|Target|CPE Name|
|---|---|
|Red Hat OpenShift Container Platform 3.10|cpe:/a:redhat:openshift_container_platform:3.10|
|Red Hat OpenShift Container Platform 3.11|cpe:/a:redhat:openshift_container_platform:3.11|
|Red Hat OpenShift Container Platform 3.5|cpe:/a:redhat:openshift_container_platform:3.5|
|Red Hat OpenShift Container Platform 3.6|cpe:/a:redhat:openshift_container_platform:3.6|
|Red Hat OpenShift Container Platform 3.7|cpe:/a:redhat:openshift_container_platform:3.7|
|Red Hat OpenShift Container Platform 3.8|cpe:/a:redhat:openshift_container_platform:3.8|
|Red Hat OpenShift Container Platform 3.9|cpe:/a:redhat:openshift_container_platform:3.9|
To support OpenShift deployments in regulated environments, Red Hat has been developing SCAP- and Ansible-based security automation content. The NIST National Checklist for OpenShift 3.x provides: (a) a FISMA Applicability Guide, documenting which NIST 800-53 controls are applicable to OpenShift 3.x; (b) SCAP datastreams in SCAP 1.2 and SCAP 1.3 formats to assist with pass/fail configuration scanning. Ansible Playbooks are also provided to ensure OpenShift deployments are configured in accordance with the security profile.
Usage of the security automation content requires OpenSCAP (for configuration scanning) and Ansible (for remediation capabilities). To install these components:

    $ sudo yum -y install openscap-utils ansible

The files to use for the scan in the zip file are:

- ssg-ocp3-ds.xml: SCAP Datastream file
- roles/ssg-ocp3-role-opencis-ocp-master.yml: Ansible playbook for Master nodes
- roles/ssg-ocp3-role-opencis-ocp-node.yml: Ansible playbook for nodes

Prior to performing a configuration evaluation, ensure OpenSCAP is installed on the OCP masters and nodes. The scan can be run manually, through a job, or from Red Hat Satellite.

To run a scan on the OpenShift Master node:

    $ sudo oscap xccdf eval --profile \
        xccdf_org.ssgproject.content_profile_opencis-ocp-master \
        --report master-report.html \
        --oval-results \
        /path/to/ssg-ocp3-ds.xml

To run a scan on non-master nodes:

    $ sudo oscap xccdf eval \
        --profile xccdf_org.ssgproject.content_profile_opencis-ocp-node \
        --report node-report.html \
        --oval-results \
        /path/to/ssg-ocp3-ds.xml

Pass/fail states will be displayed on the command line. HTML reports will also be generated (master-report.html, node-report.html), which serve as a human-readable interface for viewing why certain rules passed and others failed.
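When the scan runs through a job rather than by hand, the job has to tell "rules failed" apart from "the scan did not run". The wrapper below is an added example, not part of the checklist content: it reuses the two profile IDs and report names from the commands above and relies on the documented `oscap xccdf eval` exit statuses (0, 1, 2). The variable names `DS_PATH` and `REPORT_DIR`, the role arguments and the state labels are assumptions.

```sh
#!/bin/sh
# Added example (not from the checklist): wrapper for running the scan as a job.
# Assumed names: DS_PATH, REPORT_DIR, the role arguments and the state labels.
DS_PATH="${DS_PATH:-/path/to/ssg-ocp3-ds.xml}"   # datastream from the zip file
REPORT_DIR="${REPORT_DIR:-.}"

# Map a node role to the profile ID used in the commands on this page.
profile_for_role() {
  case "$1" in
    master) echo "xccdf_org.ssgproject.content_profile_opencis-ocp-master" ;;
    node)   echo "xccdf_org.ssgproject.content_profile_opencis-ocp-node" ;;
    *)      return 1 ;;
  esac
}

# Translate the oscap exit status into a job state: 0 means every rule
# passed, 2 means at least one rule failed or was unknown, and any other
# value means the evaluation itself did not complete.
scan_state() {
  case "$1" in
    0) echo "compliant" ;;
    2) echo "noncompliant" ;;
    *) echo "scan-error" ;;
  esac
}

# Run the scan for one role and print a single status line for the job log.
run_scan() {
  scan_role="$1"
  scan_profile="$(profile_for_role "$scan_role")" || {
    echo "unknown role: $scan_role" >&2; return 64; }
  [ -r "$DS_PATH" ] || { echo "cannot read datastream: $DS_PATH" >&2; return 66; }
  scan_rc=0
  oscap xccdf eval --profile "$scan_profile" \
    --report "$REPORT_DIR/${scan_role}-report.html" \
    --oval-results "$DS_PATH" || scan_rc=$?
  echo "$(hostname) role=$scan_role state=$(scan_state "$scan_rc")"
  return "$scan_rc"
}

# Entry point, e.g.: sudo sh ocp-scan.sh master
if [ "$#" -gt 0 ]; then
  run_scan "$1"
fi
```

A scheduler that treats every non-zero exit as a crash would page on ordinary findings; alert on `scan-error` and route `noncompliant` to the report review instead.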
NIST 800-53 revision 4.
Comments, patches, errata, and other feedback are most welcome in the upstream ComplianceAsCode project: https://github.com/ComplianceAsCode/redhat.
firstname.lastname@example.org for NCP inquiries.
- Corrected resource - 10/2/18
- Resource Update - 2/22/19
- Updated content to v0.1.43 Added link to OpenControl content for OpenShift Corrected SHA discrepancy - 4/1/2019
- Updated content to v0.1.44. A complete changelog is available at https://github.com/ComplianceAsCode/content/releases/tag/v0.1.44. - 5/17/2019
- Updated data streams with stricter adherence to SCAP 1.3 specifications. - 06/14/2019
- Updated content to version 0.1.47. Updated to content v0.1.48. Update to latest content version Change POC to NAPS checklist email (NCP Moderator) - SCAP 1.2 and 1.3 passed manual validation - 10/26/2020