Definition of CIS Red Hat OpenShift Container Platform 4 Benchmark for ocp4

2.1: Ensure that the --cert-file and --key-file arguments are set as appropriate

Description: None

• level_1

Automated: yes

• etcd_cert_file: Ensure That The etcd Client Certificate Is Correctly Set
• etcd_key_file: Ensure That The etcd Key File Is Correctly Set

2.2: Ensure that the --client-cert-auth argument is set to true

Description: None

• level_1

Automated: yes

• etcd_client_cert_auth: Enable The Client Certificate Authentication

2.3: Ensure that the --auto-tls argument is not set to true

Description: None

• level_1

Automated: yes

• etcd_auto_tls: Disable etcd Self-Signed Certificates

2.4: Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate

Description: None

• level_1

Automated: yes

• etcd_peer_cert_file: Ensure That The etcd Peer Client Certificate Is Correctly Set
• etcd_peer_key_file: Ensure That The etcd Peer Key File Is Correctly Set

2.5: Ensure that the --peer-client-cert-auth argument is set to true

Description: None

• level_1

Automated: yes

• etcd_peer_client_cert_auth: Enable The Peer Client Certificate Authentication

2.6: Ensure that the --peer-auto-tls argument is not set to true

Description: None

• level_1

Automated: yes

• etcd_peer_auto_tls: Disable etcd Peer Self-Signed Certificates

2.7: Ensure that a unique Certificate Authority is used for etcd

Description: None

• level_2

Automated: yes

• etcd_unique_ca: Configure A Unique CA Certificate for etcd

2: etcd

Description: None

• level_1

Automated: no

• etcd_auto_tls: Disable etcd Self-Signed Certificates
• etcd_cert_file: Ensure That The etcd Client Certificate Is Correctly Set
• etcd_client_cert_auth: Enable The Client Certificate Authentication
• etcd_key_file: Ensure That The etcd Key File Is Correctly Set
• etcd_peer_auto_tls: Disable etcd Peer Self-Signed Certificates
• etcd_peer_cert_file: Ensure That The etcd Peer Client Certificate Is Correctly Set
• etcd_peer_client_cert_auth: Enable The Peer Client Certificate Authentication
• etcd_peer_key_file: Ensure That The etcd Peer Key File Is Correctly Set
• etcd_unique_ca: Configure A Unique CA Certificate for etcd

3.1.1: Client certificate authentication should not be used for users

Description: None

• level_2

Automated: yes

• idp_is_configured: Configure An Identity Provider
• kubeadmin_removed: Ensure that the kubeadmin secret has been removed

3.1: Authentication and Authorization

Description: None

• level_1

Automated: yes

• idp_is_configured: Configure An Identity Provider
• kubeadmin_removed: Ensure that the kubeadmin secret has been removed

3.2.1: Ensure that a minimal audit policy is created

Description: None

• level_1

Automated: yes

• audit_logging_enabled: Ensure that API server audit logging is enabled

3.2.2: Ensure that the audit policy covers key security concerns

Description: None

• level_2

Automated: yes

• audit_profile_set: Ensure that the cluster's audit profile is properly set

3.2: Logging

Description: None

• level_1

Automated: yes

• audit_logging_enabled: Ensure that API server audit logging is enabled
• audit_profile_set: Ensure that the cluster's audit profile is properly set

3: Control Plane Configuration

Description: None

• level_1

Automated: no

• audit_logging_enabled: Ensure that API server audit logging is enabled
• audit_profile_set: Ensure that the cluster's audit profile is properly set
• idp_is_configured: Configure An Identity Provider
• kubeadmin_removed: Ensure that the kubeadmin secret has been removed

1.1.1: Ensure that the API server pod specification file permissions are set to 600 or more restrictive

Description: None

• level_1

Automated: yes

• file_permissions_kube_apiserver: Verify Permissions on the Kubernetes API Server Pod Specification File

1.1.2: Ensure that the API server pod specification file ownership is set to root:root

Description: None

• level_1

Automated: yes

• file_groupowner_kube_apiserver: Verify Group Who Owns The Kubernetes API Server Pod Specification File
• file_owner_kube_apiserver: Verify User Who Owns The Kubernetes API Server Pod Specification File

1.1.3: Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive

Description: None

• level_1

Automated: yes

• file_permissions_kube_controller_manager: Verify Permissions on the Kubernetes Controller Manager Pod Specification File

1.1.4: Ensure that the controller manager pod specification file ownership is set to root:root

Description: None

• level_1

Automated: yes

• file_groupowner_kube_controller_manager: Verify Group Who Owns The Kubernetes Controller Manager Pod Specification File
• file_owner_kube_controller_manager: Verify User Who Owns The Kubernetes Controller Manager Pod Specification File

1.1.5: Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive

Description: None

• level_1

Automated: yes

• file_permissions_scheduler: Verify Permissions on the Kubernetes Scheduler Pod Specification File

1.1.6: Ensure that the scheduler pod specification file ownership is set to root:root

Description: None

• level_1

Automated: yes

• file_groupowner_kube_scheduler: Verify Group Who Owns The Kubernetes Scheduler Pod Specification File
• file_owner_kube_scheduler: Verify User Who Owns The Kubernetes Scheduler Pod Specification File

1.1.7: Ensure that the etcd pod specification file permissions are set to 600 or more restrictive

Description: None

• level_1

Automated: yes

• file_permissions_etcd_member: Verify Permissions on the Etcd Member Pod Specification File

1.1.8: Ensure that the etcd pod specification file ownership is set to root:root

Description: None

• level_1

Automated: yes

• file_groupowner_etcd_member: Verify Group Who Owns The etcd Member Pod Specification File
• file_owner_etcd_member: Verify User Who Owns The Etcd Member Pod Specification File

1.1.9: Ensure that the Container Network Interface file permissions are set to 600 or more restrictive

Description: None

• level_1

Automated: yes

• file_permissions_cni_conf: Verify Permissions on the OpenShift Container Network Interface Files
• file_permissions_ip_allocations: Verify Permissions on the OpenShift SDN Container Network Interface Plugin IP Address Allocations
• file_permissions_multus_conf: Verify Permissions on the OpenShift Multus Container Network Interface Plugin Files
• file_permissions_ovn_cni_server_sock: Verify Permissions on the OVNKubernetes socket
• file_permissions_ovn_db_files: Verify Permissions on the OVNKubernetes DB files
• file_permissions_ovs_conf_db: Verify Permissions on the Open vSwitch Configuration Database
• file_permissions_ovs_conf_db_lock: Verify Permissions on the Open vSwitch Configuration Database Lock
• file_permissions_ovs_pid: Verify Permissions on the Open vSwitch Process ID File
• file_permissions_ovs_sys_id_conf: Verify Permissions on the Open vSwitch Persistent System ID
• file_permissions_ovs_vswitchd_pid: Verify Permissions on the Open vSwitch Daemon PID File
• file_permissions_ovsdb_server_pid: Verify Permissions on the Open vSwitch Database Server PID
• file_perms_openshift_sdn_cniserver_config: Verify Permissions on the OpenShift SDN CNI Server Config

1.1.10: Ensure that the Container Network Interface file ownership is set to root:root

Description: None

• level_1

Automated: yes

• file_groupowner_cni_conf: Verify Group Who Owns The OpenShift Container Network Interface Files
• file_groupowner_ip_allocations: Verify Group Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations
• file_groupowner_multus_conf: Verify Group Who Owns The OpenShift Multus Container Network Interface Plugin Files
• file_groupowner_openshift_sdn_cniserver_config: Verify Group Who Owns The OpenShift SDN CNI Server Config
• file_groupowner_ovn_cni_server_sock: Verify Group Who Owns The OVNKubernetes Socket
• file_groupowner_ovn_db_files: Verify Group Who Owns The OVNKubernetes DB files
• file_groupowner_ovs_conf_db: Verify Group Who Owns The Open vSwitch Configuration Database
• file_groupowner_ovs_conf_db_lock: Verify Group Who Owns The Open vSwitch Configuration Database Lock
• file_groupowner_ovs_pid: Verify Group Who Owns The Open vSwitch Process ID File
• file_groupowner_ovs_sys_id_conf: Verify Group Who Owns The Open vSwitch Persistent System ID
• file_groupowner_ovs_vswitchd_pid: Verify Group Who Owns The Open vSwitch Daemon PID File
• file_groupowner_ovsdb_server_pid: Verify Group Who Owns The Open vSwitch Database Server PID
• file_owner_cni_conf: Verify User Who Owns The OpenShift Container Network Interface Files
• file_owner_ip_allocations: Verify User Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations
• file_owner_multus_conf: Verify User Who Owns The OpenShift Multus Container Network Interface Plugin Files
• file_owner_openshift_sdn_cniserver_config: Verify User Who Owns The OpenShift SDN CNI Server Config
• file_owner_ovn_cni_server_sock: Verify User Who Owns The OVNKubernetes Socket
• file_owner_ovn_db_files: Verify Who Owns The OVNKubernetes DB files
• file_owner_ovs_conf_db: Verify User Who Owns The Open vSwitch Configuration Database
• file_owner_ovs_conf_db_lock: Verify User Who Owns The Open vSwitch Configuration Database Lock
• file_owner_ovs_pid: Verify User Who Owns The Open vSwitch Process ID File
• file_owner_ovs_sys_id_conf: Verify User Who Owns The Open vSwitch Persistent System ID
• file_owner_ovs_vswitchd_pid: Verify User Who Owns The Open vSwitch Daemon PID File
• file_owner_ovsdb_server_pid: Verify User Who Owns The Open vSwitch Database Server PID

