NIST National Checklist for Red Hat OpenShift Container Platform 3.x content v0.1.48 Checklist Details (Checklist Revisions)
NOTE
This is not the current revision of this Checklist, view the current revision.
SCAP 1.2 Content:
- Download SCAP 1.2 Content - NIST National Checklist for Red Hat Enterprise Linux 7.x with SCAP 1.2 Datastream and OVAL 5.10
  - Author: Red Hat
Supporting Resources:
- Download Security Template - NIST 800-53/FISMA Applicability Guide for OpenShift 3.x
  - Red Hat
- Download Prose - OpenShift Security Configuration Guide (HTML)
  - Red Hat
- Download Machine-Readable Format - NIST National Checklist for Red Hat Enterprise Linux 7.x with SCAP 1.3 Datastream and OVAL 5.11 (recommended)
  - Red Hat
Target:
Target | CPE Name |
---|---|
Red Hat OpenShift Container Platform 3.10 | cpe:/a:redhat:openshift_container_platform:3.10 |
Red Hat OpenShift Container Platform 3.11 | cpe:/a:redhat:openshift_container_platform:3.11 |
Red Hat OpenShift Container Platform 3.5 | cpe:/a:redhat:openshift_container_platform:3.5 |
Red Hat OpenShift Container Platform 3.6 | cpe:/a:redhat:openshift_container_platform:3.6 |
Red Hat OpenShift Container Platform 3.7 | cpe:/a:redhat:openshift_container_platform:3.7 |
Red Hat OpenShift Container Platform 3.8 | cpe:/a:redhat:openshift_container_platform:3.8 |
Red Hat OpenShift Container Platform 3.9 | cpe:/a:redhat:openshift_container_platform:3.9 |
Checklist Highlights
- Checklist Name:
- NIST National Checklist for Red Hat OpenShift Container Platform 3.x
- Checklist ID:
- 866
- Version:
- content v0.1.48
- Type:
- Compliance
- Review Status:
- Under Review
- Authority:
- Software Vendor: Red Hat
- Original Publication Date:
- 08/29/2018
Checklist Summary:
To support OpenShift deployments in regulated environments, Red Hat has been developing SCAP and Ansible based security automation content. The NIST National Checklist for OpenShift 3.x provides: (a) FISMA Applicability Guide, documenting which NIST 800-53 controls are applicable to OpenShift 3.x; (b) SCAP datastreams in SCAP 1.2 and SCAP 1.3 formats to assist with pass/fail configuration scanning. Ansible Playbooks are also provided to ensure OpenShift deployments are configured in accordance with the security profile.
Checklist Role:
- Virtualization Server
Known Issues:
Not provided.
Target Audience:
Not provided.
Target Operational Environment:
- Standalone
- Managed
- Specialized Security-Limited Functionality (SSLF)
- Legacy
- Sector-Specific Environment
Testing Information:
Usage of the security automation content requires OpenSCAP (for configuration scanning) and Ansible (for remediation capabilities). To install these components:

    $ sudo yum -y install openscap-utils ansible

The files to use for the scan in the zip file are:
- ssg-ocp3-ds.xml: SCAP Datastream file
- roles/ssg-ocp3-role-opencis-ocp-master.yml: Ansible playbook for Master nodes
- roles/ssg-ocp3-role-opencis-ocp-node.yml: Ansible playbook for nodes

Prior to performing a configuration evaluation, ensure OpenSCAP is installed on the OCP masters and nodes. The scan can be run manually, through a job, or from Red Hat Satellite.

To run a scan on the OpenShift Master node:

    $ sudo oscap xccdf eval --profile \
        xccdf_org.ssgproject.content_profile_opencis-ocp-master \
        --report master-report.html \
        --oval-results \
        /path/to/ssg-ocp3-ds.xml

To run a scan on non-master nodes:

    $ sudo oscap xccdf eval \
        --profile xccdf_org.ssgproject.content_profile_opencis-ocp-node \
        --report node-report.html \
        --oval-results \
        /path/to/ssg-ocp3-ds.xml

Pass/fail states will be displayed on the command line. HTML reports will also be generated (master-report.html, node-report.html), which serve as human-readable interfaces for viewing why certain rules passed and others failed.
Regulatory Compliance:
NIST 800-53 revision 4.
Comments/Warnings/Miscellaneous:
Comments, patches, errata, and other feedback are most welcome in the upstream ComplianceAsCode project: https://github.com/ComplianceAsCode/redhat.
Disclaimer:
Not provided.
Product Support:
Not provided.
Point of Contact:
Named Red Hat POC: Shawn Wells, Chief Security Strategist, Red Hat Public Sector. Email: shawn@redhat.com. Cell: 443-534-0130 (US EST). Additional contact: Chuck Svoboda, OpenShift Federal Sales Lead, Red Hat Public Sector. Email: csvoboda@redhat.com. Cell: 410-913-2181.
Sponsor:
Red Hat
Licensing:
Not provided.
Change History:
Corrected resource - 10/2/18 Resource Update - 2/22/19 Updated content to v0.1.43
NIST checklist record last modified on 03/19/2019
* This checklist is still undergoing review for inclusion into the NCP.