Group
Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4
Group contains 7 groups and 101 rules |
Group
Kubernetes Settings
Group contains 6 groups and 101 rules |
[ref]
Each section of this configuration guide includes information about the
configuration of a Kubernetes cluster and a set of recommendations for
hardening the configuration. For each hardening recommendation, information
on how to implement the control and/or how to verify or audit the control
is provided. In some cases, remediation information is also provided.
Some of the settings in the hardening guide are in place by default. The
audit information for these settings is provided in order to verify that
the cluster administrator has not made changes that would be less secure.
A small number of items require configuration.
Finally, there are some recommendations that require decisions by the
system operator, such as audit log size, retention, and related settings. |
Group
OpenShift etcd Settings
Group contains 1 rule |
[ref]
Contains rules that check correct OpenShift etcd settings. |
Rule
Configure A Unique CA Certificate for etcd
[ref] | A unique CA certificate should be created for etcd . OpenShift by
default creates separate PKIs for etcd and the Kubernetes API server. The
same is done for other points of communication in the cluster. Warning:
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | The Kubernetes API server and etcd utilize separate CA certificates in
OpenShift. This ensures that the etcd data is still protected in the event
that the API server CA is compromised. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_etcd_unique_ca | Identifiers and References | References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 2.7 | |
|
Group
Kubernetes - General Security Practices
Group contains 1 rule |
[ref]
Contains evaluations for general security practices for operating a Kubernetes environment. |
Rule
Ensure TLS v1.2 is minimum for Openshift master and worker nodes
[ref] | Ensure that the Kubelet is configured to only use strong cryptographic ciphers.
To set the cipher suites for the kubelet, create new or modify existing
KubeletConfig object along these lines, one for every
MachineConfigPool :
apiVersion: machineconfiguration.openshift.io/v1
kind: KubeletConfig
metadata:
name: kubelet-config-$pool
spec:
machineConfigPoolSelector:
matchLabels:
pools.operator.machineconfiguration.openshift.io/$pool_name: ""
kubeletConfig:
tlsMinVersion: VersionTLS12
| Rationale: | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
protect data. The system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_tls_version_check_masters_workers | Identifiers and References | Identifiers:
CCE-85864-7 References:
Req-4.1 | |
|
Group
Kubernetes Kubelet Settings
Group contains 2 rules |
[ref]
The Kubernetes Kubelet is an agent that runs on each node in the cluster. It
makes sure that containers are running in a pod.
The kubelet takes a set of PodSpecs that are provided through various
mechanisms and ensures that the containers described in those PodSpecs are
running and healthy. The kubelet doesn’t manage containers which were not
created by Kubernetes. |
Rule
kubelet - Enable Protect Kernel Defaults
[ref] |
Protect tuned kernel parameters from being overwritten by the kubelet.
Before enabling this kernel parameter, it's important and
necessary to first create a MachineConfig object that persist
the required sysctl's. The required sysctl's are the following:
kernel.keys.root_maxbytes=25000000
kernel.keys.root_maxkeys=1000000
kernel.panic=10
kernel.panic_on_oops=1
vm.overcommit_memory=1
vm.panic_on_oom=0
The these need to be enabled via MachineConfig since they need to be
available as soon as the node starts and before the Kubelet does.
The manifest may look as follows:
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
labels:
machineconfiguration.openshift.io/role: master
name: 75-master-kubelet-sysctls
spec:
config:
ignition:
version: 3.1.0
storage:
files:
- contents:
source: data:,vm.overcommit_memory%3D1%0Avm.panic_on_oom%3D0%0Akernel.panic%3D10%0Akernel.panic_on_oops%3D1%0Akernel.keys.root_maxkeys%3D1000000%0Akernel.keys.root_maxbytes%3D25000000%0A
mode: 0644
path: /etc/sysctl.d/90-kubelet.conf
overwrite: true
This will need to be done for each relevant MachineConfigPool
in the cluster.
After enabling this and after the changes have successfully rolled out
to the whole cluster, it will now be possible to set the
protectKernelDefaults parameter.
To configure, follow the directions in
the documentation
| Rationale: | Kernel parameters are usually tuned and hardened by the system administrators
before putting the systems into production. These parameters protect the
kernel and the system. Your kubelet kernel defaults that rely on such
parameters should be appropriately set to match the desired secured system
state. Ignoring this could potentially lead to running pods with undesired
kernel behavior. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_defaults | Identifiers and References | References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 4.2.6 | |
|
Rule
kubelet - Set Up Sysctl to Enable Protect Kernel Defaults
[ref] |
Setup required tuned kernel parameters before enabling overwritten protection. Note
that depending on the Linux distribution and its version that your cluster nodes are
running, these parameters might be already set up for you. Please refer to the rule
instructions for a check.
Before enabling kernel parameter overwritten protection default,
it's important to check if these values are already set to the required values.
If not, it is necessary to first create a MachineConfig
object that persist the required sysctl's. The required sysctl's are the following:
kernel.keys.root_maxbytes=25000000
kernel.keys.root_maxkeys=1000000
kernel.panic=10
kernel.panic_on_oops=1
vm.overcommit_memory=1
vm.panic_on_oom=0
The these need to be enabled via MachineConfig since they need to be
available as soon as the node starts and before the Kubelet does.
The manifest may look as follows:
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
labels:
machineconfiguration.openshift.io/role: master
name: 75-master-kubelet-sysctls
spec:
config:
ignition:
version: 3.1.0
storage:
files:
- contents:
source: data:,vm.overcommit_memory%3D1%0Avm.panic_on_oom%3D0%0Akernel.panic%3D10%0Akernel.panic_on_oops%3D1%0Akernel.keys.root_maxkeys%3D1000000%0Akernel.keys.root_maxbytes%3D25000000%0A
mode: 0644
path: /etc/sysctl.d/90-kubelet.conf
overwrite: true
This will need to be done for each relevant MachineConfigPool
in the cluster.