1.1.11: Ensure that the etcd data directory permissions are set to 700 or more restrictive

Description: None

• level_1

Automated: yes

• file_permissions_etcd_data_dir: Verify Permissions on the Etcd Database Directory
• file_permissions_etcd_data_files: Verify Permissions on the Etcd Write-Ahead-Log Files

1.1.12: Ensure that the etcd data directory ownership is set to etcd:etcd

Description: None

• level_1

Automated: yes

• file_groupowner_etcd_data_dir: Verify Group Who Owns The Etcd Database Directory
• file_groupowner_etcd_data_files: Verify Group Who Owns The Etcd Write-Ahead-Log Files
• file_owner_etcd_data_dir: Verify User Who Owns The Etcd Database Directory
• file_owner_etcd_data_files: Verify User Who Owns The Etcd Write-Ahead-Log Files

1.1.13: Ensure that the kubeconfig file permissions are set to 600 or more restrictive

Description: None

• level_1

Automated: yes

• file_permissions_master_admin_kubeconfigs: Verify Permissions on the OpenShift Admin Kubeconfig Files

1.1.14: Ensure that the kubeconfig file ownership is set to root:root

Description: None

• level_1

Automated: yes

• file_groupowner_master_admin_kubeconfigs: Verify Group Who Owns The OpenShift Admin Kubeconfig Files
• file_owner_master_admin_kubeconfigs: Verify User Who Owns The OpenShift Admin Kubeconfig Files

1.1.15: Ensure that the Scheduler kubeconfig file permissions are set to 600 or more restrictive

Description: None

• level_1

Automated: yes

• file_permissions_scheduler_kubeconfig: Verify Permissions on the Kubernetes Scheduler Kubeconfig File

1.1.16: Ensure that the Scheduler kubeconfig file ownership is set to root:root

Description: None

• level_1

Automated: yes

• file_groupowner_scheduler_kubeconfig: Verify Group Who Owns The Kubernetes Scheduler Kubeconfig File
• file_owner_scheduler_kubeconfig: Verify User Who Owns The Kubernetes Scheduler Kubeconfig File

1.1.17: Ensure that the Controller Manager kubeconfig file permissions are set to 600 or more restrictive

Description: None

• level_1

Automated: yes

• file_permissions_controller_manager_kubeconfig: Verify Permissions on the OpenShift Controller Manager Kubeconfig File

1.1.18: Ensure that the Controller Manager kubeconfig file ownership is set to root:root

Description: None

• level_1

Automated: yes

• file_groupowner_controller_manager_kubeconfig: Verify Group Who Owns The OpenShift Controller Manager Kubeconfig File
• file_owner_controller_manager_kubeconfig: Verify User Who Owns The OpenShift Controller Manager Kubeconfig File

1.1.19: Ensure that the OpenShift PKI directory and file ownership is set to root:root

Description: None

• level_1

Automated: yes

• file_groupowner_etcd_pki_cert_files: Verify Group Who Owns The Etcd PKI Certificate Files
• file_groupowner_openshift_pki_cert_files: Verify Group Who Owns The OpenShift PKI Certificate Files
• file_groupowner_openshift_pki_key_files: Verify Group Who Owns The OpenShift PKI Private Key Files
• file_owner_etcd_pki_cert_files: Verify User Who Owns The Etcd PKI Certificate Files
• file_owner_openshift_pki_cert_files: Verify User Who Owns The OpenShift PKI Certificate Files
• file_owner_openshift_pki_key_files: Verify User Who Owns The OpenShift PKI Private Key Files

1.1.20: Ensure that the OpenShift PKI certificate file permissions are set to 600 or more restrictive

Description: None

• level_1

Automated: yes

• file_permissions_etcd_pki_cert_files: Verify Permissions on the Etcd PKI Certificate Files
• file_permissions_openshift_pki_cert_files: Verify Permissions on the OpenShift PKI Certificate Files

1.1.21: Ensure that the OpenShift PKI key file permissions are set to 600

Description: None

• level_1

Automated: yes

• file_permissions_openshift_pki_key_files: Verify Permissions on the OpenShift PKI Private Key Files

