Check: CNTR-MK-000030
Mirantis Kubernetes Engine STIG (version v1 r1)
Title
MKE must be configured to integrate with an Enterprise Identity Provider. (Cat II impact)
Discussion
Configuring MKE to integrate with an Enterprise Identity Provider enhances security, simplifies user management, ensures compliance, provides auditing capabilities, and offers a more seamless and consistent user experience. It aligns MKE with enterprise standards and contributes to a more efficient and secure environment.
Check Content
Verify that Enterprise Identity Provider integration is enabled and properly configured in the MKE Admin Settings.

1. Log in to the MKE web UI and navigate to admin >> Admin Settings >> Authentication & Authorization. If neither LDAP nor SAML is set to "Enabled", this is a finding.

2. Identity Provider configurations:

When using LDAP, ensure the following are set:
- LDAP/AD server's URL.
- Reader DN.
- Reader Password.

When using SAML, in the "SAML IdP Server" section, ensure the following:
- The URL for the identity provider exists in the "IdP Metadata URL" field.
- "Skip TLS Verification" is unchecked.
- "Root Certificate Bundle" is filled.

In the "SAML Service Provider" section, ensure the "MKE Host" field contains the MKE UI IP address.

If the Identity Provider configurations do not match the System Security Plan (SSP), this is a finding.
Fix Text
To configure an Identity Provider, log in to the MKE web UI and navigate to admin >> Admin Settings >> Authentication & Authorization >> Identity Provider Integration section.

To configure LDAP:
1. Click the radio button to set LDAP to "Enabled".
2. In the "LDAP Server" subsection, set the following:
- "LDAP Server URL" to the URL of the organization's AD or LDAP server (the URL must use https).
- "Reader DN" to the DN of the account used to search the LDAP entries.
- "Reader Password" to the password for the Reader account.
3. Click "Save".

To configure SAML:
1. Click the radio button to set SAML to "Enabled".
2. Enter the URL in the "Service Provider Metadata URL" field.
3. Upload the certificate bundle for the IdP in "Root Certificates Bundle".
4. In the "SAML Service Provider" section, enter the MKE IP address in the "MKE Host" field.
5. Click "Save".
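The Check Content and Fix Text above describe the settings an assessor inspects by hand. As an added example (not Mirantis code), the function below encodes those same criteria so they can be applied to an exported copy of the settings; the dict layout, the field names and both sample configurations are assumptions constructed for this example and do not reproduce MKE's own configuration format.

```python
from urllib.parse import urlparse


def check_idp_integration(cfg: dict) -> list:
    """Return findings for the LDAP/SAML settings in cfg (empty list = compliant).
    cfg is a hypothetical dict mirroring the STIG's Admin Settings fields, not MKE's own config format."""
    ldap = cfg.get("ldap", {})
    saml = cfg.get("saml", {})
    findings = []
    # Check step 1: at least one Enterprise Identity Provider must be "Enabled".
    if not (ldap.get("enabled") or saml.get("enabled")):
        findings.append("neither LDAP nor SAML is set to Enabled")
    if ldap.get("enabled"):
        # Fix Text requires an https server URL plus a reader DN and password.
        url = ldap.get("server_url", "")
        if urlparse(url).scheme != "https":
            findings.append(f"LDAP Server URL is not https: {url!r}")
        for field in ("reader_dn", "reader_password"):
            if not ldap.get(field):
                findings.append(f"LDAP {field} is not set")
    if saml.get("enabled"):
        # "SAML IdP Server" section: metadata URL, TLS verification, trust bundle.
        if not saml.get("idp_metadata_url"):
            findings.append("SAML IdP Metadata URL is empty")
        if saml.get("skip_tls_verification", False):
            findings.append("SAML Skip TLS Verification is checked")
        if not saml.get("root_certificate_bundle"):
            findings.append("SAML Root Certificate Bundle is empty")
        # "SAML Service Provider" section: MKE Host must hold the MKE UI address.
        if not saml.get("mke_host"):
            findings.append("SAML Service Provider MKE Host is empty")
    return findings


# Constructed sample settings, not captured from a real deployment.
NONCOMPLIANT = {
    "ldap": {"enabled": True, "server_url": "ldap://ad.example.test",
             "reader_dn": "cn=reader,dc=example,dc=test", "reader_password": ""},
    "saml": {"enabled": True, "idp_metadata_url": "https://idp.example.test/metadata",
             "skip_tls_verification": True, "root_certificate_bundle": "",
             "mke_host": "203.0.113.10"},
}
COMPLIANT = {
    "ldap": {"enabled": False},
    "saml": {"enabled": True, "idp_metadata_url": "https://idp.example.test/metadata",
             "skip_tls_verification": False, "mke_host": "203.0.113.10",
             "root_certificate_bundle": "-----BEGIN CERTIFICATE-----\n(placeholder)\n"},
}
```

`check_idp_integration(NONCOMPLIANT)` returns four findings (plain-text LDAP URL, empty reader password, TLS verification skipped, empty root bundle), while the compliant sample returns an empty list.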
Additional Identifiers
Rule ID: SV-260909r966084_rule
Vulnerability ID: V-260909
Group Title: SRG-APP-000023-CTR-000055
CCIs
Number | Definition |
---|---|
CCI-000015 | The organization employs automated mechanisms to support the information system account management functions. |
CCI-000016 | The information system automatically removes or disables temporary accounts after an organization-defined time period for each type of account. |
CCI-000017 | The information system automatically disables inactive accounts after an organization-defined time period. |
CCI-000044 | The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period. |
CCI-000172 | The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. |
CCI-000187 | The information system, for PKI-based authentication, maps the authenticated identity to the account of the individual or group. |
CCI-000192 | The information system enforces password complexity by the minimum number of upper case characters used. |
CCI-000193 | The information system enforces password complexity by the minimum number of lower case characters used. |
CCI-000194 | The information system enforces password complexity by the minimum number of numeric characters used. |
CCI-000195 | The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed. |
CCI-000198 | The information system enforces minimum password lifetime restrictions. |
CCI-000199 | The information system enforces maximum password lifetime restrictions. |
CCI-000200 | The information system prohibits password reuse for the organization-defined number of generations. |
CCI-000205 | The information system enforces minimum password length. |
CCI-000366 | The organization implements the security configuration settings. |
CCI-000765 | The information system implements multifactor authentication for network access to privileged accounts. |
CCI-000766 | The information system implements multifactor authentication for network access to non-privileged accounts. |
CCI-000767 | The information system implements multifactor authentication for local access to privileged accounts. |
CCI-000768 | The information system implements multifactor authentication for local access to non-privileged accounts. |
CCI-000770 | The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed. |
CCI-000795 | The organization manages information system identifiers by disabling the identifier after an organization-defined time period of inactivity. |
CCI-001619 | The information system enforces password complexity by the minimum number of special characters used. |
CCI-001683 | The information system notifies organization-defined personnel or roles for account creation actions. |
CCI-001684 | The information system notifies organization-defined personnel or roles for account modification actions. |
CCI-001685 | The information system notifies organization-defined personnel or roles for account disabling actions. |
CCI-001686 | The information system notifies organization-defined personnel or roles for account removal actions. |
CCI-001814 | The information system supports auditing of the enforcement actions. |
CCI-001942 | The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts. |
CCI-001953 | The information system accepts Personal Identity Verification (PIV) credentials. |
CCI-002009 | The information system accepts Personal Identity Verification (PIV) credentials from other federal agencies. |
CCI-002041 | The information system allows the use of a temporary password for system logons with an immediate change to a permanent password. |
CCI-002130 | The information system automatically audits account enabling actions. |
CCI-002132 | The information system notifies organization-defined personnel or roles for account enabling actions. |
CCI-002142 | The information system terminates shared/group account credentials when members leave the group. |
CCI-002145 | The information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts. |
CCI-002238 | The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded. |
CCI-002699 | The information system performs verification of the correct operation of organization-defined security functions: when the system is in an organization-defined transitional state; upon command by a user with appropriate privileges; and/or on an organization-defined frequency. |
Controls
Number | Title |
---|---|
AC-2 (1) | Automated System Account Management |
AC-2 (2) | Removal Of Temporary / Emergency Accounts |
AC-2 (3) | Disable Inactive Accounts |
AC-2 (4) | Automated Audit Actions |
AC-2 (10) | Shared / Group Account Credential Termination |
AC-2 (11) | Usage Conditions |
AC-7 | Unsuccessful Logon Attempts |
AU-12 | Audit Generation |
CM-5 (1) | Automated Access Enforcement / Auditing |
CM-6 | Configuration Settings |
IA-2 (1) | Network Access To Privileged Accounts |
IA-2 (2) | Network Access To Non-Privileged Accounts |
IA-2 (3) | Local Access To Privileged Accounts |
IA-2 (4) | Local Access To Non-Privileged Accounts |
IA-2 (5) | Group Authentication |
IA-2 (9) | Network Access To Non-Privileged Accounts - Replay Resistant |
IA-2 (12) | Acceptance Of PIV Credentials |
IA-4 | Identifier Management |
IA-5 (1) | Password-Based Authentication |
IA-5 (2) | PKI-Based Authentication |
IA-8 (1) | Acceptance Of PIV Credentials From Other Agencies |
SI-6 | Security Function Verification |