To configure, follow the directions in
the documentation
| Rationale: | Kernel parameters are usually tuned and hardened by the system administrators
before putting the systems into production. These parameters protect the
kernel and the system. Your kubelet kernel defaults that rely on such
parameters should be appropriately set to match the desired secured system
state. Ignoring this could potentially lead to running pods with undesired
kernel behavior. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl | Identifiers and References | Identifiers:
CCE-86688-9 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 4.2.6 | |
|
Group
OpenShift - Logging Settings
Group contains 12 rules |
[ref]
Contains evaluations for the cluster's logging configuration settings. |
Rule
The Kubernetes Audit Logs Directory Must Have Mode 0700
[ref] |
To properly set the permissions of /var/log/kube-apiserver/ , run the command:
$ sudo chmod 0700 /var/log/kube-apiserver/ | Rationale: | If users can write to audit logs, audit trails can be modified or destroyed. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_directory_permissions_var_log_kube_audit | Identifiers and References | Identifiers:
CCE-83645-2 References:
1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CIP-007-3 R6.5, CM-6(a), AC-6(1), AU-9, DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.2, SRG-APP-000118-CTR-000240, SRG-APP-000119-CTR-000245, SRG-APP-000120-CTR-000250, SRG-APP-000121-CTR-000255, SRG-APP-000122-CTR-000260, SRG-APP-000123-CTR-000265 | |
|
Rule
The OAuth Audit Logs Directory Must Have Mode 0700
[ref] |
To properly set the permissions of /var/log/oauth-apiserver/ , run the command:
$ sudo chmod 0700 /var/log/oauth-apiserver/ | Rationale: | If users can write to audit logs, audit trails can be modified or destroyed. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_directory_permissions_var_log_oauth_audit | Identifiers and References | Identifiers:
CCE-90633-9 References:
1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CIP-007-3 R6.5, CM-6(a), AC-6(1), AU-9, DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.2, SRG-APP-000118-CTR-000240, SRG-APP-000119-CTR-000245, SRG-APP-000120-CTR-000250, SRG-APP-000121-CTR-000255, SRG-APP-000122-CTR-000260, SRG-APP-000123-CTR-000265 | |
|
Rule
The OpenShift Audit Logs Directory Must Have Mode 0700
[ref] |
To properly set the permissions of /var/log/openshift-apiserver/ , run the command:
$ sudo chmod 0700 /var/log/openshift-apiserver/ | Rationale: | If users can write to audit logs, audit trails can be modified or destroyed. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_directory_permissions_var_log_ocp_audit | Identifiers and References | Identifiers:
CCE-90634-7 References:
1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CIP-007-3 R6.5, CM-6(a), AC-6(1), AU-9, DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.2, SRG-APP-000118-CTR-000240, SRG-APP-000119-CTR-000245, SRG-APP-000120-CTR-000250, SRG-APP-000121-CTR-000255, SRG-APP-000122-CTR-000260, SRG-APP-000123-CTR-000265 | |
|
Rule
Kubernetes Audit Logs Must Be Owned By Root
[ref] | All audit logs must be owned by root user and group. By default, the path for the Kubernetes audit log is /var/log/kube-apiserver/ .
To properly set the owner of /var/log/kube-apiserver , run the command:
$ sudo chown root /var/log/kube-apiserver
To properly set the owner of /var/log/kube-apiserver/* , run the command:
$ sudo chown root /var/log/kube-apiserver/* | Rationale: | Unauthorized disclosure of audit records can reveal system and configuration data to
attackers, thus compromising its confidentiality. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_ownership_var_log_kube_audit | Identifiers and References | Identifiers:
CCE-83650-2 References:
1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.1, CCI-000162, CCI-000163, CCI-000164, CCI-001314, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), AU-9(4), DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.2, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084 | |
|
Rule
OAuth Audit Logs Must Be Owned By Root
[ref] | All audit logs must be owned by root user and group. By default, the path for the OAuth audit log is /var/log/oauth-apiserver/ .
To properly set the owner of /var/log/oauth-apiserver , run the command:
$ sudo chown root /var/log/oauth-apiserver
To properly set the owner of /var/log/oauth-apiserver/* , run the command:
$ sudo chown root /var/log/oauth-apiserver/* | Rationale: | Unauthorized disclosure of audit records can reveal system and configuration data to
attackers, thus compromising its confidentiality. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_ownership_var_log_oauth_audit | Identifiers and References | Identifiers:
CCE-90635-4 References:
1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.1, CCI-000162, CCI-000163, CCI-000164, CCI-001314, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), AU-9(4), DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.2, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084 | |
|
Rule
OpenShift Audit Logs Must Be Owned By Root
[ref] | All audit logs must be owned by root user and group. By default, the path for the OpenShift audit log is /var/log/openshift-apiserver/ .
To properly set the owner of /var/log/openshift-apiserver , run the command:
$ sudo chown root /var/log/openshift-apiserver
To properly set the owner of /var/log/openshift-apiserver/* , run the command:
$ sudo chown root /var/log/openshift-apiserver/* | Rationale: | Unauthorized disclosure of audit records can reveal system and configuration data to
attackers, thus compromising its confidentiality. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_ownership_var_log_ocp_audit | Identifiers and References | Identifiers:
CCE-90636-2 References:
1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.1, CCI-000162, CCI-000163, CCI-000164, CCI-001314, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), AU-9(4), DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.2, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084 | |
|
Rule
Kubernetes Audit Logs Must Have Mode 0600
[ref] |
To properly set the permissions of /var/log/kube-apiserver/.* , run the command:
$ sudo chmod 0600 /var/log/kube-apiserver/.* | Rationale: | If users can write to audit logs, audit trails can be modified or destroyed. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_var_log_kube_audit | Identifiers and References | Identifiers:
CCE-83654-4 References:
1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.1, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), AU-9(4), DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.2 | |
|
Rule
OAuth Audit Logs Must Have Mode 0600
[ref] |
To properly set the permissions of /var/log/oauth-apiserver/.* , run the command:
$ sudo chmod 0600 /var/log/oauth-apiserver/.* | Rationale: | If users can write to audit logs, audit trails can be modified or destroyed. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_var_log_oauth_audit | Identifiers and References | Identifiers:
CCE-90637-0 References:
1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.1, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), AU-9(4), DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.2 | |
|
Rule
OpenShift Audit Logs Must Have Mode 0600
[ref] |
To properly set the permissions of /var/log/openshift-apiserver/.* , run the command:
$ sudo chmod 0600 /var/log/openshift-apiserver/.* | Rationale: | If users can write to audit logs, audit trails can be modified or destroyed. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_var_log_ocp_audit | Identifiers and References | Identifiers:
CCE-90638-8 References:
1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.1, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), AU-9(4), DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.2 | |
|
Rule
Ensure /var/log/kube-apiserver Located On Separate Partition
[ref] | Kubernetes API server audit logs are stored in the
/var/log/kube-apiserver directory.
Partitioning Red Hat CoreOS is a Day 1 operation and cannot
be changed afterwards. For documentation on how to add a
MachineConfig manifest that specifies a separate /var/log/kube-apiserver
partition, follow:
https://docs.openshift.com/container-platform/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-user-infra-machines-advanced_disk_installing-platform-agnostic
Note that the Red Hat OpenShift documentation often references a block
device, such as /dev/vda . The name of the available block devices depends
on the underlying infrastructure (bare metal vs cloud), and often the specific
instance type. For example in AWS, some instance types have NVMe drives
(/dev/nvme* ), others use /dev/xvda* .
You will need to look for relevant documentation for your infrastructure around this.
In many cases, the simplest thing is to boot a single machine with an Ignition
configuration that just gives you SSH access, and inspect the block devices via
e.g. the lsblk command.
For physical hardware, a good best practice is to reference devices via the
/dev/disk/by-id/ or /dev/disk/by-path links.
| Rationale: | Placing /var/log/kube-apiserver in its own partition
enables better separation between Kubernetes API server audit
files and other log files, and helps ensure that
auditing cannot be halted due to the partition running out
of space. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log_kube_apiserver | Identifiers and References | Identifiers:
CCE-86456-1 References:
AU-4, Req-10.5.3, Req-10.5.4, SRG-APP-000357-CTR-000800 | |
|
Rule
Ensure /var/log/oauth-apiserver Located On Separate Partition
[ref] | OpenShift OAuth server audit logs are stored in the
/var/log/oauth-apiserver directory.