1.1: Master Node Configuration Files

Description: None

• level_1

Automated: yes

• file_groupowner_cni_conf: Verify Group Who Owns The OpenShift Container Network Interface Files
• file_groupowner_controller_manager_kubeconfig: Verify Group Who Owns The OpenShift Controller Manager Kubeconfig File
• file_groupowner_etcd_data_dir: Verify Group Who Owns The Etcd Database Directory
• file_groupowner_etcd_data_files: Verify Group Who Owns The Etcd Write-Ahead-Log Files
• file_groupowner_etcd_member: Verify Group Who Owns The etcd Member Pod Specification File
• file_groupowner_etcd_pki_cert_files: Verify Group Who Owns The Etcd PKI Certificate Files
• file_groupowner_ip_allocations: Verify Group Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations
• file_groupowner_kube_apiserver: Verify Group Who Owns The Kubernetes API Server Pod Specification File
• file_groupowner_kube_controller_manager: Verify Group Who Owns The Kubernetes Controller Manager Pod Specification File
• file_groupowner_kube_scheduler: Verify Group Who Owns The Kubernetes Scheduler Pod Specification File
• file_groupowner_master_admin_kubeconfigs: Verify Group Who Owns The OpenShift Admin Kubeconfig Files
• file_groupowner_multus_conf: Verify Group Who Owns The OpenShift Multus Container Network Interface Plugin Files
• file_groupowner_openshift_pki_cert_files: Verify Group Who Owns The OpenShift PKI Certificate Files
• file_groupowner_openshift_pki_key_files: Verify Group Who Owns The OpenShift PKI Private Key Files
• file_groupowner_openshift_sdn_cniserver_config: Verify Group Who Owns The OpenShift SDN CNI Server Config
• file_groupowner_ovn_cni_server_sock: Verify Group Who Owns The OVNKubernetes Socket
• file_groupowner_ovn_db_files: Verify Group Who Owns The OVNKubernetes DB files
• file_groupowner_ovs_conf_db: Verify Group Who Owns The Open vSwitch Configuration Database
• file_groupowner_ovs_conf_db_lock: Verify Group Who Owns The Open vSwitch Configuration Database Lock
• file_groupowner_ovs_pid: Verify Group Who Owns The Open vSwitch Process ID File
• file_groupowner_ovs_sys_id_conf: Verify Group Who Owns The Open vSwitch Persistent System ID
• file_groupowner_ovs_vswitchd_pid: Verify Group Who Owns The Open vSwitch Daemon PID File
• file_groupowner_ovsdb_server_pid: Verify Group Who Owns The Open vSwitch Database Server PID
• file_groupowner_scheduler_kubeconfig: Verify Group Who Owns The Kubernetes Scheduler Kubeconfig File
• file_owner_cni_conf: Verify User Who Owns The OpenShift Container Network Interface Files
• file_owner_controller_manager_kubeconfig: Verify User Who Owns The OpenShift Controller Manager Kubeconfig File
• file_owner_etcd_data_dir: Verify User Who Owns The Etcd Database Directory
• file_owner_etcd_data_files: Verify User Who Owns The Etcd Write-Ahead-Log Files
• file_owner_etcd_member: Verify User Who Owns The Etcd Member Pod Specification File
• file_owner_etcd_pki_cert_files: Verify User Who Owns The Etcd PKI Certificate Files
• file_owner_ip_allocations: Verify User Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations
• file_owner_kube_apiserver: Verify User Who Owns The Kubernetes API Server Pod Specification File
• file_owner_kube_controller_manager: Verify User Who Owns The Kubernetes Controller Manager Pod Specification File
• file_owner_kube_scheduler: Verify User Who Owns The Kubernetes Scheduler Pod Specification File
• file_owner_master_admin_kubeconfigs: Verify User Who Owns The OpenShift Admin Kubeconfig Files
• file_owner_multus_conf: Verify User Who Owns The OpenShift Multus Container Network Interface Plugin Files
• file_owner_openshift_pki_cert_files: Verify User Who Owns The OpenShift PKI Certificate Files
• file_owner_openshift_pki_key_files: Verify User Who Owns The OpenShift PKI Private Key Files
• file_owner_openshift_sdn_cniserver_config: Verify User Who Owns The OpenShift SDN CNI Server Config
• file_owner_ovn_cni_server_sock: Verify User Who Owns The OVNKubernetes Socket
• file_owner_ovn_db_files: Verify Who Owns The OVNKubernetes DB files
• file_owner_ovs_conf_db: Verify User Who Owns The Open vSwitch Configuration Database
• file_owner_ovs_conf_db_lock: Verify User Who Owns The Open vSwitch Configuration Database Lock
• file_owner_ovs_pid: Verify User Who Owns The Open vSwitch Process ID File
• file_owner_ovs_sys_id_conf: Verify User Who Owns The Open vSwitch Persistent System ID
• file_owner_ovs_vswitchd_pid: Verify User Who Owns The Open vSwitch Daemon PID File
• file_owner_ovsdb_server_pid: Verify User Who Owns The Open vSwitch Database Server PID
• file_owner_scheduler_kubeconfig: Verify User Who Owns The Kubernetes Scheduler Kubeconfig File
• file_permissions_cni_conf: Verify Permissions on the OpenShift Container Network Interface Files
• file_permissions_controller_manager_kubeconfig: Verify Permissions on the OpenShift Controller Manager Kubeconfig File
• file_permissions_etcd_data_dir: Verify Permissions on the Etcd Database Directory
• file_permissions_etcd_data_files: Verify Permissions on the Etcd Write-Ahead-Log Files
• file_permissions_etcd_member: Verify Permissions on the Etcd Member Pod Specification File
• file_permissions_etcd_pki_cert_files: Verify Permissions on the Etcd PKI Certificate Files
• file_permissions_ip_allocations: Verify Permissions on the OpenShift SDN Container Network Interface Plugin IP Address Allocations
• file_permissions_kube_apiserver: Verify Permissions on the Kubernetes API Server Pod Specification File
• file_permissions_kube_controller_manager: Verify Permissions on the Kubernetes Controller Manager Pod Specification File
• file_permissions_master_admin_kubeconfigs: Verify Permissions on the OpenShift Admin Kubeconfig Files
• file_permissions_multus_conf: Verify Permissions on the OpenShift Multus Container Network Interface Plugin Files
• file_permissions_openshift_pki_cert_files: Verify Permissions on the OpenShift PKI Certificate Files
• file_permissions_openshift_pki_key_files: Verify Permissions on the OpenShift PKI Private Key Files
• file_permissions_ovn_cni_server_sock: Verify Permissions on the OVNKubernetes socket
• file_permissions_ovn_db_files: Verify Permissions on the OVNKubernetes DB files
• file_permissions_ovs_conf_db: Verify Permissions on the Open vSwitch Configuration Database
• file_permissions_ovs_conf_db_lock: Verify Permissions on the Open vSwitch Configuration Database Lock
• file_permissions_ovs_pid: Verify Permissions on the Open vSwitch Process ID File
• file_permissions_ovs_sys_id_conf: Verify Permissions on the Open vSwitch Persistent System ID
• file_permissions_ovs_vswitchd_pid: Verify Permissions on the Open vSwitch Daemon PID File
• file_permissions_ovsdb_server_pid: Verify Permissions on the Open vSwitch Database Server PID
• file_permissions_scheduler: Verify Permissions on the Kubernetes Scheduler Pod Specification File
• file_permissions_scheduler_kubeconfig: Verify Permissions on the Kubernetes Scheduler Kubeconfig File
• file_perms_openshift_sdn_cniserver_config: Verify Permissions on the OpenShift SDN CNI Server Config

1.2.1: Ensure that anonymous requests are authorized

Description: None

• level_1

Automated: yes

• api_server_anonymous_auth: Ensure that anonymous requests to the API Server are authorized

1.2.2: Ensure that the --basic-auth-file argument is not set

Description: None

• level_1

Automated: yes

• api_server_basic_auth: Disable basic-auth-file for the API Server

1.2.3: Ensure that the --token-auth-file parameter is not set

Description: None

• level_1

Automated: yes

• api_server_token_auth: Disable Token-based Authentication

1.2.4: Use https for kubelet connections

Description: None

• level_1

Automated: yes

• api_server_https_for_kubelet_conn: Ensure that the --kubelet-https argument is set to true
• api_server_oauth_https_serving_cert: Ensure the openshift-oauth-apiserver service uses TLS
• api_server_openshift_https_serving_cert: Ensure the openshift-oauth-apiserver service uses TLS

1.2.5: Ensure that the kubelet uses certificates to authenticate

Description: None

• level_1

Automated: yes

• api_server_kubelet_client_cert: Configure the kubelet Certificate File for the API Server
• api_server_kubelet_client_cert_pre_4_9: Configure the kubelet Certificate File for the API Server
• api_server_kubelet_client_key: Configure the kubelet Certificate Key for the API Server
• api_server_kubelet_client_key_pre_4_9: Configure the kubelet Certificate Key for the API Server

1.2.6: Verify that the kubelet certificate authority is set as appropriate

Description: None

• level_1

Automated: yes

• api_server_kubelet_certificate_authority: Configure the kubelet Certificate Authority for the API Server

1.2.7: Ensure that the --authorization-mode argument is not set to AlwaysAllow

Description: None

• level_1

Automated: yes

• api_server_auth_mode_no_aa: The authorization-mode cannot be AlwaysAllow

1.2.8: Verify that RBAC is enabled

Description: None

• level_1

Automated: yes

• api_server_auth_mode_rbac: Ensure authorization-mode RBAC is configured

1.2.9: Ensure that the APIPriorityAndFairness feature gate is enabled

Description: None

• level_1

Automated: yes

• api_server_api_priority_gate_enabled: Enable the APIPriorityAndFairness feature gate

1.2.10: Ensure that the admission control plugin AlwaysAdmit is not set

Description: None

• level_1

Automated: yes

• api_server_admission_control_plugin_alwaysadmit: Disable the AlwaysAdmit Admission Control Plugin

1.2.11: Ensure that the admission control plugin AlwaysPullImages is not set

Description: None

• level_1

Automated: yes

• api_server_admission_control_plugin_alwayspullimages: Ensure that the Admission Control Plugin AlwaysPullImages is not set

1.2.12: Ensure that the admission control plugin ServiceAccount is set

Description: None

• level_1

Automated: yes

• api_server_admission_control_plugin_service_account: Enable the ServiceAccount Admission Control Plugin

1.2.13: Ensure that the admission control plugin NamespaceLifecycle is set

Description: None

• level_1

Automated: yes

• api_server_admission_control_plugin_namespacelifecycle: Enable the NamespaceLifecycle Admission Control Plugin

1.2.14: Ensure that the admission control plugin SecurityContextConstraint is set

Description: None

• level_1

Automated: yes

• api_server_admission_control_plugin_scc: Enable the SecurityContextConstraint Admission Control Plugin

1.2.15: Ensure that the admission control plugin NodeRestriction is set

Description: None

• level_1

Automated: yes

• api_server_admission_control_plugin_noderestriction: Enable the NodeRestriction Admission Control Plugin

1.2.16: Ensure that the --insecure-bind-address argument is not set

Description: None

• level_1

Automated: yes

• api_server_insecure_bind_address: Disable Use of the Insecure Bind Address

1.2.17: Ensure that the --insecure-port argument is set to 0

Description: None

• level_1

Automated: yes

• api_server_insecure_port: Prevent Insecure Port Access

1.2.18: Ensure that the --secure-port argument is not set to 0

Description: None

• level_1

Automated: yes

• api_server_bind_address: Ensure that the bindAddress is set to a relevant secure port

