Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4
with profile CIS Red Hat OpenShift Container Platform 4 BenchmarkThis profile defines a baseline that aligns to the Center for Internet Security® Red Hat OpenShift Container Platform 4 Benchmark™, V1.5. This profile includes Center for Internet Security® Red Hat OpenShift Container Platform 4 CIS Benchmarks™ content. Note that this part of the profile is meant to run on the Operating System that Red Hat OpenShift Container Platform 4 runs on top of. This profile is applicable to OpenShift versions 4.12 and greater.
The ComplianceAsCode Project
https://www.open-scap.org/security-policies/scap-security-guide
https://www.open-scap.org/security-policies/scap-security-guide
This guide presents a catalog of security-relevant
configuration settings for Red Hat OpenShift Container Platform 4. It is a rendering of
content structured in the eXtensible Configuration Checklist Description Format (XCCDF)
in order to support security automation. The SCAP content is
is available in the
Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The NIST National Checklist Program (NCP), which provides required settings for the United States Government, is one example of a baseline created from this guidance.
scap-security-guide package which is developed at
https://www.open-scap.org/security-policies/scap-security-guide.
Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The NIST National Checklist Program (NCP), which provides required settings for the United States Government, is one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in
this guide without first testing them in a non-operational environment. The
creators of this guidance assume no responsibility whatsoever for its use by
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Evaluation Characteristics
| Evaluation target | master-01-demo |
|---|---|
| Target ID | master-01-demo |
| Benchmark URL | #scap_org.open-scap_comp_ssg-ocp4-xccdf.xml |
| Benchmark ID | xccdf_org.ssgproject.content_benchmark_OCP-4 |
| Benchmark version | 0.1.75 |
| Profile ID | xccdf_org.ssgproject.content_profile_cis-node |
| Started at | 2025-03-12T03:09:52+00:00 |
| Finished at | 2025-03-12T03:09:56+00:00 |
| Performed by | unknown user |
| Test system | cpe:/a:redhat:openscap:1.3.10 |
CPE Platforms
- cpe:/a:redhat:openshift_container_platform_node_on_ovn:4
- cpe:/o:redhat:openshift_container_platform_node:4
- cpe:/a:redhat:openshift_container_platform_node_on_sdn:4
- cpe:/a:redhat:openshift_container_platform_on_aws:4
- cpe:/a:redhat:openshift_container_platform_on_azure:4
- cpe:/a:redhat:openshift_container_platform_on_gcp:4
- cpe:/a:redhat:openshift_container_platform_on_ovn:4
- cpe:/a:redhat:openshift_container_platform_on_sdn:4
- cpe:/a:redhat:openshift_container_platform:4.10
- cpe:/a:redhat:openshift_container_platform:4.11
- cpe:/a:redhat:openshift_container_platform:4.12
- cpe:/a:redhat:openshift_container_platform:4.13
- cpe:/a:redhat:openshift_container_platform:4.14
- cpe:/a:redhat:openshift_container_platform:4.15
- cpe:/a:redhat:openshift_container_platform:4.16
- cpe:/a:redhat:openshift_container_platform:4.17
- cpe:/a:redhat:openshift_container_platform:4.18
- cpe:/a:redhat:openshift_container_platform:4.6
- cpe:/a:redhat:openshift_container_platform:4.7
- cpe:/a:redhat:openshift_container_platform:4.8
- cpe:/a:redhat:openshift_container_platform:4.9
- cpe:/a:redhat:openshift_container_platform:4.1
Addresses
Compliance and Scoring
The target system did not satisfy the conditions of 1 rules!
Please review rule results and consider applying remediation.
Rule results
Severity of failed rules
Score
| Scoring system | Score | Maximum | Percent |
|---|---|---|---|
| urn:xccdf:scoring:default | 99.621216 | 100.000000 |
Rule Overview
Result Details
Configure A Unique CA Certificate for etcdxccdf_org.ssgproject.content_rule_etcd_unique_ca mediumCCE-87514-6
Configure A Unique CA Certificate for etcd
| Rule ID | xccdf_org.ssgproject.content_rule_etcd_unique_ca | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-etcd_unique_ca:def:1 | ||||||||||
| Time | 2025-03-12T03:09:53+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-87514-6 | ||||||||||
| References: |
| ||||||||||
| Description | A unique CA certificate should be created for etcd. OpenShift by
default creates separate PKIs for etcd and the Kubernetes API server. The
same is done for other points of communication in the cluster. | ||||||||||
| Rationale | The Kubernetes API server and etcd utilize separate CA certificates in
OpenShift. This ensures that the etcd data is still protected in the event
that the API server CA is compromised. | ||||||||||
| Warnings | warning
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
OVAL test results details
Verify that the etcd CA is different than the Kubernetes CA oval:ssg-test_etcd_different_ca_than_k8s:tst:1 true
Following items have been found on the system:
| Result of item-state comparison | Var ref | Value |
|---|---|---|
| true | oval:ssg-var_etcd_ca_file_hash:var:1 | 9659f6ef740dbde6b5951ca4d1f9e7031dc414d74a4cd30ac5959cc746fc5aa4 |
Disable Anonymous Authentication to the Kubeletxccdf_org.ssgproject.content_rule_kubelet_anonymous_auth mediumCCE-83815-1
Disable Anonymous Authentication to the Kubelet
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth | ||||||||||||
| Result | pass | ||||||||||||
| Multi-check rule | no | ||||||||||||
| OVAL Definition ID | oval:ssg-kubelet_anonymous_auth:def:1 | ||||||||||||
| Time | 2025-03-12T03:09:53+00:00 | ||||||||||||
| Severity | medium | ||||||||||||
| Identifiers: | CCE-83815-1 | ||||||||||||
| References: |
| ||||||||||||
| Description | By default, anonymous access to the Kubelet server is enabled. This
configuration check ensures that anonymous requests to the Kubelet
server are disabled. Edit the Kubelet server configuration file
/etc/kubernetes/kubelet.conf on the kubelet node(s)
and set the below parameter:
authentication:
...
anonymous:
enabled: false
...
| ||||||||||||
| Rationale | When enabled, requests that are not rejected by other configured
authentication methods are treated as anonymous requests. These
requests are then served by the Kubelet server. OpenShift Operators should
rely on authentication to authorize access and disallow anonymous
requests. |
OVAL test results details
In the file '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' find only one object at path '.kubeletconfig.authentication.anonymous.enabled'. oval:ssg-test_kubelet_anonymous_auth:tst:1 true
Following items have been found on the system:
| Result of item-state comparison | Filepath | Path | Filename | Yamlpath | Value |
|---|---|---|---|---|---|
| true | /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig | /etc/kubernetes/compliance-operator/kubeletconfig | openscap-kubeletconfig | .kubeletconfig.authentication.anonymous.enabled | false |
kubelet - Configure the Client CA Certificatexccdf_org.ssgproject.content_rule_kubelet_configure_client_ca mediumCCE-83724-5
kubelet - Configure the Client CA Certificate
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-kubelet_configure_client_ca:def:1 | ||||||||||
| Time | 2025-03-12T03:09:53+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83724-5 | ||||||||||
| References: |
| ||||||||||
| Description | By default, the kubelet is not configured with a CA certificate which
can subject the kubelet to man-in-the-middle attacks.