Partitioning Red Hat CoreOS is a Day 1 operation and cannot
be changed afterwards. For documentation on how to add a
MachineConfig manifest that specifies a separate /var/log/oauth-apiserver
partition, follow:
https://docs.openshift.com/container-platform/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-user-infra-machines-advanced_disk_installing-platform-agnostic
Note that the Red Hat OpenShift documentation often references a block
device, such as /dev/vda . The name of the available block devices depends
on the underlying infrastructure (bare metal vs cloud), and often the specific
instance type. For example in AWS, some instance types have NVMe drives
(/dev/nvme* ), others use /dev/xvda* .
You will need to look for relevant documentation for your infrastructure around this.
In many cases, the simplest thing is to boot a single machine with an Ignition
configuration that just gives you SSH access, and inspect the block devices via
e.g. the lsblk command.
For physical hardware, a good best practice is to reference devices via the
/dev/disk/by-id/ or /dev/disk/by-path links.
| Rationale: | Placing /var/log/oauth-apiserver in its own partition
enables better separation between OpenShift OAuth server audit
files and other log files, and helps ensure that
auditing cannot be halted due to the partition running out
of space. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log_oauth_apiserver | Identifiers and References | Identifiers:
CCE-85954-6 References:
AU-4, Req-10.5.3, Req-10.5.4, SRG-APP-000357-CTR-000800 | |
|
Rule
Ensure /var/log/openshift-apiserver Located On Separate Partition
[ref] | Openshift API server audit logs are stored in the
/var/log/openshift-apiserver directory.
Partitioning Red Hat CoreOS is a Day 1 operation and cannot
be changed afterwards. For documentation on how to add a
MachineConfig manifest that specifies a separate /var/log/openshift-apiserver
partition, follow:
https://docs.openshift.com/container-platform/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-user-infra-machines-advanced_disk_installing-platform-agnostic
Note that the Red Hat OpenShift documentation often references a block
device, such as /dev/vda . The name of the available block devices depends
on the underlying infrastructure (bare metal vs cloud), and often the specific
instance type. For example in AWS, some instance types have NVMe drives
(/dev/nvme* ), others use /dev/xvda* .
You will need to look for relevant documentation for your infrastructure around this.
In many cases, the simplest thing is to boot a single machine with an Ignition
configuration that just gives you SSH access, and inspect the block devices via
e.g. the lsblk command.
For physical hardware, a good best practice is to reference devices via the
/dev/disk/by-id/ or /dev/disk/by-path links.
| Rationale: | Placing /var/log/openshift-apiserver in its own partition
enables better separation between Openshift API server audit
files and other log files, and helps ensure that
auditing cannot be halted due to the partition running out
of space. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log_openshift_apiserver | Identifiers and References | Identifiers:
CCE-86094-0 References:
AU-4, Req-10.5.3, Req-10.5.4, SRG-APP-000357-CTR-000800 | |
|
Group
OpenShift - Master Node Settings
Group contains 72 rules |
[ref]
Contains evaluations for the master node configuration settings. |
Rule
Verify Group Who Owns The OpenShift Container Network Interface Files
[ref] | To properly set the group owner of /etc/cni/net.d/* , run the command: $ sudo chgrp root /etc/cni/net.d/* | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_cni_conf | Identifiers and References | Identifiers:
CCE-84025-6 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.10 | |
|
Rule
Verify Group Who Owns The OpenShift Controller Manager Kubeconfig File
[ref] |
To properly set the group owner of /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig , run the command:
$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig Warning:
This rule is only applicable for nodes that run the Kubernetes Controller
Manager service. The aforementioned service is only running on
the nodes labeled "master" by default. | Rationale: | The Controller Manager's kubeconfig contains information about how the
component will access the API server. You should set its file ownership to
maintain the integrity of the file. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_controller_manager_kubeconfig | Identifiers and References | Identifiers:
CCE-84095-9 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.18 | |
|
Rule
Verify Group Who Owns The Etcd Database Directory
[ref] |
To properly set the group owner of /var/lib/etcd/member/ , run the command:
$ sudo chgrp root /var/lib/etcd/member/ Warning:
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | etcd is a highly-available key-value store used by Kubernetes deployments for
persistent storage of all of its REST API objects. This data directory should
be protected from any unauthorized reads or writes. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etcd_data_dir | Identifiers and References | Identifiers:
CCE-83354-1 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.12 | |
|
Rule
Verify Group Who Owns The Etcd Write-Ahead-Log Files
[ref] |
To properly set the group owner of /var/lib/etcd/member/wal/* , run the command:
$ sudo chgrp root /var/lib/etcd/member/wal/* Warning:
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | etcd is a highly-available key-value store used by Kubernetes deployments for
persistent storage of all of its REST API objects. This data directory should
be protected from any unauthorized reads or writes. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etcd_data_files | Identifiers and References | Identifiers:
CCE-83816-9 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.12 | |
|
Rule
Verify Group Who Owns The etcd Member Pod Specification File
[ref] | To properly set the group owner of /etc/kubernetes/static-pod-resources/etcd-pod-*/etcd-pod.yaml , run the command: $ sudo chgrp root /etc/kubernetes/static-pod-resources/etcd-pod-*/etcd-pod.yaml Warning:
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | The etcd pod specification file controls various parameters that
set the behavior of the etcd service in the master node. etcd is a
highly-available key-value store which Kubernetes uses for persistent
storage of all of its REST API object. You should restrict its file
permissions to maintain the integrity of the file. The file should be
writable by only the administrators on the system. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etcd_member | Identifiers and References | Identifiers:
CCE-83664-3 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.8 | |
|
Rule
Verify Group Who Owns The Etcd PKI Certificate Files
[ref] |
To properly set the group owner of /etc/kubernetes/static-pod-resources/*/*/*/*.crt , run the command:
$ sudo chgrp root /etc/kubernetes/static-pod-resources/*/*/*/*.crt Warning:
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | OpenShift makes use of a number of certificates as part of its operation.
You should verify the ownership of the directory containing the PKI
information and all files in that directory to maintain their integrity.
