CIS RedHat OpenShift Container Platform 4 v1.3.0 L1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: CIS RedHat OpenShift Container Platform 4 v1.3.0 L1

Updated: 11/28/2023

Authority: CIS

Plugin: OpenShift

Revision: 1.1

Estimated Item Count: 160

Audit Items

DescriptionCategories
1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive
1.1.2 Ensure that the API server pod specification file ownership is set to root:root
1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive
1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root
1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive
1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root
1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive
1.1.8 Ensure that the etcd pod specification file ownership is set to root:root
1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive
1.1.10 Ensure that the Container Network Interface file ownership is set to root:root
1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive
1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd
1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive
1.1.14 Ensure that the admin.conf file ownership is set to root:root
1.1.15 Ensure that the scheduler.conf file permissions are set to 600 or more restrictive
1.1.16 Ensure that the scheduler.conf file ownership is set to root:root
1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive
1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root
1.1.19 Ensure that the OpenShift PKI directory and file ownership is set to root:root
1.1.20 Ensure that the OpenShift PKI certificate file permissions are set to 600 or more restrictive
1.1.21 Ensure that the OpenShift PKI key file permissions are set to 600
1.2.1 Ensure that anonymous requests are authorized - ClusterRoleBindings
1.2.1 Ensure that anonymous requests are authorized - RoleBindings
1.2.2 Ensure that the --basic-auth-file argument is not set - ClusterOperators
1.2.2 Ensure that the --basic-auth-file argument is not set - openshift-apiserver
1.2.2 Ensure that the --basic-auth-file argument is not set - openshift-kube-apiserver
1.2.3 Ensure that the --token-auth-file parameter is not set - ClusterOperators
1.2.3 Ensure that the --token-auth-file parameter is not set - KubeApiServers
1.2.3 Ensure that the --token-auth-file parameter is not set - openshift-apiserver
1.2.3 Ensure that the --token-auth-file parameter is not set - openshift-kube-apiserver
1.2.4 Use https for kubelet connections - ConfigMaps
1.2.4 Use https for kubelet connections - Secrets
1.2.5 Ensure that the kubelet uses certificates to authenticate - ConfigMaps
1.2.5 Ensure that the kubelet uses certificates to authenticate - Secrets
1.2.6 Verify that the kubelet certificate authority is set as appropriate
1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow
1.2.8 Verify that the Node authorizer is enabled
1.2.9 Verify that RBAC is enabled
1.2.10 Ensure that the APIPriorityAndFairness feature gate is enabled - ConfigMaps
1.2.10 Ensure that the APIPriorityAndFairness feature gate is enabled - FeatureGates
1.2.10 Ensure that the APIPriorityAndFairness feature gate is enabled - Overrides
1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set - Admission
1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set - Overrides
1.2.12 Ensure that the admission control plugin AlwaysPullImages is not set - Admission
1.2.12 Ensure that the admission control plugin AlwaysPullImages is not set - Overrides
1.2.13 Ensure that the admission control plugin SecurityContextDeny is not set - Admission SecurityContextConstraint
1.2.13 Ensure that the admission control plugin SecurityContextDeny is not set - Admission SecurityContextDeny
1.2.13 Ensure that the admission control plugin SecurityContextDeny is not set - Allow Privileged
1.2.13 Ensure that the admission control plugin SecurityContextDeny is not set - anyuid
1.2.13 Ensure that the admission control plugin SecurityContextDeny is not set - Disabled