To configure a client CA certificate, edit the kubelet configuration
file /etc/kubernetes/kubelet.conf
on the kubelet node(s) and set the below parameter:
authentication:
...
x509:
clientCAFile: /etc/kubernetes/kubelet-ca.crt
...
| ||||||||||
| Rationale | Not having a CA certificate for the kubelet will subject the kubelet to possible
man-in-the-middle attacks especially on unsafe or untrusted networks.
Certificate validation for the kubelet allows the API server to validate
the kubelet's identity. |
OVAL test results details
In the file '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' find only one object at path '.kubeletconfig.authentication.x509.clientCAFile'. oval:ssg-test_kubelet_configure_client_ca:tst:1 true
Following items have been found on the system:
| Result of item-state comparison | Filepath | Path | Filename | Yamlpath | Value |
|---|---|---|---|---|---|
| true | /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig | /etc/kubernetes/compliance-operator/kubeletconfig | openscap-kubeletconfig | .kubeletconfig.authentication.x509.clientCAFile | /etc/kubernetes/kubelet-ca.crt |
Kubelet - Ensure Event Creation Is Configuredxccdf_org.ssgproject.content_rule_kubelet_configure_event_creation mediumCCE-83576-9
Kubelet - Ensure Event Creation Is Configured
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_configure_event_creation | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-kubelet_configure_event_creation:def:1 | ||||||||||
| Time | 2025-03-12T03:09:53+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83576-9 | ||||||||||
| References: |
| ||||||||||
| Description | Security relevant information should be captured. The eventRecordQPS
Kubelet option can be used to limit the rate at which events are gathered.
Setting this too low could result in relevant events not being logged,
however the unlimited setting of 0 could result in a denial of service on
the kubelet. Processing and storage systems should be scaled to handle the
expected event load. To set the eventRecordQPS option for the kubelet,
create a KubeletConfig option along these lines:
apiVersion: machineconfiguration.openshift.io/v1
kind: KubeletConfig
metadata:
name: kubelet-config-$pool
spec:
machineConfigPoolSelector:
matchLabels:
pools.operator.machineconfiguration.openshift.io/$pool_name: ""
kubeletConfig:
eventRecordQPS: 50
| ||||||||||
| Rationale | It is important to capture all events and not restrict event creation.
Events are an important source of security information and analytics that
ensure that your environment is consistently monitored using the event
data. | ||||||||||
| Warnings | warning
The MachineConfig Operator does not merge KubeletConfig
objects, the last object is used instead. In case you need to
set multiple options for kubelet, consider putting all the custom
options into a single KubeletConfig object. |
OVAL test results details
In the file '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' find only one object at path '.kubeletconfig.eventRecordQPS'. oval:ssg-test_kubelet_configure_event_creation:tst:1 true
Following items have been found on the system:
| Result of item-state comparison | Filepath | Path | Filename | Yamlpath | Value |
|---|---|---|---|---|---|
| true | /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig | /etc/kubernetes/compliance-operator/kubeletconfig | openscap-kubeletconfig | .kubeletconfig.eventRecordQPS | 50 |
Ensure that the Kubelet only makes use of Strong Cryptographic Ciphersxccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites mediumCCE-86030-4
Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-kubelet_configure_tls_cipher_suites:def:1 | ||||||||||
| Time | 2025-03-12T03:09:53+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-86030-4 | ||||||||||
| References: |
| ||||||||||
| Description | Ensure that the Kubelet is configured to only use strong cryptographic ciphers.
To set the cipher suites for the kubelet, create new or modify existing
KubeletConfig object along these lines, one for every
MachineConfigPool:
apiVersion: machineconfiguration.openshift.io/v1
kind: KubeletConfig
metadata:
name: kubelet-config-$pool
spec:
machineConfigPoolSelector:
matchLabels:
pools.operator.machineconfiguration.openshift.io/$pool_name: ""
kubeletConfig:
tlsCipherSuites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
In order to configure this rule to check for an alternative cipher, both var_kubelet_tls_cipher_suites_regex
and var_kubelet_tls_cipher_suites have to be set | ||||||||||
| Rationale | TLS ciphers have had a number of known vulnerabilities and weaknesses,
which can reduce the protection provided by them. By default Kubernetes
supports a number of TLS ciphersuites including some that have security
concerns, weakening the protection provided. |
OVAL test results details
In the file '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' find only one object at path '.kubeletconfig.tlsCipherSuites[:]'. oval:ssg-test_kubelet_configure_tls_cipher_suites:tst:1 true
Following items have been found on the system:
| Result of item-state comparison | Filepath | Path | Filename | Yamlpath | Value |
|---|---|---|---|---|---|
| true | /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig | /etc/kubernetes/compliance-operator/kubeletconfig | openscap-kubeletconfig | .kubeletconfig.tlsCipherSuites[:] | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 |
kubelet - Enable Certificate Rotationxccdf_org.ssgproject.content_rule_kubelet_enable_cert_rotation mediumCCE-83838-3
kubelet - Enable Certificate Rotation
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_enable_cert_rotation | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-kubelet_enable_cert_rotation:def:1 | ||||||||||
| Time | 2025-03-12T03:09:53+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83838-3 | ||||||||||
| References: |
| ||||||||||
| Description | To enable the kubelet to rotate client certificates, edit the kubelet configuration
file /etc/kubernetes/kubelet.conf
on the kubelet node(s) and set the below parameter:
... rotateCertificates: true ... | ||||||||||
| Rationale | Allowing the kubelet to auto-update the certificates ensure that there is no downtime
in certificate renewal as well as ensures confidentiality and integrity. |
OVAL test results details
In the file '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' find only one object at path '.kubeletconfig.rotateCertificates'. oval:ssg-test_kubelet_enable_cert_rotation:tst:1 true
Following items have been found on the system:
| Result of item-state comparison | Filepath | Path | Filename | Yamlpath | Value |
|---|---|---|---|---|---|
| true | /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig | /etc/kubernetes/compliance-operator/kubeletconfig | openscap-kubeletconfig | .kubeletconfig.rotateCertificates | true |
kubelet - Enable Client Certificate Rotationxccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation mediumCCE-83352-5
kubelet - Enable Client Certificate Rotation
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-kubelet_enable_client_cert_rotation:def:1 | ||||||||||
| Time | 2025-03-12T03:09:53+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83352-5 | ||||||||||
| References: |
| ||||||||||
| Description | To enable the kubelet to rotate client certificates, edit the kubelet configuration
file /etc/kubernetes/kubelet.conf
on the kubelet node(s) and set the below parameter:
featureGates: ... RotateKubeletClientCertificate: true ... | ||||||||||
| Rationale | Allowing the kubelet to auto-update the certificates ensure that there is no downtime
in certificate renewal as well as ensures confidentiality and integrity. |
OVAL test results details
In the file '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' find only one object at path '.kubeletconfig.featureGates.RotateKubeletClientCertificate'. oval:ssg-test_kubelet_enable_client_cert_rotation:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_kubelet_enable_client_cert_rotation:obj:1 of type yamlfilecontent_object
| Filepath | Yamlpath |
|---|---|
| /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig | .kubeletconfig.featureGates.RotateKubeletClientCertificate |
kubelet - Allow Automatic Firewall Configurationxccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains mediumCCE-83775-7
kubelet - Allow Automatic Firewall Configuration
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-kubelet_enable_iptables_util_chains:def:1 | ||||||||||
| Time | 2025-03-12T03:09:53+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83775-7 | ||||||||||
| References: |
| ||||||||||
| Description | The kubelet has the ability to automatically configure the firewall to allow
the containers required ports and connections to networking resources and destinations
parameters potentially creating a security incident.