The directory and files should be owned by the system administrator. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etcd_pki_cert_files | Identifiers and References | Identifiers:
CCE-83890-4 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.19 | |
|
Rule
Verify Group Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations
[ref] | To properly set the group owner of /var/lib/cni/networks/openshift-sdn/.* , run the command: $ sudo chgrp root /var/lib/cni/networks/openshift-sdn/.* | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_ip_allocations | Identifiers and References | Identifiers:
CCE-84211-2 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.10 | |
|
Rule
Verify Group Who Owns The Kubernetes API Server Pod Specification File
[ref] | To properly set the group owner of /etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml , run the command: $ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml Warning:
This rule is only applicable for nodes that run the Kubernetes API Server service.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | The Kubernetes specification file contains information about the configuration of the
Kubernetes API Server that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_kube_apiserver | Identifiers and References | Identifiers:
CCE-83530-6 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.2 | |
|
Rule
Verify Group Who Owns The Kubernetes Controller Manager Pod Specification File
[ref] | To properly set the group owner of /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml , run the command: $ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml Warning:
This rule is only applicable for nodes that run the Kubernetes Controller Manager service.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | The Kubernetes specification file contains information about the configuration of the
Kubernetes Controller Manager Server that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_kube_controller_manager | Identifiers and References | Identifiers:
CCE-83953-0 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.4 | |
|
Rule
Verify Group Who Owns The Kubernetes Scheduler Pod Specification File
[ref] | To properly set the group owner of /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml , run the command: $ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml Warning:
This rule is only applicable for nodes that run the Kubernetes Scheduler service.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | The Kubernetes Specification file contains information about the configuration of the
Kubernetes scheduler that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_kube_scheduler | Identifiers and References | Identifiers:
CCE-83614-8 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.6 | |
|
Rule
Verify Group Who Owns The OpenShift Admin Kubeconfig Files
[ref] |
To properly set the group owner of /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig , run the command:
$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig Warning:
This rule is only applicable for nodes that run the Kubernetes API server service.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | There are various kubeconfig files that can be used by the administrator,
defining various settings for the administration of the cluster. These files
contain credentials that can be used to control the cluster and are needed
for disaster recovery and each kubeconfig points to a different endpoint in
the cluster. You should restrict its file permissions to maintain the
integrity of the kubeconfig file as an attacker who gains access to these
files can take over the cluster. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_master_admin_kubeconfigs | Identifiers and References | Identifiers:
CCE-84204-7 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.14 | |
|
Rule
Verify Group Who Owns The OpenShift Multus Container Network Interface Plugin Files
[ref] | To properly set the group owner of /var/run/multus/cni/net.d/* , run the command: $ sudo chgrp root /var/run/multus/cni/net.d/* | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_multus_conf | Identifiers and References | Identifiers:
CCE-83818-5 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.10 | |
|
Rule
Verify Group Who Owns The OpenShift PKI Certificate Files
[ref] |
To properly set the group owner of /etc/kubernetes/static-pod-resources/*/*/*/tls.crt , run the command:
$ sudo chgrp root /etc/kubernetes/static-pod-resources/*/*/*/tls.crt Warning:
This rule is only applicable for nodes that run the Kubernetes Control Plane.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | OpenShift makes use of a number of certificates as part of its operation.
You should verify the ownership of the directory containing the PKI
information and all files in that directory to maintain their integrity.
The directory and files should be owned by the system administrator. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_openshift_pki_cert_files | Identifiers and References | Identifiers:
CCE-83922-5 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.19 | |
|
Rule
Verify Group Who Owns The OpenShift PKI Private Key Files
[ref] |
To properly set the group owner of /etc/kubernetes/static-pod-resources/*/*/*/*.key , run the command:
$ sudo chgrp root /etc/kubernetes/static-pod-resources/*/*/*/*.key Warning:
This rule is only applicable for nodes that run the Kubernetes Control Plane.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | OpenShift makes use of a number of certificates as part of its operation.
You should verify the ownership of the directory containing the PKI
information and all files in that directory to maintain their integrity.
The directory and files should be owned by root:root. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_openshift_pki_key_files | Identifiers and References | Identifiers:
CCE-84172-6 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.19 | |
|
Rule
Verify Group Who Owns The OpenShift SDN CNI Server Config
[ref] |
To properly set the group owner of /var/run/openshift-sdn/cniserver/config.json , run the command:
$ sudo chgrp root /var/run/openshift-sdn/cniserver/config.json | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_openshift_sdn_cniserver_config | Identifiers and References | Identifiers:
CCE-83605-6 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.9 | |
|
Rule
Verify Group Who Owns The OVNKubernetes Socket
[ref] |
To properly set the group owner of /run/ovn-kubernetes/cni/ovn-cni-server.sock , run the command:
$ sudo chgrp root /run/ovn-kubernetes/cni/ovn-cni-server.sock | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_ovn_cni_server_sock | Identifiers and References | Identifiers:
CCE-86222-7 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.10 | |
|
Rule
Verify Group Who Owns The OVNKubernetes DB files
[ref] |
To properly set the group owner of /var/lib/ovn/etc/*.db , run the command:
$ sudo chgrp root /var/lib/ovn/etc/*.db | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_ovn_db_files | Identifiers and References | Identifiers:
CCE-86533-7 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.10 | |
|
Rule
Verify Group Who Owns The Open vSwitch Configuration Database
[ref] | Check if the group owner of /etc/openvswitch/conf.db is
hugetlbfs on architectures other than s390x or openvswitch
on s390x. | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_ovs_conf_db | Identifiers and References | Identifiers:
CCE-88281-1 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.9 | |
|
Rule
Verify Group Who Owns The Open vSwitch Configuration Database Lock
[ref] | Check if the group owner of /etc/openvswitch/conf.db.~lock~ is
hugetlbfs on architectures other than s390x or openvswitch
on s390x. | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_ovs_conf_db_lock | Identifiers and References | Identifiers:
CCE-90793-1 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.9 | |
|
Rule
Verify Group Who Owns The Open vSwitch Process ID File
[ref] | Ensure that the file /var/run/openvswitch/ovs-vswitchd.pid ,
is owned by the group openvswitch or hugetlbfs ,
depending on your settings and Open vSwitch version. | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_ovs_pid | Identifiers and References | Identifiers:
CCE-83630-4 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.9 | |
|
Rule
Verify Group Who Owns The Open vSwitch Persistent System ID
[ref] | Check if the group owner of /etc/openvswitch/system-id.conf is
hugetlbfs on architectures other than s390x or openvswitch
on x390x. | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_ovs_sys_id_conf | Identifiers and References | Identifiers:
CCE-85892-8 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.9 | |
|
Rule
Verify Group Who Owns The Open vSwitch Daemon PID File
[ref] | Ensure that the file /run/openvswitch/ovs-vswitchd.pid ,
is owned by the group openvswitch or hugetlbfs ,
depending on your settings and Open vSwitch version. | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_ovs_vswitchd_pid | Identifiers and References | Identifiers:
CCE-84129-6 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.9 | |
|
Rule
Verify Group Who Owns The Open vSwitch Database Server PID
[ref] | Ensure that the file /run/openvswitch/ovsdb-server.pid ,
is owned by the group openvswitch or hugetlbfs ,
depending on your settings and Open vSwitch version. | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_ovsdb_server_pid | Identifiers and References | Identifiers:
CCE-84166-8 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.9 | |
|
Rule
Verify Group Who Owns The Kubernetes Scheduler Kubeconfig File
[ref] |
To properly set the group owner of /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig , run the command:
$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig Warning:
This rule is only applicable for nodes that run the Kubernetes Scheduler service.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | The kubeconfig for the Scheduler contains parameters for the scheduler
to access the Kube API.
