Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4
with profile CIS Red Hat OpenShift Container Platform 4 BenchmarkThis profile defines a baseline that aligns to the Center for Internet Security® Red Hat OpenShift Container Platform 4 Benchmark™, V0.3, currently unreleased. This profile includes Center for Internet Security® Red Hat OpenShift Container Platform 4 CIS Benchmarks™ content. Note that this part of the profile is meant to run on the Operating System that Red Hat OpenShift Container Platform 4 runs on top of. This profile is applicable to OpenShift versions 4.6 and greater.
The ComplianceAsCode Project
https://www.open-scap.org/security-policies/scap-security-guide
https://www.open-scap.org/security-policies/scap-security-guide
This guide presents a catalog of security-relevant
configuration settings for Red Hat OpenShift Container Platform 4. It is a rendering of
content structured in the eXtensible Configuration Checklist Description Format (XCCDF)
in order to support security automation. The SCAP content is
is available in the
Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The NIST National Checklist Program (NCP), which provides required settings for the United States Government, is one example of a baseline created from this guidance.
scap-security-guide package which is developed at
https://www.open-scap.org/security-policies/scap-security-guide.
Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The NIST National Checklist Program (NCP), which provides required settings for the United States Government, is one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in
this guide without first testing them in a non-operational environment. The
creators of this guidance assume no responsibility whatsoever for its use by
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Evaluation Characteristics
| Evaluation target | Unknown |
|---|---|
| Target ID | chroot:///host |
| Benchmark URL | /content/ssg-ocp4-ds.xml |
| Benchmark ID | xccdf_org.ssgproject.content_benchmark_OCP-4 |
| Benchmark version | 0.1.57 |
| Profile ID | xccdf_org.ssgproject.content_profile_cis-node |
| Started at | 2021-07-20T05:21:05+00:00 |
| Finished at | 2021-07-20T05:21:05+00:00 |
| Performed by | unknown user |
| Test system | cpe:/a:redhat:openscap:1.3.4 |
CPE Platforms
- cpe:/o:redhat:openshift_container_platform_node:4
- cpe:/a:redhat:openshift_container_platform:4.1
- cpe:/a:redhat:openshift_container_platform:4.6
- cpe:/a:redhat:openshift_container_platform:4.7
- cpe:/a:redhat:openshift_container_platform:4.8
- cpe:/a:redhat:openshift_container_platform:4.9
- cpe:/a:redhat:openshift_container_platform:4.10
Addresses
Compliance and Scoring
The target system did not satisfy the conditions of 17 rules!
Please review rule results and consider applying remediation.
Rule results
Severity of failed rules
Score
| Scoring system | Score | Maximum | Percent |
|---|---|---|---|
| urn:xccdf:scoring:default | 75.858582 | 100.000000 |
Rule Overview
Result Details
Verify Group Who Owns The Open vSwitch Daemon PID Filexccdf_org.ssgproject.content_rule_file_groupowner_ovs_vswitchd_pid mediumCCE-84129-6
Verify Group Who Owns The Open vSwitch Daemon PID File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_ovs_vswitchd_pid |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_ovs_vswitchd_pid:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84129-6 |
| Description | Ensure that the file /run/openvswitch/ovs-vswitchd.pid, is owned by the group openvswitchor hugetlbfs, depending on your settings and Open vSwitch version. |
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing group ownership of /var/run/openvswitch/ovs-vswitchd.pid oval:ssg-test_file_groupowner_var_run_ovs_vswitchd_pid_800:tst:1 false
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /var/run/openvswitch/ovs-vswitchd.pid | regular | 800 | 801 | 5 | rw-r--r-- |
Testing group ownership of /var/run/openvswitch/ovs-vswitchd.pid oval:ssg-test_file_groupowner_var_run_ovs_vswitchd_pid_801:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /var/run/openvswitch/ovs-vswitchd.pid | regular | 800 | 801 | 5 | rw-r--r-- |
Verify User Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocationsxccdf_org.ssgproject.content_rule_file_owner_ip_allocations mediumCCE-84248-4
Verify User Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_ip_allocations |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_ip_allocations:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84248-4 |
| Description | To properly set the owner of /var/lib/cni/networks/openshift-sdn/.*, run the command: $ sudo chown root /var/lib/cni/networks/openshift-sdn/.* |
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing user ownership of ^/var/lib/cni/networks/openshift-sdn/.*$ oval:ssg-test_file_owner_ip_allocations:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_ip_allocations:obj:1 of type file_object
| Filepath |
|---|
| ^/var/lib/cni/networks/openshift-sdn/.*$ |
Verify Group Who Owns The Kubernetes API Server Pod Specification Filexccdf_org.ssgproject.content_rule_file_groupowner_kube_apiserver mediumCCE-83530-6
Verify Group Who Owns The Kubernetes API Server Pod Specification File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_kube_apiserver |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83530-6 |
| Description | To properly set the group owner of /etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml, run the command: $ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml |
| Rationale | The Kubernetes specification file contains information about the configuration of the
Kubernetes API Server that is configured on the system. Protection of this file is
critical for OpenShift security. |
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes API Server service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Verify User Who Owns The OpenShift Controller Manager Kubeconfig Filexccdf_org.ssgproject.content_rule_file_owner_controller_manager_kubeconfig mediumCCE-83904-3
Verify User Who Owns The OpenShift Controller Manager Kubeconfig File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_controller_manager_kubeconfig |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83904-3 |
| Description |
To properly set the owner of /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig, run the command:
$ sudo chown root /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig |
| Rationale | The Controller Manager's kubeconfig contains information about how the
component will access the API server. You should set its file ownership to
maintain the integrity of the file. |
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Controller Manager service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Verify Group Who Owns The etcd Member Pod Specification Filexccdf_org.ssgproject.content_rule_file_groupowner_etcd_member mediumCCE-83664-3
Verify Group Who Owns The etcd Member Pod Specification File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etcd_member |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83664-3 |
| Description | To properly set the group owner of /etc/kubernetes/static-pod-resources/etcd-pod-*/etcd-pod.yaml, run the command: $ sudo chgrp root /etc/kubernetes/static-pod-resources/etcd-pod-*/etcd-pod.yaml |
| Rationale | The etcd pod specification file controls various parameters that
set the behavior of the etcd service in the master node. etcd is a
highly-available key-value store which Kubernetes uses for persistent
storage of all of its REST API object. You should restrict its file
permissions to maintain the integrity of the file. The file should be
writable by only the administrators on the system. |
| Warnings | warning
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Verify User Who Owns The Etcd PKI Certificate Filesxccdf_org.ssgproject.content_rule_file_owner_etcd_pki_cert_files mediumCCE-83898-7
Verify User Who Owns The Etcd PKI Certificate Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etcd_pki_cert_files |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83898-7 |
| Description |
To properly set the owner of /etc/kubernetes/static-pod-resources/*/*/*/*.crt, run the command:
$ sudo chown root /etc/kubernetes/static-pod-resources/*/*/*/*.crt |
| Rationale | OpenShift makes use of a number of certificates as part of its operation.
You should verify the ownership of the directory containing the PKI
information and all files in that directory to maintain their integrity.
