Check: CNTR-MK-000870
Mirantis Kubernetes Engine STIG:
CNTR-MK-000870
(in version v1 r1)
Title
FIPS mode must be enabled. (Cat I impact)
Discussion
During user authentication, MKE must protect the integrity of the password authentication process with a FIPS-validated SHA-2 or later hash function. FIPS mode restricts the cryptographic algorithms and modules in use to FIPS 140-validated ones, reducing the risk of weaknesses introduced by non-validated or legacy cryptographic implementations. FIPS-validated cryptographic modules are designed to provide strong protection for sensitive data; enabling FIPS mode therefore protects cryptographic operations on data both at rest and in transit within containerized applications.
Check Content
On the MKE controller, verify FIPS mode is enabled by executing the following command through the CLI:

docker info

The "Security Options" section of the output must include a "fips" label. That label indicates MCR is running in FIPS mode, so that, when configured, the remotely accessible MKE UI uses FIPS-validated digital signatures in conjunction with an approved hash function to protect the integrity of remote access sessions.

If the "fips" label is not shown in the "Security Options" section, this is a finding.
Fix Text
If the operating system has FIPS enabled, FIPS mode is enabled by default in MCR. The preferred method is to ensure FIPS mode is set on the operating system prior to installation.

If a change is required on a deployed system, create the systemd drop-in directory if it does not exist:

mkdir -p /etc/systemd/system/docker.service.d/

Create a file called /etc/systemd/system/docker.service.d/fips-module.conf with the following content:

[Service]
Environment="DOCKER_FIPS=1"

Reload the Docker configuration in systemd:

sudo systemctl daemon-reload

Restart the Docker service:

sudo systemctl restart docker
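The check and fix above, as an added shell example that is not part of the STIG text or of Mirantis' own tooling: it parses docker info output for the "fips" label inside the "Security Options" block (so a "fips" token elsewhere in the output, such as an engine label, is not counted), checks the kernel's FIPS flag that the Fix Text says should be set first, and writes the systemd drop-in from the Fix Text. The docker info excerpts are constructed; the root-directory and flag-path parameters are assumptions added so the functions can be exercised against a temporary directory instead of a live controller.

```shell
#!/bin/sh
# Added example (not from the STIG or Mirantis): check and apply the FIPS
# setting described in CNTR-MK-000870. Sample output and the ROOT/FLAG_PATH
# parameters are assumptions made for offline testing.

# Constructed excerpt of `docker info` output with FIPS mode on. Real output
# has many more fields; only the "Security Options" block matters here.
SAMPLE_INFO_FIPS=' Containers: 3
 Security Options:
  seccomp
   Profile: builtin
  fips
  cgroupns
 Kernel Version: 5.14.0'

# Constructed excerpt without FIPS mode. The "fips" entry under "Labels:" is
# an engine label, not FIPS mode, and must not satisfy the check.
SAMPLE_INFO_NOFIPS=' Containers: 3
 Security Options:
  seccomp
   Profile: builtin
  cgroupns
 Labels:
  fips
 Kernel Version: 5.14.0'

# fips_enabled_in_info INFO_TEXT
# Succeeds (0) only when a "fips" entry appears inside the indented
# "Security Options" block. Top-level fields are indented by one space,
# block entries by two, which is what the awk rules key on.
fips_enabled_in_info() {
    printf '%s\n' "$1" | awk '
        /^ Security Options:/   { inblock = 1; next }
        inblock && /^ [^ ]/     { inblock = 0 }
        inblock && $1 == "fips" { found = 1 }
        END                     { exit found ? 0 : 1 }
    '
}

# check_docker_fips: the live form of the STIG check on this host.
# Returns 1 (a finding) when `docker info` lacks the label.
check_docker_fips() {
    fips_enabled_in_info "$(docker info 2>/dev/null)"
}

# os_fips_enabled [FLAG_PATH]
# The Fix Text prefers enabling FIPS at the OS level; the Linux kernel exposes
# that state at /proc/sys/crypto/fips_enabled ("1" when on). FLAG_PATH is an
# assumption so the function can be tested on a temporary file.
os_fips_enabled() {
    flag="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag" ] && [ "$(cat "$flag")" = "1" ]
}

# write_fips_dropin [ROOT]
# Writes the systemd drop-in from the Fix Text under ROOT (default: the real
# filesystem). ROOT is an assumption added for safe testing.
write_fips_dropin() {
    root="${1:-}"
    dir="$root/etc/systemd/system/docker.service.d"
    mkdir -p "$dir"
    printf '[Service]\nEnvironment="DOCKER_FIPS=1"\n' > "$dir/fips-module.conf"
}

# apply_fix: the full remediation sequence from the Fix Text, for a live host.
apply_fix() {
    write_fips_dropin "" &&
    sudo systemctl daemon-reload &&
    sudo systemctl restart docker
}

# Run as a script: --check reports the STIG result, --fix applies the drop-in.
if [ "${1:-}" = "--check" ]; then
    if check_docker_fips; then
        echo "PASS: docker info shows fips under Security Options"
    else
        echo "FINDING: fips label missing from Security Options"
        exit 1
    fi
elif [ "${1:-}" = "--fix" ]; then
    apply_fix
fi
```

On a controller, `sh fips-check.sh --check` is the auditor's step and `sh fips-check.sh --fix` the operator's; if os_fips_enabled reports the kernel flag is off, fix that at the OS level first, since the drop-in only forces MCR's own behaviour.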
Additional Identifiers
Rule ID: SV-260908r966081_rule
Vulnerability ID: V-260908
Group Title: SRG-APP-000172-CTR-000440
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000197 | The information system, for password-based authentication, transmits only cryptographically-protected passwords. |
CCI-000803 | The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. |
CCI-001184 | The information system protects the authenticity of communications sessions. |
CCI-002418 | The information system protects the confidentiality and/or integrity of transmitted information. |
CCI-002420 | The information system maintains the confidentiality and/or integrity of information during preparation for transmission. |
CCI-002422 | The information system maintains the confidentiality and/or integrity of information during reception. |
CCI-002450 | The information system implements organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. |
CCI-002890 | The information system implements cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications. |
CCI-003123 | The information system implements cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications. |
Controls
Number | Title |
---|---|
IA-5 (1) | Password-Based Authentication |
IA-7 | Cryptographic Module Authentication |
MA-4 (6) | Cryptographic Protection |
SC-8 | Transmission Confidentiality And Integrity |
SC-8 (2) | Pre / Post Transmission Handling |
SC-13 | Cryptographic Protection |
SC-23 | Session Authenticity |