Check: SRG-APP-000131-CTR-000285
Container Platform SRG:
SRG-APP-000131-CTR-000285
(in versions v1 r5 through v1 r1)
Title
The container platform must verify container images. (Cat II impact)
Discussion
The container platform must be capable of validating container images are signed and that the digital signature is from a recognized and approved source approved by the organization. Allowing any container image to be introduced into the registry and instantiated into a container can allow for services to be introduced that are not trusted and may contain malicious code, which introduces unwanted services. These unwanted services can cause harm and security risks to the hosting server, the container platform, other services running within the container platform, and the overall organization.
Check Content
Review the container platform configuration to determine if container images are verified by enforcing image signing and that the image is signed recognized by an approved source. If container images are not verified or the signature is not verified as a recognized and approved source, this is a finding.
Fix Text
Configure the container platform to verify container images are digitally signed and the signature is from a recognized and approved source.
Additional Identifiers
Rule ID: SV-233065r879584_rule
Vulnerability ID: V-233065
Group Title: SRG-APP-000131
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001749 |
The information system prevents the installation of organization-defined software components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization. |
Controls
| Number | Title |
|---|---|
| CM-5 (3) |
Signed Components |