You should set its file ownership to maintain the integrity of the file. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_scheduler_kubeconfig | Identifiers and References | Identifiers:
CCE-83471-3 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.16 | |
|
Rule
Verify User Who Owns The OpenShift Container Network Interface Files
[ref] | To properly set the owner of /etc/cni/net.d/* , run the command: $ sudo chown root /etc/cni/net.d/* | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_cni_conf | Identifiers and References | Identifiers:
CCE-83460-6 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.10 | |
|
Rule
Verify User Who Owns The OpenShift Controller Manager Kubeconfig File
[ref] |
To properly set the owner of /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig , run the command:
$ sudo chown root /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig Warning:
This rule is only applicable for nodes that run the Kubernetes Controller Manager service.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | The Controller Manager's kubeconfig contains information about how the
component will access the API server. You should set its file ownership to
maintain the integrity of the file. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_controller_manager_kubeconfig | Identifiers and References | Identifiers:
CCE-83904-3 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.18 | |
|
Rule
Verify User Who Owns The Etcd Database Directory
[ref] |
To properly set the owner of /var/lib/etcd/member/ , run the command:
$ sudo chown root /var/lib/etcd/member/ Warning:
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | etcd is a highly-available key-value store used by Kubernetes deployments for
persistent storage of all of its REST API objects. This data directory should
be protected from any unauthorized reads or writes. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etcd_data_dir | Identifiers and References | Identifiers:
CCE-83905-0 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.12 | |
|
Rule
Verify User Who Owns The Etcd Write-Ahead-Log Files
[ref] |
To properly set the owner of /var/lib/etcd/member/wal/* , run the command:
$ sudo chown root /var/lib/etcd/member/wal/* Warning:
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | etcd is a highly-available key-value store used by Kubernetes deployments for
persistent storage of all of its REST API objects. This data directory should
be protected from any unauthorized reads or writes. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etcd_data_files | Identifiers and References | Identifiers:
CCE-84010-8 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.12 | |
|
Rule
Verify User Who Owns The Etcd Member Pod Specification File
[ref] | To properly set the owner of /etc/kubernetes/static-pod-resources/etcd-pod-*/etcd-pod.yaml , run the command: $ sudo chown root /etc/kubernetes/static-pod-resources/etcd-pod-*/etcd-pod.yaml Warning:
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | The etcd pod specification file controls various parameters that
set the behavior of the etcd service in the master node. etcd is a
highly-available key-value store which Kubernetes uses for persistent
storage of all of its REST API object. You should restrict its file
permissions to maintain the integrity of the file. The file should be
writable by only the administrators on the system. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etcd_member | Identifiers and References | Identifiers:
CCE-83988-6 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.8 | |
|
Rule
Verify User Who Owns The Etcd PKI Certificate Files
[ref] |
To properly set the owner of /etc/kubernetes/static-pod-resources/*/*/*/*.crt , run the command:
$ sudo chown root /etc/kubernetes/static-pod-resources/*/*/*/*.crt Warning:
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | OpenShift makes use of a number of certificates as part of its operation.
You should verify the ownership of the directory containing the PKI
information and all files in that directory to maintain their integrity.
The directory and files should be owned by the system administrator. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etcd_pki_cert_files | Identifiers and References | Identifiers:
CCE-83898-7 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.19 | |
|
Rule
Verify User Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations
[ref] | To properly set the owner of /var/lib/cni/networks/openshift-sdn/.* , run the command: $ sudo chown root /var/lib/cni/networks/openshift-sdn/.* | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_ip_allocations | Identifiers and References | Identifiers:
CCE-84248-4 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.10 | |
|
Rule
Verify User Who Owns The Kubernetes API Server Pod Specification File
[ref] | To properly set the owner of /etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml , run the command: $ sudo chown root /etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml Warning:
This rule is only applicable for nodes that run the Kubernetes API Server service.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | The Kubernetes specification file contains information about the configuration of the
Kubernetes API Server that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_kube_apiserver | Identifiers and References | Identifiers:
CCE-83372-3 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.2 | |
|
Rule
Verify User Who Owns The Kubernetes Controller Manager Pod Specification File
[ref] | To properly set the owner of /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml , run the command: $ sudo chown root /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml Warning:
This rule is only applicable for nodes that run the Kubernetes Controller Manager service.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | The Kubernetes specification file contains information about the configuration of the
Kubernetes Controller Manager Server that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_kube_controller_manager | Identifiers and References | Identifiers:
CCE-83795-5 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.4 | |
|
Rule
Verify User Who Owns The Kubernetes Scheduler Pod Specification File
[ref] | To properly set the owner of /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml , run the command: $ sudo chown root /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml Warning:
This rule is only applicable for nodes that run the Kubernetes Scheduler service.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | The Kubernetes specification file contains information about the configuration of the
Kubernetes scheduler that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_kube_scheduler | Identifiers and References | Identifiers:
CCE-83393-9 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.6 | |
|
Rule
Verify User Who Owns The OpenShift Admin Kubeconfig Files
[ref] |
To properly set the owner of /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig , run the command:
$ sudo chown root /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig Warning:
This rule is only applicable for nodes that run the Kubernetes Control Plane.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | There are various kubeconfig files that can be used by the administrator,
defining various settings for the administration of the cluster. These files
contain credentials that can be used to control the cluster and are needed
for disaster recovery and each kubeconfig points to a different endpoint in
the cluster. You should restrict its file permissions to maintain the
integrity of the kubeconfig file as an attacker who gains access to these
files can take over the cluster. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_master_admin_kubeconfigs | Identifiers and References | Identifiers:
CCE-83719-5 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.14 | |
|
Rule
Verify User Who Owns The OpenShift Multus Container Network Interface Plugin Files
[ref] | To properly set the owner of /var/run/multus/cni/net.d/* , run the command: $ sudo chown root /var/run/multus/cni/net.d/* | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_multus_conf | Identifiers and References | Identifiers:
CCE-83603-1 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.10 | |
|
Rule
Verify User Who Owns The OpenShift PKI Certificate Files
[ref] |
To properly set the owner of /etc/kubernetes/static-pod-resources/*/*/*/tls.crt , run the command:
$ sudo chown root /etc/kubernetes/static-pod-resources/*/*/*/tls.crt Warning:
This rule is only applicable for nodes that run the Kubernetes Control Plane.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | OpenShift makes use of a number of certificates as part of its operation.
You should verify the ownership of the directory containing the PKI
information and all files in that directory to maintain their integrity. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_openshift_pki_cert_files | Identifiers and References | Identifiers:
CCE-83558-7 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.19 | |
|
Rule
Verify User Who Owns The OpenShift PKI Private Key Files
[ref] |
To properly set the owner of /etc/kubernetes/static-pod-resources/*/*/*/*.key , run the command:
$ sudo chown root /etc/kubernetes/static-pod-resources/*/*/*/*.key Warning:
This rule is only applicable for nodes that run the Kubernetes Control Plane.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | OpenShift makes use of a number of certificates as part of its operation.
You should verify the ownership of the directory containing the PKI
information and all files in that directory to maintain their integrity.