1.2.19: Ensure that the healthz endpoint is protected by RBAC

Description: None

• level_1

Automated: yes

• api_server_profiling_protected_by_rbac: Profiling is protected by RBAC

1.2.20: Ensure that the --audit-log-path argument is set

Description: None

• level_1

Automated: yes

• api_server_audit_log_path: Configure the Audit Log Path
• openshift_api_server_audit_log_path: Configure the Audit Log Path

1.2.21: Ensure that the audit logs are forwarded off the cluster for retention

Description: None

• level_1

Automated: yes

• audit_log_forwarding_enabled: Ensure that Audit Log Forwarding Is Enabled
• audit_log_forwarding_webhook: Ensure that Audit Log Webhook Is Configured

1.2.22: Ensure that the maximumRetainedFiles argument is set to 10 or as appropriate

Description: None

• level_1

Automated: yes

• api_server_audit_log_maxbackup: Configure the Kubernetes API Server Maximum Retained Audit Logs
• ocp_api_server_audit_log_maxbackup: Configure the OpenShift API Server Maximum Retained Audit Logs

1.2.23: Ensure that the maximumFileSizeMegabytes argument is set to 100

Description: None

• level_1

Automated: yes

• api_server_audit_log_maxsize: Configure Kubernetes API Server Maximum Audit Log Size
• ocp_api_server_audit_log_maxsize: Configure OpenShift API Server Maximum Audit Log Size

1.2.24: Ensure that the --request-timeout argument is set

Description: None

• level_1

Automated: yes

• api_server_request_timeout: Configure the API Server Minimum Request Timeout

1.2.25: Ensure that the --service-account-lookup argument is set to true

Description: None

• level_1

Automated: yes

• api_server_service_account_lookup: Ensure that the service-account-lookup argument is set to true

1.2.26: Ensure that the --service-account-key-file argument is set as appropriate

Description: None

• level_1

Automated: yes

• api_server_service_account_public_key: Configure the Service Account Public Key for the API Server

1.2.27: Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate

Description: None

• level_1

Automated: yes

• api_server_etcd_cert: Configure the etcd Certificate for the API Server
• api_server_etcd_key: Configure the etcd Certificate Key for the API Server

1.2.28: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate

Description: None

• level_1

Automated: yes

• api_server_tls_cert: Configure the Certificate for the API Server
• api_server_tls_private_key: Configure the Certificate Key for the API Server

1.2.29: Ensure that the --client-ca-file argument is set as appropriate

Description: None

• level_1

Automated: yes

• api_server_client_ca: Configure the Client Certificate Authority for the API Server

1.2.30: Ensure that the --etcd-cafile argument is set as appropriate

Description: None

• level_1

Automated: yes

• api_server_etcd_ca: Configure the etcd Certificate Authority for the API Server

1.2.31: Ensure that encryption providers are appropriately configured

Description: None

• level_1

Automated: no

• api_server_encryption_provider_cipher: Configure the Encryption Provider Cipher

1.2.32: Ensure that the API Server only makes use of Strong Cryptographic Ciphers

Description: None

• level_1

Automated: yes

• api_server_tls_cipher_suites: Use Strong Cryptographic Ciphers on the API Server

1.2.33: Ensure unsupported configuration overrides are not used

Description: None

• level_1

Automated: no

No rules selected

1.2: API Server

Description: None

• level_1

Automated: no

• api_server_admission_control_plugin_alwaysadmit: Disable the AlwaysAdmit Admission Control Plugin
• api_server_admission_control_plugin_alwayspullimages: Ensure that the Admission Control Plugin AlwaysPullImages is not set
• api_server_admission_control_plugin_namespacelifecycle: Enable the NamespaceLifecycle Admission Control Plugin
• api_server_admission_control_plugin_noderestriction: Enable the NodeRestriction Admission Control Plugin
• api_server_admission_control_plugin_scc: Enable the SecurityContextConstraint Admission Control Plugin
• api_server_admission_control_plugin_service_account: Enable the ServiceAccount Admission Control Plugin
• api_server_anonymous_auth: Ensure that anonymous requests to the API Server are authorized
• api_server_api_priority_gate_enabled: Enable the APIPriorityAndFairness feature gate
• api_server_audit_log_maxbackup: Configure the Kubernetes API Server Maximum Retained Audit Logs
• api_server_audit_log_maxsize: Configure Kubernetes API Server Maximum Audit Log Size
• api_server_audit_log_path: Configure the Audit Log Path
• api_server_auth_mode_no_aa: The authorization-mode cannot be AlwaysAllow
• api_server_auth_mode_rbac: Ensure authorization-mode RBAC is configured
• api_server_basic_auth: Disable basic-auth-file for the API Server
• api_server_bind_address: Ensure that the bindAddress is set to a relevant secure port
• api_server_client_ca: Configure the Client Certificate Authority for the API Server
• api_server_encryption_provider_cipher: Configure the Encryption Provider Cipher
• api_server_etcd_ca: Configure the etcd Certificate Authority for the API Server
• api_server_etcd_cert: Configure the etcd Certificate for the API Server
• api_server_etcd_key: Configure the etcd Certificate Key for the API Server
• api_server_https_for_kubelet_conn: Ensure that the --kubelet-https argument is set to true
• api_server_insecure_bind_address: Disable Use of the Insecure Bind Address
• api_server_insecure_port: Prevent Insecure Port Access
• api_server_kubelet_certificate_authority: Configure the kubelet Certificate Authority for the API Server
• api_server_kubelet_client_cert: Configure the kubelet Certificate File for the API Server
• api_server_kubelet_client_cert_pre_4_9: Configure the kubelet Certificate File for the API Server
• api_server_kubelet_client_key: Configure the kubelet Certificate Key for the API Server
• api_server_kubelet_client_key_pre_4_9: Configure the kubelet Certificate Key for the API Server
• api_server_oauth_https_serving_cert: Ensure the openshift-oauth-apiserver service uses TLS
• api_server_openshift_https_serving_cert: Ensure the openshift-oauth-apiserver service uses TLS
• api_server_profiling_protected_by_rbac: Profiling is protected by RBAC
• api_server_request_timeout: Configure the API Server Minimum Request Timeout
• api_server_service_account_lookup: Ensure that the service-account-lookup argument is set to true
• api_server_service_account_public_key: Configure the Service Account Public Key for the API Server
• api_server_tls_cert: Configure the Certificate for the API Server
• api_server_tls_cipher_suites: Use Strong Cryptographic Ciphers on the API Server
• api_server_tls_private_key: Configure the Certificate Key for the API Server
• api_server_token_auth: Disable Token-based Authentication
• audit_log_forwarding_enabled: Ensure that Audit Log Forwarding Is Enabled
• audit_log_forwarding_webhook: Ensure that Audit Log Webhook Is Configured
• ocp_api_server_audit_log_maxbackup: Configure the OpenShift API Server Maximum Retained Audit Logs
• ocp_api_server_audit_log_maxsize: Configure OpenShift API Server Maximum Audit Log Size
• openshift_api_server_audit_log_path: Configure the Audit Log Path

1.3.1: Ensure that controller manager healthz endpoints are protected by RBAC

Description: None

• level_1

Automated: yes

• rbac_debug_role_protects_pprof: Profiling is protected by RBAC

1.3.2: Ensure that the --use-service-account-credentials argument is set to true

Description: None

• level_1

Automated: yes

• controller_use_service_account: Ensure that use-service-account-credentials is enabled

1.3.3: Ensure that the --service-account-private-key-file argument is set as appropriate

Description: None

• level_1

Automated: yes

• controller_service_account_private_key: Configure the Service Account Private Key for the Controller Manager

1.3.4: Ensure that the --root-ca-file argument is set as appropriate

Description: None

• level_1

Automated: yes

• controller_service_account_ca: Configure the Service Account Certificate Authority Key for the Controller Manager

1.3.5: Ensure that the --bind-address argument is set to 127.0.0.1

Description: None

• level_1

Automated: yes

• controller_insecure_port_disabled: Ensure Controller insecure port argument is unset
• controller_secure_port: Ensure Controller secure-port argument is set

1.3: Controller Manager

Description: None

• level_1

Automated: no

• controller_insecure_port_disabled: Ensure Controller insecure port argument is unset
• controller_secure_port: Ensure Controller secure-port argument is set
• controller_service_account_ca: Configure the Service Account Certificate Authority Key for the Controller Manager
• controller_service_account_private_key: Configure the Service Account Private Key for the Controller Manager
• controller_use_service_account: Ensure that use-service-account-credentials is enabled
• rbac_debug_role_protects_pprof: Profiling is protected by RBAC