To allow the kubelet to modify the firewall, edit the kubelet configuration
file /etc/kubernetes/kubelet.conf
on the kubelet node(s) and set the below parameter:
makeIPTablesUtilChains: true | ||||||||||
| Rationale | The kubelet should automatically configure the firewall settings to allow access and
networking traffic through. This ensures that when a pod or container is running that
the correct ports are configured as well as removing the ports when a pod or
container is no longer in existence. |
OVAL test results details
In the file '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' find only one object at path '.kubeletconfig.makeIPTablesUtilChains'. oval:ssg-test_kubelet_enable_iptables_util_chains:tst:1 true
Following items have been found on the system:
| Result of item-state comparison | Filepath | Path | Filename | Yamlpath | Value |
|---|---|---|---|---|---|
| true | /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig | /etc/kubernetes/compliance-operator/kubeletconfig | openscap-kubeletconfig | .kubeletconfig.makeIPTablesUtilChains | true |
kubelet - Enable Server Certificate Rotationxccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation mediumCCE-83356-6
kubelet - Enable Server Certificate Rotation
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-kubelet_enable_server_cert_rotation:def:1 | ||||||||||
| Time | 2025-03-12T03:09:53+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83356-6 | ||||||||||
| References: |
| ||||||||||
| Description | To enable the kubelet to rotate server certificates, edit the kubelet configuration
file /etc/kubernetes/kubelet.conf
on the kubelet node(s) and set the below parameter:
serverTLSBootstrap: true | ||||||||||
| Rationale | Allowing the kubelet to auto-update the certificates ensure that there is no downtime
in certificate renewal as well as ensures confidentiality and integrity. |
OVAL test results details
In the file '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' find only one object at path '.kubeletconfig.serverTLSBootstrap'. oval:ssg-test_kubelet_enable_server_cert_rotation:tst:1 true
Following items have been found on the system:
| Result of item-state comparison | Filepath | Path | Filename | Yamlpath | Value |
|---|---|---|---|---|---|
| true | /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig | /etc/kubernetes/compliance-operator/kubeletconfig | openscap-kubeletconfig | .kubeletconfig.serverTLSBootstrap | true |
kubelet - Do Not Disable Streaming Timeoutsxccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections mediumCCE-84097-5
kubelet - Do Not Disable Streaming Timeouts
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-kubelet_enable_streaming_connections:def:1 | ||||||||||
| Time | 2025-03-12T03:09:53+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-84097-5 | ||||||||||
| References: |
| ||||||||||
| Description | Timouts for streaming connections should not be disabled as they help to prevent
denial-of-service attacks.
To configure streaming connection timeouts
To set the streamingConnectionIdleTimeout option for the kubelet,
create a KubeletConfig option along these lines:
apiVersion: machineconfiguration.openshift.io/v1
kind: KubeletConfig
metadata:
name: kubelet-config-$pool
spec:
machineConfigPoolSelector:
matchLabels:
pools.operator.machineconfiguration.openshift.io/$pool_name: ""
kubeletConfig:
streamingConnectionIdleTimeout: 4h0m0s
| ||||||||||
| Rationale | Ensuring connections have timeouts helps to protect against denial-of-service attacks as
well as disconnect inactive connections. In addition, setting connections timeouts helps
to prevent from running out of ephemeral ports. |
OVAL test results details
In the file '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' find only one object at path '.kubeletconfig.streamingConnectionIdleTimeout'. oval:ssg-test_kubelet_enable_streaming_connections:tst:1 true
Following items have been found on the system:
| Result of item-state comparison | Filepath | Path | Filename | Yamlpath | Value |
|---|---|---|---|---|---|
| true | /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig | /etc/kubernetes/compliance-operator/kubeletconfig | openscap-kubeletconfig | .kubeletconfig.streamingConnectionIdleTimeout | 4h0m0s |
Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.availablexccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_available mediumCCE-84144-5
Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_available | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available:def:1 | ||||||||||
| Time | 2025-03-12T03:09:53+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-84144-5 | ||||||||||
| References: |
| ||||||||||
| Description | Two types of garbage collection are performed on an OpenShift Container Platform node:
Container garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node. The OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a kubeletConfig object for each Machine Config Pool using any combination of the following:
To configure, follow the directions in the documentation
This rule pertains to the | ||||||||||
| Rationale | Garbage collection is important to ensure sufficient resource availability
and avoiding degraded performance and availability. In the worst case, the
system might crash or just be unusable for a long period of time.
Based on your system resources and tests, choose an appropriate threshold
value to activate garbage collection. |
OVAL test results details
In the file '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' find only one object at path '.kubeletconfig.evictionHard['imagefs.available']'. oval:ssg-test_kubelet_eviction_thresholds_set_hard_imagefs_available:tst:1 true
Following items have been found on the system:
| Result of item-state comparison | Filepath | Path | Filename | Yamlpath | Value |
|---|---|---|---|---|---|
| true | /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig | /etc/kubernetes/compliance-operator/kubeletconfig | openscap-kubeletconfig | .kubeletconfig.evictionHard['imagefs.available'] | 15% |
Ensure Eviction threshold Settings Are Set - evictionHard: memory.availablexccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_memory_available mediumCCE-84135-3
Ensure Eviction threshold Settings Are Set - evictionHard: memory.available
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_memory_available | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-kubelet_eviction_thresholds_set_hard_memory_available:def:1 | ||||||||||
| Time | 2025-03-12T03:09:53+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-84135-3 | ||||||||||
| References: |
| ||||||||||
| Description | Two types of garbage collection are performed on an OpenShift Container Platform node:
Container garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node. The OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a kubeletConfig object for each Machine Config Pool using any combination of the following:
To configure, follow the directions in the documentation
This rule pertains to the | ||||||||||
| Rationale | Garbage collection is important to ensure sufficient resource availability
and avoiding degraded performance and availability. In the worst case, the
system might crash or just be unusable for a long period of time.
