Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4
with profile CIS Red Hat OpenShift Container Platform 4 BenchmarkThis profile defines a baseline that aligns to the Center for Internet Security® Red Hat OpenShift Container Platform 4 Benchmark™, V0.3, currently unreleased. This profile includes Center for Internet Security® Red Hat OpenShift Container Platform 4 CIS Benchmarks™ content. Note that this part of the profile is meant to run on the Operating System that Red Hat OpenShift Container Platform 4 runs on top of. This profile is applicable to OpenShift versions 4.6 and greater.
https://www.open-scap.org/security-policies/scap-security-guide
scap-security-guide
package which is developed at
https://www.open-scap.org/security-policies/scap-security-guide.
Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The NIST National Checklist Program (NCP), which provides required settings for the United States Government, is one example of a baseline created from this guidance.
Evaluation Characteristics
Evaluation target | Unknown |
---|---|
Target ID | chroot:///host |
Benchmark URL | /content/ssg-ocp4-ds.xml |
Benchmark ID | xccdf_org.ssgproject.content_benchmark_OCP-4 |
Benchmark version | 0.1.57 |
Profile ID | xccdf_org.ssgproject.content_profile_cis-node |
Started at | 2021-07-20T05:20:57+00:00 |
Finished at | 2021-07-20T05:21:01+00:00 |
Performed by | unknown user |
Test system | cpe:/a:redhat:openscap:1.3.4 |
CPE Platforms
- cpe:/o:redhat:openshift_container_platform_node:4
- cpe:/a:redhat:openshift_container_platform:4.1
- cpe:/a:redhat:openshift_container_platform:4.6
- cpe:/a:redhat:openshift_container_platform:4.7
- cpe:/a:redhat:openshift_container_platform:4.8
- cpe:/a:redhat:openshift_container_platform:4.9
- cpe:/a:redhat:openshift_container_platform:4.10
Addresses
Compliance and Scoring
Rule results
Severity of failed rules
Score
Scoring system | Score | Maximum | Percent |
---|---|---|---|
urn:xccdf:scoring:default | 83.712120 | 100.000000 |
Rule Overview
Result Details
Verify Group Who Owns The Open vSwitch Daemon PID File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_ovs_vswitchd_pid |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_ovs_vswitchd_pid:def:1 |
Time | 2021-07-20T05:20:57+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-84129-6 |
Description | Ensure that the file /run/openvswitch/ovs-vswitchd.pid, is owned by the group openvswitchor hugetlbfs, depending on your settings and Open vSwitch version. |
Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
Testing group ownership of /var/run/openvswitch/ovs-vswitchd.pid oval:ssg-test_file_groupowner_var_run_ovs_vswitchd_pid_800:tst:1 false
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/var/run/openvswitch/ovs-vswitchd.pid | regular | 800 | 801 | 5 | rw-r--r-- |
Testing group ownership of /var/run/openvswitch/ovs-vswitchd.pid oval:ssg-test_file_groupowner_var_run_ovs_vswitchd_pid_801:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/var/run/openvswitch/ovs-vswitchd.pid | regular | 800 | 801 | 5 | rw-r--r-- |
Verify User Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_ip_allocations |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_ip_allocations:def:1 |
Time | 2021-07-20T05:20:57+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-84248-4 |
Description | To properly set the owner of /var/lib/cni/networks/openshift-sdn/.* , run the command: $ sudo chown root /var/lib/cni/networks/openshift-sdn/.* |
Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
Testing user ownership of ^/var/lib/cni/networks/openshift-sdn/.*$ oval:ssg-test_file_owner_ip_allocations:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_ip_allocations:obj:1 of type file_object
Filepath |
---|
^/var/lib/cni/networks/openshift-sdn/.*$ |
Verify Group Who Owns The Kubernetes API Server Pod Specification File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_kube_apiserver |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_kube_apiserver:def:1 |
Time | 2021-07-20T05:20:57+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83530-6 |
Description | To properly set the group owner of /etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml , run the command: $ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml |
Rationale | The Kubernetes specification file contains information about the configuration of the
Kubernetes API Server that is configured on the system. Protection of this file is
critical for OpenShift security. |
Warnings | warning
This rule is only applicable for nodes that run the Kubernetes API Server service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Testing group ownership of ^/etc/kubernetes/static-pod-resources/kube-apiserver-pod-.*/kube-apiserver-pod.yaml$ oval:ssg-test_file_groupowner_kube_apiserver:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/kube-apiserver-pod.yaml | regular | 0 | 0 | 6904 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-6/kube-apiserver-pod.yaml | regular | 0 | 0 | 6949 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-9/kube-apiserver-pod.yaml | regular | 0 | 0 | 6949 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-10/kube-apiserver-pod.yaml | regular | 0 | 0 | 7089 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-8/kube-apiserver-pod.yaml | regular | 0 | 0 | 6949 | rw-r--r-- |
Verify User Who Owns The OpenShift Controller Manager Kubeconfig File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_controller_manager_kubeconfig |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_controller_manager_kubeconfig:def:1 |
Time | 2021-07-20T05:20:57+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83904-3 |
Description |
To properly set the owner of /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig , run the command:
$ sudo chown root /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig |
Rationale | The Controller Manager's kubeconfig contains information about how the
component will access the API server. You should set its file ownership to
maintain the integrity of the file. |
Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Controller Manager service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Testing user ownership of ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/configmaps/controller-manager-kubeconfig/kubeconfig$ oval:ssg-test_file_owner_controller_manager_kubeconfig:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/configmaps/controller-manager-kubeconfig/kubeconfig | regular | 0 | 0 | 673 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-3/configmaps/controller-manager-kubeconfig/kubeconfig | regular | 0 | 0 | 673 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-6/configmaps/controller-manager-kubeconfig/kubeconfig | regular | 0 | 0 | 673 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-7/configmaps/controller-manager-kubeconfig/kubeconfig | regular | 0 | 0 | 673 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-8/configmaps/controller-manager-kubeconfig/kubeconfig | regular | 0 | 0 | 673 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-9/configmaps/controller-manager-kubeconfig/kubeconfig | regular | 0 | 0 | 673 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-4/configmaps/controller-manager-kubeconfig/kubeconfig | regular | 0 | 0 | 673 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-10/configmaps/controller-manager-kubeconfig/kubeconfig | regular | 0 | 0 | 673 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-11/configmaps/controller-manager-kubeconfig/kubeconfig | regular | 0 | 0 | 673 | rw-r--r-- |
Verify Group Who Owns The etcd Member Pod Specification File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etcd_member |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_etcd_member:def:1 |
Time | 2021-07-20T05:20:57+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83664-3 |
Description | To properly set the group owner of /etc/kubernetes/static-pod-resources/etcd-pod-*/etcd-pod.yaml , run the command: $ sudo chgrp root /etc/kubernetes/static-pod-resources/etcd-pod-*/etcd-pod.yaml |
Rationale | The etcd pod specification file controls various parameters that
set the behavior of the etcd service in the master node. etcd is a
highly-available key-value store which Kubernetes uses for persistent
storage of all of its REST API object. You should restrict its file
permissions to maintain the integrity of the file. The file should be
writable by only the administrators on the system. |
Warnings | warning
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Testing group ownership of ^/etc/kubernetes/static-pod-resources/etcd-pod-.*/etcd-pod.yaml$ oval:ssg-test_file_groupowner_etcd_member:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/kubernetes/static-pod-resources/etcd-pod-2/etcd-pod.yaml | regular | 0 | 0 | 17522 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/etcd-pod.yaml | regular | 0 | 0 | 17418 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/etcd-pod.yaml | regular | 0 | 0 | 15993 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-pod-5/etcd-pod.yaml | regular | 0 | 0 | 15130 | rw-r--r-- |
Verify User Who Owns The Etcd PKI Certificate Files
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etcd_pki_cert_files |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_etcd_pki_cert_files:def:1 |
Time | 2021-07-20T05:20:58+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83898-7 |
Description |
To properly set the owner of /etc/kubernetes/static-pod-resources/*/*/*/*.crt , run the command:
$ sudo chown root /etc/kubernetes/static-pod-resources/*/*/*/*.crt |
Rationale | OpenShift makes use of a number of certificates as part of its operation.
You should verify the ownership of the directory containing the PKI
information and all files in that directory to maintain their integrity.
The directory and files should be owned by the system administrator. |
Warnings | warning
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Testing user ownership of ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.crt$ oval:ssg-test_file_owner_etcd_pki_cert_files:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-peer/etcd-peer-master-0.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-2/secrets/localhost-recovery-client-token/ca.crt | regular | 0 | 0 | 3560 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-2/configmaps/serviceaccount-ca/ca-bundle.crt | regular | 0 | 0 | 0 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-scheduler-certs/secrets/kube-scheduler-client-cert-key/tls.crt | regular | 0 | 0 | 1168 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-peer/etcd-peer-master-1.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-peer/etcd-peer-master-2.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-peer/etcd-peer-master-0.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-serving/etcd-serving-master-0.crt | regular | 0 | 0 | 2709 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-9/secrets/etcd-client/tls.crt | regular | 0 | 0 | 1188 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-5/secrets/etcd-all-peer/etcd-peer-master-2.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-serving/etcd-serving-master-1.crt | regular | 0 | 0 | 2709 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-serving/etcd-serving-master-2.crt | regular | 0 | 0 | 2709 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-0.crt | regular | 0 | 0 | 2733 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-1.crt | regular | 0 | 0 | 2733 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-2.crt | regular | 0 | 0 | 2733 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/configmaps/etcd-metrics-proxy-client-ca/ca-bundle.crt | regular | 0 | 0 | 1151 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/configmaps/etcd-metrics-proxy-serving-ca/ca-bundle.crt | regular | 0 | 0 | 1151 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/configmaps/etcd-peer-client-ca/ca-bundle.crt | regular | 0 | 0 | 1135 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/configmaps/etcd-serving-ca/ca-bundle.crt | regular | 0 | 0 | 1135 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-peer/etcd-peer-master-2.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-peer/etcd-peer-master-0.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-peer/etcd-peer-master-1.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-serving/etcd-serving-master-2.crt | regular | 0 | 0 | 2709 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-serving/etcd-serving-master-0.crt | regular | 0 | 0 | 2709 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-serving/etcd-serving-master-1.crt | regular | 0 | 0 | 2709 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-0.crt | regular | 0 | 0 | 2733 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-1.crt | regular | 0 | 0 | 2733 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-2.crt | regular | 0 | 0 | 2733 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-metrics-proxy-client-ca/ca-bundle.crt | regular | 0 | 0 | 1151 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-metrics-proxy-serving-ca/ca-bundle.crt | regular | 0 | 0 | 1151 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-peer-client-ca/ca-bundle.crt | regular | 0 | 0 | 1135 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-serving-ca/ca-bundle.crt | regular | 0 | 0 | 1135 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-3/secrets/localhost-recovery-client-token/ca.crt | regular | 0 | 0 | 3560 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-3/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2761 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-3/configmaps/service-ca/ca-bundle.crt | regular | 0 | 0 | 1212 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-3/configmaps/serviceaccount-ca/ca-bundle.crt | regular | 0 | 0 | 0 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/csr-signer/tls.crt | regular | 0 | 0 | 1229 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/kube-controller-manager-client-cert-key/tls.crt | regular | 0 | 0 | 1180 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/aggregator-client-ca/ca-bundle.crt | regular | 0 | 0 | 1281 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt | regular | 0 | 0 | 8527 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/trusted-ca-bundle/ca-bundle.crt | regular | 0 | 0 | 216090 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt | regular | 0 | 0 | 1208 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt | regular | 0 | 0 | 1220 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt | regular | 0 | 0 | 1212 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt | regular | 0 | 0 | 2417 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt | regular | 0 | 0 | 2429 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt | regular | 0 | 0 | 2713 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/aggregator-client-ca/ca-bundle.crt | regular | 0 | 0 | 1281 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/client-ca/ca-bundle.crt | regular | 0 | 0 | 8527 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/trusted-ca-bundle/ca-bundle.crt | regular | 0 | 0 | 216090 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-4/secrets/localhost-recovery-client-token/ca.crt | regular | 0 | 0 | 3560 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-4/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2761 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-4/configmaps/service-ca/ca-bundle.crt | regular | 0 | 0 | 1212 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-4/configmaps/serviceaccount-ca/ca-bundle.crt | regular | 0 | 0 | 7222 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-5/secrets/localhost-recovery-client-token/ca.crt | regular | 0 | 0 | 3560 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-5/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2664 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-5/configmaps/serviceaccount-ca/ca-bundle.crt | regular | 0 | 0 | 7222 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-peer/etcd-peer-master-2.