Check: CNTR-RM-000030
Rancher Government Solutions Multi-Cluster Manager STIG:
CNTR-RM-000030
(in versions v2 r1 through v1 r1)
Title
Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process. (Cat I impact)
Discussion
RBAC Integration and Authn/Authz

Centralized authentication services provide additional functionality fulfilling security requirements:
- Multi-factor authentication, which is compatible with Rancher MCM.
- Disabling users after a period of time.
- Encrypted storage and transmission of secure information.
- Secure authentication protocols such as LDAP over TLS, or LDAPS using FIPS 140-2 approved encryption modules.
- PKI-based authentication.

Rancher MCM can integrate with an external centralized authentication provider but does not offer a native centralized solution. The authentication mechanism needs to be initially enabled and configured. Once configured, the Rancher authentication proxy authenticates users and forwards their requests to the managed Kubernetes clusters using a service account.

Satisfies: SRG-APP-000023-CTR-000055, SRG-APP-000024-CTR-000060, SRG-APP-000027-CTR-000075, SRG-APP-000029-CTR-000085, SRG-APP-000033-CTR-000095, SRG-APP-000038-CTR-000105, SRG-APP-000065-CTR-000115, SRG-APP-000099-CTR-000190, SRG-APP-000111-CTR-000220, SRG-APP-000118-CTR-000240, SRG-APP-000119-CTR-000245, SRG-APP-000120-CTR-000250, SRG-APP-000121-CTR-000255, SRG-APP-000122-CTR-000260, SRG-APP-000123-CTR-000265, SRG-APP-000126-CTR-000275, SRG-APP-000133-CTR-000310, SRG-APP-000148-CTR-000335, SRG-APP-000148-CTR-000340, SRG-APP-000148-CTR-000345, SRG-APP-000148-CTR-000350, SRG-APP-000149-CTR-000355, SRG-APP-000150-CTR-000360, SRG-APP-000156-CTR-000380, SRG-APP-000163-CTR-000395, SRG-APP-000164-CTR-000400, SRG-APP-000165-CTR-000405, SRG-APP-000166-CTR-000410, SRG-APP-000167-CTR-000415, SRG-APP-000168-CTR-000420, SRG-APP-000169-CTR-000425, SRG-APP-000170-CTR-000430, SRG-APP-000171-CTR-000435, SRG-APP-000172-CTR-000440, SRG-APP-000173-CTR-000445, SRG-APP-000174-CTR-000450, SRG-APP-000177-CTR-000465, SRG-APP-000178-CTR-000470, SRG-APP-000243-CTR-000595, SRG-APP-000317-CTR-000735, SRG-APP-000340-CTR-000770, SRG-APP-000345-CTR-000785, SRG-APP-000378-CTR-000880, SRG-APP-000378-CTR-000885, SRG-APP-000378-CTR-000890, SRG-APP-000380-CTR-000900, SRG-APP-000381-CTR-000905, SRG-APP-000384-CTR-000915, SRG-APP-000319-CTR-000745
Check Content
RBAC Integration and Authn/Authz

View and modify authentication settings through the Rancher MCM UI. Navigate to the Triple Bar Symbol (Global) >> Users & Authentication >> Auth Provider. This screen shows the authentication mechanism that is configured.

If no authentication mechanism is configured, or the configured mechanism is disabled, this is a finding.
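The UI check above can also be scripted, which is useful when many Rancher instances have to be audited or when the result should feed a compliance pipeline. Rancher persists each authentication provider as a cluster-scoped AuthConfig object (`authconfigs.management.cattle.io`) in the Rancher management ("local") cluster, and each object carries a top-level `enabled` flag. Rancher's built-in `local` provider is its internal user database, not a centralized user management solution, so it is excluded when deciding whether the requirement is met. The example below is added here and is not part of the STIG or of Rancher; it assumes a kubeconfig with read access to the management cluster for the `--live` mode, and the embedded AuthConfig objects are constructed samples shaped like `kubectl get authconfigs.management.cattle.io -o json` output.

```python
"""Scripted version of the CNTR-RM-000030 Auth Provider check (added example).

Assumes: AuthConfig objects (authconfigs.management.cattle.io) expose a
top-level ``enabled`` boolean and a ``type`` string, and the object named
``local`` is Rancher's built-in user database.
"""
import json
import subprocess
import sys

# Rancher's internal user database; not a centralized solution for this check.
LOCAL_PROVIDER = "local"


def load_authconfigs_live() -> list:
    """Fetch AuthConfig objects from the Rancher management cluster via kubectl.

    Requires a kubeconfig whose current context points at the local cluster.
    """
    proc = subprocess.run(
        ["kubectl", "get", "authconfigs.management.cattle.io", "-o", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(proc.stdout)["items"]


def enabled_external_providers(items: list) -> list:
    """Names of AuthConfig objects that are enabled and are not ``local``.

    Providers that were never configured may omit ``enabled`` entirely;
    treat a missing flag as disabled.
    """
    return sorted(
        item["metadata"]["name"]
        for item in items
        if item.get("enabled", False) and item["metadata"]["name"] != LOCAL_PROVIDER
    )


def evaluate(items: list) -> dict:
    """Apply the check: a finding unless at least one external provider is
    configured and enabled."""
    providers = enabled_external_providers(items)
    return {"finding": not providers, "enabled_external_providers": providers}


# Constructed sample (not real output): Keycloak enabled, Okta present but
# disabled, local enabled. Expected result: not a finding.
SAMPLE_COMPLIANT = [
    {"apiVersion": "management.cattle.io/v3", "kind": "AuthConfig",
     "metadata": {"name": "local"}, "type": "localConfig", "enabled": True},
    {"apiVersion": "management.cattle.io/v3", "kind": "AuthConfig",
     "metadata": {"name": "keycloak"}, "type": "keyCloakConfig", "enabled": True},
    {"apiVersion": "management.cattle.io/v3", "kind": "AuthConfig",
     "metadata": {"name": "okta"}, "type": "oktaConfig", "enabled": False},
]

# Constructed sample: only the local database is enabled. Expected: finding.
SAMPLE_FINDING = [
    {"apiVersion": "management.cattle.io/v3", "kind": "AuthConfig",
     "metadata": {"name": "local"}, "type": "localConfig", "enabled": True},
    {"apiVersion": "management.cattle.io/v3", "kind": "AuthConfig",
     "metadata": {"name": "keycloak"}, "type": "keyCloakConfig"},
]


if __name__ == "__main__":
    # Pass --live to query a real management cluster; otherwise use the sample.
    items = load_authconfigs_live() if "--live" in sys.argv else SAMPLE_COMPLIANT
    result = evaluate(items)
    status = "FINDING" if result["finding"] else "NOT A FINDING"
    print(f"CNTR-RM-000030: {status}; enabled external providers: "
          f"{result['enabled_external_providers'] or 'none'}")
    sys.exit(1 if result["finding"] else 0)
```

The script exits non-zero on a finding so it can gate a pipeline stage. It only confirms that an external provider is enabled; whether that provider actually enforces MFA, lockout and password policy is verified on the provider itself (Keycloak in this STIG's test environment).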
Fix Text
RBAC Integration and Authn/Authz

Navigate to the Triple Bar Symbol (Global) >> Users & Authentication >> Auth Provider. From this screen the authentication mechanism can be selected and configured.

This STIG was written and tested with Keycloak, which is not included with Rancher MCM. Installation instructions for Keycloak can be found here: https://www.keycloak.org/getting-started/getting-started-kube
Additional Identifiers
Rule ID: SV-252843r1015788_rule
Vulnerability ID: V-252843
Group Title: SRG-APP-000023-CTR-000055
CCIs
Number | Definition |
---|---|
CCI-000015 | Support the management of system accounts using organization-defined automated mechanisms. |
CCI-000016 | Automatically remove or disable temporary and emergency accounts after an organization-defined time-period for each type of account. |
CCI-000044 | Enforce the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period. |
CCI-000134 | Ensure that audit records contain information that establishes the outcome of the event. |
CCI-000154 | Provide the capability to centrally review and analyze audit records from multiple components within the system. |
CCI-000162 | Protect audit information from unauthorized access. |
CCI-000163 | Protect audit information from unauthorized modification. |
CCI-000164 | Protect audit information from unauthorized deletion. |
CCI-000187 | For public key-based authentication, map the authenticated identity to the account of the individual or group. |
CCI-000192 | The information system enforces password complexity by the minimum number of upper case characters used. |
CCI-000193 | The information system enforces password complexity by the minimum number of lower case characters used. |
CCI-000194 | The information system enforces password complexity by the minimum number of numeric characters used. |
CCI-000195 | The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed. |
CCI-000196 | The information system, for password-based authentication, stores only cryptographically-protected passwords. |
CCI-000197 | For password-based authentication, transmit passwords only over cryptographically-protected channels. |
CCI-000198 | The information system enforces minimum password lifetime restrictions. |
CCI-000199 | The information system enforces maximum password lifetime restrictions. |
CCI-000200 | The information system prohibits password reuse for the organization-defined number of generations. |
CCI-000205 | The information system enforces minimum password length. |
CCI-000206 | Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals. |
CCI-000213 | Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
CCI-000764 | Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. |
CCI-000765 | Implement multifactor authentication for access to privileged accounts. |
CCI-000766 | Implement multifactor authentication for access to non-privileged accounts. |
CCI-000795 | The organization manages information system identifiers by disabling the identifier after an organization-defined time period of inactivity. |
CCI-001090 | Prevent unauthorized and unintended information transfer via shared system resources. |
CCI-001350 | Implement cryptographic mechanisms to protect the integrity of audit information. |
CCI-001368 | Enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies. |
CCI-001403 | Automatically audit account modification actions. |
CCI-001493 | Protect audit tools from unauthorized access. |
CCI-001494 | Protect audit tools from unauthorized modification. |
CCI-001495 | Protect audit tools from unauthorized deletion. |
CCI-001499 | Limit privileges to change software resident within software libraries. |
CCI-001619 | The information system enforces password complexity by the minimum number of special characters used. |
CCI-001734 | Defines the restrictions to be followed on the use of open source software. |
CCI-001764 | Prevent program execution in accordance with organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions; rules authorizing the terms and conditions of software program usage. |
CCI-001782 | The organization updates the information system component inventory per organization-defined frequency. |
CCI-001783 | Defines the personnel or roles to be notified when unauthorized hardware, software, and firmware components are detected within the system. |
CCI-001784 | When unauthorized hardware, software, and firmware components are detected within the system, the organization takes action to disable network access by such components, isolates the components, and/or notifies organization-defined personnel or roles. |
CCI-001812 | The information system prohibits user installation of software without explicit privileged status. |
CCI-001813 | Enforce access restrictions using organization-defined mechanisms. |
CCI-001814 | The information system supports auditing of the enforcement actions. |
CCI-001911 | Defines the selectable event criteria to be used as the basis for changes to the auditing to be performed on organization-defined system components, by organization-defined individuals or roles, within organization-defined time thresholds. |
CCI-001941 | Implement replay-resistant authentication mechanisms for access to privileged accounts and/or non-privileged accounts. |
CCI-002112 | Assign account managers. |
CCI-002142 | The information system terminates shared/group account credentials when members leave the group. |
CCI-002205 | Uniquely identify and authenticate source by organization, system, application, service, and/or individual for information transfer. |
CCI-002208 | The information system uniquely authenticates destination by organization, system, application, and/or individual for information transfer. |
CCI-002235 | Prevent non-privileged users from executing privileged functions. |
CCI-002238 | Automatically lock the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded. |
CCI-003627 | Disable accounts when the accounts have expired. |
CCI-003938 | Automatically generate audit records of the enforcement actions. |
CCI-003980 | Allow user installation of software only with explicit privileged status. |
CCI-004045 | Require users to be individually authenticated before granting access to the shared accounts or resources. |
CCI-004061 | For password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a). |
CCI-004062 | For password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash. |
CCI-004066 | For password-based authentication, enforce organization-defined composition and complexity rules. |
Controls
Number | Title |
---|---|
AC-2 | Account Management |
AC-2(1) | Automated System Account Management |
AC-2(2) | Removal of Temporary / Emergency Accounts |
AC-2(4) | Automated Audit Actions |
AC-2(10) | Shared / Group Account Credential Termination |
AC-3 | Access Enforcement |
AC-4 | Information Flow Enforcement |
AC-4(17) | Domain Authentication |
AC-6(10) | Prohibit Non-privileged Users from Executing Privileged Functions |
AC-7 | Unsuccessful Logon Attempts |
AU-3 | Content of Audit Records |
AU-6(4) | Central Review and Analysis |
AU-9 | Protection of Audit Information |
AU-9(3) | Cryptographic Protection |
AU-12(3) | Changes by Authorized Individuals |
CM-5(1) | Automated Access Enforcement / Auditing |
CM-5(6) | Limit Library Privileges |
CM-7(2) | Prevent Program Execution |
CM-8 | Information System Component Inventory |
CM-8(3) | Automated Unauthorized Component Detection |
CM-10(1) | Open Source Software |
CM-11(2) | Prohibit Installation Without Privileged Status |
IA-2 | Identification and Authentication (Organizational Users) |
IA-2(1) | Network Access to Privileged Accounts |
IA-2(2) | Network Access to Non-privileged Accounts |
IA-2(8) | Network Access to Privileged Accounts - Replay Resistant |
IA-4 | Identifier Management |
IA-5(1) | Password-based Authentication |
IA-5(2) | PKI-based Authentication |
IA-6 | Authenticator Feedback |
SC-4 | Information in Shared Resources |