries.
Sponsor:
Red Hat
Licensing:
Not provided.
Change History:
- Corrected resource - 10/2/18
- Resource Update - 2/22/19
- Updated content to v0.1.43
- Added link to OpenControl content for OpenShift
- Corrected SHA discrepancy - 4/1/2019
- Updated content to v0.1.44. A complete changelog is available at https://github.com/ComplianceAsCode/content/releases/tag/v0.1.44. - 5/17/2019
- Updated data streams with stricter adherence to SCAP 1.3 specifications. - 06/14/2019
- Updated content to version 0.1.47.
- Updated to content v0.1.48.
- Update to latest content version
- Change POC to NAPS checklist email (NCP Moderator) - SCAP 1.2 and 1.3 passed manual validation - 10/26/2020
Dependency/Requirements:
URL | Description |
---|
References:
Reference URL | Description |
---|---|
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.50 | Release Notes |