CIS RedHat OpenShift Container Platform 4 v1.3.0 L2

Audit Details

Name: CIS RedHat OpenShift Container Platform 4 v1.3.0 L2

Updated: 4/6/2023

Authority: CIS

Plugin: OpenShift

Revision: 1.0

Estimated Item Count: 33

File Details

Filename: CIS_RedHat_OpenShift_Container_Platform_4_v1.3.0_L2.audit

Size: 64 kB

MD5: 3910535d14af8bc376db4c28acd31801
SHA256: b249dab24fc2fb1f06ddb68bf1144401c626e4fee8588662fac3fd3bb9afd7b6

Audit Items

Description / Categories
1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true

IDENTIFICATION AND AUTHENTICATION

2.7 Ensure that a unique Certificate Authority is used for etcd

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

2.8 Encrypt etcd

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.1.1 Client certificate authentication should not be used for users - Authentications

CONFIGURATION MANAGEMENT

3.1.1 Client certificate authentication should not be used for users - ClusterRoleBindings

CONFIGURATION MANAGEMENT

3.1.1 Client certificate authentication should not be used for users - Identities

CONFIGURATION MANAGEMENT

3.1.1 Client certificate authentication should not be used for users - Secrets

CONFIGURATION MANAGEMENT

3.2.2 Ensure that the audit policy covers key security concerns - openshift-apiserver

AUDIT AND ACCOUNTABILITY

3.2.2 Ensure that the audit policy covers key security concerns - openshift-kube-apiserver

AUDIT AND ACCOUNTABILITY

4.2.9 Ensure that the kubeAPIQPS [--event-qps] argument is set to 0 or a level which ensures appropriate event capture

AUDIT AND ACCOUNTABILITY

5.2.6 Minimize the admission of root containers

ACCESS CONTROL

5.2.9 Minimize the admission of containers with capabilities assigned

CONFIGURATION MANAGEMENT

5.3.2 Ensure that all Namespaces have Network Policies defined - Namespaces

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.3.2 Ensure that all Namespaces have Network Policies defined - NetworkPolicies

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.4.2 Consider external secret storage

SYSTEM AND COMMUNICATIONS PROTECTION

5.5.1 Configure Image Provenance using image controller configuration parameters

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

5.7.3 Apply Security Context to Your Pods and Containers

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

5.7.4 The default namespace should not be used - BuildConfigs

SYSTEM AND COMMUNICATIONS PROTECTION

5.7.4 The default namespace should not be used - Builds

SYSTEM AND COMMUNICATIONS PROTECTION

5.7.4 The default namespace should not be used - CronJobs

SYSTEM AND COMMUNICATIONS PROTECTION

5.7.4 The default namespace should not be used - DaemonSets

SYSTEM AND COMMUNICATIONS PROTECTION

5.7.4 The default namespace should not be used - DeploymentConfigs

SYSTEM AND COMMUNICATIONS PROTECTION

5.7.4 The default namespace should not be used - Deployments

SYSTEM AND COMMUNICATIONS PROTECTION

5.7.4 The default namespace should not be used - HorizontalPodAutoScalers

SYSTEM AND COMMUNICATIONS PROTECTION

5.7.4 The default namespace should not be used - ImageStreams

SYSTEM AND COMMUNICATIONS PROTECTION

5.7.4 The default namespace should not be used - Jobs

SYSTEM AND COMMUNICATIONS PROTECTION

5.7.4 The default namespace should not be used - Pods

SYSTEM AND COMMUNICATIONS PROTECTION

5.7.4 The default namespace should not be used - ReplicaSets

SYSTEM AND COMMUNICATIONS PROTECTION

5.7.4 The default namespace should not be used - ReplicationControllers

SYSTEM AND COMMUNICATIONS PROTECTION

5.7.4 The default namespace should not be used - Routes

SYSTEM AND COMMUNICATIONS PROTECTION

5.7.4 The default namespace should not be used - Services

SYSTEM AND COMMUNICATIONS PROTECTION

5.7.4 The default namespace should not be used - StatefulSets

SYSTEM AND COMMUNICATIONS PROTECTION