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-peer/etcd-peer-master-0.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-peer/etcd-peer-master-1.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-serving/etcd-serving-master-0.crt | regular | 0 | 0 | 2709 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-serving/etcd-serving-master-1.crt | regular | 0 | 0 | 2709 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-serving/etcd-serving-master-2.crt | regular | 0 | 0 | 2709 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-0.crt | regular | 0 | 0 | 2733 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-1.crt | regular | 0 | 0 | 2733 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-2.crt | regular | 0 | 0 | 2733 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/configmaps/etcd-metrics-proxy-client-ca/ca-bundle.crt | regular | 0 | 0 | 1151 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/configmaps/etcd-metrics-proxy-serving-ca/ca-bundle.crt | regular | 0 | 0 | 1151 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/configmaps/etcd-peer-client-ca/ca-bundle.crt | regular | 0 | 0 | 1135 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/configmaps/etcd-serving-ca/ca-bundle.crt | regular | 0 | 0 | 1135 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/secrets/localhost-recovery-client-token/service-ca.crt | regular | 0 | 0 | 8435 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/secrets/localhost-recovery-client-token/ca.crt | regular | 0 | 0 | 7222 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2761 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/configmaps/service-ca/ca-bundle.crt | regular | 0 | 0 | 1212 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/configmaps/serviceaccount-ca/ca-bundle.crt | regular | 0 | 0 | 7222 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-6/secrets/localhost-recovery-client-token/ca.crt | regular | 0 | 0 | 7222 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-6/secrets/localhost-recovery-client-token/service-ca.crt | regular | 0 | 0 | 8435 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-6/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2664 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-6/configmaps/serviceaccount-ca/ca-bundle.crt | regular | 0 | 0 | 7222 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-6/secrets/localhost-recovery-client-token/ca.crt | regular | 0 | 0 | 7222 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-6/secrets/localhost-recovery-client-token/service-ca.crt | regular | 0 | 0 | 8435 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-6/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2761 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-6/configmaps/service-ca/ca-bundle.crt | regular | 0 | 0 | 1212 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-6/configmaps/serviceaccount-ca/ca-bundle.crt | regular | 0 | 0 | 7222 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/secrets/etcd-client/tls.crt | regular | 0 | 0 | 1188 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/secrets/kubelet-client/tls.crt | regular | 0 | 0 | 1204 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/secrets/localhost-recovery-client-token/service-ca.crt | regular | 0 | 0 | 8435 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/secrets/localhost-recovery-client-token/ca.crt | regular | 0 | 0 | 7222 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/secrets/localhost-recovery-serving-certkey/tls.crt | regular | 0 | 0 | 2600 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/configmaps/etcd-serving-ca/ca-bundle.crt | regular | 0 | 0 | 1135 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/configmaps/kubelet-serving-ca/ca-bundle.crt | regular | 0 | 0 | 2319 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/configmaps/kube-apiserver-server-ca/ca-bundle.crt | regular | 0 | 0 | 4866 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-peer/etcd-peer-master-1.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-peer/etcd-peer-master-2.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-serving/etcd-serving-master-2.crt | regular | 0 | 0 | 2709 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-serving/etcd-serving-master-0.crt | regular | 0 | 0 | 2709 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-serving/etcd-serving-master-1.crt | regular | 0 | 0 | 2709 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-0.crt | regular | 0 | 0 | 2733 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-1.crt | regular | 0 | 0 | 2733 | rw------- |
Verify User Who Owns The OpenShift Multus Container Network Interface Plugin Files
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_multus_conf |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_multus_conf:def:1 |
Time | 2021-07-20T05:20:58+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83603-1 |
Description | To properly set the owner of /var/run/multus/cni/net.d/* , run the command: $ sudo chown root /var/run/multus/cni/net.d/* |
Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
Testing user ownership of ^/var/run/multus/cni/net.d/.*$ oval:ssg-test_file_owner_multus_conf:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/var/run/multus/cni/net.d/10-ovn-kubernetes.conf | regular | 0 | 0 | 233 | rw------- |
Verify User Who Owns The Open vSwitch Database Server PID
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_ovsdb_server_pid |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_ovsdb_server_pid:def:1 |
Time | 2021-07-20T05:20:58+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83806-0 |
Description |
To properly set the owner of /run/openvswitch/ovsdb-server.pid , run the command:
$ sudo chown openvswitch /run/openvswitch/ovsdb-server.pid |
Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
Testing user ownership of /run/openvswitch/ovsdb-server.pid oval:ssg-test_file_owner_ovsdb_server_pid:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/run/openvswitch/ovsdb-server.pid | regular | 800 | 801 | 5 | rw-r--r-- |
Verify User Who Owns The Open vSwitch Configuration Database Lock
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_ovs_conf_db_lock |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_ovs_conf_db_lock:def:1 |
Time | 2021-07-20T05:20:58+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83462-2 |
Description |
To properly set the owner of /etc/openvswitch/.conf.db.~lock~ , run the command:
$ sudo chown openvswitch /etc/openvswitch/.conf.db.~lock~ |
Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
Testing user ownership of /etc/openvswitch/.conf.db.~lock~ oval:ssg-test_file_owner_ovs_conf_db_lock:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/openvswitch/.conf.db.~lock~ | regular | 800 | 801 | 0 | rw------- |
Verify Group Who Owns The Open vSwitch Persistent System ID
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_ovs_sys_id_conf |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_ovs_sys_id_conf:def:1 |
Time | 2021-07-20T05:20:58+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83677-5 |
Description |
To properly set the group owner of /etc/openvswitch/system-id.conf , run the command:
$ sudo chgrp hugetlbfs /etc/openvswitch/system-id.conf |
Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
Testing group ownership of /etc/openvswitch/system-id.conf oval:ssg-test_file_groupowner_ovs_sys_id_conf:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/openvswitch/system-id.conf | regular | 800 | 801 | 37 | rw-r--r-- |
Verify Permissions on the OpenShift SDN CNI Server Config
Rule ID | xccdf_org.ssgproject.content_rule_file_perms_openshift_sdn_cniserver_config |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_perms_openshift_sdn_cniserver_config:def:1 |
Time | 2021-07-20T05:20:58+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83927-4 |
Description |
To properly set the permissions of /var/run/openshift-sdn/cniserver/config.json , run the command:
$ sudo chmod 0444 /var/run/openshift-sdn/cniserver/config.json |
Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
Testing mode of /var/run/openshift-sdn/cniserver/config.json oval:ssg-test_file_permissionsfile_perms_openshift_sdn_cniserver_config:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsfile_perms_openshift_sdn_cniserver_config:obj:1 of type file_object
Filepath | Filter |
---|---|
/var/run/openshift-sdn/cniserver/config.json | oval:ssg-state_file_permissionsfile_perms_openshift_sdn_cniserver_config_mode_not_0444:ste:1 |
Verify Group Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_ip_allocations |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_ip_allocations:def:1 |
Time | 2021-07-20T05:20:58+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-84211-2 |
Description | To properly set the group owner of /var/lib/cni/networks/openshift-sdn/.* , run the command: $ sudo chgrp root /var/lib/cni/networks/openshift-sdn/.* |
Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
Testing group ownership of ^/var/lib/cni/networks/openshift-sdn/.*$ oval:ssg-test_file_groupowner_ip_allocations:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_ip_allocations:obj:1 of type file_object
Filepath |
---|
^/var/lib/cni/networks/openshift-sdn/.*$ |
Verify Group Who Owns The Open vSwitch Process ID File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_ovs_pid |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_ovs_pid:def:1 |
Time | 2021-07-20T05:20:58+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83630-4 |
Description | Ensure that the file /var/run/openvswitch/ovs-vswitchd.pid, is owned by the group openvswitchor hugetlbfs, depending on your settings and Open vSwitch version. |
Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
Testing group ownership of /run/openvswitch/ovs-vswitchd.pid oval:ssg-test_file_groupowner_run_ovs_vswitchd_pid_800:tst:1 false
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/run/openvswitch/ovs-vswitchd.pid | regular | 800 | 801 | 5 | rw-r--r-- |
Testing group ownership of /run/openvswitch/ovs-vswitchd.pid oval:ssg-test_file_groupowner_run_ovs_vswitchd_pid_801:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/run/openvswitch/ovs-vswitchd.pid | regular | 800 | 801 | 5 | rw-r--r-- |
Verify User Who Owns The Etcd Database Directory
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etcd_data_dir |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_etcd_data_dir:def:1 |
Time | 2021-07-20T05:20:58+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83905-0 |
Description |
To properly set the owner of /var/lib/etcd/member/ , run the command:
$ sudo chown root /var/lib/etcd/member/ |
Rationale | etcd is a highly-available key-value store used by Kubernetes deployments for
persistent storage of all of its REST API objects. This data directory should
be protected from any unauthorized reads or writes. |
Warnings | warning
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Testing user ownership of /var/lib/etcd/member/ oval:ssg-test_file_owner_etcd_data_dir:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/var/lib/etcd/member// | directory | 0 | 0 | 29 | rwx------ |
Verify Group Who Owns The Etcd Write-Ahead-Log Files
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etcd_data_files |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_etcd_data_files:def:1 |
Time | 2021-07-20T05:20:58+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83816-9 |
Description |
To properly set the group owner of /var/lib/etcd/member/wal/* , run the command:
$ sudo chgrp root /var/lib/etcd/member/wal/* |
Rationale | etcd is a highly-available key-value store used by Kubernetes deployments for
persistent storage of all of its REST API objects. This data directory should
be protected from any unauthorized reads or writes. |
Warnings | warning
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Testing group ownership of ^/var/lib/etcd/member/wal/.*$ oval:ssg-test_file_groupowner_etcd_data_files:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/var/lib/etcd/member/wal/0000000000000058-0000000000540992.wal | regular | 0 | 0 | 64000376 | rw------- |
/var/lib/etcd/member/wal/0000000000000059-0000000000552b6f.wal | regular | 0 | 0 | 64000992 | rw------- |
/var/lib/etcd/member/wal/000000000000005a-0000000000564c8f.wal | regular | 0 | 0 | 64000160 | rw------- |
/var/lib/etcd/member/wal/000000000000005b-0000000000576c47.wal | regular | 0 | 0 | 64000400 | rw------- |
/var/lib/etcd/member/wal/000000000000005c-0000000000588cce.wal | regular | 0 | 0 | 64000000 | rw------- |
/var/lib/etcd/member/wal/0.tmp | regular | 0 | 0 | 64000000 | rw------- |
Verify Group Who Owns The Open vSwitch Database Server PID
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_ovsdb_server_pid |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_ovsdb_server_pid:def:1 |
Time | 2021-07-20T05:20:58+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-84166-8 |
Description | Ensure that the file /run/openvswitch/ovsdb-server.pid, is owned by the group openvswitchor hugetlbfs, depending on your settings and Open vSwitch version. |
Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
Testing group ownership of /run/openvswitch/ovsdb-server.pid oval:ssg-test_file_groupowner_ovsdb_server_pid_800:tst:1 false
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/run/openvswitch/ovsdb-server.pid | regular | 800 | 801 | 5 | rw-r--r-- |
Testing group ownership of /run/openvswitch/ovsdb-server.pid oval:ssg-test_file_groupowner_ovsdb_server_pid_801:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/run/openvswitch/ovsdb-server.pid | regular | 800 | 801 | 5 | rw-r--r-- |
Verify Group Who Owns The OpenShift PKI Private Key Files
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_openshift_pki_key_files |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_openshift_pki_key_files:def:1 |
Time | 2021-07-20T05:20:59+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-84172-6 |
Description |
To properly set the group owner of /etc/kubernetes/static-pod-resources/*/*/*/*.key , run the command:
$ sudo chgrp root /etc/kubernetes/static-pod-resources/*/*/*/*.key |
Rationale | OpenShift makes use of a number of certificates as part of its operation.