The directory and files should be owned by the system administrator. |
| Warnings | warning
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Verify User Who Owns The OpenShift Multus Container Network Interface Plugin Filesxccdf_org.ssgproject.content_rule_file_owner_multus_conf mediumCCE-83603-1
Verify User Who Owns The OpenShift Multus Container Network Interface Plugin Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_multus_conf |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_multus_conf:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83603-1 |
| Description | To properly set the owner of /var/run/multus/cni/net.d/*, run the command: $ sudo chown root /var/run/multus/cni/net.d/* |
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing user ownership of ^/var/run/multus/cni/net.d/.*$ oval:ssg-test_file_owner_multus_conf:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /var/run/multus/cni/net.d/10-ovn-kubernetes.conf | regular | 0 | 0 | 233 | rw------- |
Verify User Who Owns The Open vSwitch Database Server PIDxccdf_org.ssgproject.content_rule_file_owner_ovsdb_server_pid mediumCCE-83806-0
Verify User Who Owns The Open vSwitch Database Server PID
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_ovsdb_server_pid |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_ovsdb_server_pid:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83806-0 |
| Description |
To properly set the owner of /run/openvswitch/ovsdb-server.pid, run the command:
$ sudo chown openvswitch /run/openvswitch/ovsdb-server.pid |
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing user ownership of /run/openvswitch/ovsdb-server.pid oval:ssg-test_file_owner_ovsdb_server_pid:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /run/openvswitch/ovsdb-server.pid | regular | 800 | 801 | 5 | rw-r--r-- |
Verify User Who Owns The Open vSwitch Configuration Database Lockxccdf_org.ssgproject.content_rule_file_owner_ovs_conf_db_lock mediumCCE-83462-2
Verify User Who Owns The Open vSwitch Configuration Database Lock
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_ovs_conf_db_lock |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_ovs_conf_db_lock:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83462-2 |
| Description |
To properly set the owner of /etc/openvswitch/.conf.db.~lock~, run the command:
$ sudo chown openvswitch /etc/openvswitch/.conf.db.~lock~ |
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing user ownership of /etc/openvswitch/.conf.db.~lock~ oval:ssg-test_file_owner_ovs_conf_db_lock:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /etc/openvswitch/.conf.db.~lock~ | regular | 800 | 801 | 0 | rw------- |
Verify Group Who Owns The Open vSwitch Persistent System IDxccdf_org.ssgproject.content_rule_file_groupowner_ovs_sys_id_conf mediumCCE-83677-5
Verify Group Who Owns The Open vSwitch Persistent System ID
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_ovs_sys_id_conf |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_ovs_sys_id_conf:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83677-5 |
| Description |
To properly set the group owner of /etc/openvswitch/system-id.conf, run the command:
$ sudo chgrp hugetlbfs /etc/openvswitch/system-id.conf |
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing group ownership of /etc/openvswitch/system-id.conf oval:ssg-test_file_groupowner_ovs_sys_id_conf:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /etc/openvswitch/system-id.conf | regular | 800 | 801 | 37 | rw-r--r-- |
Verify Permissions on the OpenShift SDN CNI Server Configxccdf_org.ssgproject.content_rule_file_perms_openshift_sdn_cniserver_config mediumCCE-83927-4
Verify Permissions on the OpenShift SDN CNI Server Config
| Rule ID | xccdf_org.ssgproject.content_rule_file_perms_openshift_sdn_cniserver_config |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_perms_openshift_sdn_cniserver_config:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83927-4 |
| Description |
To properly set the permissions of /var/run/openshift-sdn/cniserver/config.json, run the command:
$ sudo chmod 0444 /var/run/openshift-sdn/cniserver/config.json |
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing mode of /var/run/openshift-sdn/cniserver/config.json oval:ssg-test_file_permissionsfile_perms_openshift_sdn_cniserver_config:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissionsfile_perms_openshift_sdn_cniserver_config:obj:1 of type file_object
| Filepath | Filter |
|---|---|
| /var/run/openshift-sdn/cniserver/config.json | oval:ssg-state_file_permissionsfile_perms_openshift_sdn_cniserver_config_mode_not_0444:ste:1 |
Verify Group Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocationsxccdf_org.ssgproject.content_rule_file_groupowner_ip_allocations mediumCCE-84211-2
Verify Group Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_ip_allocations |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_ip_allocations:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84211-2 |
| Description | To properly set the group owner of /var/lib/cni/networks/openshift-sdn/.*, run the command: $ sudo chgrp root /var/lib/cni/networks/openshift-sdn/.* |
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing group ownership of ^/var/lib/cni/networks/openshift-sdn/.*$ oval:ssg-test_file_groupowner_ip_allocations:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_ip_allocations:obj:1 of type file_object
| Filepath |
|---|
| ^/var/lib/cni/networks/openshift-sdn/.*$ |
Verify Group Who Owns The Open vSwitch Process ID Filexccdf_org.ssgproject.content_rule_file_groupowner_ovs_pid mediumCCE-83630-4
Verify Group Who Owns The Open vSwitch Process ID File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_ovs_pid |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_ovs_pid:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83630-4 |
| Description | Ensure that the file /var/run/openvswitch/ovs-vswitchd.pid, is owned by the group openvswitchor hugetlbfs, depending on your settings and Open vSwitch version. |
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing group ownership of /run/openvswitch/ovs-vswitchd.pid oval:ssg-test_file_groupowner_run_ovs_vswitchd_pid_800:tst:1 false
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /run/openvswitch/ovs-vswitchd.pid | regular | 800 | 801 | 5 | rw-r--r-- |
Testing group ownership of /run/openvswitch/ovs-vswitchd.pid oval:ssg-test_file_groupowner_run_ovs_vswitchd_pid_801:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /run/openvswitch/ovs-vswitchd.pid | regular | 800 | 801 | 5 | rw-r--r-- |
Verify User Who Owns The Etcd Database Directoryxccdf_org.ssgproject.content_rule_file_owner_etcd_data_dir mediumCCE-83905-0
Verify User Who Owns The Etcd Database Directory
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etcd_data_dir |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83905-0 |
| Description |
To properly set the owner of /var/lib/etcd/member/, run the command:
$ sudo chown root /var/lib/etcd/member/ |
| Rationale | etcd is a highly-available key-value store used by Kubernetes deployments for
persistent storage of all of its REST API objects. This data directory should
be protected from any unauthorized reads or writes. |
| Warnings | warning
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Verify Group Who Owns The Etcd Write-Ahead-Log Filesxccdf_org.ssgproject.content_rule_file_groupowner_etcd_data_files mediumCCE-83816-9
Verify Group Who Owns The Etcd Write-Ahead-Log Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etcd_data_files |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83816-9 |
| Description |
To properly set the group owner of /var/lib/etcd/member/wal/*, run the command:
$ sudo chgrp root /var/lib/etcd/member/wal/* |
| Rationale | etcd is a highly-available key-value store used by Kubernetes deployments for
persistent storage of all of its REST API objects. This data directory should
be protected from any unauthorized reads or writes. |
| Warnings | warning
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Verify Group Who Owns The Open vSwitch Database Server PIDxccdf_org.ssgproject.content_rule_file_groupowner_ovsdb_server_pid mediumCCE-84166-8
Verify Group Who Owns The Open vSwitch Database Server PID
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_ovsdb_server_pid |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_ovsdb_server_pid:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84166-8 |
| Description | Ensure that the file /run/openvswitch/ovsdb-server.pid, is owned by the group openvswitchor hugetlbfs, depending on your settings and Open vSwitch version. |
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing group ownership of /run/openvswitch/ovsdb-server.pid oval:ssg-test_file_groupowner_ovsdb_server_pid_800:tst:1 false
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /run/openvswitch/ovsdb-server.pid | regular | 800 | 801 | 5 | rw-r--r-- |
Testing group ownership of /run/openvswitch/ovsdb-server.pid oval:ssg-test_file_groupowner_ovsdb_server_pid_801:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /run/openvswitch/ovsdb-server.pid | regular | 800 | 801 | 5 | rw-r--r-- |
Verify Group Who Owns The OpenShift PKI Private Key Filesxccdf_org.ssgproject.content_rule_file_groupowner_openshift_pki_key_files mediumCCE-84172-6
Verify Group Who Owns The OpenShift PKI Private Key Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_openshift_pki_key_files |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84172-6 |
| Description |
To properly set the group owner of /etc/kubernetes/static-pod-resources/*/*/*/*.key, run the command:
$ sudo chgrp root /etc/kubernetes/static-pod-resources/*/*/*/*.key |
| Rationale | OpenShift makes use of a number of certificates as part of its operation.
You should verify the ownership of the directory containing the PKI
information and all files in that directory to maintain their integrity.