The directory and files should be owned by root:root. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_openshift_pki_key_files | Identifiers and References | Identifiers:
CCE-83435-8 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.19 | |
|
Rule
Verify User Who Owns The OpenShift SDN CNI Server Config
[ref] |
To properly set the owner of /var/run/openshift-sdn/cniserver/config.json , run the command:
$ sudo chown root /var/run/openshift-sdn/cniserver/config.json | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_openshift_sdn_cniserver_config | Identifiers and References | Identifiers:
CCE-83932-4 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.9 | |
|
Rule
Verify User Who Owns The OVNKubernetes Socket
[ref] |
To properly set the owner of /run/ovn-kubernetes/cni/ovn-cni-server.sock , run the command:
$ sudo chown root /run/ovn-kubernetes/cni/ovn-cni-server.sock | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_ovn_cni_server_sock | Identifiers and References | Identifiers:
CCE-86431-4 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.10 | |
|
Rule
Verify Who Owns The OVNKubernetes DB files
[ref] |
To properly set the owner of /var/lib/ovn/etc/*.db , run the command:
$ sudo chown root /var/lib/ovn/etc/*.db | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_ovn_db_files | Identifiers and References | Identifiers:
CCE-86614-5 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.10 | |
|
Rule
Verify User Who Owns The Open vSwitch Configuration Database
[ref] |
To properly set the owner of /etc/openvswitch/conf.db , run the command:
$ sudo chown openvswitch /etc/openvswitch/conf.db | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_ovs_conf_db | Identifiers and References | Identifiers:
CCE-83489-5 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.9 | |
|
Rule
Verify User Who Owns The Open vSwitch Configuration Database Lock
[ref] |
To properly set the owner of /etc/openvswitch/.conf.db.~lock~ , run the command:
$ sudo chown openvswitch /etc/openvswitch/.conf.db.~lock~ | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_ovs_conf_db_lock | Identifiers and References | Identifiers:
CCE-83462-2 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.9 | |
|
Rule
Verify User Who Owns The Open vSwitch Process ID File
[ref] |
To properly set the owner of /var/run/openvswitch/ovs-vswitchd.pid , run the command:
$ sudo chown openvswitch /var/run/openvswitch/ovs-vswitchd.pid | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_ovs_pid | Identifiers and References | Identifiers:
CCE-83937-3 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.9 | |
|
Rule
Verify User Who Owns The Open vSwitch Persistent System ID
[ref] |
To properly set the owner of /etc/openvswitch/system-id.conf , run the command:
$ sudo chown openvswitch /etc/openvswitch/system-id.conf | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_ovs_sys_id_conf | Identifiers and References | Identifiers:
CCE-84085-0 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.9 | |
|
Rule
Verify User Who Owns The Open vSwitch Daemon PID File
[ref] |
To properly set the owner of /run/openvswitch/ovs-vswitchd.pid , run the command:
$ sudo chown openvswitch /run/openvswitch/ovs-vswitchd.pid | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_ovs_vswitchd_pid | Identifiers and References | Identifiers:
CCE-83888-8 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.9 | |
|
Rule
Verify User Who Owns The Open vSwitch Database Server PID
[ref] |
To properly set the owner of /run/openvswitch/ovsdb-server.pid , run the command:
$ sudo chown openvswitch /run/openvswitch/ovsdb-server.pid | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_ovsdb_server_pid | Identifiers and References | Identifiers:
CCE-83806-0 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.9 | |
|
Rule
Verify User Who Owns The Kubernetes Scheduler Kubeconfig File
[ref] |
To properly set the owner of /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig , run the command:
$ sudo chown root /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig Warning:
This rule is only applicable for nodes that run the Kubernetes Scheduler service.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | The kubeconfig for the Scheduler contains parameters for the scheduler
to access the Kube API.
You should set its file ownership to maintain the integrity of the file. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_scheduler_kubeconfig | Identifiers and References | Identifiers:
CCE-84017-3 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.16 | |
|
Rule
Verify Permissions on the OpenShift Container Network Interface Files
[ref] |
To properly set the permissions of /etc/cni/net.d/* , run the command:
$ sudo chmod 0644 /etc/cni/net.d/* | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_cni_conf | Identifiers and References | Identifiers:
CCE-83379-8 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.9 | |
|
Rule
Verify Permissions on the OpenShift Controller Manager Kubeconfig File
[ref] |
To properly set the permissions of /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig , run the command:
$ sudo chmod 0644 /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig Warning:
This rule is only applicable for nodes that run the Kubernetes Controller Manager service.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | The Controller Manager's kubeconfig contains information about how the
component will access the API server. You should restrict its file
permissions to maintain the integrity of the file. The file should be
writable by only the administrators on the system. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_controller_manager_kubeconfig | Identifiers and References | Identifiers:
CCE-83604-9 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.17 | |
|
Rule
Verify Permissions on the Etcd Database Directory
[ref] |
To properly set the permissions of /var/lib/etcd , run the command:
$ sudo chmod 0700 /var/lib/etcd Warning:
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | etcd is a highly-available key-value store used by Kubernetes deployments for persistent
storage of all of its REST API objects. This data directory should be protected from any
unauthorized reads or writes. It should not be readable or writable by any group members
or the world. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_etcd_data_dir | Identifiers and References | Identifiers:
CCE-84013-2 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.11 | |
|
Rule
Verify Permissions on the Etcd Write-Ahead-Log Files
[ref] |
To properly set the permissions of /var/lib/etcd/member/wal/* , run the command:
$ sudo chmod 0600 /var/lib/etcd/member/wal/* Warning:
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | etcd is a highly-available key-value store used by Kubernetes deployments for persistent
storage of all of its REST API objects. This data directory should be protected from any
unauthorized reads or writes. It should not be readable or writable by any group members
or the world. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_etcd_data_files | Identifiers and References | Identifiers:
CCE-83382-2 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.11 | |
|
Rule
Verify Permissions on the Etcd Member Pod Specification File
[ref] |
To properly set the permissions of /etc/kubernetes/static-pod-resources/etcd-pod-*/etcd-pod.yaml , run the command:
$ sudo chmod 0644 /etc/kubernetes/static-pod-resources/etcd-pod-*/etcd-pod.yaml Warning:
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | The etcd pod specification file controls various parameters that
set the behavior of the etcd service in the master node. etcd is a
highly-available key-value store which Kubernetes uses for persistent
storage of all of its REST API object. You should restrict its file
permissions to maintain the integrity of the file. The file should be
writable by only the administrators on the system. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_etcd_member | Identifiers and References | Identifiers:
CCE-83973-8 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.7 | |
|
Rule
Verify Permissions on the Etcd PKI Certificate Files
[ref] |
To properly set the permissions of /etc/kubernetes/static-pod-resources/etcd-*/secrets/*/*.crt , run the command:
$ sudo chmod 0600 /etc/kubernetes/static-pod-resources/etcd-*/secrets/*/*.crt Warning:
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | OpenShift makes use of a number of certificate files as part of the operation
of its components. The permissions on these files should be set to
600 or more restrictive to protect their integrity. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_etcd_pki_cert_files | Identifiers and References | Identifiers:
CCE-83362-4 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.20 | |
|
Rule
Verify Permissions on the OpenShift SDN Container Network Interface Plugin IP Address Allocations
[ref] |
To properly set the permissions of /var/lib/cni/networks/openshift-sdn/* , run the command:
$ sudo chmod 0644 /var/lib/cni/networks/openshift-sdn/* | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_ip_allocations | Identifiers and References | Identifiers:
