1.4.1 Ensure that the healthz endpoints for the scheduler are protected by RBAC

Information

Disable profiling, if not needed.

Rationale:

Profiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.

Impact:

Profiling information would not be available.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

A fix to this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1889488
None required. Profiling is protected by RBAC and cannot be disabled.

Default Value:

By default, profiling is enabled.

See Also

https://workbench.cisecurity.org/files/3980

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

References: 800-53|AC-2, 800-53|AC-3, 800-53|AC-6, 800-53|AC-6(1), 800-53|AC-6(7), 800-53|AU-9(4), CSCv7|14.6

Plugin: OpenShift

Control ID: 3171604d89c58e44ceae4baf0932c18ecc7ba977f5f8416835ec86ab906f5383