The directory and files should be owned by root:root. |
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Control Plane.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Verify Group Who Owns The OpenShift Container Network Interface Filesxccdf_org.ssgproject.content_rule_file_groupowner_cni_conf mediumCCE-84025-6
Verify Group Who Owns The OpenShift Container Network Interface Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_cni_conf |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_cni_conf:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84025-6 |
| Description | To properly set the group owner of /etc/cni/net.d/*, run the command: $ sudo chgrp root /etc/cni/net.d/* |
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing group ownership of ^/etc/cni/net.d/.*$ oval:ssg-test_file_groupowner_cni_conf:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /etc/cni/net.d/100-crio-bridge.conf | regular | 0 | 0 | 438 | rw-r--r-- |
| /etc/cni/net.d/200-loopback.conf | regular | 0 | 0 | 54 | rw-r--r-- |
| /etc/cni/net.d/87-podman-bridge.conflist | regular | 0 | 0 | 639 | rw-r--r-- |
Verify User Who Owns The Etcd Member Pod Specification Filexccdf_org.ssgproject.content_rule_file_owner_etcd_member mediumCCE-83988-6
Verify User Who Owns The Etcd Member Pod Specification File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etcd_member |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83988-6 |
| Description | To properly set the owner of /etc/kubernetes/static-pod-resources/etcd-pod-*/etcd-pod.yaml, run the command: $ sudo chown root /etc/kubernetes/static-pod-resources/etcd-pod-*/etcd-pod.yaml |
| Rationale | The etcd pod specification file controls various parameters that
set the behavior of the etcd service in the master node. etcd is a
highly-available key-value store which Kubernetes uses for persistent
storage of all of its REST API object. You should restrict its file
permissions to maintain the integrity of the file. The file should be
writable by only the administrators on the system. |
| Warnings | warning
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Verify Group Who Owns The OpenShift Admin Kubeconfig Filesxccdf_org.ssgproject.content_rule_file_groupowner_master_admin_kubeconfigs mediumCCE-84204-7
Verify Group Who Owns The OpenShift Admin Kubeconfig Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_master_admin_kubeconfigs |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84204-7 |
| Description |
To properly set the group owner of /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig, run the command:
$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig |
| Rationale | There are various kubeconfig files that can be used by the administrator,
defining various settings for the administration of the cluster. These files
contain credentials that can be used to control the cluster and are needed
for disaster recovery and each kubeconfig points to a different endpoint in
the cluster. You should restrict its file permissions to maintain the
integrity of the kubeconfig file as an attacker who gains access to these
files can take over the cluster. |
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes API server service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Verify Group Who Owns The OpenShift PKI Certificate Filesxccdf_org.ssgproject.content_rule_file_groupowner_openshift_pki_cert_files mediumCCE-83922-5
Verify Group Who Owns The OpenShift PKI Certificate Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_openshift_pki_cert_files |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83922-5 |
| Description |
To properly set the group owner of /etc/kubernetes/static-pod-resources/*/*/*/tls.crt, run the command:
$ sudo chgrp root /etc/kubernetes/static-pod-resources/*/*/*/tls.crt |
| Rationale | OpenShift makes use of a number of certificates as part of its operation.
You should verify the ownership of the directory containing the PKI
information and all files in that directory to maintain their integrity.
The directory and files should be owned by the system administrator. |
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Control Plane.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Verify User Who Owns The OpenShift Admin Kubeconfig Filesxccdf_org.ssgproject.content_rule_file_owner_master_admin_kubeconfigs mediumCCE-83719-5
Verify User Who Owns The OpenShift Admin Kubeconfig Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_master_admin_kubeconfigs |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83719-5 |
| Description |
To properly set the owner of /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig, run the command:
$ sudo chown root /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig |
| Rationale | There are various kubeconfig files that can be used by the administrator,
defining various settings for the administration of the cluster. These files
contain credentials that can be used to control the cluster and are needed
for disaster recovery and each kubeconfig points to a different endpoint in
the cluster. You should restrict its file permissions to maintain the
integrity of the kubeconfig file as an attacker who gains access to these
files can take over the cluster. |
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Control Plane.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Verify Group Who Owns The OpenShift Controller Manager Kubeconfig Filexccdf_org.ssgproject.content_rule_file_groupowner_controller_manager_kubeconfig mediumCCE-84095-9
Verify Group Who Owns The OpenShift Controller Manager Kubeconfig File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_controller_manager_kubeconfig |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84095-9 |
| Description |
To properly set the group owner of /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig, run the command:
$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig |
| Rationale | The Controller Manager's kubeconfig contains information about how the
component will access the API server. You should set its file ownership to
maintain the integrity of the file. |
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Controller
Manager service. The aforementioned service is only running on
the nodes labeled "master" by default. |
Verify Group Who Owns The OpenShift Multus Container Network Interface Plugin Filesxccdf_org.ssgproject.content_rule_file_groupowner_multus_conf mediumCCE-83818-5
Verify Group Who Owns The OpenShift Multus Container Network Interface Plugin Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_multus_conf |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_multus_conf:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83818-5 |
| Description | To properly set the group owner of /var/run/multus/cni/net.d/*, run the command: $ sudo chgrp root /var/run/multus/cni/net.d/* |
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing group ownership of ^/var/run/multus/cni/net.d/.*$ oval:ssg-test_file_groupowner_multus_conf:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /var/run/multus/cni/net.d/10-ovn-kubernetes.conf | regular | 0 | 0 | 233 | rw------- |
Verify User Who Owns The Kubernetes Controller Manager Pod Specificiation Filexccdf_org.ssgproject.content_rule_file_owner_kube_controller_manager mediumCCE-83795-5
Verify User Who Owns The Kubernetes Controller Manager Pod Specificiation File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_kube_controller_manager |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83795-5 |
| Description | To properly set the owner of /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml, run the command: $ sudo chown root /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml |
| Rationale | The Kubernetes specification file contains information about the configuration of the
Kubernetes Controller Manager Server that is configured on the system. Protection of this file is
critical for OpenShift security. |
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Controller Manager service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Verify User Who Owns The OpenShift PKI Private Key Filesxccdf_org.ssgproject.content_rule_file_owner_openshift_pki_key_files mediumCCE-83435-8
Verify User Who Owns The OpenShift PKI Private Key Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_openshift_pki_key_files |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83435-8 |
| Description |
To properly set the owner of /etc/kubernetes/static-pod-resources/*/*/*/*.key, run the command:
$ sudo chown root /etc/kubernetes/static-pod-resources/*/*/*/*.key |
| Rationale | OpenShift makes use of a number of certificates as part of its operation.
You should verify the ownership of the directory containing the PKI
information and all files in that directory to maintain their integrity.
The directory and files should be owned by root:root. |
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Control Plane.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Verify Group Who Owns The Etcd Database Directoryxccdf_org.ssgproject.content_rule_file_groupowner_etcd_data_dir mediumCCE-83354-1
Verify Group Who Owns The Etcd Database Directory
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etcd_data_dir |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83354-1 |
| Description |
To properly set the group owner of /var/lib/etcd/member/, run the command:
$ sudo chgrp root /var/lib/etcd/member/ |
| Rationale | etcd is a highly-available key-value store used by Kubernetes deployments for
persistent storage of all of its REST API objects. This data directory should
be protected from any unauthorized reads or writes. |
| Warnings | warning
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Verify User Who Owns The Kubernetes Scheduler Kubeconfig Filexccdf_org.ssgproject.content_rule_file_owner_scheduler_kubeconfig mediumCCE-84017-3
Verify User Who Owns The Kubernetes Scheduler Kubeconfig File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_scheduler_kubeconfig |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84017-3 |
| Description |
To properly set the owner of /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig, run the command:
$ sudo chown root /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig |
| Rationale | The kubeconfig for the Scheduler contains paramters for the scheduler
to access the Kube API.