1.4.1: Ensure that the healthz endpoints for the scheduler are protected by RBAC

Description: None

• level_1

Automated: yes

• scheduler_profiling_protected_by_rbac: Verify that the scheduler API service is protected by RBAC

1.4.2: Verify that the scheduler API service is protected by RBAC

Description: None

• level_1

Automated: yes

• scheduler_service_protected_by_rbac: Verify that the scheduler API service is protected by RBAC

1.4: Scheduler

Description: None

• level_1

Automated: yes

• scheduler_profiling_protected_by_rbac: Verify that the scheduler API service is protected by RBAC
• scheduler_service_protected_by_rbac: Verify that the scheduler API service is protected by RBAC

1: Control Plane Components

Description: None

• level_1

Automated: no

• api_server_admission_control_plugin_alwaysadmit: Disable the AlwaysAdmit Admission Control Plugin
• api_server_admission_control_plugin_alwayspullimages: Ensure that the Admission Control Plugin AlwaysPullImages is not set
• api_server_admission_control_plugin_namespacelifecycle: Enable the NamespaceLifecycle Admission Control Plugin
• api_server_admission_control_plugin_noderestriction: Enable the NodeRestriction Admission Control Plugin
• api_server_admission_control_plugin_scc: Enable the SecurityContextConstraint Admission Control Plugin
• api_server_admission_control_plugin_service_account: Enable the ServiceAccount Admission Control Plugin
• api_server_anonymous_auth: Ensure that anonymous requests to the API Server are authorized
• api_server_api_priority_gate_enabled: Enable the APIPriorityAndFairness feature gate
• api_server_audit_log_maxbackup: Configure the Kubernetes API Server Maximum Retained Audit Logs
• api_server_audit_log_maxsize: Configure Kubernetes API Server Maximum Audit Log Size
• api_server_audit_log_path: Configure the Audit Log Path
• api_server_auth_mode_no_aa: The authorization-mode cannot be AlwaysAllow
• api_server_auth_mode_rbac: Ensure authorization-mode RBAC is configured
• api_server_basic_auth: Disable basic-auth-file for the API Server
• api_server_bind_address: Ensure that the bindAddress is set to a relevant secure port
• api_server_client_ca: Configure the Client Certificate Authority for the API Server
• api_server_encryption_provider_cipher: Configure the Encryption Provider Cipher
• api_server_etcd_ca: Configure the etcd Certificate Authority for the API Server
• api_server_etcd_cert: Configure the etcd Certificate for the API Server
• api_server_etcd_key: Configure the etcd Certificate Key for the API Server
• api_server_https_for_kubelet_conn: Ensure that the --kubelet-https argument is set to true
• api_server_insecure_bind_address: Disable Use of the Insecure Bind Address
• api_server_insecure_port: Prevent Insecure Port Access
• api_server_kubelet_certificate_authority: Configure the kubelet Certificate Authority for the API Server
• api_server_kubelet_client_cert: Configure the kubelet Certificate File for the API Server
• api_server_kubelet_client_cert_pre_4_9: Configure the kubelet Certificate File for the API Server
• api_server_kubelet_client_key: Configure the kubelet Certificate Key for the API Server
• api_server_kubelet_client_key_pre_4_9: Configure the kubelet Certificate Key for the API Server
• api_server_oauth_https_serving_cert: Ensure the openshift-oauth-apiserver service uses TLS
• api_server_openshift_https_serving_cert: Ensure the openshift-oauth-apiserver service uses TLS
• api_server_profiling_protected_by_rbac: Profiling is protected by RBAC
• api_server_request_timeout: Configure the API Server Minimum Request Timeout
• api_server_service_account_lookup: Ensure that the service-account-lookup argument is set to true
• api_server_service_account_public_key: Configure the Service Account Public Key for the API Server
• api_server_tls_cert: Configure the Certificate for the API Server
• api_server_tls_cipher_suites: Use Strong Cryptographic Ciphers on the API Server
• api_server_tls_private_key: Configure the Certificate Key for the API Server
• api_server_token_auth: Disable Token-based Authentication
• audit_log_forwarding_enabled: Ensure that Audit Log Forwarding Is Enabled
• audit_log_forwarding_webhook: Ensure that Audit Log Webhook Is Configured
• controller_insecure_port_disabled: Ensure Controller insecure port argument is unset
• controller_secure_port: Ensure Controller secure-port argument is set
• controller_service_account_ca: Configure the Service Account Certificate Authority Key for the Controller Manager
• controller_service_account_private_key: Configure the Service Account Private Key for the Controller Manager
• controller_use_service_account: Ensure that use-service-account-credentials is enabled
• file_groupowner_cni_conf: Verify Group Who Owns The OpenShift Container Network Interface Files
• file_groupowner_controller_manager_kubeconfig: Verify Group Who Owns The OpenShift Controller Manager Kubeconfig File
• file_groupowner_etcd_data_dir: Verify Group Who Owns The Etcd Database Directory
• file_groupowner_etcd_data_files: Verify Group Who Owns The Etcd Write-Ahead-Log Files
• file_groupowner_etcd_member: Verify Group Who Owns The etcd Member Pod Specification File
• file_groupowner_etcd_pki_cert_files: Verify Group Who Owns The Etcd PKI Certificate Files
• file_groupowner_ip_allocations: Verify Group Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations
• file_groupowner_kube_apiserver: Verify Group Who Owns The Kubernetes API Server Pod Specification File
• file_groupowner_kube_controller_manager: Verify Group Who Owns The Kubernetes Controller Manager Pod Specification File
• file_groupowner_kube_scheduler: Verify Group Who Owns The Kubernetes Scheduler Pod Specification File
• file_groupowner_master_admin_kubeconfigs: Verify Group Who Owns The OpenShift Admin Kubeconfig Files
• file_groupowner_multus_conf: Verify Group Who Owns The OpenShift Multus Container Network Interface Plugin Files
• file_groupowner_openshift_pki_cert_files: Verify Group Who Owns The OpenShift PKI Certificate Files
• file_groupowner_openshift_pki_key_files: Verify Group Who Owns The OpenShift PKI Private Key Files
• file_groupowner_openshift_sdn_cniserver_config: Verify Group Who Owns The OpenShift SDN CNI Server Config
• file_groupowner_ovn_cni_server_sock: Verify Group Who Owns The OVNKubernetes Socket
• file_groupowner_ovn_db_files: Verify Group Who Owns The OVNKubernetes DB files
• file_groupowner_ovs_conf_db: Verify Group Who Owns The Open vSwitch Configuration Database
• file_groupowner_ovs_conf_db_lock: Verify Group Who Owns The Open vSwitch Configuration Database Lock
• file_groupowner_ovs_pid: Verify Group Who Owns The Open vSwitch Process ID File
• file_groupowner_ovs_sys_id_conf: Verify Group Who Owns The Open vSwitch Persistent System ID
• file_groupowner_ovs_vswitchd_pid: Verify Group Who Owns The Open vSwitch Daemon PID File
• file_groupowner_ovsdb_server_pid: Verify Group Who Owns The Open vSwitch Database Server PID
• file_groupowner_scheduler_kubeconfig: Verify Group Who Owns The Kubernetes Scheduler Kubeconfig File
• file_owner_cni_conf: Verify User Who Owns The OpenShift Container Network Interface Files
• file_owner_controller_manager_kubeconfig: Verify User Who Owns The OpenShift Controller Manager Kubeconfig File
• file_owner_etcd_data_dir: Verify User Who Owns The Etcd Database Directory
• file_owner_etcd_data_files: Verify User Who Owns The Etcd Write-Ahead-Log Files
• file_owner_etcd_member: Verify User Who Owns The Etcd Member Pod Specification File
• file_owner_etcd_pki_cert_files: Verify User Who Owns The Etcd PKI Certificate Files
• file_owner_ip_allocations: Verify User Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations
• file_owner_kube_apiserver: Verify User Who Owns The Kubernetes API Server Pod Specification File
• file_owner_kube_controller_manager: Verify User Who Owns The Kubernetes Controller Manager Pod Specification File
• file_owner_kube_scheduler: Verify User Who Owns The Kubernetes Scheduler Pod Specification File
• file_owner_master_admin_kubeconfigs: Verify User Who Owns The OpenShift Admin Kubeconfig Files
• file_owner_multus_conf: Verify User Who Owns The OpenShift Multus Container Network Interface Plugin Files
• file_owner_openshift_pki_cert_files: Verify User Who Owns The OpenShift PKI Certificate Files
• file_owner_openshift_pki_key_files: Verify User Who Owns The OpenShift PKI Private Key Files
• file_owner_openshift_sdn_cniserver_config: Verify User Who Owns The OpenShift SDN CNI Server Config
• file_owner_ovn_cni_server_sock: Verify User Who Owns The OVNKubernetes Socket
• file_owner_ovn_db_files: Verify Who Owns The OVNKubernetes DB files
• file_owner_ovs_conf_db: Verify User Who Owns The Open vSwitch Configuration Database
• file_owner_ovs_conf_db_lock: Verify User Who Owns The Open vSwitch Configuration Database Lock
• file_owner_ovs_pid: Verify User Who Owns The Open vSwitch Process ID File
• file_owner_ovs_sys_id_conf: Verify User Who Owns The Open vSwitch Persistent System ID
• file_owner_ovs_vswitchd_pid: Verify User Who Owns The Open vSwitch Daemon PID File
• file_owner_ovsdb_server_pid: Verify User Who Owns The Open vSwitch Database Server PID
• file_owner_scheduler_kubeconfig: Verify User Who Owns The Kubernetes Scheduler Kubeconfig File
• file_permissions_cni_conf: Verify Permissions on the OpenShift Container Network Interface Files
• file_permissions_controller_manager_kubeconfig: Verify Permissions on the OpenShift Controller Manager Kubeconfig File
• file_permissions_etcd_data_dir: Verify Permissions on the Etcd Database Directory
• file_permissions_etcd_data_files: Verify Permissions on the Etcd Write-Ahead-Log Files
• file_permissions_etcd_member: Verify Permissions on the Etcd Member Pod Specification File
• file_permissions_etcd_pki_cert_files: Verify Permissions on the Etcd PKI Certificate Files
• file_permissions_ip_allocations: Verify Permissions on the OpenShift SDN Container Network Interface Plugin IP Address Allocations
• file_permissions_kube_apiserver: Verify Permissions on the Kubernetes API Server Pod Specification File
• file_permissions_kube_controller_manager: Verify Permissions on the Kubernetes Controller Manager Pod Specification File
• file_permissions_master_admin_kubeconfigs: Verify Permissions on the OpenShift Admin Kubeconfig Files
• file_permissions_multus_conf: Verify Permissions on the OpenShift Multus Container Network Interface Plugin Files
• file_permissions_openshift_pki_cert_files: Verify Permissions on the OpenShift PKI Certificate Files
• file_permissions_openshift_pki_key_files: Verify Permissions on the OpenShift PKI Private Key Files
• file_permissions_ovn_cni_server_sock: Verify Permissions on the OVNKubernetes socket
• file_permissions_ovn_db_files: Verify Permissions on the OVNKubernetes DB files
• file_permissions_ovs_conf_db: Verify Permissions on the Open vSwitch Configuration Database
• file_permissions_ovs_conf_db_lock: Verify Permissions on the Open vSwitch Configuration Database Lock
• file_permissions_ovs_pid: Verify Permissions on the Open vSwitch Process ID File
• file_permissions_ovs_sys_id_conf: Verify Permissions on the Open vSwitch Persistent System ID
• file_permissions_ovs_vswitchd_pid: Verify Permissions on the Open vSwitch Daemon PID File
• file_permissions_ovsdb_server_pid: Verify Permissions on the Open vSwitch Database Server PID
• file_permissions_scheduler: Verify Permissions on the Kubernetes Scheduler Pod Specification File
• file_permissions_scheduler_kubeconfig: Verify Permissions on the Kubernetes Scheduler Kubeconfig File
• file_perms_openshift_sdn_cniserver_config: Verify Permissions on the OpenShift SDN CNI Server Config
• ocp_api_server_audit_log_maxbackup: Configure the OpenShift API Server Maximum Retained Audit Logs
• ocp_api_server_audit_log_maxsize: Configure OpenShift API Server Maximum Audit Log Size
• openshift_api_server_audit_log_path: Configure the Audit Log Path
• rbac_debug_role_protects_pprof: Profiling is protected by RBAC
• scheduler_profiling_protected_by_rbac: Verify that the scheduler API service is protected by RBAC
• scheduler_service_protected_by_rbac: Verify that the scheduler API service is protected by RBAC

