DISA Kubernetes Security Technical Implementation Guide (STIG) Alignment¶
This document describes how the Secure CINC Auditor Kubernetes Container Scanning solution aligns with the Defense Information Systems Agency (DISA) Kubernetes Security Technical Implementation Guide (STIG).
Overview¶
The DISA Kubernetes STIG provides security requirements for Kubernetes deployments in DoD environments. This document outlines how our container scanning approaches align with these requirements.
STIG Alignment¶
| Vulnerability ID | Title | Requirement Summary | Alignment | Notes |
|---|---|---|---|---|
| V-242407 | Authentication | The Kubernetes API Server must disable anonymous authentication | ✅ High | Service account tokens with proper authentication |
| V-242446 | Authorization | The Kubernetes API Server must enable Node,RBAC as the authorization mode | ✅ High | Least-privilege RBAC implementation |
| V-242420 | Pod Security | User-managed resources must be created in dedicated namespaces | ✅ High | Proper namespace and container isolation |
| V-242408 | Encryption | The Kubernetes etcd must use TLS to protect data-in-transit | ✅ High | TLS encryption for all communications |
| V-242435 | Audit Logging | Kubernetes API Server must generate audit records | ✅ High | Comprehensive logging of operations |
Scanning Approach Compliance¶
Kubernetes API Approach¶
The Kubernetes API Approach provides the highest level of alignment with Kubernetes STIG requirements:
- Uses Kubernetes native authentication and authorization
- Implements proper RBAC controls with least privilege
- Maintains container security boundaries
- Provides comprehensive audit logging
Debug Container Approach¶
The Debug Container Approach has moderate alignment with Kubernetes STIG requirements:
- Uses ephemeral debug containers with limited lifespans
- Implements appropriate RBAC controls
- Provides container isolation
Sidecar Container Approach¶
The Sidecar Container Approach has moderate alignment with Kubernetes STIG requirements:
- Uses pod-level isolation with shared process namespace
- Implements appropriate container security contexts
- Supports deployment-time security controls
Implementation Recommendations for STIG Compliance¶
For optimal alignment with Kubernetes STIG requirements, we recommend:
- Using the Kubernetes API Approach as the primary scanning method
- Implementing the comprehensive RBAC controls provided
- Following the security hardening recommendations
- Implementing all audit logging capabilities
- Following the security guidelines in our Enterprise Recommendations guide
Testing for STIG Compliance¶
Our platform includes testing tools to validate STIG compliance:
- RBAC validation tools to ensure proper permissions
- Security context validation
- Network security validation
Related Documentation¶
- DoD Instruction 8500.01 - DoD policy alignment
- DISA Container Platform SRG - DISA SRG alignment
- Approach Comparison - Security framework comparison
- Risk Documentation - Documentation requirements