NIST National Checklist for Red Hat OpenShift Container Platform 3.x content v0.1.48 Checklist Details

SCAP 1.2 Content:

Supporting Resources:

Target:

Target | CPE Name
Red Hat OpenShift Container Platform 3.10 | cpe:/a:redhat:openshift_container_platform:3.10
Red Hat OpenShift Container Platform 3.11 | cpe:/a:redhat:openshift_container_platform:3.11
Red Hat OpenShift Container Platform 3.5 | cpe:/a:redhat:openshift_container_platform:3.5
Red Hat OpenShift Container Platform 3.6 | cpe:/a:redhat:openshift_container_platform:3.6
Red Hat OpenShift Container Platform 3.7 | cpe:/a:redhat:openshift_container_platform:3.7
Red Hat OpenShift Container Platform 3.8 | cpe:/a:redhat:openshift_container_platform:3.8
Red Hat OpenShift Container Platform 3.9 | cpe:/a:redhat:openshift_container_platform:3.9

Checklist Highlights

Checklist Name:
NIST National Checklist for Red Hat OpenShift Container Platform 3.x
Checklist ID:
866
Version:
content v0.1.48
Type:
Compliance
Review Status:
Under Review
Authority:
Software Vendor: Red Hat
Original Publication Date:
08/29/2018

Checklist Summary:

To support OpenShift deployments in regulated environments, Red Hat has been developing SCAP and Ansible based security automation content. The NIST National Checklist for OpenShift 3.x provides: (a) FISMA Applicability Guide, documenting which NIST 800-53 controls are applicable to OpenShift 3.x; (b) SCAP datastreams in SCAP 1.2 and SCAP 1.3 formats to assist with pass/fail configuration scanning. Ansible Playbooks are also provided to ensure OpenShift deployments are configured in accordance with the security profile.

Checklist Role:

  • Virtualization Server

Known Issues:

Not provided.

Target Audience:

Not provided.

Target Operational Environment:

  • Standalone
  • Managed
  • Specialized Security-Limited Functionality (SSLF)
  • Legacy
  • Sector-Specific Environment

Testing Information:

Usage of the security automation content requires OpenSCAP (for configuration scanning) and Ansible (for remediation capabilities). To install these components:

    $ sudo yum -y install openscap-utils ansible

The files to use for the scan in the zip file are:

  • ssg-ocp3-ds.xml: SCAP Datastream file
  • roles/ssg-ocp3-role-opencis-ocp-master.yml: Ansible playbook for Master nodes
  • roles/ssg-ocp3-role-opencis-ocp-node.yml: Ansible playbook for nodes

Prior to performing a configuration evaluation, ensure OpenSCAP is installed on the OCP masters and nodes. The scan can be run manually, through a job, or from Red Hat Satellite.

To run a scan on the OpenShift Master node:

    $ sudo oscap xccdf eval \
        --profile xccdf_org.ssgproject.content_profile_opencis-ocp-master \
        --report master-report.html \
        --oval-results \
        /path/to/ssg-ocp3-ds.xml

To run a scan on non-master nodes:

    $ sudo oscap xccdf eval \
        --profile xccdf_org.ssgproject.content_profile_opencis-ocp-node \
        --report node-report.html \
        --oval-results \
        /path/to/ssg-ocp3-ds.xml

Pass/fail states will be displayed on the command line. HTML reports will also be generated (master-report.html, node-report.html), which serve as human-readable interfaces for viewing why certain rules passed and others failed.
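For scans run through a job, a machine-readable summary is easier to gate on than the HTML report. The script below is an added example, not part of the checklist or of Red Hat's content: it assumes the scan was additionally run with `--results results.xml` so that an XCCDF 1.2 results file exists, and its embedded sample XML and rule ids are constructed placeholders.

```python
"""Summarise an XCCDF 1.2 results file written by `oscap xccdf eval --results`."""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

NS = "{http://checklists.nist.gov/xccdf/1.2}"
# Outcomes that should block a compliance gate: a failed rule, or a check that
# could not produce an answer (counting those as passes hides coverage gaps).
BLOCKING = {"fail", "error", "unknown"}

# Constructed sample; the rule ids are placeholders, not rules from the checklist.
SAMPLE_RESULTS = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo">
  <TestResult id="xccdf_org.example_testresult_demo">
    <profile idref="xccdf_org.ssgproject.content_profile_opencis-ocp-master"/>
    <rule-result idref="xccdf_org.example_rule_a" severity="high"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_b" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_c" severity="low"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_d" severity="high"><result>error</result></rule-result>
  </TestResult>
</Benchmark>
"""

def summarize(xml_data):
    """Return the profile id, per-outcome counts and the blocking rules."""
    root = ET.fromstring(xml_data)
    runs = list(root.iter(NS + "TestResult"))
    if not runs:
        raise ValueError("no XCCDF 1.2 TestResult element found")
    run = runs[-1]  # a file may carry several runs; use the last one in it
    profile = run.find(NS + "profile")
    counts, blocking = Counter(), []
    for rr in run.iter(NS + "rule-result"):
        outcome = (rr.findtext(NS + "result") or "unknown").strip()
        counts[outcome] += 1
        if outcome in BLOCKING:
            blocking.append((rr.get("idref"), rr.get("severity", "unknown"), outcome))
    return {
        "profile": profile.get("idref") if profile is not None else None,
        "counts": dict(counts),
        "blocking": blocking,
        "compliant": not blocking,
    }

if __name__ == "__main__":
    # With a path argument, read that results file; otherwise use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    summary = summarize(data)
    print(summary["profile"], summary["counts"])
    for rule_id, severity, outcome in summary["blocking"]:
        print(f"{outcome:8} {severity:8} {rule_id}")
    sys.exit(0 if summary["compliant"] else 2)
```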

Regulatory Compliance:

NIST 800-53 revision 4.

Comments/Warnings/Miscellaneous:

Comments, patches, errata, and other feedback are most welcome in the upstream ComplianceAsCode project: https://github.com/ComplianceAsCode/redhat.

Disclaimer:

Not provided.

Product Support:

Not provided.

Point of Contact:

Named Red Hat POC: Shawn Wells, Chief Security Strategist, Red Hat Public Sector. Email: shawn@redhat.com. Cell: 443-534-0130 (US EST). Additional contact: Chuck Svoboda, OpenShift Federal Sales Lead, Red Hat Public Sector. Email: csvoboda@redhat.com. Cell: 410-913-2181.

Sponsor:

Red Hat

Licensing:

Not provided.

Change History:

Corrected resource - 10/2/18
Resource Update - 2/22/19
Updated content to v0.1.43

Dependency/Requirements:

URL Description

References:

Reference URL Description

NIST checklist record last modified on 03/19/2019


* This checklist is still undergoing review for inclusion into the NCP.