CSCv7|5.2

Title

Maintain Secure Images

Description

Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.

Reference Item Details

Category: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Audit Items


Name | Plugin | Audit Name
1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.1.2 Ensure that the API server pod specification file ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.1.8 Ensure that the etcd pod specification file ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.1.10 Ensure that the Container Network Interface file ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.1.13 Ensure that the admin.conf file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.1.14 Ensure that the admin.conf file ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.1.16 Ensure that the scheduler.conf file ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
2.1.4 Ensure Config-state is saved | CheckPoint | CIS Check Point Firewall L1 v1.1.0
2.4.1 Ensure 'System Backup' is set. | CheckPoint | CIS Check Point Firewall L1 v1.1.0
3.1.1 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive | Unix | CIS Google Kubernetes Engine (GKE) v1.1.0 L1 Worker
3.1.2 Ensure that the proxy kubeconfig file ownership is set to root:root | Unix | CIS Google Kubernetes Engine (GKE) v1.1.0 L1 Worker
3.1.3 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive | Unix | CIS Google Kubernetes Engine (GKE) v1.1.0 L1 Worker
3.1.4 Ensure that the kubelet configuration file ownership is set to root:root | Unix | CIS Google Kubernetes Engine (GKE) v1.1.0 L1 Worker
3.2.6 Ensure that the --protect-kernel-defaults argument is set to true | Unix | CIS Google Kubernetes Engine (GKE) v1.1.0 L1 Worker
4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Worker
4.1.2 Ensure that the kubelet service file ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Worker
4.1.2 Minimize access to secrets | GCP | CIS Google Kubernetes Engine (GKE) v1.1.0 L1 Master
4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Worker
4.1.4 If proxy kubeconfig file exists ensure ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Worker
4.1.4 Minimize access to create pods | GCP | CIS Google Kubernetes Engine (GKE) v1.1.0 L1 Master
4.1.5 Ensure that default service accounts are not actively used. | GCP | CIS Google Kubernetes Engine (GKE) v1.1.0 L1 Master
4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Worker
4.1.6 Ensure that Service Account Tokens are only mounted where necessary | GCP | CIS Google Kubernetes Engine (GKE) v1.1.0 L1 Master
4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Worker
4.1.8 Ensure that the client certificate authorities file ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Worker
4.1.9 Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Worker
4.1.10 Ensure that the kubelet --config configuration file ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Worker
4.2 Ensure that containers use only trusted base images | Unix | CIS Docker v1.3.1 L1 Docker Linux
4.2.1 Minimize the admission of privileged containers | GCP | CIS Google Kubernetes Engine (GKE) v1.1.0 L1 Master
4.2.2 Minimize the admission of containers wishing to share the host process ID namespace | GCP | CIS Google Kubernetes Engine (GKE) v1.1.0 L1 Master
4.2.3 Minimize the admission of containers wishing to share the host IPC namespace | GCP | CIS Google Kubernetes Engine (GKE) v1.1.0 L1 Master
4.2.4 Minimize the admission of containers wishing to share the host network namespace | GCP | CIS Google Kubernetes Engine (GKE) v1.1.0 L1 Master
4.2.5 Minimize the admission of containers with allowPrivilegeEscalation | GCP | CIS Google Kubernetes Engine (GKE) v1.1.0 L1 Master
4.2.6 Ensure that the --protect-kernel-defaults argument is set to true | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Worker
4.2.6 Ensure that the --protect-kernel-defaults argument is set to true | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Worker
4.2.6 Ensure that the --protect-kernel-defaults argument is set to true | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Worker