Detections
Analytics

CIS RedHat OpenShift Container Platform v1.6.0 L1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: CIS RedHat OpenShift Container Platform v1.6.0 L1

Updated: 4/30/2025

Authority: CIS

Plugin: OpenShift

Revision: 1.2

Estimated Item Count: 102

File Details

Filename: CIS_RedHat_OpenShift_Container_Platform_v1.6.0_L1.audit

Size: 151 kB

MD5: d6e46f720123fe0abdd0133c4e8b8661
SHA256: d9a344b53a0e31da7490ab415194803098eb2898550883c39a511e09008466c7

Audit Items

DescriptionCategories
1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive
1.1.2 Ensure that the API server pod specification file ownership is set to root:root
1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive
1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root
1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive
1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root
1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive
1.1.8 Ensure that the etcd pod specification file ownership is set to root:root
1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive
1.1.10 Ensure that the Container Network Interface file ownership is set to root:root
1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive
1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd
1.1.13 Ensure that the kubeconfig file permissions are set to 600 or more restrictive
1.1.14 Ensure that the kubeconfig file ownership is set to root:root
1.1.15 Ensure that the Scheduler kubeconfig file permissions are set to 600 or more restrictive
1.1.16 Ensure that the Scheduler kubeconfig file ownership is set to root:root
1.1.17 Ensure that the Controller Manager kubeconfig file permissions are set to 600 or more restrictive
1.1.18 Ensure that the Controller Manager kubeconfig file ownership is set to root:root
1.1.19 Ensure that the OpenShift PKI directory and file ownership is set to root:root
1.1.20 Ensure that the OpenShift PKI certificate file permissions are set to 600 or more restrictive
1.1.21 Ensure that the OpenShift PKI key file permissions are set to 600
1.2.1 Ensure that anonymous requests are authorized
1.2.2 Ensure that the --basic-auth-file argument is not set
1.2.3 Ensure that the --token-auth-file parameter is not set
1.2.4 Use https for kubelet connections
1.2.5 Ensure that the kubelet uses certificates to authenticate
1.2.6 Verify that the kubelet certificate authority is set as appropriate
1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow
1.2.8 Verify that RBAC is enabled
1.2.9 Ensure that the APIPriorityAndFairness feature gate is enabled
1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set
1.2.11 Ensure that the admission control plugin AlwaysPullImages is not set
1.2.12 Ensure that the admission control plugin ServiceAccount is set
1.2.13 Ensure that the admission control plugin NamespaceLifecycle is set
1.2.14 Ensure that the admission control plugin SecurityContextConstraint is set
1.2.15 Ensure that the admission control plugin NodeRestriction is set
1.2.16 Ensure that the --insecure-bind-address argument is not set
1.2.17 Ensure that the --insecure-port argument is set to 0
1.2.18 Ensure that the --secure-port argument is not set to 0
1.2.19 Ensure that the healthz endpoint is protected by RBAC
1.2.20 Ensure that the --audit-log-path argument is set
1.2.21 Ensure that the audit logs are forwarded off the cluster for retention
1.2.22 Ensure that the maximumRetainedFiles argument is set to 10 or as appropriate
1.2.23 Ensure that the maximumFileSizeMegabytes argument is set to 100
1.2.24 Ensure that the --request-timeout argument is set
1.2.25 Ensure that the --service-account-lookup argument is set to true
1.2.26 Ensure that the --service-account-key-file argument is set as appropriate
1.2.27 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate
1.2.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate
1.2.29 Ensure that the --client-ca-file argument is set as appropriate