You should set its file ownership to maintain the integrity of the file. |
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Scheduler service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Verify User Who Owns The Kubernetes Scheduler Pod Specification Filexccdf_org.ssgproject.content_rule_file_owner_kube_scheduler mediumCCE-83393-9
Verify User Who Owns The Kubernetes Scheduler Pod Specification File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_kube_scheduler |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83393-9 |
| Description | To properly set the owner of /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml, run the command: $ sudo chown root /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml |
| Rationale | The Kubernetes specification file contains information about the configuration of the
Kubernetes scheduler that is configured on the system. Protection of this file is
critical for OpenShift security. |
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Scheduler service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Verify User Who Owns The OpenShift Container Network Interface Filesxccdf_org.ssgproject.content_rule_file_owner_cni_conf mediumCCE-83460-6
Verify User Who Owns The OpenShift Container Network Interface Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_cni_conf |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_cni_conf:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83460-6 |
| Description | To properly set the owner of /etc/cni/net.d/*, run the command: $ sudo chown root /etc/cni/net.d/* |
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing user ownership of ^/etc/cni/net.d/.*$ oval:ssg-test_file_owner_cni_conf:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /etc/cni/net.d/100-crio-bridge.conf | regular | 0 | 0 | 438 | rw-r--r-- |
| /etc/cni/net.d/200-loopback.conf | regular | 0 | 0 | 54 | rw-r--r-- |
| /etc/cni/net.d/87-podman-bridge.conflist | regular | 0 | 0 | 639 | rw-r--r-- |
Verify User Who Owns The Etcd Write-Ahead-Log Filesxccdf_org.ssgproject.content_rule_file_owner_etcd_data_files mediumCCE-84010-8
Verify User Who Owns The Etcd Write-Ahead-Log Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etcd_data_files |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84010-8 |
| Description |
To properly set the owner of /var/lib/etcd/member/wal/*, run the command:
$ sudo chown root /var/lib/etcd/member/wal/* |
| Rationale | etcd is a highly-available key-value store used by Kubernetes deployments for
persistent storage of all of its REST API objects. This data directory should
be protected from any unauthorized reads or writes. |
| Warnings | warning
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Verify User Who Owns The Open vSwitch Configuration Databasexccdf_org.ssgproject.content_rule_file_owner_ovs_conf_db mediumCCE-83489-5
Verify User Who Owns The Open vSwitch Configuration Database
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_ovs_conf_db |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_ovs_conf_db:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83489-5 |
| Description |
To properly set the owner of /etc/openvswitch/conf.db, run the command:
$ sudo chown openvswitch /etc/openvswitch/conf.db |
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing user ownership of /etc/openvswitch/conf.db oval:ssg-test_file_owner_ovs_conf_db:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /etc/openvswitch/conf.db | regular | 800 | 801 | 678330 | rw-r----- |
Verify User Who Owns The Open vSwitch Process ID Filexccdf_org.ssgproject.content_rule_file_owner_ovs_pid mediumCCE-83937-3
Verify User Who Owns The Open vSwitch Process ID File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_ovs_pid |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_ovs_pid:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83937-3 |
| Description |
To properly set the owner of /var/run/openvswitch/ovs-vswitchd.pid, run the command:
$ sudo chown openvswitch /var/run/openvswitch/ovs-vswitchd.pid |
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing user ownership of /var/run/openvswitch/ovs-vswitchd.pid oval:ssg-test_file_owner_ovs_pid:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /var/run/openvswitch/ovs-vswitchd.pid | regular | 800 | 801 | 5 | rw-r--r-- |
Verify User Who Owns The Kubernetes API Server Pod Specification Filexccdf_org.ssgproject.content_rule_file_owner_kube_apiserver mediumCCE-83372-3
Verify User Who Owns The Kubernetes API Server Pod Specification File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_kube_apiserver |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83372-3 |
| Description | To properly set the owner of /etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml, run the command: $ sudo chown root /etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml |
| Rationale | The Kubernetes specification file contains information about the configuration of the
Kubernetes API Server that is configured on the system. Protection of this file is
critical for OpenShift security. |
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes API Server service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Verify User Who Owns The OpenShift SDN CNI Server Configxccdf_org.ssgproject.content_rule_file_owner_openshift_sdn_cniserver_config mediumCCE-83932-4
Verify User Who Owns The OpenShift SDN CNI Server Config
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_openshift_sdn_cniserver_config |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_openshift_sdn_cniserver_config:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83932-4 |
| Description |
To properly set the owner of /var/run/openshift-sdn/cniserver/config.json, run the command:
$ sudo chown root /var/run/openshift-sdn/cniserver/config.json |
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing user ownership of /var/run/openshift-sdn/cniserver/config.json oval:ssg-test_file_owner_openshift_sdn_cniserver_config:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_openshift_sdn_cniserver_config:obj:1 of type file_object
| Filepath |
|---|
| /var/run/openshift-sdn/cniserver/config.json |
Verify Group Who Owns The Open vSwitch Configuration Databasexccdf_org.ssgproject.content_rule_file_groupowner_ovs_conf_db mediumCCE-84226-0
Verify Group Who Owns The Open vSwitch Configuration Database
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_ovs_conf_db |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_ovs_conf_db:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84226-0 |
| Description |
To properly set the group owner of /etc/openvswitch/conf.db, run the command:
$ sudo chgrp hugetlbfs /etc/openvswitch/conf.db |
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing group ownership of /etc/openvswitch/conf.db oval:ssg-test_file_groupowner_ovs_conf_db:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /etc/openvswitch/conf.db | regular | 800 | 801 | 678330 | rw-r----- |
Verify Group Who Owns The Etcd PKI Certificate Filesxccdf_org.ssgproject.content_rule_file_groupowner_etcd_pki_cert_files mediumCCE-83890-4
Verify Group Who Owns The Etcd PKI Certificate Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etcd_pki_cert_files |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83890-4 |
| Description |
To properly set the group owner of /etc/kubernetes/static-pod-resources/*/*/*/*.crt, run the command:
$ sudo chgrp root /etc/kubernetes/static-pod-resources/*/*/*/*.crt |
| Rationale | OpenShift makes use of a number of certificates as part of its operation.
You should verify the ownership of the directory containing the PKI
information and all files in that directory to maintain their integrity.
The directory and files should be owned by the system administrator. |
| Warnings | warning
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Verify Group Who Owns The Open vSwitch Configuration Database Lockxccdf_org.ssgproject.content_rule_file_groupowner_ovs_conf_db_lock mediumCCE-84219-5
Verify Group Who Owns The Open vSwitch Configuration Database Lock
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_ovs_conf_db_lock |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_ovs_conf_db_lock:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84219-5 |
| Description |
To properly set the group owner of /etc/openvswitch/.conf.db.~lock~, run the command:
$ sudo chgrp hugetlbfs /etc/openvswitch/.conf.db.~lock~ |
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing group ownership of /etc/openvswitch/.conf.db.~lock~ oval:ssg-test_file_groupowner_ovs_conf_db_lock:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /etc/openvswitch/.conf.db.~lock~ | regular | 800 | 801 | 0 | rw------- |
Verify User Who Owns The Open vSwitch Persistent System IDxccdf_org.ssgproject.content_rule_file_owner_ovs_sys_id_conf mediumCCE-84085-0
Verify User Who Owns The Open vSwitch Persistent System ID
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_ovs_sys_id_conf |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_ovs_sys_id_conf:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84085-0 |
| Description |
To properly set the owner of /etc/openvswitch/system-id.conf, run the command:
$ sudo chown openvswitch /etc/openvswitch/system-id.conf |
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing user ownership of /etc/openvswitch/system-id.conf oval:ssg-test_file_owner_ovs_sys_id_conf:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /etc/openvswitch/system-id.conf | regular | 800 | 801 | 37 | rw-r--r-- |
Verify Group Who Owns The Kubernetes Scheduler Kubeconfig Filexccdf_org.ssgproject.content_rule_file_groupowner_scheduler_kubeconfig mediumCCE-83471-3
Verify Group Who Owns The Kubernetes Scheduler Kubeconfig File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_scheduler_kubeconfig |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83471-3 |
| Description |
To properly set the group owner of /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig, run the command:
$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig |
| Rationale | The kubeconfig for the Scheduler contains paramters for the scheduler
to access the Kube API.
You should set its file ownership to maintain the integrity of the file. |
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Scheduler service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Verify User Who Owns The Open vSwitch Daemon PID Filexccdf_org.ssgproject.content_rule_file_owner_ovs_vswitchd_pid mediumCCE-83888-8
Verify User Who Owns The Open vSwitch Daemon PID File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_ovs_vswitchd_pid |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_ovs_vswitchd_pid:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83888-8 |
| Description |
To properly set the owner of /run/openvswitch/ovs-vswitchd.pid, run the command:
$ sudo chown openvswitch /run/openvswitch/ovs-vswitchd.pid |
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing user ownership of /run/openvswitch/ovs-vswitchd.pid oval:ssg-test_file_owner_ovs_vswitchd_pid:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /run/openvswitch/ovs-vswitchd.pid | regular | 800 | 801 | 5 | rw-r--r-- |
Verify Group Who Owns The Kubernetes Controller Manager Pod Specification Filexccdf_org.ssgproject.content_rule_file_groupowner_kube_controller_manager mediumCCE-83953-0
Verify Group Who Owns The Kubernetes Controller Manager Pod Specification File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_kube_controller_manager |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83953-0 |
| Description | To properly set the group owner of /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml, run the command: $ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml |
| Rationale | The Kubernetes specification file contains information about the configuration of the
Kubernetes Controller Manager Server that is configured on the system. Protection of this file is
critical for OpenShift security. |
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Controller Manager service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Verify User Who Owns The OpenShift PKI Certificate Filesxccdf_org.ssgproject.content_rule_file_owner_openshift_pki_cert_files mediumCCE-83558-7
Verify User Who Owns The OpenShift PKI Certificate Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_openshift_pki_cert_files |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83558-7 |
| Description |
To properly set the owner of /etc/kubernetes/static-pod-resources/*/*/*/tls.crt, run the command:
$ sudo chown root /etc/kubernetes/static-pod-resources/*/*/*/tls.crt |
| Rationale | OpenShift makes use of a number of certificates as part of its operation.
