National Vulnerability Database

NIST National Checklist for Red Hat OpenShift Container Platform 3.x content v0.1.44 Checklist Details

Target:

Target CPE Name
Red Hat OpenShift Container Platform 3.5 cpe:/a:redhat:openshift_container_platform:3.5
Red Hat OpenShift Container Platform 3.6 cpe:/a:redhat:openshift_container_platform:3.6
Red Hat OpenShift Container Platform 3.7 cpe:/a:redhat:openshift_container_platform:3.7
Red Hat OpenShift Container Platform 3.8 cpe:/a:redhat:openshift_container_platform:3.8
Red Hat OpenShift Container Platform 3.9 cpe:/a:redhat:openshift_container_platform:3.9
Red Hat OpenShift Container Platform 3.10 cpe:/a:redhat:openshift_container_platform:3.10
Red Hat OpenShift Container Platform 3.11 cpe:/a:redhat:openshift_container_platform:3.11

Checklist Highlights

Checklist Name:
NIST National Checklist for Red Hat OpenShift Container Platform 3.x
Checklist ID:
866
Version:
content v0.1.44
Type:
Compliance
Review Status:
Final
Authority:
Software Vendor: Red Hat
Original Publication Date:
05/03/2019

Checklist Summary:

To support OpenShift deployments in regulated environments, Red Hat has been developing SCAP- and Ansible-based security automation content. The NIST National Checklist for OpenShift 3.x provides: (a) a FISMA Applicability Guide, documenting which NIST 800-53 controls are applicable to OpenShift 3.x; (b) SCAP datastreams in SCAP 1.2 and SCAP 1.3 formats to assist with pass/fail configuration scanning. Ansible Playbooks are also provided to ensure OpenShift deployments are configured in accordance with the security profile.

Checklist Role:

  • Virtualization Server

Known Issues:

Not provided.

Target Audience:

Not provided.

Target Operational Environment:

  • Standalone
  • Managed
  • Specialized Security-Limited Functionality (SSLF)
  • Legacy
  • Sector-Specific Environment

Testing Information:

Usage of the security automation content requires OpenSCAP (for configuration scanning) and Ansible (for remediation capabilities). To install these components:

    $ sudo yum -y install openscap-utils ansible

The files to use for the scan in the zip file are:

  • ssg-ocp3-ds.xml: SCAP Datastream file
  • roles/ssg-ocp3-role-opencis-ocp-master.yml: Ansible playbook for Master nodes
  • roles/ssg-ocp3-role-opencis-ocp-node.yml: Ansible playbook for nodes

Prior to performing a configuration evaluation, ensure OpenSCAP is installed on the OCP masters and nodes. The scan can be run manually, through a job, or from Red Hat Satellite.

To run a scan on the OpenShift Master node:

    $ sudo oscap xccdf eval --profile \
        xccdf_org.ssgproject.content_profile_opencis-ocp-master \
        --report master-report.html \
        --oval-results \
        /path/to/ssg-ocp3-ds.xml

To run a scan on non-master nodes:

    $ sudo oscap xccdf eval \
        --profile xccdf_org.ssgproject.content_profile_opencis-ocp-node \
        --report node-report.html \
        --oval-results \
        /path/to/ssg-ocp3-ds.xml

Pass/fail states will be displayed on the command line. HTML reports will also be generated (master-report.html, node-report.html), which serve as human-readable interfaces for viewing why certain rules passed and others failed.

Regulatory Compliance:

NIST 800-53 revision 4.

Comments/Warnings/Miscellaneous:

Comments, patches, errata, and other feedback are most welcome in the upstream ComplianceAsCode project: https://github.com/ComplianceAsCode/redhat.

Disclaimer:

Not provided.

Product Support:

Not provided.

Point of Contact:

Named Red Hat POC: Shawn Wells, Chief Security Strategist, Red Hat Public Sector. Email: shawn@redhat.com. Cell: 443-534-0130 (US EST). Additional contact: Chuck Svoboda, OpenShift Federal Sales Lead, Red Hat Public Sector. Email: csvoboda@redhat.com. Cell: 410-913-2181.

Sponsor:

Red Hat

Licensing:

Not provided.

Change History:

Corrected resource - 10/2/18
Resource Update - 2/22/19
Updated content to v0.1.43
Added link to OpenControl content for OpenShift
Corrected SHA discrepancy - 4/1/2019
Updated content to v0.1.44. A complete changelog is available at https://github.com/ComplianceAsCode/content/releases/tag/v0.1.44. - 5/17/2019
Updated data streams with stricter adherence to SCAP 1.3 specifications. - 06/14/2019

NIST checklist record last modified on 06/14/2019