You should verify the ownership of the directory containing the PKI
information and all files in that directory to maintain their integrity.
The directory and files should be owned by root:root. |
Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Control Plane.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Testing group ownership of ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.key$ oval:ssg-test_file_groupowner_openshift_pki_key_files:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-7/secrets/service-account-private-key/service-account.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-9/secrets/etcd-client/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-5/secrets/etcd-all-peer/etcd-peer-master-1.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-8/secrets/serving-cert/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-peer/etcd-peer-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-certs/secrets/kube-scheduler-client-cert-key/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-peer/etcd-peer-master-0.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-peer/etcd-peer-master-1.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-peer/etcd-peer-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-serving/etcd-serving-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-serving/etcd-serving-master-0.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-serving/etcd-serving-master-1.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-0.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-1.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-peer/etcd-peer-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-peer/etcd-peer-master-0.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-peer/etcd-peer-master-1.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-serving/etcd-serving-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-serving/etcd-serving-master-0.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-serving/etcd-serving-master-1.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-0.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-1.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-3/secrets/service-account-private-key/service-account.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-3/secrets/serving-cert/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/csr-signer/tls.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/kube-controller-manager-client-cert-key/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/bound-service-account-signing-key/service-account.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-4/secrets/service-account-private-key/service-account.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-4/secrets/serving-cert/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-5/secrets/serving-cert/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-peer/etcd-peer-master-1.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-peer/etcd-peer-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-peer/etcd-peer-master-0.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-serving/etcd-serving-master-0.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-serving/etcd-serving-master-1.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-serving/etcd-serving-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-0.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-1.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/secrets/service-account-private-key/service-account.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/secrets/serving-cert/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-6/secrets/serving-cert/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-6/secrets/service-account-private-key/service-account.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-6/secrets/serving-cert/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/secrets/etcd-client/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/secrets/kubelet-client/tls.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/secrets/localhost-recovery-serving-certkey/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-peer/etcd-peer-master-0.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-peer/etcd-peer-master-1.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-serving/etcd-serving-master-1.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-serving/etcd-serving-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-serving/etcd-serving-master-0.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-0.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-1.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-6/secrets/etcd-client/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-6/secrets/kubelet-client/tls.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-6/secrets/localhost-recovery-serving-certkey/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-7/secrets/serving-cert/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-7/secrets/serving-cert/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-8/secrets/service-account-private-key/service-account.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-8/secrets/serving-cert/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-8/secrets/etcd-client/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-8/secrets/kubelet-client/tls.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-8/secrets/localhost-recovery-serving-certkey/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-9/secrets/kubelet-client/tls.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-9/secrets/localhost-recovery-serving-certkey/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-5/secrets/etcd-all-peer/etcd-peer-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-5/secrets/etcd-all-peer/etcd-peer-master-0.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-5/secrets/etcd-all-serving/etcd-serving-master-0.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-5/secrets/etcd-all-serving/etcd-serving-master-1.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-5/secrets/etcd-all-serving/etcd-serving-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-5/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-0.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-5/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-1.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-5/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-10/secrets/etcd-client/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-10/secrets/kubelet-client/tls.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-10/secrets/localhost-recovery-serving-certkey/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-9/secrets/service-account-private-key/service-account.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-9/secrets/serving-cert/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-10/secrets/service-account-private-key/service-account.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-10/secrets/serving-cert/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-11/secrets/service-account-private-key/service-account.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-11/secrets/serving-cert/tls.key | regular | 0 | 0 | 1675 | rw------- |
Verify Group Who Owns The OpenShift Container Network Interface Files
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_cni_conf |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_cni_conf:def:1 |
Time | 2021-07-20T05:20:59+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-84025-6 |
Description | To properly set the group owner of /etc/cni/net.d/* , run the command: $ sudo chgrp root /etc/cni/net.d/* |
Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
Testing group ownership of ^/etc/cni/net.d/.*$ oval:ssg-test_file_groupowner_cni_conf:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/cni/net.d/100-crio-bridge.conf | regular | 0 | 0 | 438 | rw-r--r-- |
/etc/cni/net.d/200-loopback.conf | regular | 0 | 0 | 54 | rw-r--r-- |
/etc/cni/net.d/87-podman-bridge.conflist | regular | 0 | 0 | 639 | rw-r--r-- |
Verify User Who Owns The Etcd Member Pod Specification File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etcd_member |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_etcd_member:def:1 |
Time | 2021-07-20T05:20:59+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83988-6 |
Description | To properly set the owner of /etc/kubernetes/static-pod-resources/etcd-pod-*/etcd-pod.yaml , run the command: $ sudo chown root /etc/kubernetes/static-pod-resources/etcd-pod-*/etcd-pod.yaml |
Rationale | The etcd pod specification file controls various parameters that
set the behavior of the etcd service in the master node. etcd is a
highly-available key-value store which Kubernetes uses for persistent
storage of all of its REST API object. You should restrict its file
permissions to maintain the integrity of the file. The file should be
writable by only the administrators on the system. |
Warnings | warning
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Testing user ownership of ^/etc/kubernetes/static-pod-resources/etcd-pod-.*/etcd-pod.yaml$ oval:ssg-test_file_owner_etcd_member:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/kubernetes/static-pod-resources/etcd-pod-2/etcd-pod.yaml | regular | 0 | 0 | 17522 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/etcd-pod.yaml | regular | 0 | 0 | 17418 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/etcd-pod.yaml | regular | 0 | 0 | 15993 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-pod-5/etcd-pod.yaml | regular | 0 | 0 | 15130 | rw-r--r-- |
Verify Group Who Owns The OpenShift Admin Kubeconfig Files
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_master_admin_kubeconfigs |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_master_admin_kubeconfigs:def:1 |
Time | 2021-07-20T05:20:59+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-84204-7 |
Description |
To properly set the group owner of /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig , run the command:
$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig |
Rationale | There are various kubeconfig files that can be used by the administrator,
defining various settings for the administration of the cluster. These files
contain credentials that can be used to control the cluster and are needed
for disaster recovery and each kubeconfig points to a different endpoint in
the cluster. You should restrict its file permissions to maintain the
integrity of the kubeconfig file as an attacker who gains access to these
files can take over the cluster. |
Warnings | warning
This rule is only applicable for nodes that run the Kubernetes API server service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Testing group ownership of ^/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/.*\.kubeconfig$ oval:ssg-test_file_groupowner_master_admin_kubeconfigs:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost-recovery.kubeconfig | regular | 0 | 0 | 10755 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost.kubeconfig | regular | 0 | 0 | 10697 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/lb-ext.kubeconfig | regular | 0 | 0 | 10701 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/lb-int.kubeconfig | regular | 0 | 0 | 10705 | rw------- |
Verify Group Who Owns The OpenShift PKI Certificate Files
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_openshift_pki_cert_files |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_openshift_pki_cert_files:def:1 |
Time | 2021-07-20T05:20:59+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83922-5 |
Description |
To properly set the group owner of /etc/kubernetes/static-pod-resources/*/*/*/tls.crt , run the command:
$ sudo chgrp root /etc/kubernetes/static-pod-resources/*/*/*/tls.crt |
Rationale | OpenShift makes use of a number of certificates as part of its operation.
You should verify the ownership of the directory containing the PKI
information and all files in that directory to maintain their integrity.
The directory and files should be owned by the system administrator. |
Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Control Plane.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Testing group ownership of ^/etc/kubernetes/static-pod-resources/.*/.*/.*/tls\.crt$ oval:ssg-test_file_groupowner_openshift_pki_cert_files:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/kubernetes/static-pod-resources/kube-scheduler-certs/secrets/kube-scheduler-client-cert-key/tls.crt | regular | 0 | 0 | 1168 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-9/secrets/etcd-client/tls.crt | regular | 0 | 0 | 1188 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-3/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2761 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/csr-signer/tls.crt | regular | 0 | 0 | 1229 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/kube-controller-manager-client-cert-key/tls.crt | regular | 0 | 0 | 1180 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt | regular | 0 | 0 | 1208 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt | regular | 0 | 0 | 1220 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt | regular | 0 | 0 | 1212 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt | regular | 0 | 0 | 2417 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt | regular | 0 | 0 | 2429 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt | regular | 0 | 0 | 2713 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-4/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2761 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-5/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2664 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2761 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-6/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2664 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-6/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2761 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/secrets/etcd-client/tls.crt | regular | 0 | 0 | 1188 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/secrets/kubelet-client/tls.crt | regular | 0 | 0 | 1204 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/secrets/localhost-recovery-serving-certkey/tls.crt | regular | 0 | 0 | 2600 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-6/secrets/etcd-client/tls.crt | regular | 0 | 0 | 1188 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-6/secrets/kubelet-client/tls.crt | regular | 0 | 0 | 1204 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-6/secrets/localhost-recovery-serving-certkey/tls.crt | regular | 0 | 0 | 2600 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-7/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2761 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-7/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2664 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-8/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2761 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-8/secrets/etcd-client/tls.crt | regular | 0 | 0 | 1188 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-8/secrets/kubelet-client/tls.crt | regular | 0 | 0 | 1204 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-8/secrets/localhost-recovery-serving-certkey/tls.crt | regular | 0 | 0 | 2600 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-9/secrets/kubelet-client/tls.crt | regular | 0 | 0 | 1204 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-9/secrets/localhost-recovery-serving-certkey/tls.crt | regular | 0 | 0 | 2600 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-10/secrets/etcd-client/tls.crt | regular | 0 | 0 | 1188 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-10/secrets/kubelet-client/tls.crt | regular | 0 | 0 | 1204 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-10/secrets/localhost-recovery-serving-certkey/tls.crt | regular | 0 | 0 | 2600 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-8/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2664 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-9/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2761 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-10/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2761 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-11/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2761 | rw------- |
Verify User Who Owns The OpenShift Admin Kubeconfig Files
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_master_admin_kubeconfigs |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_master_admin_kubeconfigs:def:1 |
Time | 2021-07-20T05:20:59+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83719-5 |
Description |
To properly set the owner of /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig , run the command:
$ sudo chown root /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig |
Rationale | There are various kubeconfig files that can be used by the administrator,
defining various settings for the administration of the cluster. These files
contain credentials that can be used to control the cluster and are needed
for disaster recovery and each kubeconfig points to a different endpoint in
the cluster. You should restrict its file permissions to maintain the
integrity of the kubeconfig file as an attacker who gains access to these
files can take over the cluster. |
Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Control Plane.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Testing user ownership of ^/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/.*\.kubeconfig$ oval:ssg-test_file_owner_master_admin_kubeconfigs:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost-recovery.kubeconfig | regular | 0 | 0 | 10755 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost.kubeconfig | regular | 0 | 0 | 10697 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/lb-ext.kubeconfig | regular | 0 | 0 | 10701 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/lb-int.kubeconfig | regular | 0 | 0 | 10705 | rw------- |
Verify Group Who Owns The OpenShift Controller Manager Kubeconfig File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_controller_manager_kubeconfig |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_controller_manager_kubeconfig:def:1 |
Time | 2021-07-20T05:20:59+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-84095-9 |
Description |
To properly set the group owner of /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig , run the command:
$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig |
Rationale | The Controller Manager's kubeconfig contains information about how the
component will access the API server. You should set its file ownership to
maintain the integrity of the file. |
Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Controller
Manager service. The aforementioned service is only running on
the nodes labeled "master" by default. |
Testing group ownership of ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/configmaps/controller-manager-kubeconfig/kubeconfig$ oval:ssg-test_file_groupowner_controller_manager_kubeconfig:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/configmaps/controller-manager-kubeconfig/kubeconfig | regular | 0 | 0 | 673 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-3/configmaps/controller-manager-kubeconfig/kubeconfig | regular | 0 | 0 | 673 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-6/configmaps/controller-manager-kubeconfig/kubeconfig | regular | 0 | 0 | 673 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-7/configmaps/controller-manager-kubeconfig/kubeconfig | regular | 0 | 0 | 673 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-8/configmaps/controller-manager-kubeconfig/kubeconfig | regular | 0 | 0 | 673 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-9/configmaps/controller-manager-kubeconfig/kubeconfig | regular | 0 | 0 | 673 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-4/configmaps/controller-manager-kubeconfig/kubeconfig | regular | 0 | 0 | 673 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-10/configmaps/controller-manager-kubeconfig/kubeconfig | regular | 0 | 0 | 673 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-11/configmaps/controller-manager-kubeconfig/kubeconfig | regular | 0 | 0 | 673 | rw-r--r-- |
Verify Group Who Owns The OpenShift Multus Container Network Interface Plugin Files
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_multus_conf |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_multus_conf:def:1 |
Time | 2021-07-20T05:20:59+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83818-5 |
Description | To properly set the group owner of /var/run/multus/cni/net.d/* , run the command: $ sudo chgrp root /var/run/multus/cni/net.d/* |
Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
Testing group ownership of ^/var/run/multus/cni/net.d/.*$ oval:ssg-test_file_groupowner_multus_conf:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/var/run/multus/cni/net.d/10-ovn-kubernetes.conf | regular | 0 | 0 | 233 | rw------- |
Verify User Who Owns The Kubernetes Controller Manager Pod Specificiation File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_kube_controller_manager |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_kube_controller_manager:def:1 |
Time | 2021-07-20T05:20:59+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83795-5 |
Description | To properly set the owner of /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml , run the command: $ sudo chown root /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml |
Rationale | The Kubernetes specification file contains information about the configuration of the
Kubernetes Controller Manager Server that is configured on the system. Protection of this file is
critical for OpenShift security. |
Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Controller Manager service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Testing user ownership of ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/kube-controller-manager-pod.yaml$ oval:ssg-test_file_owner_kube_controller_manager:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-3/kube-controller-manager-pod.yaml | regular | 0 | 0 | 6043 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/kube-controller-manager-pod.yaml | regular | 0 | 0 | 6043 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-7/kube-controller-manager-pod.yaml | regular | 0 | 0 | 6088 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-9/kube-controller-manager-pod.yaml | regular | 0 | 0 | 7784 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-4/kube-controller-manager-pod.yaml | regular | 0 | 0 | 6043 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-10/kube-controller-manager-pod.yaml | regular | 0 | 0 | 7786 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-11/kube-controller-manager-pod.yaml | regular | 0 | 0 | 7823 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-6/kube-controller-manager-pod.yaml | regular | 0 | 0 | 6043 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-8/kube-controller-manager-pod.yaml | regular | 0 | 0 | 5950 | rw-r--r-- |
Verify User Who Owns The OpenShift PKI Private Key Files
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_openshift_pki_key_files |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_openshift_pki_key_files:def:1 |
Time | 2021-07-20T05:21:00+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83435-8 |
Description |
To properly set the owner of /etc/kubernetes/static-pod-resources/*/*/*/*.key , run the command:
$ sudo chown root /etc/kubernetes/static-pod-resources/*/*/*/*.key |
Rationale | OpenShift makes use of a number of certificates as part of its operation.