5.1.1: Ensure that the cluster-admin role is only used where required

Description: None

• level_1

Automated: no

• rbac_limit_cluster_admin: Ensure that the cluster-admin role is only used where required

5.1.2: Minimize access to secrets

Description: None

• level_1

Automated: no

• rbac_limit_secrets_access: Limit Access to Kubernetes Secrets

5.1.3: Minimize wildcard use in Roles and ClusterRoles

Description: None

• level_1

Automated: no

• rbac_wildcard_use: Minimize Wildcard Usage in Cluster and Local Roles

5.1.4: Minimize access to create pods

Description: None

• level_1

Automated: no

• rbac_pod_creation_access: Minimize Access to Pod Creation

5.1.5: Ensure that default service accounts are not actively used.

Description: None

• level_1

Automated: no

• accounts_unique_service_account: Ensure Usage of Unique Service Accounts

5.1.6: Ensure that Service Account Tokens are only mounted where necessary

Description: None

• level_1

Automated: no

• accounts_restrict_service_account_tokens: Restrict Automounting of Service Account Tokens

5.1: RBAC and Service Accounts

Description: None

• level_1

Automated: no

• accounts_restrict_service_account_tokens: Restrict Automounting of Service Account Tokens
• accounts_unique_service_account: Ensure Usage of Unique Service Accounts
• rbac_limit_cluster_admin: Ensure that the cluster-admin role is only used where required
• rbac_limit_secrets_access: Limit Access to Kubernetes Secrets
• rbac_pod_creation_access: Minimize Access to Pod Creation
• rbac_wildcard_use: Minimize Wildcard Usage in Cluster and Local Roles

5.2.1: Minimize the admission of privileged containers

Description: None

• level_1

Automated: no

• scc_limit_privileged_containers: Limit Privileged Container Use

5.2.2: Minimize the admission of containers wishing to share the host process ID namespace

Description: None

• level_1

Automated: no

• scc_limit_process_id_namespace: Limit Access to the Host Process ID Namespace

5.2.3: Minimize the admission of containers wishing to share the host IPC namespace

Description: None

• level_1

Automated: no

• scc_limit_ipc_namespace: Limit Access to the Host IPC Namespace

5.2.4: Minimize the admission of containers wishing to share the host network namespace

Description: None

• level_1

Automated: no

• scc_limit_network_namespace: Limit Access to the Host Network Namespace

5.2.5: Minimize the admission of containers with allowPrivilegeEscalation

Description: None

• level_1

Automated: no

• scc_limit_privilege_escalation: Limit Containers Ability to Escalate Privileges

5.2.6: Minimize the admission of root containers

Description: None

• level_2

Automated: no

• scc_limit_root_containers: Limit Container Running As Root User

5.2.7: Minimize the admission of containers with the NET_RAW capability

Description: None

• level_1

Automated: no

• scc_limit_net_raw_capability: Limit Use of the CAP_NET_RAW

5.2.8: Minimize the admission of containers with added capabilities

Description: None

• level_1

Automated: yes

• scc_limit_container_allowed_capabilities: Limit Container Capabilities

5.2.9: Minimize the admission of containers with capabilities assigned

Description: None

• level_2

Automated: no

• scc_drop_container_capabilities: Drop Container Capabilities

5.2.10: Minimize access to privileged Security Context Constraints

Description: None

• level_2

Automated: no

• rbac_least_privilege: Ensure that the RBAC setup follows the principle of least privilege

5.2: Security Context Constraints

Description: None

• level_1

Automated: no

• rbac_least_privilege: Ensure that the RBAC setup follows the principle of least privilege
• scc_drop_container_capabilities: Drop Container Capabilities
• scc_limit_container_allowed_capabilities: Limit Container Capabilities
• scc_limit_ipc_namespace: Limit Access to the Host IPC Namespace
• scc_limit_net_raw_capability: Limit Use of the CAP_NET_RAW
• scc_limit_network_namespace: Limit Access to the Host Network Namespace
• scc_limit_privilege_escalation: Limit Containers Ability to Escalate Privileges
• scc_limit_privileged_containers: Limit Privileged Container Use
• scc_limit_process_id_namespace: Limit Access to the Host Process ID Namespace
• scc_limit_root_containers: Limit Container Running As Root User

5.3.1: Ensure that the CNI in use supports Network Policies

Description: None

• level_1

Automated: yes

• configure_network_policies: Ensure that the CNI in use supports Network Policies

5.3.2: Ensure that all Namespaces have Network Policies defined

Description: None

• level_2

Automated: no

• configure_network_policies_hypershift_hosted: Ensure that HyperShift Hosted Namespaces have Network Policies defined.
• configure_network_policies_namespaces: Ensure that application Namespaces have Network Policies defined.

