NIST National Checklist for Red Hat OpenShift Container Platform 3.x content v0.1.48 Checklist Details (Checklist Revisions)
NOTE
This is not the current revision of this Checklist, view the current revision.
SCAP 1.3 Content:
- Download SCAP 1.3 Content - NIST National Checklist for Red Hat OpenShift Container Platform 3.x
- Author: Red Hat
Supporting Resources:
Target:
Target | CPE Name |
---|---|
Red Hat OpenShift Container Platform 3.10 | cpe:/a:redhat:openshift_container_platform:3.10 |
Red Hat OpenShift Container Platform 3.11 | cpe:/a:redhat:openshift_container_platform:3.11 |
Red Hat OpenShift Container Platform 3.5 | cpe:/a:redhat:openshift_container_platform:3.5 |
Red Hat OpenShift Container Platform 3.6 | cpe:/a:redhat:openshift_container_platform:3.6 |
Red Hat OpenShift Container Platform 3.7 | cpe:/a:redhat:openshift_container_platform:3.7 |
Red Hat OpenShift Container Platform 3.8 | cpe:/a:redhat:openshift_container_platform:3.8 |
Red Hat OpenShift Container Platform 3.9 | cpe:/a:redhat:openshift_container_platform:3.9 |
Checklist Highlights
- Checklist Name:
- NIST National Checklist for Red Hat OpenShift Container Platform 3.x
- Checklist ID:
- 866
- Version:
- content v0.1.48
- Type:
- Compliance
- Review Status:
- Final
- Authority:
- Software Vendor: Red Hat
- Original Publication Date:
- 01/14/2020
Checklist Summary:
To support OpenShift deployments in regulated environments, Red Hat has been developing SCAP- and Ansible-based security automation content. The NIST National Checklist for OpenShift 3.x provides: (a) a FISMA Applicability Guide, documenting which NIST 800-53 controls are applicable to OpenShift 3.x; (b) SCAP datastreams in SCAP 1.2 and SCAP 1.3 formats to assist with pass/fail configuration scanning. Ansible Playbooks are also provided to ensure OpenShift deployments are configured in accordance with the security profile.
Checklist Role:
- Virtualization Server
Known Issues:
Not provided.
Target Audience:
Not provided.
Target Operational Environment:
- Standalone
- Managed
- Specialized Security-Limited Functionality (SSLF)
- Legacy
- Sector-Specific Environment
Testing Information:
Usage of the security automation content requires OpenSCAP (for configuration scanning) and Ansible (for remediation capabilities). To install these components:

    $ sudo yum -y install openscap-utils ansible

The files to use for the scan in the zip file are:
- ssg-ocp3-ds.xml: SCAP Datastream file
- roles/ssg-ocp3-role-opencis-ocp-master.yml: Ansible playbook for Master nodes
- roles/ssg-ocp3-role-opencis-ocp-node.yml: Ansible playbook for nodes

Prior to performing a configuration evaluation, ensure OpenSCAP is installed on the OCP masters and nodes. The scan can be run manually, through a job, or from Red Hat Satellite.

To run a scan on the OpenShift Master node:

    $ sudo oscap xccdf eval --profile \
        xccdf_org.ssgproject.content_profile_opencis-ocp-master \
        --report master-report.html \
        --oval-results \
        /path/to/ssg-ocp3-ds.xml

To run a scan on non-master nodes:

    $ sudo oscap xccdf eval \
        --profile xccdf_org.ssgproject.content_profile_opencis-ocp-node \
        --report node-report.html \
        --oval-results \
        /path/to/ssg-ocp3-ds.xml

Pass/fail states will be displayed on the command line. HTML reports will also be generated (master-report.html, node-report.html), which serve as a human-readable interface for viewing why certain rules passed and others failed.
Regulatory Compliance:
NIST 800-53 revision 4.
Comments/Warnings/Miscellaneous:
Comments, patches, errata, and other feedback are most welcome in the upstream ComplianceAsCode project: https://github.com/ComplianceAsCode/redhat.
Disclaimer:
Not provided.
Product Support:
Not provided.
Point of Contact:
Named Red Hat POC: Shawn Wells, Chief Security Strategist, Red Hat Public Sector. EMail: shawn@redhat.com. Cell: 443-534-0130 (US EST). Additional contact: Chuck Svoboda, OpenShift Federal Sales Lead, Red Hat Public Sector. EMail: csvoboda@redhat.com. Cell: 410-913-2181.
Sponsor:
Red Hat
Licensing:
Not provided.
Change History:
Corrected resource - 10/2/18 Resource Update - 2/22/19 Updated content to v0.1.43 Added link to OpenControl content for OpenShift Corrected SHA discrepancy - 4/1/2019 Updated content to v0.1.44. A complete changelog is available at https://github.com/ComplianceAsCode/content/releases/tag/v0.1.44. - 5/17/2019 Updated data streams with stricter adherence to SCAP 1.3 specifications. - 06/14/2019 Updated content to version 0.1.47. Updated to content v0.1.48.
Dependency/Requirements:
URL | Description |
---|
References:
Reference URL | Description |
---|---|
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.48 | Release Notes |