You should verify the ownership of the directory containing the PKI
information and all files in that directory to maintain their integrity.
The directory and files should be owned by root:root. |
Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Control Plane.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Testing user ownership of ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.key$ oval:ssg-test_file_owner_openshift_pki_key_files:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-7/secrets/service-account-private-key/service-account.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-9/secrets/etcd-client/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-5/secrets/etcd-all-peer/etcd-peer-master-1.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-8/secrets/serving-cert/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-peer/etcd-peer-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-certs/secrets/kube-scheduler-client-cert-key/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-peer/etcd-peer-master-0.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-peer/etcd-peer-master-1.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-peer/etcd-peer-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-serving/etcd-serving-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-serving/etcd-serving-master-0.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-serving/etcd-serving-master-1.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-0.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-1.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-peer/etcd-peer-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-peer/etcd-peer-master-0.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-peer/etcd-peer-master-1.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-serving/etcd-serving-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-serving/etcd-serving-master-0.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-serving/etcd-serving-master-1.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-0.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-1.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-3/secrets/service-account-private-key/service-account.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-3/secrets/serving-cert/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/csr-signer/tls.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/kube-controller-manager-client-cert-key/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/bound-service-account-signing-key/service-account.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-4/secrets/service-account-private-key/service-account.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-4/secrets/serving-cert/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-5/secrets/serving-cert/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-peer/etcd-peer-master-1.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-peer/etcd-peer-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-peer/etcd-peer-master-0.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-serving/etcd-serving-master-0.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-serving/etcd-serving-master-1.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-serving/etcd-serving-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-0.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-1.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/secrets/service-account-private-key/service-account.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/secrets/serving-cert/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-6/secrets/serving-cert/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-6/secrets/service-account-private-key/service-account.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-6/secrets/serving-cert/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/secrets/etcd-client/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/secrets/kubelet-client/tls.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/secrets/localhost-recovery-serving-certkey/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-peer/etcd-peer-master-0.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-peer/etcd-peer-master-1.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-serving/etcd-serving-master-1.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-serving/etcd-serving-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-serving/etcd-serving-master-0.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-0.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-1.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-6/secrets/etcd-client/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-6/secrets/kubelet-client/tls.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-6/secrets/localhost-recovery-serving-certkey/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-7/secrets/serving-cert/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-7/secrets/serving-cert/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-8/secrets/service-account-private-key/service-account.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-8/secrets/serving-cert/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-8/secrets/etcd-client/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-8/secrets/kubelet-client/tls.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-8/secrets/localhost-recovery-serving-certkey/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-9/secrets/kubelet-client/tls.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-9/secrets/localhost-recovery-serving-certkey/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-5/secrets/etcd-all-peer/etcd-peer-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-5/secrets/etcd-all-peer/etcd-peer-master-0.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-5/secrets/etcd-all-serving/etcd-serving-master-0.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-5/secrets/etcd-all-serving/etcd-serving-master-1.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-5/secrets/etcd-all-serving/etcd-serving-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-5/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-0.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-5/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-1.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-5/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-2.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-10/secrets/etcd-client/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-10/secrets/kubelet-client/tls.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-10/secrets/localhost-recovery-serving-certkey/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-9/secrets/service-account-private-key/service-account.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-9/secrets/serving-cert/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-10/secrets/service-account-private-key/service-account.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-10/secrets/serving-cert/tls.key | regular | 0 | 0 | 1675 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-11/secrets/service-account-private-key/service-account.key | regular | 0 | 0 | 1679 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-11/secrets/serving-cert/tls.key | regular | 0 | 0 | 1675 | rw------- |
Verify Group Who Owns The Etcd Database Directory
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etcd_data_dir |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_etcd_data_dir:def:1 |
Time | 2021-07-20T05:21:00+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83354-1 |
Description |
To properly set the group owner of /var/lib/etcd/member/ , run the command:
$ sudo chgrp root /var/lib/etcd/member/ |
Rationale | etcd is a highly-available key-value store used by Kubernetes deployments for
persistent storage of all of its REST API objects. This data directory should
be protected from any unauthorized reads or writes. |
Warnings | warning
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Testing group ownership of /var/lib/etcd/member/ oval:ssg-test_file_groupowner_etcd_data_dir:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/var/lib/etcd/member// | directory | 0 | 0 | 29 | rwx------ |
Verify User Who Owns The Kubernetes Scheduler Kubeconfig File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_scheduler_kubeconfig |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_scheduler_kubeconfig:def:1 |
Time | 2021-07-20T05:21:00+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-84017-3 |
Description |
To properly set the owner of /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig , run the command:
$ sudo chown root /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig |
Rationale | The kubeconfig for the Scheduler contains paramters for the scheduler
to access the Kube API.
You should set its file ownership to maintain the integrity of the file. |
Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Scheduler service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Testing user ownership of ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/configmaps/scheduler-kubeconfig/kubeconfig$ oval:ssg-test_file_owner_scheduler_kubeconfig:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-5/configmaps/scheduler-kubeconfig/kubeconfig | regular | 0 | 0 | 619 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-6/configmaps/scheduler-kubeconfig/kubeconfig | regular | 0 | 0 | 619 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-8/configmaps/scheduler-kubeconfig/kubeconfig | regular | 0 | 0 | 619 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-2/configmaps/scheduler-kubeconfig/kubeconfig | regular | 0 | 0 | 619 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-7/configmaps/scheduler-kubeconfig/kubeconfig | regular | 0 | 0 | 619 | rw-r--r-- |
Verify User Who Owns The Kubernetes Scheduler Pod Specification File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_kube_scheduler |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_kube_scheduler:def:1 |
Time | 2021-07-20T05:21:00+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83393-9 |
Description | To properly set the owner of /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml , run the command: $ sudo chown root /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml |
Rationale | The Kubernetes specification file contains information about the configuration of the
Kubernetes scheduler that is configured on the system. Protection of this file is
critical for OpenShift security. |
Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Scheduler service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Testing user ownership of ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/kube-scheduler-pod.yaml$ oval:ssg-test_file_owner_kube_scheduler:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-2/kube-scheduler-pod.yaml | regular | 0 | 0 | 3356 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-5/kube-scheduler-pod.yaml | regular | 0 | 0 | 3531 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-6/kube-scheduler-pod.yaml | regular | 0 | 0 | 3531 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-7/kube-scheduler-pod.yaml | regular | 0 | 0 | 4547 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-8/kube-scheduler-pod.yaml | regular | 0 | 0 | 4612 | rw-r--r-- |
Verify User Who Owns The OpenShift Container Network Interface Files
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_cni_conf |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_cni_conf:def:1 |
Time | 2021-07-20T05:21:00+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83460-6 |
Description | To properly set the owner of /etc/cni/net.d/* , run the command: $ sudo chown root /etc/cni/net.d/* |
Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
Testing user ownership of ^/etc/cni/net.d/.*$ oval:ssg-test_file_owner_cni_conf:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/cni/net.d/100-crio-bridge.conf | regular | 0 | 0 | 438 | rw-r--r-- |
/etc/cni/net.d/200-loopback.conf | regular | 0 | 0 | 54 | rw-r--r-- |
/etc/cni/net.d/87-podman-bridge.conflist | regular | 0 | 0 | 639 | rw-r--r-- |
Verify User Who Owns The Etcd Write-Ahead-Log Files
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etcd_data_files |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_etcd_data_files:def:1 |
Time | 2021-07-20T05:21:00+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-84010-8 |
Description |
To properly set the owner of /var/lib/etcd/member/wal/* , run the command:
$ sudo chown root /var/lib/etcd/member/wal/* |
Rationale | etcd is a highly-available key-value store used by Kubernetes deployments for
persistent storage of all of its REST API objects. This data directory should
be protected from any unauthorized reads or writes. |
Warnings | warning
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Testing user ownership of ^/var/lib/etcd/member/wal/.*$ oval:ssg-test_file_owner_etcd_data_files:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/var/lib/etcd/member/wal/0000000000000058-0000000000540992.wal | regular | 0 | 0 | 64000376 | rw------- |
/var/lib/etcd/member/wal/0000000000000059-0000000000552b6f.wal | regular | 0 | 0 | 64000992 | rw------- |
/var/lib/etcd/member/wal/000000000000005a-0000000000564c8f.wal | regular | 0 | 0 | 64000160 | rw------- |
/var/lib/etcd/member/wal/000000000000005b-0000000000576c47.wal | regular | 0 | 0 | 64000400 | rw------- |
/var/lib/etcd/member/wal/0.tmp | regular | 0 | 0 | 64000000 | rw------- |
/var/lib/etcd/member/wal/000000000000005c-0000000000588cce.wal | regular | 0 | 0 | 64000000 | rw------- |
Verify User Who Owns The Open vSwitch Configuration Database
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_ovs_conf_db |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_ovs_conf_db:def:1 |
Time | 2021-07-20T05:21:00+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83489-5 |
Description |
To properly set the owner of /etc/openvswitch/conf.db , run the command:
$ sudo chown openvswitch /etc/openvswitch/conf.db |
Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
Testing user ownership of /etc/openvswitch/conf.db oval:ssg-test_file_owner_ovs_conf_db:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/openvswitch/conf.db | regular | 800 | 801 | 1326372 | rw-r----- |
Verify User Who Owns The Open vSwitch Process ID File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_ovs_pid |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_ovs_pid:def:1 |
Time | 2021-07-20T05:21:00+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83937-3 |
Description |
To properly set the owner of /var/run/openvswitch/ovs-vswitchd.pid , run the command:
$ sudo chown openvswitch /var/run/openvswitch/ovs-vswitchd.pid |
Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
Testing user ownership of /var/run/openvswitch/ovs-vswitchd.pid oval:ssg-test_file_owner_ovs_pid:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/var/run/openvswitch/ovs-vswitchd.pid | regular | 800 | 801 | 5 | rw-r--r-- |
Verify User Who Owns The Kubernetes API Server Pod Specification File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_kube_apiserver |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_kube_apiserver:def:1 |
Time | 2021-07-20T05:21:00+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83372-3 |
Description | To properly set the owner of /etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml , run the command: $ sudo chown root /etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml |
Rationale | The Kubernetes specification file contains information about the configuration of the
Kubernetes API Server that is configured on the system. Protection of this file is
critical for OpenShift security. |
Warnings | warning
This rule is only applicable for nodes that run the Kubernetes API Server service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Testing user ownership of ^/etc/kubernetes/static-pod-resources/kube-apiserver-pod-.*/kube-apiserver-pod.yaml$ oval:ssg-test_file_owner_kube_apiserver:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/kube-apiserver-pod.yaml | regular | 0 | 0 | 6904 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-6/kube-apiserver-pod.yaml | regular | 0 | 0 | 6949 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-9/kube-apiserver-pod.yaml | regular | 0 | 0 | 6949 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-10/kube-apiserver-pod.yaml | regular | 0 | 0 | 7089 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-8/kube-apiserver-pod.yaml | regular | 0 | 0 | 6949 | rw-r--r-- |
Verify User Who Owns The OpenShift SDN CNI Server Config
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_openshift_sdn_cniserver_config |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_openshift_sdn_cniserver_config:def:1 |
Time | 2021-07-20T05:21:00+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83932-4 |
Description |
To properly set the owner of /var/run/openshift-sdn/cniserver/config.json , run the command:
$ sudo chown root /var/run/openshift-sdn/cniserver/config.json |
Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
Testing user ownership of /var/run/openshift-sdn/cniserver/config.json oval:ssg-test_file_owner_openshift_sdn_cniserver_config:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_openshift_sdn_cniserver_config:obj:1 of type file_object
Filepath |
---|
/var/run/openshift-sdn/cniserver/config.json |
Verify Group Who Owns The Open vSwitch Configuration Database
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_ovs_conf_db |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_ovs_conf_db:def:1 |
Time | 2021-07-20T05:21:00+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-84226-0 |
Description |
To properly set the group owner of /etc/openvswitch/conf.db , run the command:
$ sudo chgrp hugetlbfs /etc/openvswitch/conf.db |
Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
Testing group ownership of /etc/openvswitch/conf.db oval:ssg-test_file_groupowner_ovs_conf_db:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/openvswitch/conf.db | regular | 800 | 801 | 1326372 | rw-r----- |
Verify Group Who Owns The Etcd PKI Certificate Files
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etcd_pki_cert_files |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_etcd_pki_cert_files:def:1 |
Time | 2021-07-20T05:21:00+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83890-4 |
Description |
To properly set the group owner of /etc/kubernetes/static-pod-resources/*/*/*/*.crt , run the command:
$ sudo chgrp root /etc/kubernetes/static-pod-resources/*/*/*/*.crt |
Rationale | OpenShift makes use of a number of certificates as part of its operation.
You should verify the ownership of the directory containing the PKI
information and all files in that directory to maintain their integrity.
The directory and files should be owned by the system administrator. |
Warnings | warning
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Testing group ownership of ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.crt$ oval:ssg-test_file_groupowner_etcd_pki_cert_files:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-peer/etcd-peer-master-0.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-2/secrets/localhost-recovery-client-token/ca.crt | regular | 0 | 0 | 3560 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-2/configmaps/serviceaccount-ca/ca-bundle.crt | regular | 0 | 0 | 0 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-scheduler-certs/secrets/kube-scheduler-client-cert-key/tls.crt | regular | 0 | 0 | 1168 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-peer/etcd-peer-master-1.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-peer/etcd-peer-master-2.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-peer/etcd-peer-master-0.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-serving/etcd-serving-master-0.crt | regular | 0 | 0 | 2709 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-9/secrets/etcd-client/tls.crt | regular | 0 | 0 | 1188 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-5/secrets/etcd-all-peer/etcd-peer-master-2.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-serving/etcd-serving-master-1.crt | regular | 0 | 0 | 2709 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-serving/etcd-serving-master-2.crt | regular | 0 | 0 | 2709 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-0.crt | regular | 0 | 0 | 2733 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-1.crt | regular | 0 | 0 | 2733 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-2.crt | regular | 0 | 0 | 2733 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/configmaps/etcd-metrics-proxy-client-ca/ca-bundle.crt | regular | 0 | 0 | 1151 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/configmaps/etcd-metrics-proxy-serving-ca/ca-bundle.crt | regular | 0 | 0 | 1151 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/configmaps/etcd-peer-client-ca/ca-bundle.crt | regular | 0 | 0 | 1135 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-pod-2/configmaps/etcd-serving-ca/ca-bundle.crt | regular | 0 | 0 | 1135 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-peer/etcd-peer-master-2.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-peer/etcd-peer-master-0.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-peer/etcd-peer-master-1.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-serving/etcd-serving-master-2.crt | regular | 0 | 0 | 2709 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-serving/etcd-serving-master-0.crt | regular | 0 | 0 | 2709 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-serving/etcd-serving-master-1.crt | regular | 0 | 0 | 2709 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-0.crt | regular | 0 | 0 | 2733 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-1.crt | regular | 0 | 0 | 2733 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-2.crt | regular | 0 | 0 | 2733 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-metrics-proxy-client-ca/ca-bundle.crt | regular | 0 | 0 | 1151 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-metrics-proxy-serving-ca/ca-bundle.crt | regular | 0 | 0 | 1151 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-peer-client-ca/ca-bundle.crt | regular | 0 | 0 | 1135 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-serving-ca/ca-bundle.crt | regular | 0 | 0 | 1135 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-3/secrets/localhost-recovery-client-token/ca.crt | regular | 0 | 0 | 3560 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-3/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2761 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-3/configmaps/service-ca/ca-bundle.crt | regular | 0 | 0 | 1212 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-3/configmaps/serviceaccount-ca/ca-bundle.crt | regular | 0 | 0 | 0 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/csr-signer/tls.crt | regular | 0 | 0 | 1229 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/kube-controller-manager-client-cert-key/tls.crt | regular | 0 | 0 | 1180 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/aggregator-client-ca/ca-bundle.crt | regular | 0 | 0 | 1281 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt | regular | 0 | 0 | 8527 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/trusted-ca-bundle/ca-bundle.crt | regular | 0 | 0 | 216090 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt | regular | 0 | 0 | 1208 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt | regular | 0 | 0 | 1220 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt | regular | 0 | 0 | 1212 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt | regular | 0 | 0 | 2417 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt | regular | 0 | 0 | 2429 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt | regular | 0 | 0 | 2713 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/aggregator-client-ca/ca-bundle.crt | regular | 0 | 0 | 1281 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/client-ca/ca-bundle.crt | regular | 0 | 0 | 8527 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/trusted-ca-bundle/ca-bundle.crt | regular | 0 | 0 | 216090 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-4/secrets/localhost-recovery-client-token/ca.crt | regular | 0 | 0 | 3560 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-4/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2761 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-4/configmaps/service-ca/ca-bundle.crt | regular | 0 | 0 | 1212 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-4/configmaps/serviceaccount-ca/ca-bundle.crt | regular | 0 | 0 | 7222 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-5/secrets/localhost-recovery-client-token/ca.crt | regular | 0 | 0 | 3560 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-5/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2664 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-5/configmaps/serviceaccount-ca/ca-bundle.crt | regular | 0 | 0 | 7222 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-peer/etcd-peer-master-2.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-peer/etcd-peer-master-0.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-peer/etcd-peer-master-1.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-serving/etcd-serving-master-0.crt | regular | 0 | 0 | 2709 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-serving/etcd-serving-master-1.crt | regular | 0 | 0 | 2709 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-serving/etcd-serving-master-2.crt | regular | 0 | 0 | 2709 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-0.crt | regular | 0 | 0 | 2733 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-1.crt | regular | 0 | 0 | 2733 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-2.crt | regular | 0 | 0 | 2733 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/configmaps/etcd-metrics-proxy-client-ca/ca-bundle.crt | regular | 0 | 0 | 1151 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/configmaps/etcd-metrics-proxy-serving-ca/ca-bundle.crt | regular | 0 | 0 | 1151 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/configmaps/etcd-peer-client-ca/ca-bundle.crt | regular | 0 | 0 | 1135 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-pod-3/configmaps/etcd-serving-ca/ca-bundle.crt | regular | 0 | 0 | 1135 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/secrets/localhost-recovery-client-token/service-ca.crt | regular | 0 | 0 | 8435 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/secrets/localhost-recovery-client-token/ca.crt | regular | 0 | 0 | 7222 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2761 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/configmaps/service-ca/ca-bundle.crt | regular | 0 | 0 | 1212 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/configmaps/serviceaccount-ca/ca-bundle.crt | regular | 0 | 0 | 7222 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-6/secrets/localhost-recovery-client-token/ca.crt | regular | 0 | 0 | 7222 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-6/secrets/localhost-recovery-client-token/service-ca.crt | regular | 0 | 0 | 8435 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-6/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2664 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-6/configmaps/serviceaccount-ca/ca-bundle.crt | regular | 0 | 0 | 7222 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-6/secrets/localhost-recovery-client-token/ca.crt | regular | 0 | 0 | 7222 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-6/secrets/localhost-recovery-client-token/service-ca.crt | regular | 0 | 0 | 8435 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-6/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2761 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-6/configmaps/service-ca/ca-bundle.crt | regular | 0 | 0 | 1212 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-6/configmaps/serviceaccount-ca/ca-bundle.crt | regular | 0 | 0 | 7222 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/secrets/etcd-client/tls.crt | regular | 0 | 0 | 1188 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/secrets/kubelet-client/tls.crt | regular | 0 | 0 | 1204 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/secrets/localhost-recovery-client-token/service-ca.crt | regular | 0 | 0 | 8435 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/secrets/localhost-recovery-client-token/ca.crt | regular | 0 | 0 | 7222 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/secrets/localhost-recovery-serving-certkey/tls.crt | regular | 0 | 0 | 2600 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/configmaps/etcd-serving-ca/ca-bundle.crt | regular | 0 | 0 | 1135 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/configmaps/kubelet-serving-ca/ca-bundle.crt | regular | 0 | 0 | 2319 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/configmaps/kube-apiserver-server-ca/ca-bundle.crt | regular | 0 | 0 | 4866 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-peer/etcd-peer-master-1.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-peer/etcd-peer-master-2.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-serving/etcd-serving-master-2.crt | regular | 0 | 0 | 2709 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-serving/etcd-serving-master-0.crt | regular | 0 | 0 | 2709 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-serving/etcd-serving-master-1.crt | regular | 0 | 0 | 2709 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-0.crt | regular | 0 | 0 | 2733 | rw------- |
/etc/kubernetes/static-pod-resources/etcd-pod-4/secrets/etcd-all-serving-metrics/etcd-serving-metrics-master-1.crt | regular | 0 | 0 | 2733 | rw------- |
Verify Group Who Owns The Open vSwitch Configuration Database Lock
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_ovs_conf_db_lock |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_ovs_conf_db_lock:def:1 |
Time | 2021-07-20T05:21:00+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-84219-5 |
Description |
To properly set the group owner of /etc/openvswitch/.conf.db.~lock~ , run the command:
$ sudo chgrp hugetlbfs /etc/openvswitch/.conf.db.~lock~ |
Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
Testing group ownership of /etc/openvswitch/.conf.db.~lock~ oval:ssg-test_file_groupowner_ovs_conf_db_lock:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/openvswitch/.conf.db.~lock~ | regular | 800 | 801 | 0 | rw------- |
Verify User Who Owns The Open vSwitch Persistent System ID
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_ovs_sys_id_conf |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_ovs_sys_id_conf:def:1 |
Time | 2021-07-20T05:21:00+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-84085-0 |
Description |
To properly set the owner of /etc/openvswitch/system-id.conf , run the command:
$ sudo chown openvswitch /etc/openvswitch/system-id.conf |
Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
Testing user ownership of /etc/openvswitch/system-id.conf oval:ssg-test_file_owner_ovs_sys_id_conf:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/openvswitch/system-id.conf | regular | 800 | 801 | 37 | rw-r--r-- |
Verify Group Who Owns The Kubernetes Scheduler Kubeconfig File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_scheduler_kubeconfig |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_scheduler_kubeconfig:def:1 |
Time | 2021-07-20T05:21:00+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83471-3 |
Description |
To properly set the group owner of /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig , run the command:
$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig |
Rationale | The kubeconfig for the Scheduler contains paramters for the scheduler
to access the Kube API.
You should set its file ownership to maintain the integrity of the file. |
Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Scheduler service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Testing group ownership of ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/configmaps/scheduler-kubeconfig/kubeconfig$ oval:ssg-test_file_groupowner_scheduler_kubeconfig:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-5/configmaps/scheduler-kubeconfig/kubeconfig | regular | 0 | 0 | 619 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-6/configmaps/scheduler-kubeconfig/kubeconfig | regular | 0 | 0 | 619 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-8/configmaps/scheduler-kubeconfig/kubeconfig | regular | 0 | 0 | 619 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-2/configmaps/scheduler-kubeconfig/kubeconfig | regular | 0 | 0 | 619 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-7/configmaps/scheduler-kubeconfig/kubeconfig | regular | 0 | 0 | 619 | rw-r--r-- |
Verify User Who Owns The Open vSwitch Daemon PID File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_ovs_vswitchd_pid |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_ovs_vswitchd_pid:def:1 |
Time | 2021-07-20T05:21:00+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83888-8 |
Description |
To properly set the owner of /run/openvswitch/ovs-vswitchd.pid , run the command:
$ sudo chown openvswitch /run/openvswitch/ovs-vswitchd.pid |
Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
Testing user ownership of /run/openvswitch/ovs-vswitchd.pid oval:ssg-test_file_owner_ovs_vswitchd_pid:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/run/openvswitch/ovs-vswitchd.pid | regular | 800 | 801 | 5 | rw-r--r-- |
Verify Group Who Owns The Kubernetes Controller Manager Pod Specification File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_kube_controller_manager |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_kube_controller_manager:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83953-0 |
Description | To properly set the group owner of /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml , run the command: $ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml |
Rationale | The Kubernetes specification file contains information about the configuration of the
Kubernetes Controller Manager Server that is configured on the system. Protection of this file is
critical for OpenShift security. |
Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Controller Manager service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Testing group ownership of ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/kube-controller-manager-pod.yaml$ oval:ssg-test_file_groupowner_kube_controller_manager:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-3/kube-controller-manager-pod.yaml | regular | 0 | 0 | 6043 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/kube-controller-manager-pod.yaml | regular | 0 | 0 | 6043 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-7/kube-controller-manager-pod.yaml | regular | 0 | 0 | 6088 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-9/kube-controller-manager-pod.yaml | regular | 0 | 0 | 7784 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-4/kube-controller-manager-pod.yaml | regular | 0 | 0 | 6043 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-10/kube-controller-manager-pod.yaml | regular | 0 | 0 | 7786 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-11/kube-controller-manager-pod.yaml | regular | 0 | 0 | 7823 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-6/kube-controller-manager-pod.yaml | regular | 0 | 0 | 6043 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-8/kube-controller-manager-pod.yaml | regular | 0 | 0 | 5950 | rw-r--r-- |
Verify User Who Owns The OpenShift PKI Certificate Files
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_openshift_pki_cert_files |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_openshift_pki_cert_files:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83558-7 |
Description |
To properly set the owner of /etc/kubernetes/static-pod-resources/*/*/*/tls.crt , run the command:
$ sudo chown root /etc/kubernetes/static-pod-resources/*/*/*/tls.crt |
Rationale | OpenShift makes use of a number of certificates as part of its operation.
You should verify the ownership of the directory containing the PKI
information and all files in that directory to maintain their integrity. |
Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Control Plane.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Testing user ownership of ^/etc/kubernetes/static-pod-resources/.*/.*/.*/tls\.crt$ oval:ssg-test_file_owner_openshift_pki_cert_files:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/kubernetes/static-pod-resources/kube-scheduler-certs/secrets/kube-scheduler-client-cert-key/tls.crt | regular | 0 | 0 | 1168 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-9/secrets/etcd-client/tls.crt | regular | 0 | 0 | 1188 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-3/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2761 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/csr-signer/tls.crt | regular | 0 | 0 | 1229 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/kube-controller-manager-client-cert-key/tls.crt | regular | 0 | 0 | 1180 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt | regular | 0 | 0 | 1208 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt | regular | 0 | 0 | 1220 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt | regular | 0 | 0 | 1212 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt | regular | 0 | 0 | 2417 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt | regular | 0 | 0 | 2429 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt | regular | 0 | 0 | 2445 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt | regular | 0 | 0 | 2713 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-4/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2761 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-5/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2664 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2761 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-6/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2664 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-6/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2761 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/secrets/etcd-client/tls.crt | regular | 0 | 0 | 1188 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/secrets/kubelet-client/tls.crt | regular | 0 | 0 | 1204 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-5/secrets/localhost-recovery-serving-certkey/tls.crt | regular | 0 | 0 | 2600 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-6/secrets/etcd-client/tls.crt | regular | 0 | 0 | 1188 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-6/secrets/kubelet-client/tls.crt | regular | 0 | 0 | 1204 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-6/secrets/localhost-recovery-serving-certkey/tls.crt | regular | 0 | 0 | 2600 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-7/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2761 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-7/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2664 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-8/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2761 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-8/secrets/etcd-client/tls.crt | regular | 0 | 0 | 1188 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-8/secrets/kubelet-client/tls.crt | regular | 0 | 0 | 1204 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-8/secrets/localhost-recovery-serving-certkey/tls.crt | regular | 0 | 0 | 2600 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-9/secrets/kubelet-client/tls.crt | regular | 0 | 0 | 1204 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-9/secrets/localhost-recovery-serving-certkey/tls.crt | regular | 0 | 0 | 2600 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-10/secrets/etcd-client/tls.crt | regular | 0 | 0 | 1188 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-10/secrets/kubelet-client/tls.crt | regular | 0 | 0 | 1204 | rw------- |
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-10/secrets/localhost-recovery-serving-certkey/tls.crt | regular | 0 | 0 | 2600 | rw------- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-8/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2664 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-9/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2761 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-10/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2761 | rw------- |
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-11/secrets/serving-cert/tls.crt | regular | 0 | 0 | 2761 | rw------- |
Verify Group Who Owns The Kubernetes Scheduler Pod Specification File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_kube_scheduler |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_kube_scheduler:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83614-8 |
Description | To properly set the group owner of /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml , run the command: $ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml |
Rationale | The Kubernetes Specification file contains information about the configuration of the
Kubernetes scheduler that is configured on the system. Protection of this file is
critical for OpenShift security. |
Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Scheduler service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Testing group ownership of ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/kube-scheduler-pod.yaml$ oval:ssg-test_file_groupowner_kube_scheduler:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-2/kube-scheduler-pod.yaml | regular | 0 | 0 | 3356 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-5/kube-scheduler-pod.yaml | regular | 0 | 0 | 3531 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-6/kube-scheduler-pod.yaml | regular | 0 | 0 | 3531 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-7/kube-scheduler-pod.yaml | regular | 0 | 0 | 4547 | rw-r--r-- |
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-8/kube-scheduler-pod.yaml | regular | 0 | 0 | 4612 | rw-r--r-- |
Verify Group Who Owns The OpenShift SDN CNI Server Config
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_openshift_sdn_cniserver_config |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_openshift_sdn_cniserver_config:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83605-6 |
Description |
To properly set the group owner of /var/run/openshift-sdn/cniserver/config.json , run the command:
$ sudo chgrp root /var/run/openshift-sdn/cniserver/config.json |
Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
Testing group ownership of /var/run/openshift-sdn/cniserver/config.json oval:ssg-test_file_groupowner_openshift_sdn_cniserver_config:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_openshift_sdn_cniserver_config:obj:1 of type file_object
Filepath |
---|
/var/run/openshift-sdn/cniserver/config.json |
Verify Group Who Owns The Worker Kubeconfig File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_worker_kubeconfig |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_worker_kubeconfig:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83409-3 |
Description | To properly set the group owner of /var/lib/kubelet/kubeconfig , run the command: $ sudo chgrp root /var/lib/kubelet/kubeconfig |
Rationale | The worker kubeconfig file contains information about the administrative configuration of the
OpenShift cluster that is configured on the system. Protection of this file is
critical for OpenShift security. |
Testing group ownership of /var/lib/kubelet/kubeconfig oval:ssg-test_file_groupowner_worker_kubeconfig:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/var/lib/kubelet/kubeconfig | regular | 0 | 0 | 5244 | rw------- |
Verify Group Who Owns The OpenShift Node Service File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_worker_service |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_worker_service:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83975-3 |
Description | '
To properly set the group owner of /etc/systemd/system/kubelet.service , run the command:
$ sudo chgrp root /etc/systemd/system/kubelet.service' |
Rationale | The /etc/systemd/system/kubelet.service
file contains information about the configuration of the
OpenShift node service that is configured on the system. Protection of this file is
critical for OpenShift security. |
Testing group ownership of /etc/systemd/system/kubelet.service oval:ssg-test_file_groupowner_worker_service:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/systemd/system/kubelet.service | regular | 0 | 0 | 1395 | rw-r--r-- |
Verify Group Who Owns The Kubelet Configuration File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_kubelet_conf |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_kubelet_conf:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-84233-6 |
Description | To properly set the group owner of /etc/kubernetes/kubelet.conf , run the command: $ sudo chgrp root /etc/kubernetes/kubelet.conf |
Rationale | The kubelet configuration file contains information about the configuration of the
OpenShift node that is configured on the system. Protection of this file is
critical for OpenShift security. |
Testing group ownership of /etc/kubernetes/kubelet.conf oval:ssg-test_file_groupowner_kubelet_conf:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/kubernetes/kubelet.conf | regular | 0 | 0 | 934 | rw-r--r-- |
Verify User Who Owns The Kubelet Configuration File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_kubelet_conf |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_kubelet_conf:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83976-1 |
Description | To properly set the owner of /etc/kubernetes/kubelet.conf , run the command: $ sudo chown root /etc/kubernetes/kubelet.conf |
Rationale | The kubelet configuration file contains information about the configuration of the
OpenShift node that is configured on the system. Protection of this file is
critical for OpenShift security. |
Testing user ownership of /etc/kubernetes/kubelet.conf oval:ssg-test_file_owner_kubelet_conf:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/kubernetes/kubelet.conf | regular | 0 | 0 | 934 | rw-r--r-- |
Verify Group Who Owns the Worker Certificate Authority File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_worker_ca |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_groupowner_worker_ca:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83440-8 |
Description | To properly set the group owner of /etc/kubernetes/kubelet-ca.crt , run the command: $ sudo chgrp root /etc/kubernetes/kubelet-ca.crt |
Rationale | The worker certificate authority file contains the certificate authority
certificate for an OpenShift node that is configured on the system. Protection of this file is
critical for OpenShift security. |
Testing group ownership of /etc/kubernetes/kubelet-ca.crt oval:ssg-test_file_groupowner_worker_ca:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/kubernetes/kubelet-ca.crt | regular | 0 | 0 | 5875 | rw-r--r-- |
