CSCv7|5.2

Title

Maintain Secure Images

Description

Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.

Reference Item Details

Category: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Audit Items


| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master |
| 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.5.1 L1 |
| 1.1.2 Ensure that the API server pod specification file ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master |
| 1.1.2 Ensure that the API server pod specification file ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.5.1 L1 |
| 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master |
| 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.5.1 L1 |
| 1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.5.1 L1 |
| 1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master |
| 1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master |
| 1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.5.1 L1 |
| 1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.5.1 L1 |
| 1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master |
| 1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.5.1 L1 |
| 1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master |
| 1.1.8 Ensure that the etcd pod specification file ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.5.1 L1 |
| 1.1.8 Ensure that the etcd pod specification file ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master |
| 1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.5.1 L1 |
| 1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master |
| 1.1.10 Ensure that the Container Network Interface file ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.5.1 L1 |
| 1.1.10 Ensure that the Container Network Interface file ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master |
| 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive | Unix | CIS Kubernetes Benchmark v1.5.1 L1 |
| 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master |
| 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master |
| 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd | Unix | CIS Kubernetes Benchmark v1.5.1 L1 |
| 1.1.13 Ensure that the admin.conf file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.5.1 L1 |
| 1.1.13 Ensure that the admin.conf file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master |
| 1.1.14 Ensure that the admin.conf file ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master |
| 1.1.14 Ensure that the admin.conf file ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.5.1 L1 |
| 1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.5.1 L1 |
| 1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master |
| 1.1.16 Ensure that the scheduler.conf file ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.5.1 L1 |
| 1.1.16 Ensure that the scheduler.conf file ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master |
| 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.5.1 L1 |
| 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master |
| 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.5.1 L1 |
| 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master |
| 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.5.1 L1 |
| 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master |
| 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master |
| 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 | Unix | CIS Kubernetes Benchmark v1.5.1 L1 |
| 1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Unix | CIS Kubernetes v1.20 Benchmark v1.0.0 L1 Master |
| 1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Unix | CIS Kubernetes Benchmark v1.5.1 L1 |
| 1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master |
| 2.1.4 Ensure Config-state is saved | CheckPoint | CIS Check Point Firewall L1 v1.1.0 |
| 2.4.1 Ensure 'System Backup' is set. | CheckPoint | CIS Check Point Firewall L1 v1.1.0 |
| 3.1.1 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive | Unix | CIS Google Kubernetes Engine (GKE) v1.4.0 L1 Node |
| 3.1.1 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive | Unix | CIS Google Kubernetes Engine (GKE) v1.1.0 L1 Worker |
| 3.1.1 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive | Unix | CIS Google Kubernetes Engine (GKE) v1.5.0 L1 Node |
| 3.1.1 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive | Unix | CIS Google Kubernetes Engine (GKE) v1.3.0 L1 Node |
| 3.1.2 Ensure that the proxy kubeconfig file ownership is set to root:root | Unix | CIS Google Kubernetes Engine (GKE) v1.3.0 L1 Node |