From 3c4fd68974e367f39cf1e8256da5e0dbb38c118e Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Tue, 17 Feb 2026 09:29:44 -0600 Subject: [PATCH 1/2] Add ITSAR NFV section 1 controls ITSAR has a benchmark for NFV functionality, which is applicable to OpenShift and RHCOS. Let's build out those profiles section by section, starting with section 1. Despite it being labeled as section 1, the controls are indexed at 2. --- controls/itsar_nfv.yml | 9 ++ controls/itsar_nfv/section-2.yml | 112 ++++++++++++++++++ .../ocp4/profiles/itsar-nfv-v2-0-0.profile | 18 +++ products/ocp4/profiles/itsar-nfv.profile | 17 +++ .../rhcos4/profiles/itsar-nfv-v2-0-0.profile | 18 +++ products/rhcos4/profiles/itsar-nfv.profile | 17 +++ 6 files changed, 191 insertions(+) create mode 100644 controls/itsar_nfv.yml create mode 100644 controls/itsar_nfv/section-2.yml create mode 100644 products/ocp4/profiles/itsar-nfv-v2-0-0.profile create mode 100644 products/ocp4/profiles/itsar-nfv.profile create mode 100644 products/rhcos4/profiles/itsar-nfv-v2-0-0.profile create mode 100644 products/rhcos4/profiles/itsar-nfv.profile
diff --git a/controls/itsar_nfv.yml b/controls/itsar_nfv.yml
new file mode 100644
index 000000000000..bc6d515ef978
--- /dev/null
+++ b/controls/itsar_nfv.yml
@@ -0,0 +1,9 @@
+---
+policy: ITSAR NFV
+title: ITSAR NFV
+id: itsar_nfv
+source: ''
+
+product:
+ - ocp4
+ - rhcos4
diff --git a/controls/itsar_nfv/section-2.yml b/controls/itsar_nfv/section-2.yml
new file mode 100644
index 000000000000..366c3826e06a
--- /dev/null
+++ b/controls/itsar_nfv/section-2.yml
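Review bot: `source: ''` in the new controls/itsar_nfv.yml leaves the policy without any pointer to the benchmark text, while every profile in this series sets `reference: https://nccs.gov.in/home/itsars`; set `source: https://nccs.gov.in/home/itsars` (or the direct ITSAR NFV document URL) so the control file is self-describing and the two do not drift. The `policy`/`title` values carry no version although the profiles pin `V2.0.0`; if this control file is meant to track a specific benchmark revision, carrying the version in `title` (or the `id`) would keep the two in step.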
@@ -0,0 +1,112 @@
+---
+controls:
+ - id: '2'
+ title: System Management
+ status: automated
+ rules: []
+ controls:
+ - id: '2.1'
+ title: Access and Authorization
+ status: pending
+ rules: []
+ controls:
+ - id: 2.1.1
+ title: Ensure mutual authentication is enabled for system management interfaces
+ status: automated
+ rules:
+ - api_server_client_ca
+ - api_server_kubelet_client_cert
+ - etcd_client_cert_auth
+ - etcd_peer_client_cert_auth
+ - kubelet_configure_client_ca
+ - id: 2.1.2
+ title: Management Traffic Protection
+ status: automated
+ rules:
+ - api_server_tls_security_profile
+ - api_server_tls_security_profile_not_old
+ - api_server_tls_security_profile_custom_min_tls_version
+ - api_server_tls_cipher_suites
+ - api_server_tls_cert
+ - api_server_tls_private_key
+ - api_server_https_for_kubelet_conn
+ - api_server_insecure_port
+ - api_server_insecure_bind_address
+ - kubelet_configure_tls_min_version
+ - kubelet_configure_tls_cipher_suites
+ - etcd_cert_file
+ - etcd_key_file
+ - etcd_peer_cert_file
+ - etcd_peer_key_file
+ - etcd_auto_tls
+ - etcd_peer_auto_tls
+ - etcd_check_cipher_suite
+ - id: 2.1.3
+ title: Role-Based Access Control (RBAC) Policy
+ status: automated
+ rules:
+ - api_server_auth_mode_rbac
+ - rbac_least_privilege
+ - rbac_cluster_roles_defined
+ - rbac_roles_defined
+ - rbac_limit_cluster_admin
+ - rbac_wildcard_use
+ - id: 2.1.4
+ title: User Authentication
+ status: automated
+ rules:
+ - idp_is_configured
+ - ocp_idp_no_htpasswd
+ - kubeadmin_removed
+ - ocp_no_ldap_insecure
+ - api_server_token_auth
+ - api_server_basic_auth
+ - accounts_unique_service_account
+ - accounts_restrict_service_account_tokens
+ - controller_use_service_account
+ - api_server_service_account_lookup
+ - id: 2.1.5
+ title: Remote Login Restrictions for Privileged Users
+ status: automated
+ rules:
+ - sshd_disable_root_login
+ - no_direct_root_logins
+ - id: 2.1.6
+ title: Authorization Policy
+ status: automated
+ rules:
+ - scc_limit_privileged_containers
+ - scc_limit_root_containers
+ - scc_limit_privilege_escalation
+ - scc_limit_host_dir_volume_plugin
+ - scc_drop_container_capabilities
+ - scc_limit_container_allowed_capabilities
+ - scc_limit_net_raw_capability
+ - scc_limit_ipc_namespace
+ - scc_limit_network_namespace
+ - scc_limit_process_id_namespace
+ - scc_limit_host_ports
+ - id: 2.1.7
+ title: Unambiguous Identification of the User & Group Accounts Removal
+ status: automated
+ rules:
+ - idp_is_configured
+ - ocp_idp_no_htpasswd
+ - kubeadmin_removed
+ - accounts_unique_service_account
+ - accounts_no_clusterrolebindings_default_service_account
+ - accounts_no_rolebindings_default_service_account
+ - audit_logging_enabled
+ - audit_profile_set
+ - id: 2.1.8
+ title: Out of Band Management
+ status: partial
+ notes: |-
+ This is an infrastructure-level control. Verify that the
+ Kubernetes API server and OpenShift Console are accessible
+ only through a private management network or a secure VPN
+ tunnel that enforces MFA.
+ rules:
+ - configure_network_policies
+ - configure_network_policies_namespaces
+ - project_config_and_template_network_policy
diff --git a/products/ocp4/profiles/itsar-nfv-v2-0-0.profile b/products/ocp4/profiles/itsar-nfv-v2-0-0.profile
new file mode 100644
index 000000000000..9596140f3a61
--- /dev/null
+++ b/products/ocp4/profiles/itsar-nfv-v2-0-0.profile
@@ -0,0 +1,18 @@
+---
+documentation_complete: true
+
+title: 'ITSAR NFV for Red Hat OpenShift Container Platform 4'
+
+platform: ocp4
+
+reference: https://nccs.gov.in/home/itsars
+
+metadata:
+ version: V2.0.0
+
+description: |-
+ This profile defines a baseline that aligns to the ITSAR NFV
+ requirements for Red Hat OpenShift Container Platform 4.
+
+selections:
+ - itsar_nfv:all
diff --git a/products/ocp4/profiles/itsar-nfv.profile b/products/ocp4/profiles/itsar-nfv.profile
new file mode 100644
index 000000000000..c4c044df71a2
--- /dev/null
+++ b/products/ocp4/profiles/itsar-nfv.profile
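Review bot: Control `'2'` is `status: automated` with `rules: []`, while the sibling group `'2.1'`, also with an empty rule list, is `status: pending`; a grouping node with no rules of its own should not roll up as automated, so `status: pending` on `2` (or whatever the project uses for parent groups) keeps the two consistent. In 2.1.8 the three `configure_network_policies*` rules only govern pod-to-pod traffic inside the cluster SDN and say nothing about whether the API server or console endpoint is reachable from an untrusted network, so the notes should make clear they are supporting evidence only, e.g. `NetworkPolicy rules constrain in-cluster traffic only; restrict external reachability of the API server and console at the load balancer or firewall.` 2.1.5 covers privileged remote login with node SSH rules alone (`sshd_disable_root_login`, `no_direct_root_logins`); if the ITSAR requirement also reaches administrative API access, `kubeadmin_removed` and `rbac_limit_cluster_admin` would belong here as well — hedged, since the benchmark text is not in the diff.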
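Review bot: `documentation_complete: true` is set on products/ocp4/profiles/itsar-nfv-v2-0-0.profile while the selected control file covers only the first benchmark section (the commit message says the profiles are being built out section by section), so the profile will be published as complete and the description `This profile defines a baseline that aligns to the ITSAR NFV requirements` overstates what is actually evaluated. Until the remaining sections land, `documentation_complete: false` or a description line such as `Currently covers ITSAR NFV section 1 (System Management) only.` tells consumers which requirements the scan really checks.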
@@ -0,0 +1,17 @@
+---
+documentation_complete: true
+
+title: 'ITSAR NFV for Red Hat OpenShift Container Platform 4'
+
+platform: ocp4
+
+reference: https://nccs.gov.in/home/itsars
+
+metadata:
+ version: V2.0.0
+
+description: |-
+ This profile defines a baseline that aligns to the ITSAR NFV
+ requirements for Red Hat OpenShift Container Platform 4.
+
+extends: itsar-nfv-v2-0-0
diff --git a/products/rhcos4/profiles/itsar-nfv-v2-0-0.profile b/products/rhcos4/profiles/itsar-nfv-v2-0-0.profile
new file mode 100644
index 000000000000..15a4534159c8
--- /dev/null
+++ b/products/rhcos4/profiles/itsar-nfv-v2-0-0.profile
@@ -0,0 +1,18 @@
+---
+documentation_complete: true
+
+title: 'ITSAR NFV for Red Hat Enterprise Linux CoreOS 4'
+
+platform: rhcos4
+
+reference: https://nccs.gov.in/home/itsars
+
+metadata:
+ version: V2.0.0
+
+description: |-
+ This profile defines a baseline that aligns to the ITSAR NFV
+ requirements for Red Hat Enterprise Linux CoreOS 4.
+
+selections:
+ - itsar_nfv:all
diff --git a/products/rhcos4/profiles/itsar-nfv.profile b/products/rhcos4/profiles/itsar-nfv.profile
new file mode 100644
index 000000000000..14ba8b3e60f4
--- /dev/null
+++ b/products/rhcos4/profiles/itsar-nfv.profile
@@ -0,0 +1,17 @@
+---
+documentation_complete: true
+
+title: 'ITSAR NFV for Red Hat Enterprise Linux CoreOS 4'
+
+platform: rhcos4
+
+reference: https://nccs.gov.in/home/itsars
+
+metadata:
+ version: V2.0.0
+
+description: |-
+ This profile defines a baseline that aligns to the ITSAR NFV
+ requirements for Red Hat Enterprise Linux CoreOS 4.
+
+extends: itsar-nfv-v2-0-0
From 6a4f714c307d871e836a5d940826c2f4391c2a43 Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Tue, 17 Feb 2026 11:58:13 -0600 Subject: [PATCH 2/2] Add ITSAR NFV section 2 controls This commit adds the rules for authentication attribute management (IAM-like) controls. --- controls/itsar_nfv/section-2.yml | 122 +++++++++++++++++++++++++++++++ 1 file changed, 122 insertions(+)
diff --git a/controls/itsar_nfv/section-2.yml b/controls/itsar_nfv/section-2.yml
index 366c3826e06a..380890f02b87 100644
--- a/controls/itsar_nfv/section-2.yml
+++ b/controls/itsar_nfv/section-2.yml
@@ -110,3 +110,125 @@ controls:
 - configure_network_policies
 - configure_network_policies_namespaces
 - project_config_and_template_network_policy
+ - id: '2.2'
+ title: Authentication Attribute Management
+ status: pending
+ rules: []
+ controls:
+ - id: 2.2.1
+ title: Authentication Policy
+ status: partial
+ notes: |-
+ OpenShift delegates authentication to an external Identity
+ Provider. The automated rules verify that an MFA-capable
+ IdP is configured and that weak single-factor methods
+ (htpasswd, basic-auth, static tokens) are disabled.
+ However, actual MFA enforcement must be verified at the
+ IdP level (e.g., Keycloak, Okta, Active Directory). For
+ machine accounts, ServiceAccount tokens satisfy the
+ single-attribute requirement.
+ rules:
+ - idp_is_configured
+ - ocp_idp_no_htpasswd
+ - kubeadmin_removed
+ - ocp_no_ldap_insecure
+ - api_server_token_auth
+ - api_server_basic_auth
+ - id: 2.2.2
+ title: Authentication Support - External
+ status: automated
+ rules:
+ - ocp_no_ldap_insecure
+ - id: 2.2.3
+ title: Protection against Brute Force and Dictionary Attacks
+ status: partial
+ notes: |-
+ Brute force and dictionary attack protections are primarily
+ enforced at the Identity Provider level. The automated rule
+ ensures an IdP capable of account lockout is used instead of
+ htpasswd. Verify that the external IdP is configured with at
+ least two countermeasures such as account lockout after failed
+ attempts, login delays, or password blacklists.
+ rules:
+ - ocp_idp_no_htpasswd
+ - id: 2.2.4
+ title: Enforce Strong Password
+ status: partial
+ notes: |-
+ Password complexity is primarily enforced at the Identity
+ Provider level. The automated rules ensure Kubernetes
+ Secrets are encrypted at rest in etcd and that node-level
+ password storage uses strong hashing. Verify that the
+ external IdP enforces minimum length, character class,
+ and password history requirements.
+ rules:
+ - api_server_encryption_provider_cipher
+ - no_empty_passwords
+ - id: 2.2.5
+ title: Inactive Session Timeout
+ status: automated
+ rules:
+ - oauth_inactivity_timeout
+ - oauthclient_inactivity_timeout
+ - oauth_or_oauthclient_inactivity_timeout
+ - oauth_token_maxage
+ - oauthclient_token_maxage
+ - oauth_or_oauthclient_token_maxage
+ - sshd_set_idle_timeout
+ - sshd_set_keepalive
+ - id: 2.2.6
+ title: Password Changes
+ status: manual
+ notes: |-
+ Password change enforcement, expiration, and history are
+ functions of the external Identity Provider. Verify that
+ the IdP linked to OpenShift enforces password changes on
+ initial login and upon expiry, and prevents reuse of at
+ least the last 3 passwords. Kubernetes does not track
+ password history.
+ rules: []
+ - id: 2.2.7
+ title: Protected Authentication Feedback
+ status: inherently met
+ notes: |-
+ Password masking is inherent behavior in OpenShift and
+ Linux. The OpenShift Console, oc CLI, and node-level
+ authentication commands (passwd, login, sudo) all
+ obscure password input using system calls that do not
+ echo characters to the terminal. This cannot be
+ misconfigured.
+ rules: []
+ - id: 2.2.8
+ title: Removal of Predefined or Default Authentication Attributes
+ status: automated
+ rules:
+ - kubeadmin_removed
+ - id: 2.2.9
+ title: Logout Function
+ status: automated
+ rules:
+ - oauth_logout_url_set
+ - id: 2.2.10
+ title: Policy Regarding Consecutive Failed Login Attempts
+ status: partial
+ notes: |-
+ Account lockout after failed login attempts is enforced
+ at the Identity Provider level. The automated rule
+ ensures an IdP capable of account lockout is used.
+ Verify that the external IdP locks accounts after no
+ more than 8 consecutive failed attempts, with a
+ recommended default of 5.
+ rules:
+ - ocp_idp_no_htpasswd
+ - id: 2.2.11
+ title: Suspend Accounts on Non-Use
+ status: partial
+ notes: |-
+ Account suspension after non-use is primarily managed
+ by the external Identity Provider. The automated rule
+ enforces account disabling on RHCOS nodes after
+ password expiration inactivity. Verify that the IdP
+ linked to OpenShift is configured to suspend accounts
+ after a defined period without valid login.
+ rules:
+ - account_disable_post_pw_expiration
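Review bot: `ocp_idp_no_htpasswd` is the only rule behind 2.2.3 and 2.2.10 (and 2.2.2 relies solely on `ocp_no_ldap_insecure`), yet a cluster with no identity provider configured at all passes those checks, which is the opposite of what the notes claim ("ensures an IdP capable of account lockout is used"); pair them with `idp_is_configured`, as 2.2.1 already does, so the automated portion at least proves an external IdP exists. The 2.2.4 notes say the rules ensure "node-level password storage uses strong hashing", but `no_empty_passwords` only rejects empty password fields and `api_server_encryption_provider_cipher` concerns etcd encryption, not password strength — either add a hashing-algorithm rule if one is available for rhcos4 or reword to `The automated rules only verify that no node account has an empty password and that Secrets are encrypted at rest in etcd.` In 2.2.5, listing `oauth_inactivity_timeout`, `oauthclient_inactivity_timeout` and `oauth_or_oauthclient_inactivity_timeout` together (likewise the three `token_maxage` rules) appears to demand both the global and the per-client setting even though the `_or_` variant exists to accept either; if requiring both is not intended, keep only the `_or_` rules. The 2.2.7 assertion `This cannot be misconfigured.` is too strong, since `oc login -p`/`--token` on the command line still lands in shell history and process listings; softening it to a statement about interactive password prompts would be more defensible for an `inherently met` status.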