STIGQter: STIG Summary: Container Platform Security Requirements Guide Version: 1 Release: 1 Benchmark Date: 20 Nov 2020:

The container platform registry must remove old container images after updating versions have been made available.

DISA Rule

SV-233231r599707_rule

Vulnerability Number

V-233231

Group Title

SRG-APP-000454

Rule Version

SRG-APP-000454-CTR-001115

Severity

CAT II

CCI(s)

• CCI-002617 - The organization removes organization-defined software components (e.g., previous versions) after updated versions have been installed.

Weight

10

Fix Recommendation

Configure the container platform registry to update organization-defined images with current approved vendor version and remove obsolete images after updated versions have been installed. Configure the container platform runtime to execute latest organization-defined images from the container platform registry.

Check Contents

Review container platform registry documentation and configuration to determine if organization-defined images contains latest approved vendor software image version.

If organization-defined images do not contain the latest approved vendor software image version, this is a finding.

Review container platform registry documentation and configuration to determine if organization-defined images are removed after updated versions have been installed.

If organization-defined images are not removed after updated versions have been installed, this is a finding.

Review container platform runtime documentation and configuration to determine if organization-defined images are executing latest image version from the container registry.

If container platform runtime is not executing latest organization-defined images from the container platform registry, this is a finding.

Vulnerability Number

V-233231

Documentable

False

Rule Version

SRG-APP-000454-CTR-001115

Severity Override Guidance

Review container platform registry documentation and configuration to determine if organization-defined images contains latest approved vendor software image version.

If organization-defined images do not contain the latest approved vendor software image version, this is a finding.

Review container platform registry documentation and configuration to determine if organization-defined images are removed after updated versions have been installed.

If organization-defined images are not removed after updated versions have been installed, this is a finding.

Review container platform runtime documentation and configuration to determine if organization-defined images are executing latest image version from the container registry.

If container platform runtime is not executing latest organization-defined images from the container platform registry, this is a finding.

Check Content Reference

M

Target Key

5239

Comments