Detections
Analytics

CIS RedHat OpenShift Container Platform 4 v1.5.0 L1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: CIS RedHat OpenShift Container Platform 4 v1.5.0 L1

Updated: 7/22/2024

Authority: CIS

Plugin: OpenShift

Revision: 1.2

Estimated Item Count: 118

File Details

Filename: CIS_RedHat_OpenShift_Container_Platform_4_v1.5.0_L1.audit

Size: 167 kB

MD5: 91e38ec9c41a5846f8c390e131795b52
SHA256: 81cd081dc30fa0fda1d82da21cf9a66a1a2bf856d4706969cf213b0716be00bd

Audit Items

DescriptionCategories
1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive
1.1.2 Ensure that the API server pod specification file ownership is set to root:root
1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive
1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root
1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive
1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root
1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive
1.1.8 Ensure that the etcd pod specification file ownership is set to root:root
1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive
1.1.10 Ensure that the Container Network Interface file ownership is set to root:root
1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive
1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd
1.1.13 Ensure that the kubeconfig file permissions are set to 600 or more restrictive
1.1.14 Ensure that the kubeconfig file ownership is set to root:root
1.1.15 Ensure that the Scheduler kubeconfig file permissions are set to 600 or more restrictive
1.1.16 Ensure that the Scheduler kubeconfig file ownership is set to root:root
1.1.17 Ensure that the Controller Manager kubeconfig file permissions are set to 600 or more restrictive
1.1.18 Ensure that the Controller Manager kubeconfig file ownership is set to root:root
1.1.19 Ensure that the OpenShift PKI directory and file ownership is set to root:root
1.1.20 Ensure that the OpenShift PKI certificate file permissions are set to 600 or more restrictive
1.1.21 Ensure that the OpenShift PKI key file permissions are set to 600
1.2.1 Ensure that anonymous requests are authorized
1.2.2 Ensure that the --basic-auth-file argument is not set - ClusterOperators
1.2.2 Ensure that the --basic-auth-file argument is not set - openshift-apiserver
1.2.2 Ensure that the --basic-auth-file argument is not set - openshift-kube-apiserver
1.2.3 Ensure that the --token-auth-file parameter is not set - ClusterOperators
1.2.3 Ensure that the --token-auth-file parameter is not set - KubeApiServers
1.2.3 Ensure that the --token-auth-file parameter is not set - openshift-apiserver
1.2.3 Ensure that the --token-auth-file parameter is not set - openshift-kube-apiserver
1.2.4 Use https for kubelet connections - ConfigMaps
1.2.4 Use https for kubelet connections - Secrets
1.2.5 Ensure that the kubelet uses certificates to authenticate - ConfigMaps
1.2.5 Ensure that the kubelet uses certificates to authenticate - Secrets
1.2.6 Verify that the kubelet certificate authority is set as appropriate
1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow
1.2.8 Verify that RBAC is enabled
1.2.9 Ensure that the APIPriorityAndFairness feature gate is enabled - ConfigMaps
1.2.9 Ensure that the APIPriorityAndFairness feature gate is enabled - FeatureGates
1.2.9 Ensure that the APIPriorityAndFairness feature gate is enabled - Overrides
1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set
1.2.11 Ensure that the admission control plugin AlwaysPullImages is not set
1.2.12 Ensure that the admission control plugin ServiceAccount is set
1.2.13 Ensure that the admission control plugin NamespaceLifecycle is set
1.2.14 Ensure that the admission control plugin SecurityContextConstraint is set
1.2.15 Ensure that the admission control plugin NodeRestriction is set
1.2.16 Ensure that the --insecure-bind-address argument is not set - feature-gates
1.2.16 Ensure that the --insecure-bind-address argument is not set - openshift-apiserver
1.2.16 Ensure that the --insecure-bind-address argument is not set - openshift-kube-apiserver
1.2.17 Ensure that the --insecure-port argument is set to 0
1.2.18 Ensure that the --secure-port argument is not set to 0 - KubeApiServers