    • Type: Sub-task
    • Resolution: Unresolved
    • Priority: Major
    • Sprint: OAPE Sprint 277

      Use the following guidelines for performing a container security assessment:

      • Choose minimal base images to reduce the attack surface of the container
      • Create a dedicated user and group on the image, with minimal permissions to run the application
      • Sign and verify images to mitigate man-in-the-middle attacks
      • Scan images for known vulnerabilities
      • Harden container images, daemons, and the host environment
      • Create separate virtual networks for the containers to segregate them by data sensitivity
      • Do not store secrets in containers
      • Ensure that containers are stateless and immutable
      • Do not run container processes as root
      • Monitor user activity around the container ecosystem
      • Configure resource quotas on a per-container basis
      • Capture host and container logs
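
      One way to turn several of these guidelines into an automated assessment check, as an added example that is not part of this task or of SD Elements: a small Dockerfile linter covering the minimal-base, pinned-and-verifiable-image, no-secrets and non-root guidelines. The finding ids, the sample Dockerfiles, the credential-name pattern and the sha256 digest placeholder are all constructed for illustration.

```python
"""Lint a Dockerfile against some of the container-assessment guidelines.
Added example; finding ids, sample Dockerfiles and the digest are constructed."""
import re

FINDINGS = {  # constructed finding ids -> guideline they map to
    "ROOT_USER": "no effective USER directive: process runs as root",
    "UNPINNED_BASE": "base image not pinned by digest, so it cannot be verified",
    "LARGE_BASE": "full-distribution base image increases attack surface",
    "SECRET_IN_IMAGE": "credential baked into the image via ENV or ARG",
}
FULL_DISTROS = ("ubuntu", "debian", "centos", "fedora")  # constructed list
SECRET_NAME = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY)", re.IGNORECASE)


def parse_instructions(dockerfile: str):
    """Yield (INSTRUCTION, argument) pairs; joins backslash continuations,
    skips comments and blank lines."""
    joined = re.sub(r"\\\n", " ", dockerfile)
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, arg = line.partition(" ")
        yield instr.upper(), arg.strip()


def assess(dockerfile: str) -> list[str]:
    """Return the sorted finding ids for one Dockerfile (all build stages)."""
    found = set()
    has_user = False  # tracks the *last* USER directive, which is the one in effect
    for instr, arg in parse_instructions(dockerfile):
        if instr == "FROM":
            image = arg.split()[0]  # drop "AS <stage>"
            if image != "scratch" and "@sha256:" not in image:
                found.add("UNPINNED_BASE")
            name = image.split("@")[0].rsplit("/", 1)[-1].split(":")[0]
            if name in FULL_DISTROS:
                found.add("LARGE_BASE")
        elif instr == "USER":
            has_user = arg not in ("root", "0")
        elif instr in ("ENV", "ARG") and SECRET_NAME.search(arg):
            found.add("SECRET_IN_IMAGE")
    if not has_user:
        found.add("ROOT_USER")
    return sorted(found)


# Constructed sample Dockerfiles: one violating the guidelines, one following them.
WEAK = "FROM ubuntu:22.04\nENV DB_PASSWORD=hunter2\nCMD [\"python3\", \"app.py\"]\n"
HARDENED = ("FROM registry.example/minimal/python@sha256:" + "0" * 64 + "\n"
            "RUN addgroup -S app && adduser -S -G app app\nUSER app\n"
            "CMD [\"python\", \"/app/app.py\"]\n")
```

      Run `assess(WEAK)` and `assess(HARDENED)` to see the four findings on the first and none on the second; a trailing `USER root` after `USER app` is still reported as ROOT_USER because the last directive wins.
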

      FedRAMP / Moderate Baseline

      RA-1: Risk Assessment | Risk Assessment Policy And Procedures
      The organization:

      a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:

      1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and

      b. Reviews and updates the current:

      1. Risk assessment policy [at least every 3 years]; and
      2. Risk assessment procedures [at least annually].

      RA-2: Risk Assessment | Security Categorization
      The organization:

      a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

      b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and

      c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.

      RA-3: Risk Assessment | Risk Assessment
      The organization:

      a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;

      b. Documents risk assessment results in [security assessment report];

      c. Reviews risk assessment results [at least every three (3) years or when a significant change occurs];

      d. Disseminates risk assessment results to [to include all Authorizing Officials and FedRAMP ISSOs]; and

      e. Updates the risk assessment [at least every three (3) years or when a significant change occurs] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

      Imported from SD Elements: https://redhat.sdelements.com/bunits/psse-secure-development/group-3-supporting-and-tooling-offering/openshift-zero-trust-workload-identity-manager/tasks/phase/requirements/311-T1917/

      Training Modules

      Defending Containers
      Secure Software Design

              rh-ee-aagnihot Anirudh Agnihotri
              sdelements Jira-SD-Elements-Integration Bot