Based on your system resources and tests, choose an appropriate threshold
value to activate garbage collection. |
OVAL test results details
In the file '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' find only one object at path '.kubeletconfig.evictionHard['memory.available']'. oval:ssg-test_kubelet_eviction_thresholds_set_hard_memory_available:tst:1 true
Following items have been found on the system:
| Result of item-state comparison | Filepath | Path | Filename | Yamlpath | Value |
|---|---|---|---|---|---|
| true | /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig | /etc/kubernetes/compliance-operator/kubeletconfig | openscap-kubeletconfig | .kubeletconfig.evictionHard['memory.available'] | 100Mi |
Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.availablexccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available mediumCCE-84138-7
Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available:def:1 | ||||||||||
| Time | 2025-03-12T03:09:53+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-84138-7 | ||||||||||
| References: |
| ||||||||||
| Description | Two types of garbage collection are performed on an OpenShift Container Platform node:
Container garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node. The OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a kubeletConfig object for each Machine Config Pool using any combination of the following:
To configure, follow the directions in the documentation
This rule pertains to the | ||||||||||
| Rationale | Garbage collection is important to ensure sufficient resource availability
and avoiding degraded performance and availability. In the worst case, the
system might crash or just be unusable for a long period of time.
Based on your system resources and tests, choose an appropriate threshold
value to activate garbage collection. |
OVAL test results details
In the file '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' find only one object at path '.kubeletconfig.evictionHard['nodefs.available']'. oval:ssg-test_kubelet_eviction_thresholds_set_hard_nodefs_available:tst:1 true
Following items have been found on the system:
| Result of item-state comparison | Filepath | Path | Filename | Yamlpath | Value |
|---|---|---|---|---|---|
| true | /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig | /etc/kubernetes/compliance-operator/kubeletconfig | openscap-kubeletconfig | .kubeletconfig.evictionHard['nodefs.available'] | 10% |
Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFreexccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree mediumCCE-84141-1
Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree
| Rule ID | xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree:def:1 | ||||||||||
| Time | 2025-03-12T03:09:53+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-84141-1 | ||||||||||
| References: |
| ||||||||||
| Description | Two types of garbage collection are performed on an OpenShift Container Platform node:
Container garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node. The OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a kubeletConfig object for each Machine Config Pool using any combination of the following:
To configure, follow the directions in the documentation
This rule pertains to the | ||||||||||
| Rationale | Garbage collection is important to ensure sufficient resource availability
and avoiding degraded performance and availability. In the worst case, the
system might crash or just be unusable for a long period of time.
Based on your system resources and tests, choose an appropriate threshold
value to activate garbage collection. |
OVAL test results details
In the file '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' find only one object at path '.kubeletconfig.evictionHard['nodefs.inodesFree']'. oval:ssg-test_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree:tst:1 true
Following items have been found on the system:
| Result of item-state comparison | Filepath | Path | Filename | Yamlpath | Value |
|---|---|---|---|---|---|
| true | /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig | /etc/kubernetes/compliance-operator/kubeletconfig | openscap-kubeletconfig | .kubeletconfig.evictionHard['nodefs.inodesFree'] | 5% |
Verify Group Who Owns The OpenShift Container Network Interface Filesxccdf_org.ssgproject.content_rule_file_groupowner_cni_conf mediumCCE-84025-6
Verify Group Who Owns The OpenShift Container Network Interface Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_cni_conf | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_groupowner_cni_conf:def:1 | ||||||||||
| Time | 2025-03-12T03:09:53+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-84025-6 | ||||||||||
| References: |
| ||||||||||
| Description | To properly set the group owner of /etc/cni/net.d/*, run the command: $ sudo chgrp root /etc/cni/net.d/* | ||||||||||
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing group ownership of ^/etc/cni/net.d/.*$ oval:ssg-test_file_groupowner_cni_conf_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cni_conf_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| ^/etc/cni/net.d/.*$ | oval:ssg-symlink_file_groupowner_cni_conf_uid_0:ste:1 | oval:ssg-state_file_groupowner_cni_conf_gid_0_0:ste:1 |
Verify Group Who Owns The OpenShift Controller Manager Kubeconfig Filexccdf_org.ssgproject.content_rule_file_groupowner_controller_manager_kubeconfig mediumCCE-84095-9
Verify Group Who Owns The OpenShift Controller Manager Kubeconfig File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_controller_manager_kubeconfig | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_groupowner_controller_manager_kubeconfig:def:1 | ||||||||||
| Time | 2025-03-12T03:09:53+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-84095-9 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the group owner of /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig, run the command:
$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig | ||||||||||
| Rationale | The Controller Manager's kubeconfig contains information about how the
component will access the API server. You should set its file ownership to
maintain the integrity of the file. | ||||||||||
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Controller
Manager service. The aforementioned service is only running on
the nodes labeled "master" by default. |
OVAL test results details
Testing group ownership of ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/configmaps/controller-manager-kubeconfig/kubeconfig$ oval:ssg-test_file_groupowner_controller_manager_kubeconfig_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_controller_manager_kubeconfig_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/configmaps/controller-manager-kubeconfig/kubeconfig$ | oval:ssg-symlink_file_groupowner_controller_manager_kubeconfig_uid_0:ste:1 | oval:ssg-state_file_groupowner_controller_manager_kubeconfig_gid_0_0:ste:1 |
Verify Group Who Owns The Etcd Database Directoryxccdf_org.ssgproject.content_rule_file_groupowner_etcd_data_dir mediumCCE-83354-1
Verify Group Who Owns The Etcd Database Directory
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etcd_data_dir | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_groupowner_etcd_data_dir:def:1 | ||||||||||
| Time | 2025-03-12T03:09:53+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83354-1 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the group owner of /var/lib/etcd/member/, run the command:
$ sudo chgrp root /var/lib/etcd/member/ | ||||||||||
| Rationale | etcd is a highly-available key-value store used by Kubernetes deployments for
persistent storage of all of its REST API objects. This data directory should
be protected from any unauthorized reads or writes. | ||||||||||
| Warnings | warning
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
OVAL test results details
