Check: SRG-APP-000133-CTR-000300
Container Platform SRG:
SRG-APP-000133-CTR-000300
(in versions v1 r5 through v1 r1)
Title
The container platform must limit privileges to the container platform keystore. (Cat II impact)
Discussion
The container platform keystore is used to store credentials used to build a trust between the container platform and some external source. This trust relationship is authorized by the organization. If a malicious user were to have access to the container platform keystore, two negative scenarios could develop: 1) Keys not approved could be introduced and 2) Approved keys deleted, leading to the introduction of container images from sources that were never approved by the organization. To thwart this threat, it is important to protect the container platform keystore and give access to only those individuals and roles approved by the organization.
Check Content
Review the container platform keystore configuration to determine if the level of access to the keystore is controlled through user privileges. Attempt to perform keystore operations to determine if the privileges are enforced. If the container platform keystore is not limited through user privileges or the user privileges are not enforced, this is a finding.
Fix Text
Configure the container platform to use and enforce user privileges when accessing the container platform keystore.
Additional Identifiers
Rule ID: SV-233068r879586_rule
Vulnerability ID: V-233068
Group Title: SRG-APP-000133
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001499 |
The organization limits privileges to change software resident within software libraries. |
Controls
Number | Title |
---|---|
CM-5 (6) |
Limit Library Privileges |