This checklist guides administrators through applying the Rancher Government Solutions Multi-Cluster Manager (RGS MCM) STIG (Ver 2, Rel 2). It’s for platform owners and security teams who manage multiple Kubernetes clusters and need to confirm STIG requirements are identified, implemented, and documented.
- Download the RGS MCM STIG (Ver 2, Rel 2) — Obtain the latest STIG from DISA Cyber Exchange or public.cyber.mil.
- Review the STIG scope, summary, and applicability — Identify controls that apply to your RGS MCM deployment and out-of-scope items.
- Inventory managed Kubernetes clusters and components — List clusters, OS, hypervisor, container runtime, and CNI plugins.
- Verify vendor-specific Kubernetes STIGs or SRGs are applied — Follow vendor STIGs or the generic SRG when vendor guidance is unavailable.
- Harden underlying environment components — Ensure host OS, container runtime, and network plugins meet their STIGs/SRGs.
- Harden host operating systems (OS) — Apply OS STIGs, disable unused services, enforce baseline configurations.
- Harden container runtime (e.g., Docker, containerd) — Restrict privileges, apply runtime SRG guidance, and isolate runtimes.
- Harden CNI and network plugins (e.g., Calico, Flannel) — Secure plugin configs and implement network policies where supported.
- Implement global RBAC in RGS MCM — Configure multi-cluster roles to enforce least privilege across clusters.
- Configure multi-cluster access controls and limit admin privileges — Remove overly broad default permissions and assign scoped administrative roles.
- Enforce secure default configurations for RGS MCM — Disable unused features and apply secure templates and policies.
- Validate and implement network policies and cluster segmentation — Ensure pod-to-pod and cross-cluster traffic restrictions are enforced.
- Enable and configure audit logging for RGS MCM and clusters — Centralize audit logs, enforce retention, and secure log storage.
- Integrate vulnerability scanning for container images and clusters — Scan images and nodes regularly and remediate critical findings.
- Apply timely updates and patches to RGS MCM, Kubernetes, and dependencies — Test patches in staging and follow change control before production rollouts.
- Document security configurations, deviations, and approved exceptions — Record rationale, evidence, and authorization for audit purposes.
- Subscribe to DISA Cyber Exchange and monitor STIG updates — Track change history and pull updated STIGs or resources when released.