5.3: Network Policies and CNI

Description: None

• level_1

Automated: no

• configure_network_policies: Ensure that the CNI in use supports Network Policies
• configure_network_policies_hypershift_hosted: Ensure that HyperShift Hosted Namespaces have Network Policies defined.
• configure_network_policies_namespaces: Ensure that application Namespaces have Network Policies defined.

5.4.1: Prefer using secrets as files over secrets as environment variables

Description: None

• level_1

Automated: no

• secrets_no_environment_variables: Do Not Use Environment Variables with Secrets

5.4.2: Consider external secret storage

Description: None

• level_2

Automated: no

• secrets_consider_external_storage: Consider external secret storage

5.4: Secrets Management

Description: None

• level_1

Automated: no

• secrets_consider_external_storage: Consider external secret storage
• secrets_no_environment_variables: Do Not Use Environment Variables with Secrets

5.5.1: Configure Image Provenance using image controller configuration parameters

Description: None

• level_2

Automated: yes

• ocp_allowed_registries: Allowed registries are configured
• ocp_allowed_registries_for_import: Allowed registries for import are configured
• ocp_insecure_allowed_registries_for_import: Check configured allowed registries for import uses secure protocol
• ocp_insecure_registries: Check if any insecure registry sources is configured

5.5: Extensible Admission Control

Description: None

• level_1

Automated: yes

• ocp_allowed_registries: Allowed registries are configured
• ocp_allowed_registries_for_import: Allowed registries for import are configured
• ocp_insecure_allowed_registries_for_import: Check configured allowed registries for import uses secure protocol
• ocp_insecure_registries: Check if any insecure registry sources is configured

5.7.1: Create administrative boundaries between resources using namespaces

Description: None

• level_1

Automated: no

• general_namespaces_in_use: Create administrative boundaries between resources using namespaces

5.7.2: Ensure that the seccomp profile is set to docker/default in your pod definitions

Description: None

• level_2

Automated: no

• general_default_seccomp_profile: Ensure Seccomp Profile Pod Definitions

5.7.3: Apply Security Context to Your Pods and Containers

Description: None

• level_2

Automated: no

• general_apply_scc: Apply Security Context to Your Pods and Containers

5.7.4: The default namespace should not be used

Description: None

• level_2

Automated: no

• general_default_namespace_use: The default namespace should not be used

5.7: General Policies

Description: None

• level_1

Automated: no

• general_apply_scc: Apply Security Context to Your Pods and Containers
• general_default_namespace_use: The default namespace should not be used
• general_default_seccomp_profile: Ensure Seccomp Profile Pod Definitions
• general_namespaces_in_use: Create administrative boundaries between resources using namespaces

5: Policies

Description: None

• level_1

Automated: no

• accounts_restrict_service_account_tokens: Restrict Automounting of Service Account Tokens
• accounts_unique_service_account: Ensure Usage of Unique Service Accounts
• configure_network_policies: Ensure that the CNI in use supports Network Policies
• configure_network_policies_hypershift_hosted: Ensure that HyperShift Hosted Namespaces have Network Policies defined.
• configure_network_policies_namespaces: Ensure that application Namespaces have Network Policies defined.
• general_apply_scc: Apply Security Context to Your Pods and Containers
• general_default_namespace_use: The default namespace should not be used
• general_default_seccomp_profile: Ensure Seccomp Profile Pod Definitions
• general_namespaces_in_use: Create administrative boundaries between resources using namespaces
• ocp_allowed_registries: Allowed registries are configured
• ocp_allowed_registries_for_import: Allowed registries for import are configured
• ocp_insecure_allowed_registries_for_import: Check configured allowed registries for import uses secure protocol
• ocp_insecure_registries: Check if any insecure registry sources is configured
• rbac_least_privilege: Ensure that the RBAC setup follows the principle of least privilege
• rbac_limit_cluster_admin: Ensure that the cluster-admin role is only used where required
• rbac_limit_secrets_access: Limit Access to Kubernetes Secrets
• rbac_pod_creation_access: Minimize Access to Pod Creation
• rbac_wildcard_use: Minimize Wildcard Usage in Cluster and Local Roles
• scc_drop_container_capabilities: Drop Container Capabilities
• scc_limit_container_allowed_capabilities: Limit Container Capabilities
• scc_limit_ipc_namespace: Limit Access to the Host IPC Namespace
• scc_limit_net_raw_capability: Limit Use of the CAP_NET_RAW
• scc_limit_network_namespace: Limit Access to the Host Network Namespace
• scc_limit_privilege_escalation: Limit Containers Ability to Escalate Privileges
• scc_limit_privileged_containers: Limit Privileged Container Use
• scc_limit_process_id_namespace: Limit Access to the Host Process ID Namespace
• scc_limit_root_containers: Limit Container Running As Root User
• secrets_consider_external_storage: Consider external secret storage
• secrets_no_environment_variables: Do Not Use Environment Variables with Secrets

4.1.1: Ensure that the kubelet service file permissions are set to 644 or more restrictive

Description: None

• level_1

Automated: yes

• file_permissions_worker_service: Verify Permissions on the OpenShift Node Service File

4.1.2: Ensure that the kubelet service file ownership is set to root:root

Description: None

• level_1

Automated: yes

• file_groupowner_worker_service: Verify Group Who Owns The OpenShift Node Service File
• file_owner_worker_service: Verify User Who Owns The OpenShift Node Service File

4.1.3: If proxy kube proxy configuration file exists ensure permissions are set to 644 or more restrictive

Description: None

• level_1

Automated: yes

• file_permissions_proxy_kubeconfig: Verify Permissions on the Worker Proxy Kubeconfig File

4.1.4: If proxy kubeconfig file exists ensure ownership is set to root:root

Description: None

• level_1

Automated: yes

• file_groupowner_proxy_kubeconfig: Verify Group Who Owns The Worker Proxy Kubeconfig File
• file_owner_proxy_kubeconfig: Verify User Who Owns The Worker Proxy Kubeconfig File

4.1.5: Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive

Description: None

• level_1

Automated: yes

• file_permissions_kubelet_conf: Verify Permissions on The Kubelet Configuration File

4.1.6: Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root

Description: None

• level_1

Automated: yes

• file_groupowner_kubelet_conf: Verify Group Who Owns The Kubelet Configuration File
• file_owner_kubelet: Verify User Who Owns The Kubelet Configuration File
• file_owner_kubelet_conf: Verify User Who Owns The Kubelet Configuration File

4.1.7: Ensure that the certificate authorities file permissions are set to 644 or more restrictive

Description: None

• level_1

Automated: yes

• file_permissions_worker_ca: Verify Permissions on the Worker Certificate Authority File

4.1.8: Ensure that the client certificate authorities file ownership is set to root:root

Description: None

• level_1

Automated: yes

• file_groupowner_worker_ca: Verify Group Who Owns the Worker Certificate Authority File
• file_owner_worker_ca: Verify User Who Owns the Worker Certificate Authority File

4.1.9: Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive

Description: None

• level_1

Automated: yes

• file_permissions_worker_kubeconfig: Verify Permissions on the Worker Kubeconfig File

4.1.10: Ensure that the kubelet configuration file ownership is set to root:root

Description: None

• level_1

Automated: yes

• file_groupowner_worker_kubeconfig: Verify Group Who Owns The Worker Kubeconfig File
• file_owner_worker_kubeconfig: Verify User Who Owns The Worker Kubeconfig File