CCE-83469-7 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.9 | |
|
Rule
Verify Permissions on the Kubernetes API Server Pod Specification File
[ref] |
To properly set the permissions of /etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml , run the command:
$ sudo chmod 0644 /etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml Warning:
This rule is only applicable for nodes that run the Kubernetes API Server service.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | If the Kubernetes specification file is writable by a group-owner or the
world the risk of its compromise is increased. The file contains the configuration of
the Kubernetes API server that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_kube_apiserver | Identifiers and References | Identifiers:
CCE-83983-7 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.1 | |
|
Rule
Verify Permissions on the Kubernetes Controller Manager Pod Specification File
[ref] |
To properly set the permissions of /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml , run the command:
$ sudo chmod 0644 /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml Warning:
This rule is only applicable for nodes that run the Kubernetes Controller Manager service.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | If the Kubernetes specification file is writable by a group-owner or the
world the risk of its compromise is increased. The file contains the configuration of
an Kubernetes Controller Manager server that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_kube_controller_manager | Identifiers and References | Identifiers:
CCE-84161-9 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.3 | |
|
Rule
Verify Permissions on the OpenShift Admin Kubeconfig Files
[ref] |
To properly set the permissions of /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig , run the command:
$ sudo chmod 0600 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig Warning:
This rule is only applicable for nodes that run the Kubernetes Control Plane.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | There are various kubeconfig files that can be used by the administrator,
defining various settings for the administration of the cluster. These files
contain credentials that can be used to control the cluster and are needed
for disaster recovery and each kubeconfig points to a different endpoint in
the cluster. You should restrict its file permissions to maintain the
integrity of the kubeconfig file as an attacker who gains access to these
files can take over the cluster. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_master_admin_kubeconfigs | Identifiers and References | Identifiers:
CCE-84278-1 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.13 | |
|
Rule
Verify Permissions on the OpenShift Multus Container Network Interface Plugin Files
[ref] |
To properly set the permissions of /var/run/multus/cni/net.d/* , run the command:
$ sudo chmod 0644 /var/run/multus/cni/net.d/* | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_multus_conf | Identifiers and References | Identifiers:
CCE-83467-1 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.9 | |
|
Rule
Verify Permissions on the OpenShift PKI Certificate Files
[ref] |
To properly set the permissions of /etc/kubernetes/static-pod-resources/kube-*/secrets/*/tls.crt , run the command:
$ sudo chmod 0600 /etc/kubernetes/static-pod-resources/kube-*/secrets/*/tls.crt Warning:
This rule is only applicable for nodes that run the Kubernetes Control Plane.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | OpenShift makes use of a number of certificate files as part of the operation
of its components. The permissions on these files should be set to
600 or more restrictive to protect their integrity. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_openshift_pki_cert_files | Identifiers and References | Identifiers:
CCE-83552-0 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.20 | |
|
Rule
Verify Permissions on the OpenShift PKI Private Key Files
[ref] |
To properly set the permissions of /etc/kubernetes/static-pod-resources/*/*/*/*.key , run the command:
$ sudo chmod 0600 /etc/kubernetes/static-pod-resources/*/*/*/*.key Warning:
This rule is only applicable for nodes that run the Kubernetes Control Plane.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | OpenShift makes use of a number of key files as part of the operation of its
components. The permissions on these files should be set to 600
to protect their integrity and confidentiality. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_openshift_pki_key_files | Identifiers and References | Identifiers:
CCE-83580-1 References:
CIP-003-8 R1.3, CIP-003-8 R3, CIP-003-8 R3.1, CIP-003-8 R3.2, CIP-003-8 R3.3, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CM-6, CM-6(1), IA-5(2), SRG-APP-000516-CTR-001325, 1.1.21 | |
|
Rule
Verify Permissions on the OVNKubernetes socket
[ref] |
To properly set the permissions of /run/ovn-kubernetes/cni/ovn-cni-server.sock , run the command:
$ sudo chmod 0600 /run/ovn-kubernetes/cni/ovn-cni-server.sock | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_ovn_cni_server_sock | Identifiers and References | Identifiers:
CCE-86069-2 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.9 | |
|
Rule
Verify Permissions on the OVNKubernetes DB files
[ref] |
To properly set the permissions of /var/lib/ovn/etc/*.db , run the command:
$ sudo chmod 0640 /var/lib/ovn/etc/*.db | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_ovn_db_files | Identifiers and References | Identifiers:
CCE-86653-3 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.9 | |
|
Rule
Verify Permissions on the Open vSwitch Configuration Database
[ref] |
To properly set the permissions of /etc/openvswitch/conf.db , run the command:
$ sudo chmod 0640 /etc/openvswitch/conf.db | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_ovs_conf_db | Identifiers and References | Identifiers:
CCE-83788-0 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.9 | |
|
Rule
Verify Permissions on the Open vSwitch Configuration Database Lock
[ref] |
To properly set the permissions of /etc/openvswitch/.conf.db.~lock~ , run the command:
$ sudo chmod 0600 /etc/openvswitch/.conf.db.~lock~ | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_ovs_conf_db_lock | Identifiers and References | Identifiers:
CCE-84202-1 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.9 | |
|
Rule
Verify Permissions on the Open vSwitch Process ID File
[ref] |
To properly set the permissions of /var/run/openvswitch/ovs-vswitchd.pid , run the command:
$ sudo chmod 0644 /var/run/openvswitch/ovs-vswitchd.pid | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_ovs_pid | Identifiers and References | Identifiers:
CCE-83666-8 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.9 | |
|
Rule
Verify Permissions on the Open vSwitch Persistent System ID
[ref] |
To properly set the permissions of /etc/openvswitch/system-id.conf , run the command:
$ sudo chmod 0644 /etc/openvswitch/system-id.conf | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_ovs_sys_id_conf | Identifiers and References | Identifiers:
CCE-83400-2 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.9 | |
|
Rule
Verify Permissions on the Open vSwitch Daemon PID File
[ref] |
To properly set the permissions of /run/openvswitch/ovs-vswitchd.pid , run the command:
$ sudo chmod 0644 /run/openvswitch/ovs-vswitchd.pid | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_ovs_vswitchd_pid | Identifiers and References | Identifiers:
CCE-83710-4 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.9 | |
|
Rule
Verify Permissions on the Open vSwitch Database Server PID
[ref] |
To properly set the permissions of /run/openvswitch/ovsdb-server.pid , run the command:
$ sudo chmod 0644 /run/openvswitch/ovsdb-server.pid | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_ovsdb_server_pid | Identifiers and References | Identifiers:
CCE-83679-1 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.9 | |
|
Rule
Verify Permissions on the Kubernetes Scheduler Pod Specification File
[ref] |
To properly set the permissions of /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml , run the command:
$ sudo chmod 0644 /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml Warning:
This rule is only applicable for nodes that run the Kubernetes Scheduler service.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | If the Kubernetes specification file is writable by a group-owner or the
world the risk of its compromise is increased. The file contains the configuration of
an Kubernetes Scheduler service that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_scheduler | Identifiers and References | Identifiers:
CCE-84057-9 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.5 | |
|
Rule
Verify Permissions on the Kubernetes Scheduler Kubeconfig File
[ref] |
To properly set the permissions of /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig , run the command:
$ sudo chmod 0644 /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig Warning:
This rule is only applicable for nodes that run the Kubernetes Scheduler service.