Verify User Who Owns The OpenShift Node Service File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_worker_service |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_worker_service:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-84193-2 |
Description | '
To properly set the owner of /etc/systemd/system/kubelet.service , run the command:
$ sudo chown root /etc/systemd/system/kubelet.service' |
Rationale | The /etc/systemd/system/kubelet.service
file contains information about the configuration of the
OpenShift node service that is configured on the system. Protection of this file is
critical for OpenShift security. |
Testing user ownership of /etc/systemd/system/kubelet.service oval:ssg-test_file_owner_worker_service:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/systemd/system/kubelet.service | regular | 0 | 0 | 1395 | rw-r--r-- |
Verify User Who Owns The Worker Kubeconfig File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_worker_kubeconfig |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_worker_kubeconfig:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83408-5 |
Description | To properly set the owner of /var/lib/kubelet/kubeconfig , run the command: $ sudo chown root /var/lib/kubelet/kubeconfig |
Rationale | The worker kubeconfig file contains information about the administrative configuration of the
OpenShift cluster that is configured on the system. Protection of this file is
critical for OpenShift security. |
Testing user ownership of /var/lib/kubelet/kubeconfig oval:ssg-test_file_owner_worker_kubeconfig:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/var/lib/kubelet/kubeconfig | regular | 0 | 0 | 5244 | rw------- |
Verify User Who Owns the Worker Certificate Authority File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_worker_ca |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-file_owner_worker_ca:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83495-2 |
Description | To properly set the owner of /etc/kubernetes/kubelet-ca.crt , run the command: $ sudo chown root /etc/kubernetes/kubelet-ca.crt |
Rationale | The worker certificate authority file contains the certificate authority
certificate for an OpenShift node that is configured on the system. Protection of this file is
critical for OpenShift security. |
Testing user ownership of /etc/kubernetes/kubelet-ca.crt oval:ssg-test_file_owner_worker_ca:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/kubernetes/kubelet-ca.crt | regular | 0 | 0 | 5875 | rw-r--r-- |
Configure A Unique CA Certificate for etcd
Rule ID | xccdf_org.ssgproject.content_rule_etcd_unique_ca |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-etcd_unique_ca:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | |
Description | A unique CA certificate should be created for etcd . OpenShift by
default creates separate PKIs for etcd and the Kubernetes API server. The
same is done for other points of communication in the cluster. |
Rationale | The Kubernetes API server and etcd utilize separate CA certificates in
OpenShift. This ensures that the etcd data is still protected in the event
that the API server CA is compromised. |
Warnings | warning
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Verify that the etcd CA is different than the Kubernetes CA oval:ssg-test_etcd_different_ca_than_k8s:tst:1 true
Following items have been found on the system:
Var ref | Value |
---|---|
oval:ssg-var_etcd_ca_file_hash:var:1 | 64b81276f73c66ed4d7af8b9e50e737d9e3d6d9a755fc5272e5039bfda647581 |
Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available
Rule ID | xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-84138-7 |
Description | Two types of garbage collection are performed on an OpenShift Container Platform node:
Container garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node. The OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a kubeletConfig object for each Machine Config Pool using any combination of the following:
To configure, follow the directions in the documentation
This rule pertains to the |
Rationale | Garbage collection is important to ensure sufficient resource availability
and avoiding degraded performance and availability. In the worst case, the
system might crash or just be unusable for a long period of time.
Based on your system resources and tests, choose an appropriate threshold
value to activate garbage collection. |
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionHard['nodefs.available']'. oval:ssg-test_kubelet_eviction_thresholds_set_hard_nodefs_available:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_eviction_thresholds_set_hard_nodefs_available:obj:1 of type yamlfilecontent_object
Filepath | Yamlpath |
---|---|
/etc/kubernetes/kubelet.conf | .evictionHard['nodefs.available'] |
kubelet - Enable Client Certificate Rotation
Rule ID | xccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-kubelet_enable_client_cert_rotation:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83352-5 |
Description | To enable the kubelet to rotate client certificates, edit the kubelet configuration
file /etc/kubernetes/kubelet.conf
on the kubelet node(s) and set the below parameter:
featureGates: ... RotateKubeletClientCertificate: true ... |
Rationale | Allowing the kubelet to auto-update the certificates ensure that there is no downtime
in certificate renewal as well as ensures confidentiality and integrity. |
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.featureGates.RotateKubeletClientCertificate'. oval:ssg-test_kubelet_enable_client_cert_rotation:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_enable_client_cert_rotation:obj:1 of type yamlfilecontent_object
Filepath | Yamlpath |
---|---|
/etc/kubernetes/kubelet.conf | .featureGates.RotateKubeletClientCertificate |
Kubelet - Ensure Event Creation Is Configured
Rule ID | xccdf_org.ssgproject.content_rule_kubelet_configure_event_creation |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-kubelet_configure_event_creation:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83576-9 |
Description | Security relevant information should be captured. The eventRecordQPS
Kubelet option can be used to limit the rate at which events are gathered.
Setting this too low could result in relevant events not being logged,
however the unlimited setting of 0 could result in a denial of service on
the kubelet. Processing and storage systems should be scaled to handle the
expected event load. To set the eventRecordQPS option for the kubelet,
create a KubeletConfig option along these lines:
apiVersion: machineconfiguration.openshift.io/v1 kind: KubeletConfig metadata: name: kubelet-config-$pool spec: machineConfigPoolSelector: matchLabels: pools.operator.machineconfiguration.openshift.io/$pool_name: "" kubeletConfig: eventRecordQPS: 5 |
Rationale | It is important to capture all events and not restrict event creation.
Events are an important source of security information and analytics that
ensure that your environment is consistently monitored using the event
data. |
Warnings | warning
The MachineConfig Operator does not merge KubeletConfig
objects, the last object is used instead. In case you need to
set multiple options for kubelet, consider putting all the custom
options into a single KubeletConfig object. |
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.eventRecordQPS'. oval:ssg-test_kubelet_configure_event_creation:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_configure_event_creation:obj:1 of type yamlfilecontent_object
Filepath | Yamlpath |
---|---|
/etc/kubernetes/kubelet.conf | .eventRecordQPS |
kubelet - Disable Hostname Override
Rule ID | xccdf_org.ssgproject.content_rule_kubelet_disable_hostname_override |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-kubelet_disable_hostname_override:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | |
Description | To prevent the hostname from being overrided, edit the kubelet systemd service file
/etc/systemd/system/kubelet.service on the kubelet node(s) and
remove the --hostname-override flag if it exists. |
Rationale | Allowing hostnames to be overrided creates issues around resolving nodes
in addition to TLS configuration, certificate validation, and log correlation
and validation. |
Test that the --hostname-override flag is not contained in kubelet.service oval:ssg-test_kubelet_hostname_override_disabled:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_kubelet_hostname_override:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/systemd/system/kubelet.service | ^.*--hostname-override.* | 1 |
Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.available
Rule ID | xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_available |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-84127-0 |
Description | Two types of garbage collection are performed on an OpenShift Container Platform node:
Container garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node. The OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a kubeletConfig object for each Machine Config Pool using any combination of the following:
To configure, follow the directions in the documentation
This rule pertains to the |
Rationale | Garbage collection is important to ensure sufficient resource availability
and avoiding degraded performance and availability. In the worst case, the
system might crash or just be unusable for a long period of time.
Based on your system resources and tests, choose an appropriate threshold
value to activate garbage collection. |
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionSoft['imagefs.available']'. oval:ssg-test_kubelet_eviction_thresholds_set_soft_imagefs_available:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_eviction_thresholds_set_soft_imagefs_available:obj:1 of type yamlfilecontent_object
Filepath | Yamlpath |
---|---|
/etc/kubernetes/kubelet.conf | .evictionSoft['imagefs.available'] |
kubelet - Do Not Disable Streaming Timeouts
Rule ID | xccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-kubelet_enable_streaming_connections:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-84097-5 |
Description | Timouts for streaming connections should not be disabled as they help to prevent
denial-of-service attacks.
To configure streaming connection timeouts, edit the kubelet configuration
file /etc/kubernetes/kubelet.conf
on the kubelet node(s) and set the below parameter:
streamingConnectionIdleTimeout: 5m |
Rationale | Ensuring connections have timeouts helps to protect against denial-of-service attacks as
well as disconnect inactive connections. In addition, setting connections timeouts helps
to prevent from running out of ephemeral ports. |
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.streamingConnectionIdleTimeout'. oval:ssg-test_kubelet_enable_streaming_connections:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_enable_streaming_connections:obj:1 of type yamlfilecontent_object
Filepath | Yamlpath |
---|---|
/etc/kubernetes/kubelet.conf | .streamingConnectionIdleTimeout |
Ensure Eviction threshold Settings Are Set - evictionSoft: memory.available
Rule ID | xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_memory_available |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-kubelet_eviction_thresholds_set_soft_memory_available:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-84222-9 |
Description | Two types of garbage collection are performed on an OpenShift Container Platform node:
Container garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node. The OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a kubeletConfig object for each Machine Config Pool using any combination of the following:
To configure, follow the directions in the documentation
This rule pertains to the |
Rationale | Garbage collection is important to ensure sufficient resource availability
and avoiding degraded performance and availability. In the worst case, the
system might crash or just be unusable for a long period of time.
Based on your system resources and tests, choose an appropriate threshold
value to activate garbage collection. |
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionSoft['memory.available']'. oval:ssg-test_kubelet_eviction_thresholds_set_soft_memory_available:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_eviction_thresholds_set_soft_memory_available:obj:1 of type yamlfilecontent_object
Filepath | Yamlpath |
---|---|
/etc/kubernetes/kubelet.conf | .evictionSoft['memory.available'] |
Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree
Rule ID | xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-84141-1 |
Description | Two types of garbage collection are performed on an OpenShift Container Platform node:
Container garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node. The OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a kubeletConfig object for each Machine Config Pool using any combination of the following:
To configure, follow the directions in the documentation
This rule pertains to the |
Rationale | Garbage collection is important to ensure sufficient resource availability
and avoiding degraded performance and availability. In the worst case, the
system might crash or just be unusable for a long period of time.
Based on your system resources and tests, choose an appropriate threshold
value to activate garbage collection. |
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionHard['nodefs.inodesFree']'. oval:ssg-test_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree:obj:1 of type yamlfilecontent_object
Filepath | Yamlpath |
---|---|
/etc/kubernetes/kubelet.conf | .evictionHard['nodefs.inodesFree'] |
kubelet - Enable Server Certificate Rotation
Rule ID | xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-kubelet_enable_server_cert_rotation:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83356-6 |
Description | To enable the kubelet to rotate server certificates, edit the kubelet configuration
file /etc/kubernetes/kubelet.conf
on the kubelet node(s) and set the below parameter:
featureGates: ... RotateKubeletServerCertificate: true ... |
Rationale | Allowing the kubelet to auto-update the certificates ensure that there is no downtime
in certificate renewal as well as ensures confidentiality and integrity. |
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.featureGates.RotateKubeletServerCertificate'. oval:ssg-test_kubelet_enable_server_cert_rotation:tst:1 true
Following items have been found on the system:
Filepath | Path | Filename | Yamlpath | Value |
---|---|---|---|---|
/etc/kubernetes/kubelet.conf | /etc/kubernetes | kubelet.conf | .featureGates.RotateKubeletServerCertificate | true |
Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available
Rule ID | xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_available |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-84144-5 |
Description | Two types of garbage collection are performed on an OpenShift Container Platform node:
Container garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node. The OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a kubeletConfig object for each Machine Config Pool using any combination of the following:
To configure, follow the directions in the documentation
This rule pertains to the |
Rationale | Garbage collection is important to ensure sufficient resource availability
and avoiding degraded performance and availability. In the worst case, the
system might crash or just be unusable for a long period of time.