4.1: Worker Node Configuration Files

Description: None

• level_1

Automated: no

• file_groupowner_kubelet_conf: Verify Group Who Owns The Kubelet Configuration File
• file_groupowner_proxy_kubeconfig: Verify Group Who Owns The Worker Proxy Kubeconfig File
• file_groupowner_worker_ca: Verify Group Who Owns the Worker Certificate Authority File
• file_groupowner_worker_kubeconfig: Verify Group Who Owns The Worker Kubeconfig File
• file_groupowner_worker_service: Verify Group Who Owns The OpenShift Node Service File
• file_owner_kubelet: Verify User Who Owns The Kubelet Configuration File
• file_owner_kubelet_conf: Verify User Who Owns The Kubelet Configuration File
• file_owner_proxy_kubeconfig: Verify User Who Owns The Worker Proxy Kubeconfig File
• file_owner_worker_ca: Verify User Who Owns the Worker Certificate Authority File
• file_owner_worker_kubeconfig: Verify User Who Owns The Worker Kubeconfig File
• file_owner_worker_service: Verify User Who Owns The OpenShift Node Service File
• file_permissions_kubelet_conf: Verify Permissions on The Kubelet Configuration File
• file_permissions_proxy_kubeconfig: Verify Permissions on the Worker Proxy Kubeconfig File
• file_permissions_worker_ca: Verify Permissions on the Worker Certificate Authority File
• file_permissions_worker_kubeconfig: Verify Permissions on the Worker Kubeconfig File
• file_permissions_worker_service: Verify Permissions on the OpenShift Node Service File

4.2.1: Activate Garbage collection in OpenShift Container Platform 4, as appropriate

Description: None

• level_1

Automated: yes

• kubelet_eviction_thresholds_set_hard_imagefs_available: Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available
• kubelet_eviction_thresholds_set_hard_memory_available: Ensure Eviction threshold Settings Are Set - evictionHard: memory.available
• kubelet_eviction_thresholds_set_hard_nodefs_available: Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available
• kubelet_eviction_thresholds_set_hard_nodefs_inodesfree: Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree

4.2.2: Ensure that the --anonymous-auth argument is set to false

Description: None

• level_1

Automated: yes

• kubelet_anonymous_auth: Disable Anonymous Authentication to the Kubelet

4.2.3: Ensure that the --authorization-mode argument is not set to AlwaysAllow

Description: None

• level_1

Automated: yes

• kubelet_authorization_mode: Ensure authorization is set to Webhook

4.2.4: Ensure that the --client-ca-file argument is set as appropriate

Description: None

• level_1

Automated: yes

• kubelet_configure_client_ca: kubelet - Configure the Client CA Certificate

4.2.5: Verify that the read only port is not used or is set to 0

Description: None

• level_1

Automated: yes

• kubelet_disable_readonly_port: kubelet - Disable the Read-Only Port

4.2.6: Ensure that the --streaming-connection-idle-timeout argument is not set to 0

Description: None

• level_1

Automated: yes

• kubelet_enable_streaming_connections: kubelet - Do Not Disable Streaming Timeouts

4.2.7: Ensure that the --make-iptables-util-chains argument is set to true

Description: None

• level_1

Automated: yes

• kubelet_enable_iptables_util_chains: kubelet - Allow Automatic Firewall Configuration

4.2.8: Ensure that the kubeAPIQPS [--event-qps] argument is set to 0 or a level which ensures appropriate event capture

Description: None

• level_2

Automated: yes

• kubelet_configure_event_creation: Kubelet - Ensure Event Creation Is Configured

4.2.9: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate

Description: None

• level_1

Automated: yes

• kubelet_configure_tls_cert: Ensure That The kubelet Client Certificate Is Correctly Set
• kubelet_configure_tls_key: Ensure That The kubelet Server Key Is Correctly Set

4.2.10: Ensure that the --rotate-certificates argument is not set to false

Description: None

• level_1

Automated: yes

• kubelet_enable_cert_rotation: kubelet - Enable Certificate Rotation
• kubelet_enable_client_cert_rotation: kubelet - Enable Client Certificate Rotation

4.2.11: Verify that the RotateKubeletServerCertificate argument is set to true

Description: None

• level_1

Automated: yes

• kubelet_enable_server_cert_rotation: kubelet - Enable Server Certificate Rotation

4.2.12: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers

Description: None

• level_1

Automated: yes

• kubelet_configure_tls_cipher_suites: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers

4.2: Kubelet

Description: None

• level_1

Automated: no

• kubelet_anonymous_auth: Disable Anonymous Authentication to the Kubelet
• kubelet_authorization_mode: Ensure authorization is set to Webhook
• kubelet_configure_client_ca: kubelet - Configure the Client CA Certificate
• kubelet_configure_event_creation: Kubelet - Ensure Event Creation Is Configured
• kubelet_configure_tls_cert: Ensure That The kubelet Client Certificate Is Correctly Set
• kubelet_configure_tls_cipher_suites: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
• kubelet_configure_tls_key: Ensure That The kubelet Server Key Is Correctly Set
• kubelet_disable_readonly_port: kubelet - Disable the Read-Only Port
• kubelet_enable_cert_rotation: kubelet - Enable Certificate Rotation
• kubelet_enable_client_cert_rotation: kubelet - Enable Client Certificate Rotation
• kubelet_enable_iptables_util_chains: kubelet - Allow Automatic Firewall Configuration
• kubelet_enable_server_cert_rotation: kubelet - Enable Server Certificate Rotation
• kubelet_enable_streaming_connections: kubelet - Do Not Disable Streaming Timeouts
• kubelet_eviction_thresholds_set_hard_imagefs_available: Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available
• kubelet_eviction_thresholds_set_hard_memory_available: Ensure Eviction threshold Settings Are Set - evictionHard: memory.available
• kubelet_eviction_thresholds_set_hard_nodefs_available: Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available
• kubelet_eviction_thresholds_set_hard_nodefs_inodesfree: Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree

4: Worker Nodes

Description: None

• level_1

Automated: no

• file_groupowner_kubelet_conf: Verify Group Who Owns The Kubelet Configuration File
• file_groupowner_proxy_kubeconfig: Verify Group Who Owns The Worker Proxy Kubeconfig File
• file_groupowner_worker_ca: Verify Group Who Owns the Worker Certificate Authority File
• file_groupowner_worker_kubeconfig: Verify Group Who Owns The Worker Kubeconfig File
• file_groupowner_worker_service: Verify Group Who Owns The OpenShift Node Service File
• file_owner_kubelet: Verify User Who Owns The Kubelet Configuration File
• file_owner_kubelet_conf: Verify User Who Owns The Kubelet Configuration File
• file_owner_proxy_kubeconfig: Verify User Who Owns The Worker Proxy Kubeconfig File
• file_owner_worker_ca: Verify User Who Owns the Worker Certificate Authority File
• file_owner_worker_kubeconfig: Verify User Who Owns The Worker Kubeconfig File
• file_owner_worker_service: Verify User Who Owns The OpenShift Node Service File
• file_permissions_kubelet_conf: Verify Permissions on The Kubelet Configuration File
• file_permissions_proxy_kubeconfig: Verify Permissions on the Worker Proxy Kubeconfig File
• file_permissions_worker_ca: Verify Permissions on the Worker Certificate Authority File
• file_permissions_worker_kubeconfig: Verify Permissions on the Worker Kubeconfig File
• file_permissions_worker_service: Verify Permissions on the OpenShift Node Service File
• kubelet_anonymous_auth: Disable Anonymous Authentication to the Kubelet
• kubelet_authorization_mode: Ensure authorization is set to Webhook
• kubelet_configure_client_ca: kubelet - Configure the Client CA Certificate
• kubelet_configure_event_creation: Kubelet - Ensure Event Creation Is Configured
• kubelet_configure_tls_cert: Ensure That The kubelet Client Certificate Is Correctly Set
• kubelet_configure_tls_cipher_suites: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
• kubelet_configure_tls_key: Ensure That The kubelet Server Key Is Correctly Set
• kubelet_disable_readonly_port: kubelet - Disable the Read-Only Port
• kubelet_enable_cert_rotation: kubelet - Enable Certificate Rotation
• kubelet_enable_client_cert_rotation: kubelet - Enable Client Certificate Rotation
• kubelet_enable_iptables_util_chains: kubelet - Allow Automatic Firewall Configuration
• kubelet_enable_server_cert_rotation: kubelet - Enable Server Certificate Rotation
• kubelet_enable_streaming_connections: kubelet - Do Not Disable Streaming Timeouts
• kubelet_eviction_thresholds_set_hard_imagefs_available: Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available
• kubelet_eviction_thresholds_set_hard_memory_available: Ensure Eviction threshold Settings Are Set - evictionHard: memory.available
• kubelet_eviction_thresholds_set_hard_nodefs_available: Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available
• kubelet_eviction_thresholds_set_hard_nodefs_inodesfree: Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree