Check: CNTR-RM-000030
Rancher Government Solutions Multi-Cluster Manager STIG:
CNTR-RM-000030
(in versions v1 r3 through v1 r1)
Title
Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process. (Cat I impact)
Discussion
RBAC Integration and Authn/Authz

Centralized authentication services provide additional functionality fulfilling security requirements:
- Multi-factor authentication, which is compatible with Rancher MCM
- Disabling users after a period of time
- Storage and transmission of secure information is encrypted
- Secure authentication protocols such as LDAP over TLS, or LDAPS using FIPS 140-2 approved encryption modules
- PKI based authentication

Rancher MCM can integrate with external centralized authentication but does not offer a native solution. The authentication mechanism needs to be initially enabled and configured. The proxy authenticates users and forwards their requests to Kubernetes clusters using a service account.

Satisfies: SRG-APP-000023-CTR-000055, SRG-APP-000024-CTR-000060, SRG-APP-000027-CTR-000075, SRG-APP-000029-CTR-000085, SRG-APP-000033-CTR-000095, SRG-APP-000038-CTR-000105, SRG-APP-000065-CTR-000115, SRG-APP-000099-CTR-000190, SRG-APP-000111-CTR-000220, SRG-APP-000118-CTR-000240, SRG-APP-000119-CTR-000245, SRG-APP-000120-CTR-000250, SRG-APP-000121-CTR-000255, SRG-APP-000122-CTR-000260, SRG-APP-000123-CTR-000265, SRG-APP-000126-CTR-000275, SRG-APP-000133-CTR-000310, SRG-APP-000148-CTR-000335, SRG-APP-000148-CTR-000340, SRG-APP-000148-CTR-000345, SRG-APP-000148-CTR-000350, SRG-APP-000149-CTR-000355, SRG-APP-000150-CTR-000360, SRG-APP-000156-CTR-000380, SRG-APP-000163-CTR-000395, SRG-APP-000164-CTR-000400, SRG-APP-000165-CTR-000405, SRG-APP-000166-CTR-000410, SRG-APP-000167-CTR-000415, SRG-APP-000168-CTR-000420, SRG-APP-000169-CTR-000425, SRG-APP-000170-CTR-000430, SRG-APP-000171-CTR-000435, SRG-APP-000172-CTR-000440, SRG-APP-000173-CTR-000445, SRG-APP-000174-CTR-000450, SRG-APP-000177-CTR-000465, SRG-APP-000178-CTR-000470, SRG-APP-000243-CTR-000595, SRG-APP-000317-CTR-000735, SRG-APP-000340-CTR-000770, SRG-APP-000345-CTR-000785, SRG-APP-000378-CTR-000880, SRG-APP-000378-CTR-000885, SRG-APP-000378-CTR-000890, SRG-APP-000380-CTR-000900, SRG-APP-000381-CTR-000905, SRG-APP-000384-CTR-000915, SRG-APP-000319-CTR-000745
Check Content
RBAC Integration and Authn/Authz

View and modify authentication settings through the Rancher MCM UI. Navigate to Triple Bar Symbol (Global) >> Users & Authentication >> Auth Provider. This screen shows the authentication mechanism that is configured.

If no authentication mechanism is configured, or the configured mechanism is disabled, this is a finding.
Fix Text
RBAC Integration and Authn/Authz

Navigate to Triple Bar Symbol (Global) >> Users & Authentication >> Auth Provider. From this screen the authentication mechanism can be selected and configured.

This STIG was written and tested with Keycloak, which is not included with Rancher MCM. Installation instructions for Keycloak can be found here: https://www.keycloak.org/getting-started/getting-started-kube
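The check and fix above are performed through the UI. For assessors who want to evaluate the same condition across many management clusters, the following added example (not part of the STIG and not Rancher's own code) expresses the rule as a script. It assumes that Rancher stores each provider's state in a cluster-scoped AuthConfig object (`authconfigs.management.cattle.io`) with a top-level `enabled` boolean mirroring the Auth Provider toggle, that the built-in provider is named `local`, and that `kubectl` has access to the local (management) cluster. The sample objects in the block are constructed stand-ins for `kubectl get ... -o json` output.

```python
"""Scripted counterpart to the CNTR-RM-000030 check.

Assumptions (this is an added example, not part of the STIG or Rancher):
  * Rancher keeps each auth provider's state in a cluster-scoped
    AuthConfig object (authconfigs.management.cattle.io) whose top-level
    ``enabled`` boolean mirrors the toggle on the Auth Provider screen.
  * The built-in provider is named ``local``; it is not a centralized
    user management solution, so it does not satisfy the rule on its own.
"""
import json
import subprocess
from typing import Any, Dict, Iterable, List

LOCAL_PROVIDER = "local"  # assumed name of Rancher's built-in provider


def evaluate(items: Iterable[Dict[str, Any]]) -> Dict[str, Any]:
    """Apply the STIG rule to a list of AuthConfig objects.

    Returns the enabled provider names, the enabled external (non-local)
    providers, and ``finding`` set when no external provider is enabled.
    A missing ``enabled`` field is treated as disabled, matching the
    "configured or disabled" wording of the check.
    """
    enabled: List[str] = sorted(
        item["metadata"]["name"]
        for item in items
        if item.get("enabled") is True
    )
    external = [name for name in enabled if name != LOCAL_PROVIDER]
    return {
        "finding": not external,
        "enabled": enabled,
        "external": external,
    }


def fetch_authconfigs() -> List[Dict[str, Any]]:
    """Read AuthConfig objects from a live Rancher management cluster.

    Requires kubectl access to the local cluster; the resource name is an
    assumption (see module docstring).
    """
    proc = subprocess.run(
        ["kubectl", "get", "authconfigs.management.cattle.io", "-o", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(proc.stdout)["items"]


# Constructed sample objects standing in for kubectl output.
SAMPLE_NOT_COMPLIANT = [
    {"metadata": {"name": "local"}, "type": "localConfig", "enabled": True},
    {"metadata": {"name": "keycloakoidc"}, "type": "keyCloakOIDCConfig", "enabled": False},
    {"metadata": {"name": "openldap"}, "type": "openLdapConfig"},  # no 'enabled' field
]

SAMPLE_COMPLIANT = [
    {"metadata": {"name": "local"}, "type": "localConfig", "enabled": True},
    {"metadata": {"name": "keycloakoidc"}, "type": "keyCloakOIDCConfig", "enabled": True},
]


def report(result: Dict[str, Any]) -> str:
    """Render the evaluation the way a check script would print it."""
    status = "FINDING" if result["finding"] else "NOT A FINDING"
    return f"{status}: enabled providers = {result['enabled'] or ['none']}"


if __name__ == "__main__":
    for label, sample in (("not compliant", SAMPLE_NOT_COMPLIANT),
                          ("compliant", SAMPLE_COMPLIANT)):
        print(f"[{label}] {report(evaluate(sample))}")
    # Against a real cluster: print(report(evaluate(fetch_authconfigs())))
```

The script only answers the first half of the rule (a centralized provider is enabled); the FIPS-validated SHA-2 requirement for password authentication is a property of the external provider, such as Keycloak, and must be verified in that provider's configuration.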
Additional Identifiers
Rule ID: SV-252843r879522_rule
Vulnerability ID: V-252843
Group Title: SRG-APP-000023-CTR-000055
CCIs
Number | Definition
---|---
CCI-000015 | The organization employs automated mechanisms to support the information system account management functions.
CCI-000016 | The information system automatically removes or disables temporary accounts after an organization-defined time period for each type of account.
CCI-000044 | The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.
CCI-000134 | The information system generates audit records containing information that establishes the outcome of the event.
CCI-000154 | The information system provides the capability to centrally review and analyze audit records from multiple components within the system.
CCI-000162 | The information system protects audit information from unauthorized access.
CCI-000163 | The information system protects audit information from unauthorized modification.
CCI-000164 | The information system protects audit information from unauthorized deletion.
CCI-000187 | The information system, for PKI-based authentication, maps the authenticated identity to the account of the individual or group.
CCI-000192 | The information system enforces password complexity by the minimum number of upper case characters used.
CCI-000193 | The information system enforces password complexity by the minimum number of lower case characters used.
CCI-000194 | The information system enforces password complexity by the minimum number of numeric characters used.
CCI-000195 | The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed.
CCI-000196 | The information system, for password-based authentication, stores only cryptographically-protected passwords.
CCI-000197 | The information system, for password-based authentication, transmits only cryptographically-protected passwords.
CCI-000198 | The information system enforces minimum password lifetime restrictions.
CCI-000199 | The information system enforces maximum password lifetime restrictions.
CCI-000200 | The information system prohibits password reuse for the organization-defined number of generations.
CCI-000205 | The information system enforces minimum password length.
CCI-000206 | The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
CCI-000213 | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
CCI-000764 | The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
CCI-000765 | The information system implements multifactor authentication for network access to privileged accounts.
CCI-000766 | The information system implements multifactor authentication for network access to non-privileged accounts.
CCI-000795 | The organization manages information system identifiers by disabling the identifier after an organization-defined time period of inactivity.
CCI-001090 | The information system prevents unauthorized and unintended information transfer via shared system resources.
CCI-001350 | The information system implements cryptographic mechanisms to protect the integrity of audit information.
CCI-001368 | The information system enforces approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.
CCI-001403 | The information system automatically audits account modification actions.
CCI-001493 | The information system protects audit tools from unauthorized access.
CCI-001494 | The information system protects audit tools from unauthorized modification.
CCI-001495 | The information system protects audit tools from unauthorized deletion.
CCI-001499 | The organization limits privileges to change software resident within software libraries.
CCI-001619 | The information system enforces password complexity by the minimum number of special characters used.
CCI-001734 | The organization defines the restrictions to be followed on the use of open source software.
CCI-001764 | The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.
CCI-001782 | The organization updates the information system component inventory per organization-defined frequency.
CCI-001783 | The organization defines the personnel or roles to be notified when unauthorized hardware, software, and firmware components are detected within the information system.
CCI-001784 | When unauthorized hardware, software, and firmware components are detected within the information system, the organization takes action to disable network access by such components, isolates the components, and/or notifies organization-defined personnel or roles.
CCI-001812 | The information system prohibits user installation of software without explicit privileged status.
CCI-001813 | The information system enforces access restrictions.
CCI-001814 | The information system supports auditing of the enforcement actions.
CCI-001911 | The organization defines the selectable event criteria to be used as the basis for changes to the auditing to be performed on organization-defined information system components, by organization-defined individuals or roles, within organization-defined time thresholds.
CCI-001941 | The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
CCI-002112 | The organization assigns account managers for information system accounts.
CCI-002142 | The information system terminates shared/group account credentials when members leave the group.
CCI-002205 | The information system uniquely identifies and authenticates source by organization, system, application, and/or individual for information transfer.
CCI-002208 | The information system uniquely authenticates destination by organization, system, application, and/or individual for information transfer.
CCI-002235 | The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
CCI-002238 | The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.
Controls
Number | Title
---|---
AC-2 | Account Management
AC-2 (1) | Automated System Account Management
AC-2 (2) | Removal Of Temporary / Emergency Accounts
AC-2 (4) | Automated Audit Actions
AC-2 (10) | Shared / Group Account Credential Termination
AC-3 | Access Enforcement
AC-4 | Information Flow Enforcement
AC-4 (17) | Domain Authentication
AC-6 (10) | Prohibit Non-Privileged Users From Executing Privileged Functions
AC-7 | Unsuccessful Logon Attempts
AU-3 | Content Of Audit Records
AU-6 (4) | Central Review And Analysis
AU-9 | Protection Of Audit Information
AU-9 (3) | Cryptographic Protection
AU-12 (3) | Changes By Authorized Individuals
CM-5 (1) | Automated Access Enforcement / Auditing
CM-5 (6) | Limit Library Privileges
CM-7 (2) | Prevent Program Execution
CM-8 | Information System Component Inventory
CM-8 (3) | Automated Unauthorized Component Detection
CM-10 (1) | Open Source Software
CM-11 (2) | Prohibit Installation Without Privileged Status
IA-2 | Identification And Authentication (Organizational Users)
IA-2 (1) | Network Access To Privileged Accounts
IA-2 (2) | Network Access To Non-Privileged Accounts
IA-2 (8) | Network Access To Privileged Accounts - Replay Resistant
IA-4 | Identifier Management
IA-5 (1) | Password-Based Authentication
IA-5 (2) | PKI-Based Authentication
IA-6 | Authenticator Feedback
SC-4 | Information In Shared Resources