v2.17.1
Date of Release: 06/03/2026
Version Information
| - | Version | Hardening References |
|---|---|---|
| Red Hat Enterprise Linux | 9.4 | USG STIGs ver 2 rel 5 |
| Rancher Kubernetes Engine Government (RKE2) | v1.33.7 | RKE ver 2 rel 3 |
| Glasswall Halo | 2.17.1 | SAST, DAST, SCA and Container Security Reports available on request |
System Requirements
Recommended
32 vCPU 64 GB RAM
Minimum
16 vCPU 32 GB RAM
Base OS Information
-
SELinux is Enforcing
-
No USG STIG banner message by default (configurable)
-
The local
glasswallsystem account now requires a password to escalate privileges in the sudoers. -
The bootloader password has been set in accordance with STIG requirements. This can be provided upon request.
-
Password history enforcement implemented as per SANS CIS Kubernetes Benchmark:
- Password reuse is prohibited for a minimum of five generations.
-
Random number generator used for generating cryptographic keys has been enabled.
-
Audit policy log level for the
kube-apiserverhas been set toRequestResponse, as recommended by SANS CIS Kubernetes Benchmarks. -
The
kube-apiserveraudit log path has been rerouted from/var/lib/rancherto/var/log/rancherfor improved log visibility. -
syslogcan be configured on the virtual machine by referencing these steps- Optionally, syslog can be configured to send RKE2 audit logs by adding the below snippet into
/etc/syslog-ng/syslog-ng.confafter thesource s_podsblock, and restarting the syslog daemon usingsudo systemctl restart syslog-ng:
- Optionally, syslog can be configured to send RKE2 audit logs by adding the below snippet into
source s_rke2 {
wildcard-file(
base-dir("/var/log/rancher")
filename-pattern("*")
recursive(yes)
follow-freq(60)
);
};
log { source(s_rke2); filter(f_default); destination(remote); };
-
Password quality policy updated to enforce:
- Length: Minimum of 15 characters.
- Complexity:
- At least 1 uppercase letter (e.g., A)
- At least 1 lowercase letter (e.g., a)
- At least 1 digit (e.g., 1)
- At least 1 special character (e.g., !)
- Avoid:
- More than 3 consecutive identical characters (e.g., aaa)
- More than 4 consecutive characters of the same type (e.g., 1111, AAAA)
- Passwords that are not significantly different (must differ by at least 8 characters)
- Inclusion of username or dictionary-based words
-
AIDE has been preconfigured to run daily on key configuration files.
-
Maximum age of passwords is now set to 60 days in accordance with STIG guidelines. After this duration, existing password will expire and new password to be configured
-
Password change attempts are now logged to /var/log/secure to improve visibility and auditing purposes
-
Bruteforce protection has been implemented. 5 invalid attempts in 60 sec will block the user for 10 min.
-
Re use of last 5 passwords is now restricted as per STIG guidelines
-
TLS Protocols and ciphers have been updated inline with the following:
ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA" ssl-protocols: "TLSv1.2 TLSv1.3
Kubernetes Information
- CNI plugin: Canal
Glasswall Halo Information
Currently deployed services and Helm charts:
- cdrplatform-engine
- cdrplatform-sync-api
- cdrplatform-report-extractor
- cdrplatform-portal
- cdrplatform-policy-api
- cdrplatform-api-access
- cdrplatform-portal-access
- cdrplatform-license-management
- cdrplatform-cleanup
- cdrplatform-async-api
- cdrplatform-metrics-projection
- cdrplatform-rabbitmq
- cdrplatform-storage
- cdrplatform-storage-monitor
- nginx-ingress
Please refer to the Glasswall Halo 2.17.1 Release Notes for more information.