Testing group ownership of /var/lib/etcd/member/ oval:ssg-test_file_groupowner_etcd_data_dir_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etcd_data_dir_0:obj:1 of type file_object
| Path | Filename | Filter | Filter |
|---|---|---|---|
| /var/lib/etcd/member | no value | oval:ssg-symlink_file_groupowner_etcd_data_dir_uid_0:ste:1 | oval:ssg-state_file_groupowner_etcd_data_dir_gid_0_0:ste:1 |
Verify Group Who Owns The Etcd Write-Ahead-Log Filesxccdf_org.ssgproject.content_rule_file_groupowner_etcd_data_files mediumCCE-83816-9
Verify Group Who Owns The Etcd Write-Ahead-Log Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etcd_data_files | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_groupowner_etcd_data_files:def:1 | ||||||||||
| Time | 2025-03-12T03:09:53+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83816-9 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the group owner of /var/lib/etcd/member/wal/*, run the command:
$ sudo chgrp root /var/lib/etcd/member/wal/* | ||||||||||
| Rationale | etcd is a highly-available key-value store used by Kubernetes deployments for
persistent storage of all of its REST API objects. This data directory should
be protected from any unauthorized reads or writes. | ||||||||||
| Warnings | warning
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
OVAL test results details
Testing group ownership of ^/var/lib/etcd/member/wal/.*$ oval:ssg-test_file_groupowner_etcd_data_files_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etcd_data_files_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| ^/var/lib/etcd/member/wal/.*$ | oval:ssg-symlink_file_groupowner_etcd_data_files_uid_0:ste:1 | oval:ssg-state_file_groupowner_etcd_data_files_gid_0_0:ste:1 |
Verify Group Who Owns The etcd Member Pod Specification Filexccdf_org.ssgproject.content_rule_file_groupowner_etcd_member mediumCCE-83664-3
Verify Group Who Owns The etcd Member Pod Specification File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etcd_member | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_groupowner_etcd_member:def:1 | ||||||||||
| Time | 2025-03-12T03:09:53+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83664-3 | ||||||||||
| References: |
| ||||||||||
| Description | To properly set the group owner of /etc/kubernetes/manifests/etcd-pod.yaml, run the command: $ sudo chgrp root /etc/kubernetes/manifests/etcd-pod.yaml | ||||||||||
| Rationale | The etcd pod specification file controls various parameters that
set the behavior of the etcd service in the master node. etcd is a
highly-available key-value store which Kubernetes uses for persistent
storage of all of its REST API object. You should restrict its file
permissions to maintain the integrity of the file. The file should be
writable by only the administrators on the system. | ||||||||||
| Warnings | warning
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
OVAL test results details
Testing group ownership of ^/etc/kubernetes/manifests/etcd-pod.yaml$ oval:ssg-test_file_groupowner_etcd_member_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etcd_member_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| ^/etc/kubernetes/manifests/etcd-pod.yaml$ | oval:ssg-symlink_file_groupowner_etcd_member_uid_0:ste:1 | oval:ssg-state_file_groupowner_etcd_member_gid_0_0:ste:1 |
Verify Group Who Owns The Etcd PKI Certificate Filesxccdf_org.ssgproject.content_rule_file_groupowner_etcd_pki_cert_files mediumCCE-83890-4
Verify Group Who Owns The Etcd PKI Certificate Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etcd_pki_cert_files | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_groupowner_etcd_pki_cert_files:def:1 | ||||||||||
| Time | 2025-03-12T03:09:53+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83890-4 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the group owner of /etc/kubernetes/static-pod-resources/*/*/*/*.crt, run the command:
$ sudo chgrp root /etc/kubernetes/static-pod-resources/*/*/*/*.crt | ||||||||||
| Rationale | OpenShift makes use of a number of certificates as part of its operation.
You should verify the ownership of the directory containing the PKI
information and all files in that directory to maintain their integrity.
The directory and files should be owned by the system administrator. | ||||||||||
| Warnings | warning
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
OVAL test results details
Testing group ownership of ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.crt$ oval:ssg-test_file_groupowner_etcd_pki_cert_files_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etcd_pki_cert_files_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.crt$ | oval:ssg-symlink_file_groupowner_etcd_pki_cert_files_uid_0:ste:1 | oval:ssg-state_file_groupowner_etcd_pki_cert_files_gid_0_0:ste:1 |
Verify Group Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocationsxccdf_org.ssgproject.content_rule_file_groupowner_ip_allocations mediumCCE-84211-2
Verify Group Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_ip_allocations | ||||||||||
| Result | notapplicable | ||||||||||
| Multi-check rule | no | ||||||||||
| Time | 2025-03-12T03:09:53+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-84211-2 | ||||||||||
| References: |
| ||||||||||
| Description | To properly set the group owner of /var/lib/cni/networks/openshift-sdn/.*, run the command: $ sudo chgrp root /var/lib/cni/networks/openshift-sdn/.* | ||||||||||
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
Verify Group Who Owns The Kubernetes API Server Pod Specification Filexccdf_org.ssgproject.content_rule_file_groupowner_kube_apiserver mediumCCE-83530-6
Verify Group Who Owns The Kubernetes API Server Pod Specification File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_kube_apiserver | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_groupowner_kube_apiserver:def:1 | ||||||||||
| Time | 2025-03-12T03:09:53+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83530-6 | ||||||||||
| References: |
| ||||||||||
| Description | To properly set the group owner of /etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml, run the command: $ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml | ||||||||||
| Rationale | The Kubernetes specification file contains information about the configuration of the
Kubernetes API Server that is configured on the system. Protection of this file is
critical for OpenShift security. | ||||||||||
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes API Server service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
OVAL test results details
Testing group ownership of ^/etc/kubernetes/static-pod-resources/kube-apiserver-pod-.*/kube-apiserver-pod.yaml$ oval:ssg-test_file_groupowner_kube_apiserver_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_kube_apiserver_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| ^/etc/kubernetes/static-pod-resources/kube-apiserver-pod-.*/kube-apiserver-pod.yaml$ | oval:ssg-symlink_file_groupowner_kube_apiserver_uid_0:ste:1 | oval:ssg-state_file_groupowner_kube_apiserver_gid_0_0:ste:1 |
Verify Group Who Owns The Kubernetes Controller Manager Pod Specification Filexccdf_org.ssgproject.content_rule_file_groupowner_kube_controller_manager mediumCCE-83953-0
Verify Group Who Owns The Kubernetes Controller Manager Pod Specification File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_kube_controller_manager | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_groupowner_kube_controller_manager:def:1 | ||||||||||
| Time | 2025-03-12T03:09:53+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83953-0 | ||||||||||
| References: |
| ||||||||||
| Description | To properly set the group owner of /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml, run the command: $ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml | ||||||||||
| Rationale | The Kubernetes specification file contains information about the configuration of the
Kubernetes Controller Manager Server that is configured on the system. Protection of this file is