You should verify the ownership of the directory containing the PKI
information and all files in that directory to maintain their integrity. |
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Control Plane.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Verify Group Who Owns The Kubernetes Scheduler Pod Specification Filexccdf_org.ssgproject.content_rule_file_groupowner_kube_scheduler mediumCCE-83614-8
Verify Group Who Owns The Kubernetes Scheduler Pod Specification File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_kube_scheduler |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83614-8 |
| Description | To properly set the group owner of /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml, run the command: $ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml |
| Rationale | The Kubernetes Specification file contains information about the configuration of the
Kubernetes scheduler that is configured on the system. Protection of this file is
critical for OpenShift security. |
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Scheduler service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Verify Group Who Owns The OpenShift SDN CNI Server Configxccdf_org.ssgproject.content_rule_file_groupowner_openshift_sdn_cniserver_config mediumCCE-83605-6
Verify Group Who Owns The OpenShift SDN CNI Server Config
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_openshift_sdn_cniserver_config |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_openshift_sdn_cniserver_config:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83605-6 |
| Description |
To properly set the group owner of /var/run/openshift-sdn/cniserver/config.json, run the command:
$ sudo chgrp root /var/run/openshift-sdn/cniserver/config.json |
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing group ownership of /var/run/openshift-sdn/cniserver/config.json oval:ssg-test_file_groupowner_openshift_sdn_cniserver_config:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_openshift_sdn_cniserver_config:obj:1 of type file_object
| Filepath |
|---|
| /var/run/openshift-sdn/cniserver/config.json |
Verify Group Who Owns The Worker Kubeconfig Filexccdf_org.ssgproject.content_rule_file_groupowner_worker_kubeconfig mediumCCE-83409-3
Verify Group Who Owns The Worker Kubeconfig File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_worker_kubeconfig |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_worker_kubeconfig:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83409-3 |
| Description | To properly set the group owner of /var/lib/kubelet/kubeconfig, run the command: $ sudo chgrp root /var/lib/kubelet/kubeconfig |
| Rationale | The worker kubeconfig file contains information about the administrative configuration of the
OpenShift cluster that is configured on the system. Protection of this file is
critical for OpenShift security. |
OVAL test results details
Testing group ownership of /var/lib/kubelet/kubeconfig oval:ssg-test_file_groupowner_worker_kubeconfig:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /var/lib/kubelet/kubeconfig | regular | 0 | 0 | 5244 | rw------- |
Verify Group Who Owns The OpenShift Node Service Filexccdf_org.ssgproject.content_rule_file_groupowner_worker_service mediumCCE-83975-3
Verify Group Who Owns The OpenShift Node Service File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_worker_service |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_worker_service:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83975-3 |
| Description | '
To properly set the group owner of /etc/systemd/system/kubelet.service, run the command:
$ sudo chgrp root /etc/systemd/system/kubelet.service' |
| Rationale | The /etc/systemd/system/kubelet.service
file contains information about the configuration of the
OpenShift node service that is configured on the system. Protection of this file is
critical for OpenShift security. |
OVAL test results details
Testing group ownership of /etc/systemd/system/kubelet.service oval:ssg-test_file_groupowner_worker_service:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /etc/systemd/system/kubelet.service | regular | 0 | 0 | 1321 | rw-r--r-- |
Verify Group Who Owns The Kubelet Configuration Filexccdf_org.ssgproject.content_rule_file_groupowner_kubelet_conf mediumCCE-84233-6
Verify Group Who Owns The Kubelet Configuration File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_kubelet_conf |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_kubelet_conf:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84233-6 |
| Description | To properly set the group owner of /etc/kubernetes/kubelet.conf, run the command: $ sudo chgrp root /etc/kubernetes/kubelet.conf |
| Rationale | The kubelet configuration file contains information about the configuration of the
OpenShift node that is configured on the system. Protection of this file is
critical for OpenShift security. |
OVAL test results details
Testing group ownership of /etc/kubernetes/kubelet.conf oval:ssg-test_file_groupowner_kubelet_conf:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /etc/kubernetes/kubelet.conf | regular | 0 | 0 | 934 | rw-r--r-- |
Verify User Who Owns The Kubelet Configuration Filexccdf_org.ssgproject.content_rule_file_owner_kubelet_conf mediumCCE-83976-1
Verify User Who Owns The Kubelet Configuration File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_kubelet_conf |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_kubelet_conf:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83976-1 |
| Description | To properly set the owner of /etc/kubernetes/kubelet.conf, run the command: $ sudo chown root /etc/kubernetes/kubelet.conf |
| Rationale | The kubelet configuration file contains information about the configuration of the
OpenShift node that is configured on the system. Protection of this file is
critical for OpenShift security. |
OVAL test results details
Testing user ownership of /etc/kubernetes/kubelet.conf oval:ssg-test_file_owner_kubelet_conf:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /etc/kubernetes/kubelet.conf | regular | 0 | 0 | 934 | rw-r--r-- |
Verify Group Who Owns the Worker Certificate Authority Filexccdf_org.ssgproject.content_rule_file_groupowner_worker_ca mediumCCE-83440-8
Verify Group Who Owns the Worker Certificate Authority File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_worker_ca |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_worker_ca:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83440-8 |
| Description | To properly set the group owner of /etc/kubernetes/kubelet-ca.crt, run the command: $ sudo chgrp root /etc/kubernetes/kubelet-ca.crt |
| Rationale | The worker certificate authority file contains the certificate authority
certificate for an OpenShift node that is configured on the system. Protection of this file is
critical for OpenShift security. |
OVAL test results details
Testing group ownership of /etc/kubernetes/kubelet-ca.crt oval:ssg-test_file_groupowner_worker_ca:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /etc/kubernetes/kubelet-ca.crt | regular | 0 | 0 | 5875 | rw-r--r-- |
Verify User Who Owns The OpenShift Node Service Filexccdf_org.ssgproject.content_rule_file_owner_worker_service mediumCCE-84193-2
Verify User Who Owns The OpenShift Node Service File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_worker_service |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_worker_service:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84193-2 |
| Description | '
To properly set the owner of /etc/systemd/system/kubelet.service, run the command:
$ sudo chown root /etc/systemd/system/kubelet.service' |
| Rationale | The /etc/systemd/system/kubelet.service
file contains information about the configuration of the
OpenShift node service that is configured on the system. Protection of this file is
critical for OpenShift security. |
OVAL test results details
Testing user ownership of /etc/systemd/system/kubelet.service oval:ssg-test_file_owner_worker_service:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /etc/systemd/system/kubelet.service | regular | 0 | 0 | 1321 | rw-r--r-- |
Verify User Who Owns The Worker Kubeconfig Filexccdf_org.ssgproject.content_rule_file_owner_worker_kubeconfig mediumCCE-83408-5
Verify User Who Owns The Worker Kubeconfig File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_worker_kubeconfig |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_worker_kubeconfig:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83408-5 |
| Description | To properly set the owner of /var/lib/kubelet/kubeconfig, run the command: $ sudo chown root /var/lib/kubelet/kubeconfig |
| Rationale | The worker kubeconfig file contains information about the administrative configuration of the
OpenShift cluster that is configured on the system. Protection of this file is
critical for OpenShift security. |
OVAL test results details
Testing user ownership of /var/lib/kubelet/kubeconfig oval:ssg-test_file_owner_worker_kubeconfig:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /var/lib/kubelet/kubeconfig | regular | 0 | 0 | 5244 | rw------- |
Verify User Who Owns the Worker Certificate Authority Filexccdf_org.ssgproject.content_rule_file_owner_worker_ca mediumCCE-83495-2
Verify User Who Owns the Worker Certificate Authority File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_worker_ca |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_worker_ca:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83495-2 |
| Description | To properly set the owner of /etc/kubernetes/kubelet-ca.crt, run the command: $ sudo chown root /etc/kubernetes/kubelet-ca.crt |
| Rationale | The worker certificate authority file contains the certificate authority
certificate for an OpenShift node that is configured on the system. Protection of this file is
critical for OpenShift security. |
OVAL test results details
Testing user ownership of /etc/kubernetes/kubelet-ca.crt oval:ssg-test_file_owner_worker_ca:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /etc/kubernetes/kubelet-ca.crt | regular | 0 | 0 | 5875 | rw-r--r-- |
Configure A Unique CA Certificate for etcdxccdf_org.ssgproject.content_rule_etcd_unique_ca medium
Configure A Unique CA Certificate for etcd
| Rule ID | xccdf_org.ssgproject.content_rule_etcd_unique_ca |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | |
| Description | A unique CA certificate should be created for etcd. OpenShift by
default creates separate PKIs for etcd and the Kubernetes API server. The
same is done for other points of communication in the cluster. |
| Rationale | The Kubernetes API server and etcd utilize separate CA certificates in
OpenShift. This ensures that the etcd data is still protected in the event
that the API server CA is compromised. |
| Warnings | warning
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.availablexccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available mediumCCE-84138-7
Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84138-7 |
| Description | Two types of garbage collection are performed on an OpenShift Container Platform node:
Container garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node. The OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a kubeletConfig object for each Machine Config Pool using any combination of the following:
To configure, follow the directions in the documentation
This rule pertains to the |
| Rationale | Garbage collection is important to ensure sufficient resource availability
and avoiding degraded performance and availability. In the worst case, the
system might crash or just be unusable for a long period of time.
