
Red Hat OpenShift Container Platform 4.12 STIG

Hard 18 items · 4 hours
testuser Published 1 month ago

This checklist guides system administrators and security engineers through implementing the DISA STIG requirements for Red Hat OpenShift 4.12. It covers key verification, hardening, logging, identity integration, and reporting steps to help meet DoD security expectations.

Source: https://ncp.nist.gov/checklist/1065

  1. Verify OpenShift version is 4.12 — Confirm installed version matches cpe:/a:redhat:openshift_container_platform:4.12
  2. Apply latest OpenShift patches and updates — Include all security errata and node/cluster updates from Red Hat
  3. Run STIG compliance scan against the cluster — Use XCCDF-based tools or authorized scanners to assess compliance
  4. Generate CUI/non-compliance report for AO review — Produce a report of failed STIG items for authorizing official review
  5. Configure Role-Based Access Control (RBAC) least privilege — Restrict cluster-admin rights and grant only required permissions
  6. Integrate with central identity provider (SSO/IAM) — Delegate authentication to the enterprise IAM for centralized control
  7. Configure SSO provider for OpenShift — Set up OIDC or SAML per enterprise standards
  8. Map enterprise roles to OpenShift roles — Align IAM groups and roles to cluster RBAC policies
  9. Enforce strong authentication policies (MFA, password complexity) — Require MFA and set password/lockout policies via IAM
  10. Enable and forward audit logs to central log server — Collect cluster and API audit logs and centralize them for analysis
  11. Enable OpenShift audit logging with required retention — Configure audit policy, log levels, and retention per STIG
  12. Configure log forwarder to send logs to central server — Use Fluentd/Vector or approved forwarder and secure the transport
  13. Implement network segmentation using NetworkPolicies — Limit pod-to-pod and ingress/egress access per workload needs
  14. Harden container runtime and node configuration — Apply sysctl, seccomp, SELinux, and node hardening settings
  15. Disable unused services and API endpoints — Remove or restrict extra addons, routes, and unused APIs
  16. Scan and remediate container images for vulnerabilities — Integrate image scanning in CI/CD and remediate before deploy
  17. Review and remediate known CVEs affecting the platform — Track applicable CVEs and apply patches or mitigations promptly
  18. Document exceptions and obtain Authorizing Official (AO) approval — Record deviations, compensating controls, and mitigation timelines
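As an added example for item 5 (not part of this checklist and not Red Hat tooling), the script below reads the JSON that `oc get clusterrolebindings -o json` emits and reports every subject bound to the cluster-admin ClusterRole that is not on an allowlist. The embedded input is a constructed sample, and the allowlist (only the group `system:masters`, which the platform itself binds) is an assumed starting baseline that should be replaced with the cluster's documented, AO-approved list.

```python
import json
import sys

# Constructed sample of `oc get clusterrolebindings -o json` output; not from a real cluster.
SAMPLE_CRB_JSON = json.dumps({
    "kind": "List",
    "items": [
        {"metadata": {"name": "cluster-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:masters"}]},
        {"metadata": {"name": "dev-team-admins"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "dev-team"},
                      {"kind": "User", "name": "alice"}]},
        {"metadata": {"name": "ci-bot-binding"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "ci-bot", "namespace": "ci"}]},
        {"metadata": {"name": "view-all"},
         "roleRef": {"kind": "ClusterRole", "name": "view"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    ],
})

# Assumed baseline: subjects whose cluster-admin grant is expected. Everything else
# must be justified and documented (checklist item 18) or removed (item 5).
EXPECTED_CLUSTER_ADMIN_SUBJECTS = {("Group", "system:masters")}


def cluster_admin_findings(crb_json, allowed=EXPECTED_CLUSTER_ADMIN_SUBJECTS):
    """Return (binding, subject_kind, subject_name) for each unexpected cluster-admin grant.

    ServiceAccount subjects are reported as "<namespace>:<name>" so that identically
    named accounts in different namespaces are not confused with each other.
    """
    findings = []
    for crb in json.loads(crb_json).get("items", []):
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        # "subjects" may be absent or null on a binding with no subjects.
        for subj in crb.get("subjects") or []:
            kind, name = subj.get("kind"), subj.get("name")
            if kind == "ServiceAccount":
                name = f"{subj.get('namespace', '')}:{name}"
            if (kind, name) not in allowed:
                findings.append((crb["metadata"]["name"], kind, name))
    return findings


if __name__ == "__main__":
    # Usage: oc get clusterrolebindings -o json | python3 this_script.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CRB_JSON
    for binding, kind, name in cluster_admin_findings(data):
        print(f"FINDING: binding {binding} grants cluster-admin to {kind} {name}")
```

A non-empty result is a failed least-privilege check; each line either becomes an RBAC change or a documented exception for the AO.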