Based on your system resources and tests, choose an appropriate threshold
value to activate garbage collection. |
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionHard['imagefs.available']'. oval:ssg-test_kubelet_eviction_thresholds_set_hard_imagefs_available:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_eviction_thresholds_set_hard_imagefs_available:obj:1 of type yamlfilecontent_object
Filepath | Yamlpath |
---|---|
/etc/kubernetes/kubelet.conf | .evictionHard['imagefs.available'] |
kubelet - Configure the Client CA Certificate
Rule ID | xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-kubelet_configure_client_ca:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83724-5 |
Description | By default, the kubelet is not configured with a CA certificate which
can subject the kubelet to man-in-the-middle attacks.
To configure a client CA certificate, edit the kubelet configuration
file /etc/kubernetes/kubelet.conf
on the kubelet node(s) and set the below parameter:
authentication: ... x509: clientCAFile: /etc/kubernetes/kubelet-ca.crt ... |
Rationale | Not having a CA certificate for the kubelet will subject the kubelet to possible
man-in-the-middle attacks especially on unsafe or untrusted networks.
Certificate validation for the kubelet allows the API server to validate
the kubelet's identity. |
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.authentication.x509.clientCAFile'. oval:ssg-test_kubelet_configure_client_ca:tst:1 true
Following items have been found on the system:
Filepath | Path | Filename | Yamlpath | Value |
---|---|---|---|---|
/etc/kubernetes/kubelet.conf | /etc/kubernetes | kubelet.conf | .authentication.x509.clientCAFile | /etc/kubernetes/kubelet-ca.crt |
kubelet - Enable Protect Kernel Defaults
Rule ID | xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_defaults |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-kubelet_enable_protect_kernel_defaults:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | |
Description | Protect tuned kernel parameters from being overwritten by the kubelet.
Before enabling this kernel parameter, it's important and
necessary to first create a kernel.keys.root_maxbytes=25000000 kernel.keys.root_maxkeys=1000000 kernel.panic=10 kernel.panic_on_oops=1 vm.overcommit_memory=1 vm.panic_on_oom=0 The these need to be enabled via MachineConfig since they need to be available as soon as the node starts and before the Kubelet does. The manifest may look as follows: --- apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig metadata: labels: machineconfiguration.openshift.io/role: master name: 75-master-kubelet-sysctls spec: config: ignition: version: 3.1.0 storage: files: - contents: source: data:,vm.overcommit_memory%3D1%0Avm.panic_on_oom%3D0%0Akernel.panic%3D10%0Akernel.panic_on_oops%3D1%0Akernel.keys.root_maxkeys%3D1000000%0Akernel.keys.root_maxbytes%3D25000000%0A mode: 0644 path: /etc/sysctl.d/90-kubelet.conf overwrite: true
This will need to be done for each relevant
After enabling this and after the changes have successfully rolled out
to the whole cluster, it will now be possible to set the
To configure, follow the directions in the documentation |
Rationale | Kernel parameters are usually tuned and hardened by the system administrators
before putting the systems into production. These parameters protect the
kernel and the system. Your kubelet kernel defaults that rely on such
parameters should be appropriately set to match the desired secured system
state. Ignoring this could potentially lead to running pods with undesired
kernel behavior. |
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.protectKernelDefaults'. oval:ssg-test_kubelet_enable_protect_kernel_defaults:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_enable_protect_kernel_defaults:obj:1 of type yamlfilecontent_object
Filepath | Yamlpath |
---|---|
/etc/kubernetes/kubelet.conf | .protectKernelDefaults |
Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
Rule ID | xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-kubelet_configure_tls_cipher_suites:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | |
Description | Ensure that the Kubelet is configured to only use strong cryptographic ciphers.
To set the cipher suites for the kubelet, create new or modify existing
KubeletConfig object along these lines, one for every
MachineConfigPool :
apiVersion: machineconfiguration.openshift.io/v1 kind: KubeletConfig metadata: name: kubelet-config-$pool spec: machineConfigPoolSelector: matchLabels: pools.operator.machineconfiguration.openshift.io/$pool_name: "" kubeletConfig: tlsCipherSuites: - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
Rationale | TLS ciphers have had a number of known vulnerabilities and weaknesses,
which can reduce the protection provided by them. By default Kubernetes
supports a number of TLS ciphersuites including some that have security
concerns, weakening the protection provided. |
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.tlsCipherSuites[:]'. oval:ssg-test_kubelet_configure_tls_cipher_suites:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_configure_tls_cipher_suites:obj:1 of type yamlfilecontent_object
Filepath | Yamlpath |
---|---|
/etc/kubernetes/kubelet.conf | .tlsCipherSuites[:] |
kubelet - Allow Automatic Firewall Configuration
Rule ID | xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-kubelet_enable_iptables_util_chains:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83775-7 |
Description | The kubelet has the ability to automatically configure the firewall to allow
the containers required ports and connections to networking resources and destinations
parameters potentially creating a security incident.
To allow the kubelet to modify the firewall, edit the kubelet configuration
file /etc/kubernetes/kubelet.conf
on the kubelet node(s) and set the below parameter:
makeIPTablesUtilChains: true |
Rationale | The kubelet should automatically configure the firewall settings to allow access and
networking traffic through. This ensures that when a pod or container is running that
the correct ports are configured as well as removing the ports when a pod or
container is no longer in existence. |
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.makeIPTablesUtilChains'. oval:ssg-test_kubelet_enable_iptables_util_chains:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_enable_iptables_util_chains:obj:1 of type yamlfilecontent_object
Filepath | Yamlpath |
---|---|
/etc/kubernetes/kubelet.conf | .makeIPTablesUtilChains |
Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFree
Rule ID | xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-84147-8 |
Description | Two types of garbage collection are performed on an OpenShift Container Platform node:
Container garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node. The OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a kubeletConfig object for each Machine Config Pool using any combination of the following:
To configure, follow the directions in the documentation
This rule pertains to the |
Rationale | Garbage collection is important to ensure sufficient resource availability
and avoiding degraded performance and availability. In the worst case, the
system might crash or just be unusable for a long period of time.
Based on your system resources and tests, choose an appropriate threshold
value to activate garbage collection. |
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionHard['imagefs.inodesFree']'. oval:ssg-test_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree:obj:1 of type yamlfilecontent_object
Filepath | Yamlpath |
---|---|
/etc/kubernetes/kubelet.conf | .evictionHard['imagefs.inodesFree'] |
Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.available
Rule ID | xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_available |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-84119-7 |
Description | Two types of garbage collection are performed on an OpenShift Container Platform node:
Container garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node. The OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a kubeletConfig object for each Machine Config Pool using any combination of the following:
To configure, follow the directions in the documentation
This rule pertains to the |
Rationale | Garbage collection is important to ensure sufficient resource availability
and avoiding degraded performance and availability. In the worst case, the
system might crash or just be unusable for a long period of time.
Based on your system resources and tests, choose an appropriate threshold
value to activate garbage collection. |
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionSoft['nodefs.available']'. oval:ssg-test_kubelet_eviction_thresholds_set_soft_nodefs_available:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_eviction_thresholds_set_soft_nodefs_available:obj:1 of type yamlfilecontent_object
Filepath | Yamlpath |
---|---|
/etc/kubernetes/kubelet.conf | .evictionSoft['nodefs.available'] |
kubelet - Enable Certificate Rotation
Rule ID | xccdf_org.ssgproject.content_rule_kubelet_enable_cert_rotation |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-kubelet_enable_cert_rotation:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83838-3 |
Description | To enable the kubelet to rotate client certificates, edit the kubelet configuration
file /etc/kubernetes/kubelet.conf
on the kubelet node(s) and set the below parameter:
... rotateCertificates: true ... |
Rationale | Allowing the kubelet to auto-update the certificates ensure that there is no downtime
in certificate renewal as well as ensures confidentiality and integrity. |
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.rotateCertificates'. oval:ssg-test_kubelet_enable_cert_rotation:tst:1 true
Following items have been found on the system:
Filepath | Path | Filename | Yamlpath | Value |
---|---|---|---|---|
/etc/kubernetes/kubelet.conf | /etc/kubernetes | kubelet.conf | .rotateCertificates | true |
Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.inodesFree
Rule ID | xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-84123-9 |
Description | Two types of garbage collection are performed on an OpenShift Container Platform node:
Container garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node. The OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a kubeletConfig object for each Machine Config Pool using any combination of the following:
To configure, follow the directions in the documentation
This rule pertains to the |
Rationale | Garbage collection is important to ensure sufficient resource availability
and avoiding degraded performance and availability. In the worst case, the
system might crash or just be unusable for a long period of time.
Based on your system resources and tests, choose an appropriate threshold
value to activate garbage collection. |
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionSoft['nodefs.inodesFree']'. oval:ssg-test_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree:obj:1 of type yamlfilecontent_object
Filepath | Yamlpath |
---|---|
/etc/kubernetes/kubelet.conf | .evictionSoft['nodefs.inodesFree'] |
Disable Anonymous Authentication to the Kubelet
Rule ID | xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-kubelet_anonymous_auth:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83815-1 |
Description | By default, anonymous access to the Kubelet server is enabled. This
configuration check ensures that anonymous requests to the Kubelet
server are disabled. Edit the Kubelet server configuration file
/etc/kubernetes/kubelet.conf on the kubelet node(s)
and set the below parameter:
authentication: ... anonymous: enabled: false ... |
Rationale | When enabled, requests that are not rejected by other configured
authentication methods are treated as anonymous requests. These
requests are then served by the Kubelet server. OpenShift Operators should
rely on authentication to authorize access and disallow anonymous
requests. |
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.authentication.anonymous.enabled'. oval:ssg-test_kubelet_anonymous_auth:tst:1 true
Following items have been found on the system:
Filepath | Path | Filename | Yamlpath | Value |
---|---|---|---|---|
/etc/kubernetes/kubelet.conf | /etc/kubernetes | kubelet.conf | .authentication.anonymous.enabled | false |
Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.inodesFree
Rule ID | xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-84132-0 |
Description | Two types of garbage collection are performed on an OpenShift Container Platform node:
Container garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node. The OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a kubeletConfig object for each Machine Config Pool using any combination of the following:
To configure, follow the directions in the documentation
This rule pertains to the |
Rationale | Garbage collection is important to ensure sufficient resource availability
and avoiding degraded performance and availability. In the worst case, the
system might crash or just be unusable for a long period of time.
Based on your system resources and tests, choose an appropriate threshold
value to activate garbage collection. |
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionSoft['imagefs.inodesFree']'. oval:ssg-test_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree:obj:1 of type yamlfilecontent_object
Filepath | Yamlpath |
---|---|
/etc/kubernetes/kubelet.conf | .evictionSoft['imagefs.inodesFree'] |
Ensure Eviction threshold Settings Are Set - evictionHard: memory.available
Rule ID | xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_memory_available |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-kubelet_eviction_thresholds_set_hard_memory_available:def:1 |
Time | 2021-07-20T05:21:01+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-84135-3 |
Description | Two types of garbage collection are performed on an OpenShift Container Platform node:
Container garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node. The OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a kubeletConfig object for each Machine Config Pool using any combination of the following:
To configure, follow the directions in the documentation
This rule pertains to the |
Rationale | Garbage collection is important to ensure sufficient resource availability
and avoiding degraded performance and availability. In the worst case, the
system might crash or just be unusable for a long period of time.
Based on your system resources and tests, choose an appropriate threshold
value to activate garbage collection. |
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionHard['memory.available']'. oval:ssg-test_kubelet_eviction_thresholds_set_hard_memory_available:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_eviction_thresholds_set_hard_memory_available:obj:1 of type yamlfilecontent_object
Filepath | Yamlpath |
---|---|
/etc/kubernetes/kubelet.conf | .evictionHard['memory.available'] |