Based on your system resources and tests, choose an appropriate threshold
value to activate garbage collection. |
OVAL test results details
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionHard['nodefs.available']'. oval:ssg-test_kubelet_eviction_thresholds_set_hard_nodefs_available:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_eviction_thresholds_set_hard_nodefs_available:obj:1 of type yamlfilecontent_object
| Filepath | Yamlpath |
|---|---|
| /etc/kubernetes/kubelet.conf | .evictionHard['nodefs.available'] |
kubelet - Enable Client Certificate Rotationxccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation mediumCCE-83352-5
kubelet - Enable Client Certificate Rotation
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kubelet_enable_client_cert_rotation:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83352-5 |
| Description | To enable the kubelet to rotate client certificates, edit the kubelet configuration
file /etc/kubernetes/kubelet.conf
on the kubelet node(s) and set the below parameter:
featureGates: ... RotateKubeletClientCertificate: true ... |
| Rationale | Allowing the kubelet to auto-update the certificates ensure that there is no downtime
in certificate renewal as well as ensures confidentiality and integrity. |
OVAL test results details
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.featureGates.RotateKubeletClientCertificate'. oval:ssg-test_kubelet_enable_client_cert_rotation:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_enable_client_cert_rotation:obj:1 of type yamlfilecontent_object
| Filepath | Yamlpath |
|---|---|
| /etc/kubernetes/kubelet.conf | .featureGates.RotateKubeletClientCertificate |
Kubelet - Ensure Event Creation Is Configuredxccdf_org.ssgproject.content_rule_kubelet_configure_event_creation mediumCCE-83576-9
Kubelet - Ensure Event Creation Is Configured
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_configure_event_creation |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kubelet_configure_event_creation:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83576-9 |
| Description | Security relevant information should be captured. The eventRecordQPS
Kubelet option can be used to limit the rate at which events are gathered.
Setting this too low could result in relevant events not being logged,
however the unlimited setting of 0 could result in a denial of service on
the kubelet. Processing and storage systems should be scaled to handle the
expected event load. To set the eventRecordQPS option for the kubelet,
create a KubeletConfig option along these lines:
apiVersion: machineconfiguration.openshift.io/v1
kind: KubeletConfig
metadata:
name: kubelet-config-$pool
spec:
machineConfigPoolSelector:
matchLabels:
pools.operator.machineconfiguration.openshift.io/$pool_name: ""
kubeletConfig:
eventRecordQPS: 5
|
| Rationale | It is important to capture all events and not restrict event creation.
Events are an important source of security information and analytics that
ensure that your environment is consistently monitored using the event
data. |
| Warnings | warning
The MachineConfig Operator does not merge KubeletConfig
objects, the last object is used instead. In case you need to
set multiple options for kubelet, consider putting all the custom
options into a single KubeletConfig object. |
OVAL test results details
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.eventRecordQPS'. oval:ssg-test_kubelet_configure_event_creation:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_configure_event_creation:obj:1 of type yamlfilecontent_object
| Filepath | Yamlpath |
|---|---|
| /etc/kubernetes/kubelet.conf | .eventRecordQPS |
kubelet - Disable Hostname Overridexccdf_org.ssgproject.content_rule_kubelet_disable_hostname_override medium
kubelet - Disable Hostname Override
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_disable_hostname_override |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kubelet_disable_hostname_override:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | |
| Description | To prevent the hostname from being overrided, edit the kubelet systemd service file
/etc/systemd/system/kubelet.service on the kubelet node(s) and
remove the --hostname-override flag if it exists. |
| Rationale | Allowing hostnames to be overrided creates issues around resolving nodes
in addition to TLS configuration, certificate validation, and log correlation
and validation. |
OVAL test results details
Test that the --hostname-override flag is not contained in kubelet.service oval:ssg-test_kubelet_hostname_override_disabled:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_kubelet_hostname_override:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/systemd/system/kubelet.service | ^.*--hostname-override.* | 1 |
Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.availablexccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_available mediumCCE-84127-0
Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.available
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_available |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84127-0 |
| Description | Two types of garbage collection are performed on an OpenShift Container Platform node:
Container garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node. The OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a kubeletConfig object for each Machine Config Pool using any combination of the following:
To configure, follow the directions in the documentation
This rule pertains to the |
| Rationale | Garbage collection is important to ensure sufficient resource availability
and avoiding degraded performance and availability. In the worst case, the
system might crash or just be unusable for a long period of time.
Based on your system resources and tests, choose an appropriate threshold
value to activate garbage collection. |
OVAL test results details
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionSoft['imagefs.available']'. oval:ssg-test_kubelet_eviction_thresholds_set_soft_imagefs_available:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_eviction_thresholds_set_soft_imagefs_available:obj:1 of type yamlfilecontent_object
| Filepath | Yamlpath |
|---|---|
| /etc/kubernetes/kubelet.conf | .evictionSoft['imagefs.available'] |
kubelet - Do Not Disable Streaming Timeoutsxccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections mediumCCE-84097-5
kubelet - Do Not Disable Streaming Timeouts
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kubelet_enable_streaming_connections:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84097-5 |
| Description | Timouts for streaming connections should not be disabled as they help to prevent
denial-of-service attacks.
To configure streaming connection timeouts, edit the kubelet configuration
file /etc/kubernetes/kubelet.conf
on the kubelet node(s) and set the below parameter:
streamingConnectionIdleTimeout: 5m |
| Rationale | Ensuring connections have timeouts helps to protect against denial-of-service attacks as
well as disconnect inactive connections. In addition, setting connections timeouts helps
to prevent from running out of ephemeral ports. |
OVAL test results details
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.streamingConnectionIdleTimeout'. oval:ssg-test_kubelet_enable_streaming_connections:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_enable_streaming_connections:obj:1 of type yamlfilecontent_object
| Filepath | Yamlpath |
|---|---|
| /etc/kubernetes/kubelet.conf | .streamingConnectionIdleTimeout |
Ensure Eviction threshold Settings Are Set - evictionSoft: memory.availablexccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_memory_available mediumCCE-84222-9
Ensure Eviction threshold Settings Are Set - evictionSoft: memory.available
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_memory_available |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kubelet_eviction_thresholds_set_soft_memory_available:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84222-9 |
| Description | Two types of garbage collection are performed on an OpenShift Container Platform node:
Container garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node. The OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a kubeletConfig object for each Machine Config Pool using any combination of the following:
To configure, follow the directions in the documentation
This rule pertains to the |
| Rationale | Garbage collection is important to ensure sufficient resource availability
and avoiding degraded performance and availability. In the worst case, the
system might crash or just be unusable for a long period of time.
