| 1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.21 Ensure that the OpenShift PKI key file permissions are set to 600 | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, MEDIA PROTECTION |
| 1.2.3 Ensure that the --token-auth-file parameter is not set | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 1.2.8 Verify that RBAC is enabled | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 1.2.19 Ensure that the healthz endpoint is protected by RBAC | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 1.2.24 Ensure that the --request-timeout argument is set | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 1.2.27 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.2.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.2.32 Ensure that the API Server only makes use of Strong Cryptographic Ciphers | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | CONFIGURATION MANAGEMENT |
| 1.3.4 Ensure that the --root-ca-file argument is set as appropriate | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.3.5 Ensure that the --bind-address argument is set to 127.0.0.1 | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.6 Ensure that the --peer-auto-tls argument is not set to true | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | IDENTIFICATION AND AUTHENTICATION |
| 3.1.1 Client certificate authentication should not be used for users | CIS RedHat OpenShift Container Platform v1.6.0 L2 | OpenShift | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 3.2.2 Ensure that the audit policy covers key security concerns | CIS RedHat OpenShift Container Platform v1.6.0 L2 | OpenShift | AUDIT AND ACCOUNTABILITY |
| 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, MEDIA PROTECTION |
| 4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, MEDIA PROTECTION |
| 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL |
| 4.1.16 Ensure kernel module loading and unloading is collected - /etc/audit/rules.d modprobe | CIS Fedora 19 Family Linux Workstation L2 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 4.1.16 Ensure kernel module loading and unloading is collected - /sbin/modprobe | CIS Debian Family Server L2 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 4.1.16 Ensure kernel module loading and unloading is collected - auditctl /sbin/insmod | CIS Red Hat 6 Server L2 v3.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 4.1.16 Ensure kernel module loading and unloading is collected - auditctl /sbin/insmod | CIS Red Hat 6 Workstation L2 v3.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (64-bit) | CIS Ubuntu Linux 16.04 LTS Server L2 v2.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module (64-bit) | CIS Ubuntu Linux 16.04 LTS Workstation L2 v2.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 4.1.16 Ensure kernel module loading and unloading is collected - auditctl insmod | CIS Fedora 19 Family Linux Server L2 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 4.1.16 Ensure kernel module loading and unloading is collected - auditctl modules | CIS Fedora 19 Family Linux Server L2 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 4.1.16 Ensure kernel module loading and unloading is collected - auditctl modules | CIS CentOS 6 Workstation L2 v3.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 4.1.16 Ensure kernel module loading and unloading is collected - auditctl rmmod | CIS Fedora 19 Family Linux Workstation L2 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 4.1.16 Ensure kernel module loading and unloading is collected - auditctl rmmod | CIS Ubuntu Linux 16.04 LTS Server L2 v2.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 4.1.16 Ensure kernel module loading and unloading is collected - rmmod | CIS Ubuntu Linux 16.04 LTS Server L2 v2.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 4.1.16 Ensure kernel module loading and unloading is collected - rules.d /sbin/modprobe | CIS Red Hat 6 Workstation L2 v3.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 4.1.17 Ensure kernel module loading and unloading is collected - auditctl /sbin/modprobe | CIS Debian 9 Workstation L2 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 4.2.1 Activate Garbage collection in OpenShift Container Platform 4, as appropriate | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | SYSTEM AND INFORMATION INTEGRITY |
| 4.2.3 Ensure that the --authorization-mode argument is not set to AlwaysAllow | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, MEDIA PROTECTION |
| 4.2.4 Ensure that the --client-ca-file argument is set as appropriate | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.2.10 Ensure that the --rotate-certificates argument is not set to false | CIS RedHat OpenShift Container Platform v1.6.0 L2 | OpenShift | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.2.5 Minimize the admission of containers with allowPrivilegeEscalation | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY |
| 5.2.6 Minimize the admission of root containers | CIS RedHat OpenShift Container Platform v1.6.0 L2 | OpenShift | ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY |
| 5.2.7 Minimize the admission of containers with the NET_RAW capability | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | CONFIGURATION MANAGEMENT |
| 5.2.8 Minimize the admission of containers with added capabilities | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | CONFIGURATION MANAGEMENT |
| 5.2.9 Minimize the admission of containers with capabilities assigned | CIS RedHat OpenShift Container Platform v1.6.0 L2 | OpenShift | CONFIGURATION MANAGEMENT |
| 5.2.10 Minimize access to privileged Security Context Constraints | CIS RedHat OpenShift Container Platform v1.6.0 L2 | OpenShift | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 5.3.1 Ensure that the CNI in use supports Network Policies | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.4.1 Prefer using secrets as files over secrets as environment variables | CIS RedHat OpenShift Container Platform v1.6.0 L2 | OpenShift | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.5.1 Configure Image Provenance using image controller configuration parameters | CIS RedHat OpenShift Container Platform v1.6.0 L2 | OpenShift | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 5.7.1 Create administrative boundaries between resources using namespaces | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7.4 The default namespace should not be used | CIS RedHat OpenShift Container Platform v1.6.0 L2 | OpenShift | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.12 Ensure all HTTP Header Logging options are enabled - X-Forwarded-For | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0 | Palo_Alto | AUDIT AND ACCOUNTABILITY |
| 9.2.3 Limit Password Reuse | CIS Debian Linux 7 L1 v1.0.0 | Unix | IDENTIFICATION AND AUTHENTICATION |
| DTAVSEL-018 - The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to allow access to files if scanning times out. | McAfee Virus Scan Enterprise for Linux 1.9x/2.0x Local Client v1r6 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| DTAVSEL-113 - The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to include all local drives and their sub-directories. | McAfee Virus Scan Enterprise for Linux 1.9x/2.0x Managed Client v1r5 | Unix | SYSTEM AND INFORMATION INTEGRITY |