The aforementioned service is only running on the nodes labeled
"master" by default. | Rationale: | The kubeconfig for the Scheduler contains parameters for the scheduler
to access the Kube API. You should restrict its file permissions to maintain
the integrity of the file. The file should be writable by only the
administrators on the system. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_scheduler_kubeconfig | Identifiers and References | Identifiers:
CCE-83772-4 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.15 | |
|
Rule
Verify Permissions on the OpenShift SDN CNI Server Config
[ref] |
To properly set the permissions of /var/run/openshift-sdn/cniserver/config.json , run the command:
$ sudo chmod 0444 /var/run/openshift-sdn/cniserver/config.json | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_perms_openshift_sdn_cniserver_config | Identifiers and References | Identifiers:
CCE-83927-4 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 1.1.9 | |
|
Group
Kubernetes - Worker Node Settings
Group contains 13 rules |
[ref]
Contains evaluations for the worker node configuration settings. |
Rule
Verify Group Who Owns The Kubelet Configuration File
[ref] | To properly set the group owner of /etc/kubernetes/kubelet.conf , run the command: $ sudo chgrp root /etc/kubernetes/kubelet.conf | Rationale: | The kubelet configuration file contains information about the configuration of the
OpenShift node that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_kubelet_conf | Identifiers and References | Identifiers:
CCE-84233-6 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 4.1.6 | |
|
Rule
Verify Group Who Owns the Worker Certificate Authority File
[ref] | To properly set the group owner of /etc/kubernetes/kubelet-ca.crt , run the command: $ sudo chgrp root /etc/kubernetes/kubelet-ca.crt | Rationale: | The worker certificate authority file contains the certificate authority
certificate for an OpenShift node that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_worker_ca | Identifiers and References | Identifiers:
CCE-83440-8 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 4.1.8 | |
|
Rule
Verify Group Who Owns The Worker Kubeconfig File
[ref] | To properly set the group owner of /var/lib/kubelet/kubeconfig , run the command: $ sudo chgrp root /var/lib/kubelet/kubeconfig | Rationale: | The worker kubeconfig file contains information about the administrative configuration of the
OpenShift cluster that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_worker_kubeconfig | Identifiers and References | Identifiers:
CCE-83409-3 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 4.1.10 | |
|
Rule
Verify Group Who Owns The OpenShift Node Service File
[ref] | '
To properly set the group owner of /etc/systemd/system/kubelet.service , run the command:
$ sudo chgrp root /etc/systemd/system/kubelet.service ' | Rationale: | The /etc/systemd/system/kubelet.service
file contains information about the configuration of the
OpenShift node service that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_worker_service | Identifiers and References | Identifiers:
CCE-83975-3 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 4.1.2 | |
|
Rule
Verify User Who Owns The Kubelet Configuration File
[ref] | To properly set the owner of /var/lib/kubelet/config.json , run the command: $ sudo chown root /var/lib/kubelet/config.json | Rationale: | The kubelet configuration file contains information about the configuration of the
OpenShift node that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_kubelet | Identifiers and References | Identifiers:
CCE-85900-9 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 4.1.6 | |
|
Rule
Verify User Who Owns The Kubelet Configuration File
[ref] | To properly set the owner of /etc/kubernetes/kubelet.conf , run the command: $ sudo chown root /etc/kubernetes/kubelet.conf | Rationale: | The kubelet configuration file contains information about the configuration of the
OpenShift node that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_kubelet_conf | Identifiers and References | Identifiers:
CCE-83976-1 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 4.1.6 | |
|
Rule
Verify User Who Owns the Worker Certificate Authority File
[ref] | To properly set the owner of /etc/kubernetes/kubelet-ca.crt , run the command: $ sudo chown root /etc/kubernetes/kubelet-ca.crt | Rationale: | The worker certificate authority file contains the certificate authority
certificate for an OpenShift node that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_worker_ca | Identifiers and References | Identifiers:
CCE-83495-2 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 4.1.8 | |
|
Rule
Verify User Who Owns The Worker Kubeconfig File
[ref] | To properly set the owner of /var/lib/kubelet/kubeconfig , run the command: $ sudo chown root /var/lib/kubelet/kubeconfig | Rationale: | The worker kubeconfig file contains information about the administrative configuration of the
OpenShift cluster that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_worker_kubeconfig | Identifiers and References | Identifiers:
CCE-83408-5 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 4.1.10 | |
|
Rule
Verify User Who Owns The OpenShift Node Service File
[ref] | '
To properly set the owner of /etc/systemd/system/kubelet.service , run the command:
$ sudo chown root /etc/systemd/system/kubelet.service ' | Rationale: | The /etc/systemd/system/kubelet.service
file contains information about the configuration of the
OpenShift node service that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_worker_service | Identifiers and References | Identifiers:
CCE-84193-2 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 4.1.2 | |
|
Rule
Verify Permissions on The Kubelet Configuration File
[ref] |
To properly set the permissions of /etc/kubernetes/kubelet.conf , run the command:
$ sudo chmod 0644 /etc/kubernetes/kubelet.conf | Rationale: | If the kubelet configuration file is writable by a group-owner or the
world the risk of its compromise is increased. The file contains the configuration of
an OpenShift node that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_kubelet_conf | Identifiers and References | Identifiers:
CCE-83470-5 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 4.1.5 | |
|
Rule
Verify Permissions on the Worker Certificate Authority File
[ref] |
To properly set the permissions of /etc/kubernetes/kubelet-ca.crt , run the command:
$ sudo chmod 0644 /etc/kubernetes/kubelet-ca.crt | Rationale: | If the worker certificate authority file is writable by a group-owner or the
world the risk of its compromise is increased. The file contains the certificate authority
certificate for an OpenShift node that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_worker_ca | Identifiers and References | Identifiers:
CCE-83493-7 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 4.1.7 | |
|
Rule
Verify Permissions on the Worker Kubeconfig File
[ref] |
To properly set the permissions of /var/lib/kubelet/kubeconfig , run the command:
$ sudo chmod 0600 /var/lib/kubelet/kubeconfig | Rationale: | If the worker kubeconfig file is writable by a group-owner or the
world the risk of its compromise is increased. The file contains the administration configuration of the
OpenShift cluster that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_worker_kubeconfig | Identifiers and References | Identifiers:
CCE-83509-0 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 4.1.9 | |
|
Rule
Verify Permissions on the OpenShift Node Service File
[ref] |
To properly set the permissions of /etc/systemd/system/kubelet.service , run the command:
$ sudo chmod 0644 /etc/systemd/system/kubelet.service | Rationale: | If the /etc/systemd/system/kubelet.service
file is writable by a group-owner or the
world the risk of its compromise is increased. The file contains the service configuration of the
OpenShift node service that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_worker_service | Identifiers and References | Identifiers:
CCE-83455-6 References:
CIP-003-8 R6, CIP-004-6 R3, CIP-007-3 R6.1, CM-6, CM-6(1), SRG-APP-000516-CTR-001325, 4.1.1 | |
|