critical for OpenShift security. | ||||||||||
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Controller Manager service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
OVAL test results details
Testing group ownership of ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/kube-controller-manager-pod.yaml$ oval:ssg-test_file_groupowner_kube_controller_manager_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_kube_controller_manager_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/kube-controller-manager-pod.yaml$ | oval:ssg-symlink_file_groupowner_kube_controller_manager_uid_0:ste:1 | oval:ssg-state_file_groupowner_kube_controller_manager_gid_0_0:ste:1 |
Verify Group Who Owns The Kubernetes Scheduler Pod Specification Filexccdf_org.ssgproject.content_rule_file_groupowner_kube_scheduler mediumCCE-83614-8
Verify Group Who Owns The Kubernetes Scheduler Pod Specification File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_kube_scheduler | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_groupowner_kube_scheduler:def:1 | ||||||||||
| Time | 2025-03-12T03:09:53+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83614-8 | ||||||||||
| References: |
| ||||||||||
| Description | To properly set the group owner of /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml, run the command: $ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml | ||||||||||
| Rationale | The Kubernetes Specification file contains information about the configuration of the
Kubernetes scheduler that is configured on the system. Protection of this file is
critical for OpenShift security. | ||||||||||
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Scheduler service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
OVAL test results details
Testing group ownership of ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/kube-scheduler-pod.yaml$ oval:ssg-test_file_groupowner_kube_scheduler_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_kube_scheduler_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/kube-scheduler-pod.yaml$ | oval:ssg-symlink_file_groupowner_kube_scheduler_uid_0:ste:1 | oval:ssg-state_file_groupowner_kube_scheduler_gid_0_0:ste:1 |
Verify Group Who Owns The OpenShift Admin Kubeconfig Filesxccdf_org.ssgproject.content_rule_file_groupowner_master_admin_kubeconfigs mediumCCE-84204-7
Verify Group Who Owns The OpenShift Admin Kubeconfig Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_master_admin_kubeconfigs | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_groupowner_master_admin_kubeconfigs:def:1 | ||||||||||
| Time | 2025-03-12T03:09:53+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-84204-7 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the group owner of /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig, run the command:
$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig | ||||||||||
| Rationale | There are various kubeconfig files that can be used by the administrator,
defining various settings for the administration of the cluster. These files
contain credentials that can be used to control the cluster and are needed
for disaster recovery and each kubeconfig points to a different endpoint in
the cluster. You should restrict its file permissions to maintain the
integrity of the kubeconfig file as an attacker who gains access to these
files can take over the cluster. | ||||||||||
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes API server service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
OVAL test results details
Testing group ownership of ^/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/.*\.kubeconfig$ oval:ssg-test_file_groupowner_master_admin_kubeconfigs_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_master_admin_kubeconfigs_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| ^/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/.*\.kubeconfig$ | oval:ssg-symlink_file_groupowner_master_admin_kubeconfigs_uid_0:ste:1 | oval:ssg-state_file_groupowner_master_admin_kubeconfigs_gid_0_0:ste:1 |
Verify Group Who Owns The OpenShift Multus Container Network Interface Plugin Filesxccdf_org.ssgproject.content_rule_file_groupowner_multus_conf mediumCCE-83818-5
Verify Group Who Owns The OpenShift Multus Container Network Interface Plugin Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_multus_conf | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_groupowner_multus_conf:def:1 | ||||||||||
| Time | 2025-03-12T03:09:53+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83818-5 | ||||||||||
| References: |
| ||||||||||
| Description | To properly set the group owner of /var/run/multus/cni/net.d/*, run the command: $ sudo chgrp root /var/run/multus/cni/net.d/* | ||||||||||
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing group ownership of ^/var/run/multus/cni/net.d/.*$ oval:ssg-test_file_groupowner_multus_conf_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_multus_conf_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| ^/var/run/multus/cni/net.d/.*$ | oval:ssg-symlink_file_groupowner_multus_conf_uid_0:ste:1 | oval:ssg-state_file_groupowner_multus_conf_gid_0_0:ste:1 |
Verify Group Who Owns The OpenShift PKI Certificate Filesxccdf_org.ssgproject.content_rule_file_groupowner_openshift_pki_cert_files mediumCCE-83922-5
Verify Group Who Owns The OpenShift PKI Certificate Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_openshift_pki_cert_files | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_groupowner_openshift_pki_cert_files:def:1 | ||||||||||
| Time | 2025-03-12T03:09:54+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83922-5 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the group owner of /etc/kubernetes/static-pod-resources/*/*/*/tls.crt, run the command:
$ sudo chgrp root /etc/kubernetes/static-pod-resources/*/*/*/tls.crt | ||||||||||
| Rationale | OpenShift makes use of a number of certificates as part of its operation.
You should verify the ownership of the directory containing the PKI
information and all files in that directory to maintain their integrity.
The directory and files should be owned by the system administrator. | ||||||||||
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Control Plane.
The aforementioned service is only running on the nodes labeled
"master" by default. |
OVAL test results details
Testing group ownership of ^/etc/kubernetes/static-pod-resources/.*/.*/.*/tls\.crt$ oval:ssg-test_file_groupowner_openshift_pki_cert_files_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_openshift_pki_cert_files_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| ^/etc/kubernetes/static-pod-resources/.*/.*/.*/tls\.crt$ | oval:ssg-symlink_file_groupowner_openshift_pki_cert_files_uid_0:ste:1 | oval:ssg-state_file_groupowner_openshift_pki_cert_files_gid_0_0:ste:1 |
Verify Group Who Owns The OpenShift PKI Private Key Filesxccdf_org.ssgproject.content_rule_file_groupowner_openshift_pki_key_files mediumCCE-84172-6
Verify Group Who Owns The OpenShift PKI Private Key Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_openshift_pki_key_files | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_groupowner_openshift_pki_key_files:def:1 | ||||||||||
| Time | 2025-03-12T03:09:54+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-84172-6 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the group owner of /etc/kubernetes/static-pod-resources/*/*/*/*.key, run the command:
$ sudo chgrp root /etc/kubernetes/static-pod-resources/*/*/*/*.key | ||||||||||
| Rationale | OpenShift makes use of a number of certificates as part of its operation.
You should verify the ownership of the directory containing the PKI
information and all files in that directory to maintain their integrity.
The directory and files should be owned by root:root. | ||||||||||
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Control Plane.
