NIST National Checklist for Red Hat OpenShift Container Platform 3.x content v0.1.48 Checklist Details (Checklist Revisions)

SCAP 1.3 Content:

Supporting Resources:


Target and CPE Name
Red Hat OpenShift Container Platform 3.10 cpe:/a:redhat:openshift_container_platform:3.10
Red Hat OpenShift Container Platform 3.11 cpe:/a:redhat:openshift_container_platform:3.11
Red Hat OpenShift Container Platform 3.5 cpe:/a:redhat:openshift_container_platform:3.5
Red Hat OpenShift Container Platform 3.6 cpe:/a:redhat:openshift_container_platform:3.6
Red Hat OpenShift Container Platform 3.7 cpe:/a:redhat:openshift_container_platform:3.7
Red Hat OpenShift Container Platform 3.8 cpe:/a:redhat:openshift_container_platform:3.8
Red Hat OpenShift Container Platform 3.9 cpe:/a:redhat:openshift_container_platform:3.9

Checklist Highlights

Checklist Name:
NIST National Checklist for Red Hat OpenShift Container Platform 3.x
Checklist ID:
content v0.1.48
Review Status:
Software Vendor: Red Hat
Original Publication Date:

Checklist Summary:

To support OpenShift deployments in regulated environments, Red Hat has been developing SCAP and Ansible based security automation content. The NIST National Checklist for OpenShift 3.x provides: (a) FISMA Applicability Guide, documenting which NIST 800-53 controls are applicable to OpenShift 3.x; (b) SCAP datastreams in SCAP 1.2 and SCAP 1.3 formats to assist with pass/fail configuration scanning. Ansible Playbooks are also provided to ensure OpenShift deployments are configured in accordance with the security profile.

Checklist Role:

  • Virtualization Server

Known Issues:

Not provided.

Target Audience:

Not provided.

Target Operational Environment:

  • Standalone
  • Managed
  • Specialized Security-Limited Functionality (SSLF)
  • Legacy
  • Sector-Specific Environment

Testing Information:

Usage of the security automation content requires OpenSCAP (for configuration scanning) and Ansible (for remediation capabilities). To install these components:

    $ sudo yum -y install openscap-utils ansible

The files to use for the scan in the zip file are:

  • ssg-ocp3-ds.xml - SCAP Datastream file
  • roles/ssg-ocp3-role-opencis-ocp-master.yml - Ansible playbook for Master nodes
  • roles/ssg-ocp3-role-opencis-ocp-node.yml - Ansible playbook for nodes

Prior to performing a configuration evaluation, ensure OpenSCAP is installed on the OCP masters and nodes. The scan can be run manually, through a job, or from Red Hat Satellite.

To run a scan on the OpenShift Master node:

    $ sudo oscap xccdf eval --profile \
        xccdf_org.ssgproject.content_profile_opencis-ocp-master \
        --report master-report.html \
        --oval-results \
        /path/to/ssg-ocp3-ds.xml

To run a scan on non-master nodes:

    $ sudo oscap xccdf eval \
        --profile xccdf_org.ssgproject.content_profile_opencis-ocp-node \
        --report node-report.html \
        --oval-results \
        /path/to/ssg-ocp3-ds.xml

Pass/fail states will be displayed on the command line. HTML reports will also be generated (master-report.html, node-report.html), which serve as human-readable interfaces to view why certain rules passed and others failed.

Regulatory Compliance:

NIST 800-53 revision 4.


Comments, patches, errata, and other feedback are most welcome in the upstream ComplianceAsCode project:


Not provided.

Product Support:

Not provided.

Point of Contact: for NCP inquiries.


Red Hat


Not provided.

Change History:

Corrected resource - 10/2/18
Resource Update - 2/22/19
Updated content to v0.1.43
Added link to OpenControl content for OpenShift
Corrected SHA discrepancy - 4/1/2019
Updated content to v0.1.44. A complete changelog is available at - 5/17/2019
Updated data streams with stricter adherence to SCAP 1.3 specifications. - 06/14/2019
Updated content to version 0.1.47.
Updated to content v0.1.48.
Update to latest content version
Change POC to NAPS checklist email
(NCP Moderator) - SCAP 1.2 and 1.3 passed manual validation - 10/26/2020



NIST checklist record last modified on 10/26/2020