CIS RedHat OpenShift Container Platform 4 v1.2.0 L1

Audit Details

Name: CIS RedHat OpenShift Container Platform 4 v1.2.0 L1

Updated: 1/9/2023

Authority: CIS

Plugin: OpenShift

Revision: 1.0

Estimated Item Count: 160

File Details

Filename: CIS_RedHat_OpenShift_Container_Platform_4_v1.2.0_L1.audit

Size: 308 kB

MD5: a2f6900fb66d3dd47d577572943247fe
SHA256: c78e83a01f0ffb7816f1fb863d7f214053231b7d9796885e840d371fc47a1e0b

Audit Items

Description / Categories
1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive

ACCESS CONTROL, MEDIA PROTECTION

1.1.2 Ensure that the API server pod specification file ownership is set to root:root

ACCESS CONTROL

1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive

ACCESS CONTROL, MEDIA PROTECTION

1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root

ACCESS CONTROL

1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive

ACCESS CONTROL, MEDIA PROTECTION

1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root

ACCESS CONTROL

1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive

ACCESS CONTROL, MEDIA PROTECTION

1.1.8 Ensure that the etcd pod specification file ownership is set to root:root

ACCESS CONTROL

1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive

ACCESS CONTROL, MEDIA PROTECTION

1.1.10 Ensure that the Container Network Interface file ownership is set to root:root

ACCESS CONTROL

1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive

ACCESS CONTROL, MEDIA PROTECTION

1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd

ACCESS CONTROL

1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive

ACCESS CONTROL, MEDIA PROTECTION

1.1.14 Ensure that the admin.conf file ownership is set to root:root

ACCESS CONTROL

1.1.15 Ensure that the scheduler.conf file permissions are set to 600 or more restrictive

ACCESS CONTROL, MEDIA PROTECTION

1.1.16 Ensure that the scheduler.conf file ownership is set to root:root

ACCESS CONTROL

1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive

ACCESS CONTROL, MEDIA PROTECTION

1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root

ACCESS CONTROL

1.1.19 Ensure that the OpenShift PKI directory and file ownership is set to root:root

ACCESS CONTROL

1.1.20 Ensure that the OpenShift PKI certificate file permissions are set to 600 or more restrictive

ACCESS CONTROL, MEDIA PROTECTION

1.1.21 Ensure that the OpenShift PKI key file permissions are set to 600

ACCESS CONTROL, MEDIA PROTECTION

1.2.1 Ensure that anonymous requests are authorized - ClusterRoleBindings

ACCESS CONTROL, MEDIA PROTECTION

1.2.1 Ensure that anonymous requests are authorized - RoleBindings

ACCESS CONTROL, MEDIA PROTECTION

1.2.2 Ensure that the --basic-auth-file argument is not set - ClusterOperators

CONFIGURATION MANAGEMENT, MAINTENANCE

1.2.2 Ensure that the --basic-auth-file argument is not set - openshift-apiserver

CONFIGURATION MANAGEMENT, MAINTENANCE

1.2.2 Ensure that the --basic-auth-file argument is not set - openshift-kube-apiserver

CONFIGURATION MANAGEMENT, MAINTENANCE

1.2.3 Ensure that the --token-auth-file parameter is not set - ClusterOperators

CONFIGURATION MANAGEMENT, MAINTENANCE

1.2.3 Ensure that the --token-auth-file parameter is not set - KubeApiServers

CONFIGURATION MANAGEMENT, MAINTENANCE

1.2.3 Ensure that the --token-auth-file parameter is not set - openshift-apiserver

CONFIGURATION MANAGEMENT, MAINTENANCE

1.2.3 Ensure that the --token-auth-file parameter is not set - openshift-kube-apiserver

CONFIGURATION MANAGEMENT, MAINTENANCE

1.2.4 Use https for kubelet connections - ConfigMaps

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

1.2.4 Use https for kubelet connections - Secrets

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

1.2.5 Ensure that the kubelet uses certificates to authenticate - ConfigMaps

SYSTEM AND SERVICES ACQUISITION

1.2.5 Ensure that the kubelet uses certificates to authenticate - Secrets

SYSTEM AND SERVICES ACQUISITION

1.2.6 Verify that the kubelet certificate authority is set as appropriate

SYSTEM AND SERVICES ACQUISITION

1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow

ACCESS CONTROL, MEDIA PROTECTION

1.2.8 Verify that the Node authorizer is enabled

ACCESS CONTROL, MEDIA PROTECTION

1.2.9 Verify that RBAC is enabled

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

1.2.10 Ensure that the APIPriorityAndFairness feature gate is enabled - ConfigMaps

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

1.2.10 Ensure that the APIPriorityAndFairness feature gate is enabled - FeatureGates

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

1.2.10 Ensure that the APIPriorityAndFairness feature gate is enabled - Overrides

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set - Admission

ACCESS CONTROL, MEDIA PROTECTION

1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set - Overrides

ACCESS CONTROL, MEDIA PROTECTION

1.2.12 Ensure that the admission control plugin AlwaysPullImages is not set - Admission

ACCESS CONTROL, MEDIA PROTECTION

1.2.12 Ensure that the admission control plugin AlwaysPullImages is not set - Overrides

ACCESS CONTROL, MEDIA PROTECTION

1.2.13 Ensure that the admission control plugin SecurityContextDeny is not set - Admission SecurityContextConstraint

SYSTEM AND SERVICES ACQUISITION

1.2.13 Ensure that the admission control plugin SecurityContextDeny is not set - Admission SecurityContextDeny

SYSTEM AND SERVICES ACQUISITION

1.2.13 Ensure that the admission control plugin SecurityContextDeny is not set - Allow Privileged

SYSTEM AND SERVICES ACQUISITION

1.2.13 Ensure that the admission control plugin SecurityContextDeny is not set - anyuid

SYSTEM AND SERVICES ACQUISITION

1.2.13 Ensure that the admission control plugin SecurityContextDeny is not set - Disabled

SYSTEM AND SERVICES ACQUISITION