The aforementioned service is only running on the nodes labeled
"master" by default. |
OVAL test results details
Testing group ownership of ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.key$ oval:ssg-test_file_groupowner_openshift_pki_key_files_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_openshift_pki_key_files_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.key$ | oval:ssg-symlink_file_groupowner_openshift_pki_key_files_uid_0:ste:1 | oval:ssg-state_file_groupowner_openshift_pki_key_files_gid_0_0:ste:1 |
Verify Group Who Owns The OpenShift SDN CNI Server Configxccdf_org.ssgproject.content_rule_file_groupowner_openshift_sdn_cniserver_config mediumCCE-83605-6
Verify Group Who Owns The OpenShift SDN CNI Server Config
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_openshift_sdn_cniserver_config | ||||||||||
| Result | notapplicable | ||||||||||
| Multi-check rule | no | ||||||||||
| Time | 2025-03-12T03:09:54+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83605-6 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the group owner of /var/run/openshift-sdn/cniserver/config.json, run the command:
$ sudo chgrp root /var/run/openshift-sdn/cniserver/config.json | ||||||||||
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
Verify Group Who Owns The OVNKubernetes Socketxccdf_org.ssgproject.content_rule_file_groupowner_ovn_cni_server_sock mediumCCE-86222-7
Verify Group Who Owns The OVNKubernetes Socket
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_ovn_cni_server_sock | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_groupowner_ovn_cni_server_sock:def:1 | ||||||||||
| Time | 2025-03-12T03:09:54+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-86222-7 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the group owner of /run/ovn-kubernetes/cni/ovn-cni-server.sock, run the command:
$ sudo chgrp root /run/ovn-kubernetes/cni/ovn-cni-server.sock | ||||||||||
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing group ownership of /run/ovn-kubernetes/cni/ovn-cni-server.sock oval:ssg-test_file_groupowner_ovn_cni_server_sock_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_ovn_cni_server_sock_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /run/ovn-kubernetes/cni/ovn-cni-server.sock | oval:ssg-symlink_file_groupowner_ovn_cni_server_sock_uid_0:ste:1 | oval:ssg-state_file_groupowner_ovn_cni_server_sock_gid_0_0:ste:1 |
Verify Group Who Owns The OVNKubernetes DB filesxccdf_org.ssgproject.content_rule_file_groupowner_ovn_db_files mediumCCE-86533-7
Verify Group Who Owns The OVNKubernetes DB files
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_ovn_db_files | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_groupowner_ovn_db_files:def:1 | ||||||||||
| Time | 2025-03-12T03:09:54+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-86533-7 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the group owner of /var/lib/ovn/etc/*.db, run the command:
$ sudo chgrp root /var/lib/ovn/etc/*.db | ||||||||||
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing group ownership of ^/var/lib/ovn/etc/*.db$ oval:ssg-test_file_groupowner_ovn_db_files_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_ovn_db_files_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| ^/var/lib/ovn/etc/*.db$ | oval:ssg-symlink_file_groupowner_ovn_db_files_uid_0:ste:1 | oval:ssg-state_file_groupowner_ovn_db_files_gid_0_0:ste:1 |
Verify Group Who Owns The Open vSwitch Configuration Databasexccdf_org.ssgproject.content_rule_file_groupowner_ovs_conf_db mediumCCE-88281-1
Verify Group Who Owns The Open vSwitch Configuration Database
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_ovs_conf_db | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_groupowner_ovs_conf_db:def:1 | ||||||||||
| Time | 2025-03-12T03:09:54+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-88281-1 | ||||||||||
| References: |
| ||||||||||
| Description | Check if the group owner of /etc/openvswitch/conf.db is
hugetlbfs on architectures other than s390x or openvswitch
on s390x. | ||||||||||
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing group ownership of /etc/openvswitch/conf.db oval:ssg-test_file_groupowner_ovs_conf_db_not_s390x_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_ovs_conf_db_not_s390x_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/openvswitch/conf.db | oval:ssg-symlink_file_groupowner_ovs_conf_db_not_s390x_uid_hugetlbfs:ste:1 | oval:ssg-state_file_groupowner_ovs_conf_db_not_s390x_gid_hugetlbfs_0:ste:1 |
Testing group ownership of /etc/openvswitch/conf.db oval:ssg-test_file_groupowner_ovs_conf_db_s390x_0:tst:1 false
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|---|
| not evaluated | /etc/openvswitch/conf.db | regular | 800 | 801 | 7919031 | rw-r----- |
Verify Group Who Owns The Open vSwitch Configuration Database Lockxccdf_org.ssgproject.content_rule_file_groupowner_ovs_conf_db_lock mediumCCE-90793-1
Verify Group Who Owns The Open vSwitch Configuration Database Lock
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_ovs_conf_db_lock | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_groupowner_ovs_conf_db_lock:def:1 | ||||||||||
| Time | 2025-03-12T03:09:54+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-90793-1 | ||||||||||
| References: |
| ||||||||||
| Description | Check if the group owner of /etc/openvswitch/.conf.db.~lock~ is
hugetlbfs on architectures other than s390x or openvswitch
on s390x. | ||||||||||
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing group ownership of /etc/openvswitch/.conf.db.~lock~ oval:ssg-test_file_groupowner_ovs_conf_db_lock_not_s390x_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_ovs_conf_db_lock_not_s390x_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/openvswitch/.conf.db.~lock~ | oval:ssg-symlink_file_groupowner_ovs_conf_db_lock_not_s390x_uid_hugetlbfs:ste:1 | oval:ssg-state_file_groupowner_ovs_conf_db_lock_not_s390x_gid_hugetlbfs_0:ste:1 |
Testing group ownership of /etc/openvswitch/.conf.db.~lock~ oval:ssg-test_file_groupowner_ovs_conf_db_lock_s390x_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_ovs_conf_db_lock_s390x_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/openvswitch/.conf.db.~lock~ | oval:ssg-symlink_file_groupowner_ovs_conf_db_lock_s390x_uid_hugetlbfs:ste:1 | oval:ssg-state_file_groupowner_ovs_conf_db_lock_s390x_gid_hugetlbfs_0:ste:1 |
Verify Group Who Owns The Open vSwitch Process ID Filexccdf_org.ssgproject.content_rule_file_groupowner_ovs_pid mediumCCE-83630-4
Verify Group Who Owns The Open vSwitch Process ID File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_ovs_pid | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_groupowner_ovs_pid:def:1 | ||||||||||
| Time | 2025-03-12T03:09:54+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83630-4 | ||||||||||
| References: |
| ||||||||||
| Description | Ensure that the file /var/run/openvswitch/ovs-vswitchd.pid, is owned by the group openvswitchor hugetlbfs, depending on your settings and Open vSwitch version. | ||||||||||
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing group ownership of /run/openvswitch/ovs-vswitchd.pid oval:ssg-test_file_groupowner_run_ovs_vswitchd_pid_800:tst:1 false