Based on your system resources and tests, choose an appropriate threshold
value to activate garbage collection. |
OVAL test results details
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionSoft['memory.available']'. oval:ssg-test_kubelet_eviction_thresholds_set_soft_memory_available:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_eviction_thresholds_set_soft_memory_available:obj:1 of type yamlfilecontent_object
| Filepath | Yamlpath |
|---|---|
| /etc/kubernetes/kubelet.conf | .evictionSoft['memory.available'] |
Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFreexccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree mediumCCE-84141-1
Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84141-1 |
| Description | Two types of garbage collection are performed on an OpenShift Container Platform node:
Container garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node. The OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a kubeletConfig object for each Machine Config Pool using any combination of the following:
To configure, follow the directions in the documentation
This rule pertains to the |
| Rationale | Garbage collection is important to ensure sufficient resource availability
and avoiding degraded performance and availability. In the worst case, the
system might crash or just be unusable for a long period of time.
Based on your system resources and tests, choose an appropriate threshold
value to activate garbage collection. |
OVAL test results details
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionHard['nodefs.inodesFree']'. oval:ssg-test_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree:obj:1 of type yamlfilecontent_object
| Filepath | Yamlpath |
|---|---|
| /etc/kubernetes/kubelet.conf | .evictionHard['nodefs.inodesFree'] |
kubelet - Enable Server Certificate Rotationxccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation mediumCCE-83356-6
kubelet - Enable Server Certificate Rotation
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kubelet_enable_server_cert_rotation:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83356-6 |
| Description | To enable the kubelet to rotate server certificates, edit the kubelet configuration
file /etc/kubernetes/kubelet.conf
on the kubelet node(s) and set the below parameter:
featureGates: ... RotateKubeletServerCertificate: true ... |
| Rationale | Allowing the kubelet to auto-update the certificates ensure that there is no downtime
in certificate renewal as well as ensures confidentiality and integrity. |
OVAL test results details
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.featureGates.RotateKubeletServerCertificate'. oval:ssg-test_kubelet_enable_server_cert_rotation:tst:1 true
Following items have been found on the system:
| Filepath | Path | Filename | Yamlpath | Value |
|---|---|---|---|---|
| /etc/kubernetes/kubelet.conf | /etc/kubernetes | kubelet.conf | .featureGates.RotateKubeletServerCertificate | true |
Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.availablexccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_available mediumCCE-84144-5
Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_available |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84144-5 |
| Description | Two types of garbage collection are performed on an OpenShift Container Platform node:
Container garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node. The OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a kubeletConfig object for each Machine Config Pool using any combination of the following:
To configure, follow the directions in the documentation
This rule pertains to the |
| Rationale | Garbage collection is important to ensure sufficient resource availability
and avoiding degraded performance and availability. In the worst case, the
system might crash or just be unusable for a long period of time.
Based on your system resources and tests, choose an appropriate threshold
value to activate garbage collection. |
OVAL test results details
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionHard['imagefs.available']'. oval:ssg-test_kubelet_eviction_thresholds_set_hard_imagefs_available:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_eviction_thresholds_set_hard_imagefs_available:obj:1 of type yamlfilecontent_object
| Filepath | Yamlpath |
|---|---|
| /etc/kubernetes/kubelet.conf | .evictionHard['imagefs.available'] |
kubelet - Configure the Client CA Certificatexccdf_org.ssgproject.content_rule_kubelet_configure_client_ca mediumCCE-83724-5
kubelet - Configure the Client CA Certificate
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kubelet_configure_client_ca:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83724-5 |
| Description | By default, the kubelet is not configured with a CA certificate which
can subject the kubelet to man-in-the-middle attacks.
To configure a client CA certificate, edit the kubelet configuration
file /etc/kubernetes/kubelet.conf
on the kubelet node(s) and set the below parameter:
authentication:
...
x509:
clientCAFile: /etc/kubernetes/kubelet-ca.crt
...
|
| Rationale | Not having a CA certificate for the kubelet will subject the kubelet to possible
man-in-the-middle attacks especially on unsafe or untrusted networks.
Certificate validation for the kubelet allows the API server to validate
the kubelet's identity. |
OVAL test results details
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.authentication.x509.clientCAFile'. oval:ssg-test_kubelet_configure_client_ca:tst:1 true
Following items have been found on the system:
| Filepath | Path | Filename | Yamlpath | Value |
|---|---|---|---|---|
| /etc/kubernetes/kubelet.conf | /etc/kubernetes | kubelet.conf | .authentication.x509.clientCAFile | /etc/kubernetes/kubelet-ca.crt |
kubelet - Enable Protect Kernel Defaultsxccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_defaults medium
kubelet - Enable Protect Kernel Defaults
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_defaults |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kubelet_enable_protect_kernel_defaults:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | |
| Description | Protect tuned kernel parameters from being overwritten by the kubelet.
Before enabling this kernel parameter, it's important and
necessary to first create a kernel.keys.root_maxbytes=25000000 kernel.keys.root_maxkeys=1000000 kernel.panic=10 kernel.panic_on_oops=1 vm.overcommit_memory=1 vm.panic_on_oom=0 The these need to be enabled via MachineConfig since they need to be available as soon as the node starts and before the Kubelet does. The manifest may look as follows:
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
labels:
machineconfiguration.openshift.io/role: master
name: 75-master-kubelet-sysctls
spec:
config:
ignition:
version: 3.1.0
storage:
files:
- contents:
source: data:,vm.overcommit_memory%3D1%0Avm.panic_on_oom%3D0%0Akernel.panic%3D10%0Akernel.panic_on_oops%3D1%0Akernel.keys.root_maxkeys%3D1000000%0Akernel.keys.root_maxbytes%3D25000000%0A
mode: 0644
path: /etc/sysctl.d/90-kubelet.conf
overwrite: true
This will need to be done for each relevant
After enabling this and after the changes have successfully rolled out
to the whole cluster, it will now be possible to set the
To configure, follow the directions in the documentation |
| Rationale | Kernel parameters are usually tuned and hardened by the system administrators
before putting the systems into production. These parameters protect the
kernel and the system. Your kubelet kernel defaults that rely on such
parameters should be appropriately set to match the desired secured system
state. Ignoring this could potentially lead to running pods with undesired
kernel behavior. |
OVAL test results details
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.protectKernelDefaults'. oval:ssg-test_kubelet_enable_protect_kernel_defaults:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_enable_protect_kernel_defaults:obj:1 of type yamlfilecontent_object
| Filepath | Yamlpath |
|---|---|
| /etc/kubernetes/kubelet.conf | .protectKernelDefaults |
Ensure that the Kubelet only makes use of Strong Cryptographic Ciphersxccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites medium
Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kubelet_configure_tls_cipher_suites:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | |
| Description | Ensure that the Kubelet is configured to only use strong cryptographic ciphers.
To set the cipher suites for the kubelet, create new or modify existing
KubeletConfig object along these lines, one for every
MachineConfigPool:
apiVersion: machineconfiguration.openshift.io/v1
kind: KubeletConfig
metadata:
name: kubelet-config-$pool
spec:
machineConfigPoolSelector:
matchLabels:
pools.operator.machineconfiguration.openshift.io/$pool_name: ""
kubeletConfig:
tlsCipherSuites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
| Rationale | TLS ciphers have had a number of known vulnerabilities and weaknesses,
which can reduce the protection provided by them. By default Kubernetes
supports a number of TLS ciphersuites including some that have security
concerns, weakening the protection provided. |
OVAL test results details
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.tlsCipherSuites[:]'. oval:ssg-test_kubelet_configure_tls_cipher_suites:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_configure_tls_cipher_suites:obj:1 of type yamlfilecontent_object
| Filepath | Yamlpath |
|---|---|
| /etc/kubernetes/kubelet.conf | .tlsCipherSuites[:] |
kubelet - Allow Automatic Firewall Configurationxccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains mediumCCE-83775-7
kubelet - Allow Automatic Firewall Configuration
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kubelet_enable_iptables_util_chains:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83775-7 |
| Description | The kubelet has the ability to automatically configure the firewall to allow
the containers required ports and connections to networking resources and destinations
parameters potentially creating a security incident.
