CIS RedHat OpenShift Container Platform 4 v1.4.0 L1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS RedHat OpenShift Container Platform 4 v1.4.0 L1

Updated: 1/29/2024

Authority: CIS

Plugin: OpenShift

Revision: 1.1

Estimated Item Count: 153

File Details

Filename: CIS_RedHat_OpenShift_Container_Platform_4_v1.4.0_L1.audit

Size: 216 kB

MD5: a6c8730097b4adab8cef9a73ee52f72d
SHA256: 83abaf03739f3d825b31f3f5d4c4a83dbaa3399c617ffce897df1b9036f4a0f1

Audit Items

Description | Categories
1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive
1.1.2 Ensure that the API server pod specification file ownership is set to root:root
1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive
1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root
1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive
1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root
1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive
1.1.8 Ensure that the etcd pod specification file ownership is set to root:root
1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive
1.1.10 Ensure that the Container Network Interface file ownership is set to root:root
1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive
1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd
1.1.13 Ensure that the kubeconfig file permissions are set to 600 or more restrictive
1.1.14 Ensure that the kubeconfig file ownership is set to root:root
1.1.15 Ensure that the Scheduler kubeconfig file permissions are set to 600 or more restrictive
1.1.16 Ensure that the Scheduler kubeconfig file ownership is set to root:root
1.1.17 Ensure that the Controller Manager kubeconfig file permissions are set to 600 or more restrictive
1.1.18 Ensure that the Controller Manager kubeconfig file ownership is set to root:root
1.1.19 Ensure that the OpenShift PKI directory and file ownership is set to root:root
1.1.20 Ensure that the OpenShift PKI certificate file permissions are set to 600 or more restrictive
1.1.21 Ensure that the OpenShift PKI key file permissions are set to 600
1.2.1 Ensure that anonymous requests are authorized
1.2.2 Ensure that the --basic-auth-file argument is not set - ClusterOperators
1.2.2 Ensure that the --basic-auth-file argument is not set - openshift-apiserver
1.2.2 Ensure that the --basic-auth-file argument is not set - openshift-kube-apiserver
1.2.3 Ensure that the --token-auth-file parameter is not set - ClusterOperators
1.2.3 Ensure that the --token-auth-file parameter is not set - KubeApiServers
1.2.3 Ensure that the --token-auth-file parameter is not set - openshift-apiserver
1.2.3 Ensure that the --token-auth-file parameter is not set - openshift-kube-apiserver
1.2.4 Use https for kubelet connections - ConfigMaps
1.2.4 Use https for kubelet connections - Secrets
1.2.5 Ensure that the kubelet uses certificates to authenticate - ConfigMaps
1.2.5 Ensure that the kubelet uses certificates to authenticate - Secrets
1.2.6 Verify that the kubelet certificate authority is set as appropriate
1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow
1.2.8 Verify that RBAC is enabled
1.2.9 Ensure that the APIPriorityAndFairness feature gate is enabled - ConfigMaps
1.2.9 Ensure that the APIPriorityAndFairness feature gate is enabled - FeatureGates
1.2.9 Ensure that the APIPriorityAndFairness feature gate is enabled - Overrides
1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set
1.2.11 Ensure that the admission control plugin AlwaysPullImages is not set
1.2.12 Ensure that the admission control plugin ServiceAccount is set
1.2.13 Ensure that the admission control plugin NamespaceLifecycle is set
1.2.14 Ensure that the admission control plugin SecurityContextConstraint is set
1.2.15 Ensure that the admission control plugin NodeRestriction is set
1.2.16 Ensure that the --insecure-bind-address argument is not set - feature-gates
1.2.16 Ensure that the --insecure-bind-address argument is not set - openshift-apiserver
1.2.16 Ensure that the --insecure-bind-address argument is not set - openshift-kube-apiserver
1.2.17 Ensure that the --insecure-port argument is set to 0
1.2.18 Ensure that the --secure-port argument is not set to 0 - KubeApiServers
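The two families of items above (1.1.x file permission and ownership checks, 1.2.x API server argument checks) can both be reduced to small, testable predicates. The block below is an added example written for this page; it is not code from the Tenable audit file or from the CIS benchmark. The permission test shows the point that trips up hand-rolled audits: "600 or more restrictive" is a bit-set test (every bit set on the file must also be set in 0600), not a numeric comparison, so 0640 fails, 0400 passes, and 0577 fails even though it is numerically smaller than 0600. The argument checks run against a constructed dict in the shape of `apiServerArguments` in the `config` ConfigMap of the `openshift-kube-apiserver` namespace (flag name to list of strings; on a live cluster `oc get cm config -n openshift-kube-apiserver -o jsonpath='{.data.config\.yaml}'` returns that document). The file name, both argument maps and the finding strings are constructed for the example; the plugin names are the ones the items above use, with the SecurityContextConstraint plugin matched on its suffix so OpenShift's prefixed registration name (`security.openshift.io/SecurityContextConstraint`) also matches. One caveat: Kubernetes turns several admission plugins on by default even when `enable-admission-plugins` does not list them; the check treats the list as explicit, which is how OpenShift renders it, and flags any required plugin that is absent or listed under `disable-admission-plugins`.

```python
"""Added example, not code from the Tenable audit file or the CIS benchmark:
offline checks modelled on the two families of items listed above.
Section 1.1 items are bit-set tests ("600 or more restrictive" means every
bit set on the file is also set in 0600); section 1.2 items are evaluated
against a constructed kube-apiserver argument map (flag name -> list of
strings, the shape of apiServerArguments in the openshift-kube-apiserver
config ConfigMap)."""
import os
import stat
import tempfile


def mode_within(path: str, max_mode: int) -> bool:
    """True when every permission bit set on `path` is also set in `max_mode`.
    A numeric comparison would be wrong: 0o577 < 0o600 but it is far looser."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & ~max_mode == 0


def owned_by(path: str, uid: int, gid: int) -> bool:
    """Ownership test behind the root:root and etcd:etcd items."""
    st = os.stat(path)
    return st.st_uid == uid and st.st_gid == gid


def demo_modes() -> dict:
    """Scratch file under several modes -> {mode: passes the 600 test}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "kube-apiserver-pod.yaml")  # hypothetical name
        with open(p, "w") as fh:
            fh.write("# constructed\n")
        for mode in (0o400, 0o600, 0o640, 0o577, 0o700):
            os.chmod(p, mode)
            results[mode] = mode_within(p, 0o600)
        results["owner"] = owned_by(p, os.getuid(), os.getgid())
    return results


# Plugin names as the page lists them. Required ones are matched on their
# suffix so OpenShift's prefixed registration name for the SCC plugin
# (security.openshift.io/SecurityContextConstraint) matches too.
FORBIDDEN_PLUGINS = ("AlwaysAdmit", "AlwaysPullImages")
REQUIRED_PLUGINS = ("ServiceAccount", "NamespaceLifecycle",
                    "SecurityContextConstraint", "NodeRestriction")


def apiserver_findings(args: dict) -> list:
    """One finding per failed 1.2.x expectation; an empty list is a pass."""
    findings = []
    if "basic-auth-file" in args:
        findings.append("1.2.2 --basic-auth-file is set")
    if "token-auth-file" in args:
        findings.append("1.2.3 --token-auth-file is set")
    modes = args.get("authorization-mode", [])
    if "AlwaysAllow" in modes:
        findings.append("1.2.7 --authorization-mode contains AlwaysAllow")
    if "RBAC" not in modes:
        findings.append("1.2.8 RBAC is not in --authorization-mode")
    enabled = args.get("enable-admission-plugins", [])
    disabled = args.get("disable-admission-plugins", [])
    for name in FORBIDDEN_PLUGINS:
        if name in enabled:
            findings.append(f"1.2.10/11 admission plugin {name} is enabled")
    for name in REQUIRED_PLUGINS:
        on = any(p.endswith(name) for p in enabled)
        off = any(p.endswith(name) for p in disabled)
        if not on or off:
            findings.append(f"1.2.12-15 admission plugin {name} is not enabled")
    if "insecure-bind-address" in args:
        findings.append("1.2.16 --insecure-bind-address is set")
    if args.get("insecure-port", ["0"]) != ["0"]:
        findings.append("1.2.17 --insecure-port is not 0")
    if args.get("secure-port") == ["0"]:
        findings.append("1.2.18 --secure-port is 0")
    return findings


# Constructed samples, not captured from a cluster.
HARDENED_ARGS = {
    "authorization-mode": ["Scope", "SystemMasters", "RBAC", "Node"],
    "enable-admission-plugins": [
        "NamespaceLifecycle", "ServiceAccount", "NodeRestriction",
        "security.openshift.io/SecurityContextConstraint"],
    "insecure-port": ["0"],
    "secure-port": ["6443"],
}
WEAK_ARGS = {
    "basic-auth-file": ["/etc/kubernetes/basic-auth.csv"],
    "authorization-mode": ["AlwaysAllow"],
    "enable-admission-plugins": ["AlwaysAdmit", "NamespaceLifecycle"],
    "insecure-bind-address": ["0.0.0.0"],
    "insecure-port": ["8080"],
}

if __name__ == "__main__":
    print(demo_modes())
    print("hardened:", apiserver_findings(HARDENED_ARGS))
    print("weak:", *apiserver_findings(WEAK_ARGS), sep="\n  ")
```

Run it as-is to see the mode table and the nine findings the weak sample produces; to point it at a real node, replace the scratch file with the pod manifests under the static pod directory on a control-plane host (reached through `oc debug node/<name>`) and feed `apiserver_findings` the parsed `apiServerArguments` map from the ConfigMap above. The ownership check compares against the current user only because the example must run unprivileged; on a node the expected pair is root:root for the items above and etcd:etcd for the etcd data directory.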