CIS RedHat OpenShift Container Platform 4 v1.4.0 L2

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS RedHat OpenShift Container Platform 4 v1.4.0 L2

Updated: 1/29/2024

Authority: CIS

Plugin: OpenShift

Revision: 1.1

Estimated Item Count: 35

File Details

Filename: CIS_RedHat_OpenShift_Container_Platform_4_v1.4.0_L2.audit

Size: 53.8 kB

MD5: 6670b01eaf5a69ed78a543684efcd963
SHA256: b914e8543ad2669ccf5d6633429381aab397e3f567f277a63d56264c81a86394

Audit Items

Description | Categories
2.7 Ensure that a unique Certificate Authority is used for etcd
3.1.1 Client certificate authentication should not be used for users - Authentications
3.1.1 Client certificate authentication should not be used for users - ClusterRoleBindings
3.1.1 Client certificate authentication should not be used for users - Identities
3.1.1 Client certificate authentication should not be used for users - Secrets
3.2.2 Ensure that the audit policy covers key security concerns - openshift-apiserver
3.2.2 Ensure that the audit policy covers key security concerns - openshift-kube-apiserver
4.2.8 Ensure that the kubeAPIQPS [--event-qps] argument is set to 0 or a level which ensures appropriate event capture
4.2.10 Ensure that the --rotate-certificates argument is not set to false
4.2.11 Verify that the RotateKubeletServerCertificate argument is set to true
5.2.6 Minimize the admission of root containers
5.2.9 Minimize the admission of containers with capabilities assigned
5.2.10 Minimize access to privileged Security Context Constraints
5.3.2 Ensure that all Namespaces have Network Policies defined - Namespaces
5.3.2 Ensure that all Namespaces have Network Policies defined - NetworkPolicies
5.4.1 Prefer using secrets as files over secrets as environment variables
5.4.2 Consider external secret storage
5.5.1 Configure Image Provenance using image controller configuration parameters
5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions
5.7.3 Apply Security Context to Your Pods and Containers
5.7.4 The default namespace should not be used - BuildConfigs
5.7.4 The default namespace should not be used - Builds
5.7.4 The default namespace should not be used - CronJobs
5.7.4 The default namespace should not be used - DaemonSets
5.7.4 The default namespace should not be used - DeploymentConfigs
5.7.4 The default namespace should not be used - Deployments
5.7.4 The default namespace should not be used - HorizontalPodAutoScalers
5.7.4 The default namespace should not be used - ImageStreams
5.7.4 The default namespace should not be used - Jobs
5.7.4 The default namespace should not be used - Pods
5.7.4 The default namespace should not be used - ReplicaSets
5.7.4 The default namespace should not be used - ReplicationControllers
5.7.4 The default namespace should not be used - Routes
5.7.4 The default namespace should not be used - Services
5.7.4 The default namespace should not be used - StatefulSets