To allow the kubelet to modify the firewall, edit the kubelet configuration
file /etc/kubernetes/kubelet.conf
on the kubelet node(s) and set the below parameter:
makeIPTablesUtilChains: true |
| Rationale | The kubelet should automatically configure the firewall settings to allow access and
networking traffic through. This ensures that when a pod or container is running that
the correct ports are configured as well as removing the ports when a pod or
container is no longer in existence. |
OVAL test results details
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.makeIPTablesUtilChains'. oval:ssg-test_kubelet_enable_iptables_util_chains:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_enable_iptables_util_chains:obj:1 of type yamlfilecontent_object
| Filepath | Yamlpath |
|---|---|
| /etc/kubernetes/kubelet.conf | .makeIPTablesUtilChains |
Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFreexccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree mediumCCE-84147-8
Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFree
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84147-8 |
| Description | Two types of garbage collection are performed on an OpenShift Container Platform node:
Container garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node. The OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a kubeletConfig object for each Machine Config Pool using any combination of the following:
To configure, follow the directions in the documentation
This rule pertains to the |
| Rationale | Garbage collection is important to ensure sufficient resource availability
and avoiding degraded performance and availability. In the worst case, the
system might crash or just be unusable for a long period of time.
Based on your system resources and tests, choose an appropriate threshold
value to activate garbage collection. |
OVAL test results details
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionHard['imagefs.inodesFree']'. oval:ssg-test_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree:obj:1 of type yamlfilecontent_object
| Filepath | Yamlpath |
|---|---|
| /etc/kubernetes/kubelet.conf | .evictionHard['imagefs.inodesFree'] |
Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.availablexccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_available mediumCCE-84119-7
Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.available
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_available |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84119-7 |
| Description | Two types of garbage collection are performed on an OpenShift Container Platform node:
Container garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node. The OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a kubeletConfig object for each Machine Config Pool using any combination of the following:
To configure, follow the directions in the documentation
This rule pertains to the |
| Rationale | Garbage collection is important to ensure sufficient resource availability
and avoiding degraded performance and availability. In the worst case, the
system might crash or just be unusable for a long period of time.
Based on your system resources and tests, choose an appropriate threshold
value to activate garbage collection. |
OVAL test results details
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionSoft['nodefs.available']'. oval:ssg-test_kubelet_eviction_thresholds_set_soft_nodefs_available:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_eviction_thresholds_set_soft_nodefs_available:obj:1 of type yamlfilecontent_object
| Filepath | Yamlpath |
|---|---|
| /etc/kubernetes/kubelet.conf | .evictionSoft['nodefs.available'] |
kubelet - Enable Certificate Rotationxccdf_org.ssgproject.content_rule_kubelet_enable_cert_rotation mediumCCE-83838-3
kubelet - Enable Certificate Rotation
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_enable_cert_rotation |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kubelet_enable_cert_rotation:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83838-3 |
| Description | To enable the kubelet to rotate client certificates, edit the kubelet configuration
file /etc/kubernetes/kubelet.conf
on the kubelet node(s) and set the below parameter:
... rotateCertificates: true ... |
| Rationale | Allowing the kubelet to auto-update the certificates ensure that there is no downtime
in certificate renewal as well as ensures confidentiality and integrity. |
OVAL test results details
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.rotateCertificates'. oval:ssg-test_kubelet_enable_cert_rotation:tst:1 true
Following items have been found on the system:
| Filepath | Path | Filename | Yamlpath | Value |
|---|---|---|---|---|
| /etc/kubernetes/kubelet.conf | /etc/kubernetes | kubelet.conf | .rotateCertificates | true |
Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.inodesFreexccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree mediumCCE-84123-9
Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.inodesFree
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84123-9 |
| Description | Two types of garbage collection are performed on an OpenShift Container Platform node:
Container garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node. The OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a kubeletConfig object for each Machine Config Pool using any combination of the following:
To configure, follow the directions in the documentation
This rule pertains to the |
| Rationale | Garbage collection is important to ensure sufficient resource availability
and avoiding degraded performance and availability. In the worst case, the
system might crash or just be unusable for a long period of time.
Based on your system resources and tests, choose an appropriate threshold
value to activate garbage collection. |
OVAL test results details
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionSoft['nodefs.inodesFree']'. oval:ssg-test_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree:obj:1 of type yamlfilecontent_object
| Filepath | Yamlpath |
|---|---|
| /etc/kubernetes/kubelet.conf | .evictionSoft['nodefs.inodesFree'] |
Disable Anonymous Authentication to the Kubeletxccdf_org.ssgproject.content_rule_kubelet_anonymous_auth mediumCCE-83815-1
Disable Anonymous Authentication to the Kubelet
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kubelet_anonymous_auth:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83815-1 |
| Description | By default, anonymous access to the Kubelet server is enabled. This
configuration check ensures that anonymous requests to the Kubelet
server are disabled. Edit the Kubelet server configuration file
/etc/kubernetes/kubelet.conf on the kubelet node(s)
and set the below parameter:
authentication:
...
anonymous:
enabled: false
...
|
| Rationale | When enabled, requests that are not rejected by other configured
authentication methods are treated as anonymous requests. These
requests are then served by the Kubelet server. OpenShift Operators should
rely on authentication to authorize access and disallow anonymous
requests. |
OVAL test results details
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.authentication.anonymous.enabled'. oval:ssg-test_kubelet_anonymous_auth:tst:1 true
Following items have been found on the system:
| Filepath | Path | Filename | Yamlpath | Value |
|---|---|---|---|---|
| /etc/kubernetes/kubelet.conf | /etc/kubernetes | kubelet.conf | .authentication.anonymous.enabled | false |
Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.inodesFreexccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree mediumCCE-84132-0
Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.inodesFree
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84132-0 |
| Description | Two types of garbage collection are performed on an OpenShift Container Platform node:
Container garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node. The OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a kubeletConfig object for each Machine Config Pool using any combination of the following:
To configure, follow the directions in the documentation
This rule pertains to the |
| Rationale | Garbage collection is important to ensure sufficient resource availability
and avoiding degraded performance and availability. In the worst case, the
system might crash or just be unusable for a long period of time.
Based on your system resources and tests, choose an appropriate threshold
value to activate garbage collection. |
OVAL test results details
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionSoft['imagefs.inodesFree']'. oval:ssg-test_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree:obj:1 of type yamlfilecontent_object
| Filepath | Yamlpath |
|---|---|
| /etc/kubernetes/kubelet.conf | .evictionSoft['imagefs.inodesFree'] |
Ensure Eviction threshold Settings Are Set - evictionHard: memory.availablexccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_memory_available mediumCCE-84135-3
Ensure Eviction threshold Settings Are Set - evictionHard: memory.available
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_memory_available |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kubelet_eviction_thresholds_set_hard_memory_available:def:1 |
| Time | 2021-07-20T05:21:05+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84135-3 |
| Description | Two types of garbage collection are performed on an OpenShift Container Platform node:
Container garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node. The OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a kubeletConfig object for each Machine Config Pool using any combination of the following:
To configure, follow the directions in the documentation
This rule pertains to the |
| Rationale | Garbage collection is important to ensure sufficient resource availability
and avoiding degraded performance and availability. In the worst case, the
system might crash or just be unusable for a long period of time.
Based on your system resources and tests, choose an appropriate threshold
value to activate garbage collection. |
OVAL test results details
In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionHard['memory.available']'. oval:ssg-test_kubelet_eviction_thresholds_set_hard_memory_available:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_eviction_thresholds_set_hard_memory_available:obj:1 of type yamlfilecontent_object
| Filepath | Yamlpath |
|---|---|
| /etc/kubernetes/kubelet.conf | .evictionHard['memory.available'] |
Red Hat and Red Hat Enterprise Linux are either registered
trademarks or trademarks of Red Hat, Inc. in the United States and other
countries. All other names are registered trademarks or trademarks of their
respective companies.