
V-257561

CAT II (Medium)

OpenShift must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.

Rule ID

SV-257561r1156740_rule

STIG

Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide

Version

V2R5

CCIs

CCI-001764

Discussion

Integrity of the OpenShift platform is handled by the cluster version operator. The cluster version operator will by default GPG verify the integrity of the release image before applying it. The release image contains a sha256 digest of machine-os-content which is used by the machine config operators for updates. On the host, the container runtime (podman) verifies the integrity of that sha256 when pulling the image before the machine config operator reads its content. Hence, there is end-to-end GPG-verified integrity for the operating system updates (as well as the rest of the cluster components, which run as regular containers).

Check Content

To verify integrity of the cluster version, execute the following:
oc get clusterversion version

If the Cluster Version Operator is not installed or the AVAILABLE column is not set to "True", this is a finding.

Run the following command to retrieve the Cluster Version object in the system:
oc get clusterversion version -o yaml

If 'verified: true' is not present under status history for each item, this is a finding.

Where OpenShift Virtualization is enabled:
$ oc get hyperconverged kubevirt-hyperconverged -n openshift-cnv -o jsonpath='{.metadata.annotations}' | jq '.|has("kubevirt.kubevirt.io/jsonpatch")'

$ oc get hyperconverged kubevirt-hyperconverged -n openshift-cnv -o jsonpath='{.metadata.annotations}' | jq '.|has("containerizeddataimporter.kubevirt.io/jsonpatch")'

$ oc get hyperconverged kubevirt-hyperconverged -n openshift-cnv -o jsonpath='{.metadata.annotations}' | jq '.|has("networkaddonsconfigs.kubevirt.io/jsonpatch")'

$ oc get hyperconverged kubevirt-hyperconverged -n openshift-cnv -o jsonpath='{.metadata.annotations}' | jq '.|has("ssp.kubevirt.io/jsonpatch")'

If any results are returned aside from empty strings, this is a finding.
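The two checks above can be evaluated offline against exported objects. The following is an added example, not part of the STIG: it takes the JSON form of the ClusterVersion object (`oc get clusterversion version -o json`) and the HyperConverged `metadata.annotations` map, and returns the findings a reviewer would record. The sample objects are constructed and trimmed to the fields the check reads.

```python
import json

# Constructed sample of `oc get clusterversion version -o json`, reduced to
# the fields this check inspects (not output from a real cluster).
SAMPLE_CLUSTERVERSION = json.loads("""
{
  "status": {
    "conditions": [
      {"type": "Available", "status": "True"},
      {"type": "Progressing", "status": "False"}
    ],
    "history": [
      {"version": "4.12.0-example", "state": "Completed", "verified": true},
      {"version": "4.11.0-example", "state": "Completed", "verified": false}
    ]
  }
}
""")

# Constructed sample of HyperConverged metadata.annotations carrying one
# jsonpatch override annotation.
SAMPLE_HCO_ANNOTATIONS = {
    "kubevirt.kubevirt.io/jsonpatch": '[{"op": "add", "path": "/spec/example", "value": 1}]',
}

# The four annotations the STIG's jq has() checks look for.
JSONPATCH_ANNOTATIONS = (
    "kubevirt.kubevirt.io/jsonpatch",
    "containerizeddataimporter.kubevirt.io/jsonpatch",
    "networkaddonsconfigs.kubevirt.io/jsonpatch",
    "ssp.kubevirt.io/jsonpatch",
)


def clusterversion_findings(cv: dict) -> list[str]:
    """Return findings for the ClusterVersion part of the check."""
    findings = []
    status = cv.get("status", {})
    # The AVAILABLE column of `oc get clusterversion` is the Available condition.
    available = any(c.get("type") == "Available" and c.get("status") == "True"
                    for c in status.get("conditions", []))
    if not available:
        findings.append("ClusterVersion Available condition is not True")
    # Every history entry must carry verified: true (missing or false is a finding).
    for entry in status.get("history", []):
        if entry.get("verified") is not True:
            findings.append(f"history entry {entry.get('version', '?')} lacks verified: true")
    return findings


def hyperconverged_findings(annotations: dict) -> list[str]:
    """Return one finding per jsonpatch override annotation present on HyperConverged."""
    return [f"HyperConverged carries {k}" for k in JSONPATCH_ANNOTATIONS if k in annotations]
```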

Fix Text

By default, the integrity of RHCOS is checked by the Cluster Version Operator on the OpenShift platform. If the integrity is not verified, the cluster must be reinstalled.
 
Refer to instructions:
https://docs.openshift.com/container-platform/4.10/installing/index.html

Where OpenShift Virtualization is enabled:
Annotations must be removed from the HyperConverged object, either by editing it directly with oc edit hyperconverged kubevirt-hyperconverged -n openshift-cnv or by removing the annotation with the annotate command.

Example:
$ oc annotate --overwrite -n openshift-cnv hco kubevirt-hyperconverged 'containerizeddataimporter.kubevirt.io/jsonpatch-'