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|---|
| false | /run/openvswitch/ovs-vswitchd.pid | regular | 800 | 801 | 5 | rw-r--r-- |
Testing group ownership of /run/openvswitch/ovs-vswitchd.pid oval:ssg-test_file_groupowner_run_ovs_vswitchd_pid_801:tst:1 true
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|---|
| true | /run/openvswitch/ovs-vswitchd.pid | regular | 800 | 801 | 5 | rw-r--r-- |
Verify Group Who Owns The Open vSwitch Persistent System IDxccdf_org.ssgproject.content_rule_file_groupowner_ovs_sys_id_conf mediumCCE-85892-8
Verify Group Who Owns The Open vSwitch Persistent System ID
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_ovs_sys_id_conf | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_groupowner_ovs_sys_id_conf:def:1 | ||||||||||
| Time | 2025-03-12T03:09:54+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-85892-8 | ||||||||||
| References: |
| ||||||||||
| Description | Check if the group owner of /etc/openvswitch/system-id.conf is
hugetlbfs on architectures other than s390x or openvswitch
on x390x. | ||||||||||
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing group ownership of /etc/openvswitch/system-id.conf oval:ssg-test_file_groupowner_ovs_sys_id_conf_not_s390x_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_ovs_sys_id_conf_not_s390x_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/openvswitch/system-id.conf | oval:ssg-symlink_file_groupowner_ovs_sys_id_conf_not_s390x_uid_hugetlbfs:ste:1 | oval:ssg-state_file_groupowner_ovs_sys_id_conf_not_s390x_gid_hugetlbfs_0:ste:1 |
Testing group ownership of /etc/openvswitch/system-id.conf oval:ssg-test_file_groupowner_ovs_sys_id_conf_s390x_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_ovs_sys_id_conf_s390x_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/openvswitch/system-id.conf | oval:ssg-symlink_file_groupowner_ovs_sys_id_conf_s390x_uid_hugetlbfs:ste:1 | oval:ssg-state_file_groupowner_ovs_sys_id_conf_s390x_gid_hugetlbfs_0:ste:1 |
Verify Group Who Owns The Open vSwitch Daemon PID Filexccdf_org.ssgproject.content_rule_file_groupowner_ovs_vswitchd_pid mediumCCE-84129-6
Verify Group Who Owns The Open vSwitch Daemon PID File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_ovs_vswitchd_pid | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_groupowner_ovs_vswitchd_pid:def:1 | ||||||||||
| Time | 2025-03-12T03:09:54+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-84129-6 | ||||||||||
| References: |
| ||||||||||
| Description | Ensure that the file /run/openvswitch/ovs-vswitchd.pid, is owned by the group openvswitchor hugetlbfs, depending on your settings and Open vSwitch version. | ||||||||||
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing group ownership of /var/run/openvswitch/ovs-vswitchd.pid oval:ssg-test_file_groupowner_var_run_ovs_vswitchd_pid_800:tst:1 false
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|---|
| false | /var/run/openvswitch/ovs-vswitchd.pid | regular | 800 | 801 | 5 | rw-r--r-- |
Testing group ownership of /var/run/openvswitch/ovs-vswitchd.pid oval:ssg-test_file_groupowner_var_run_ovs_vswitchd_pid_801:tst:1 true
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|---|
| true | /var/run/openvswitch/ovs-vswitchd.pid | regular | 800 | 801 | 5 | rw-r--r-- |
Verify Group Who Owns The Open vSwitch Database Server PIDxccdf_org.ssgproject.content_rule_file_groupowner_ovsdb_server_pid mediumCCE-84166-8
Verify Group Who Owns The Open vSwitch Database Server PID
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_ovsdb_server_pid | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_groupowner_ovsdb_server_pid:def:1 | ||||||||||
| Time | 2025-03-12T03:09:54+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-84166-8 | ||||||||||
| References: |
| ||||||||||
| Description | Ensure that the file /run/openvswitch/ovsdb-server.pid, is owned by the group openvswitchor hugetlbfs, depending on your settings and Open vSwitch version. | ||||||||||
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing group ownership of /run/openvswitch/ovsdb-server.pid oval:ssg-test_file_groupowner_ovsdb_server_pid_800:tst:1 false
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|---|
| false | /run/openvswitch/ovsdb-server.pid | regular | 800 | 801 | 5 | rw-r--r-- |
Testing group ownership of /run/openvswitch/ovsdb-server.pid oval:ssg-test_file_groupowner_ovsdb_server_pid_801:tst:1 true
Following items have been found on the system:
| Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|---|
| true | /run/openvswitch/ovsdb-server.pid | regular | 800 | 801 | 5 | rw-r--r-- |
Verify Group Who Owns The Kubernetes Scheduler Kubeconfig Filexccdf_org.ssgproject.content_rule_file_groupowner_scheduler_kubeconfig mediumCCE-83471-3
Verify Group Who Owns The Kubernetes Scheduler Kubeconfig File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_scheduler_kubeconfig | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_groupowner_scheduler_kubeconfig:def:1 | ||||||||||
| Time | 2025-03-12T03:09:54+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83471-3 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the group owner of /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig, run the command:
$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig | ||||||||||
| Rationale | The kubeconfig for the Scheduler contains parameters for the scheduler
to access the Kube API.
You should set its file ownership to maintain the integrity of the file. | ||||||||||
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Scheduler service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
OVAL test results details
Testing group ownership of ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/configmaps/scheduler-kubeconfig/kubeconfig$ oval:ssg-test_file_groupowner_scheduler_kubeconfig_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_scheduler_kubeconfig_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/configmaps/scheduler-kubeconfig/kubeconfig$ | oval:ssg-symlink_file_groupowner_scheduler_kubeconfig_uid_0:ste:1 | oval:ssg-state_file_groupowner_scheduler_kubeconfig_gid_0_0:ste:1 |
Verify User Who Owns The OpenShift Container Network Interface Filesxccdf_org.ssgproject.content_rule_file_owner_cni_conf mediumCCE-83460-6
Verify User Who Owns The OpenShift Container Network Interface Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_cni_conf | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_owner_cni_conf:def:1 | ||||||||||
| Time | 2025-03-12T03:09:54+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83460-6 | ||||||||||
| References: |
| ||||||||||
| Description | To properly set the owner of /etc/cni/net.d/*, run the command: $ sudo chown root /etc/cni/net.d/* | ||||||||||
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing user ownership of ^/etc/cni/net.d/.*$ oval:ssg-test_file_owner_cni_conf_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cni_conf_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| ^/etc/cni/net.d/.*$ | oval:ssg-symlink_file_owner_cni_conf_uid_0:ste:1 | oval:ssg-state_file_owner_cni_conf_uid_0_0:ste:1 |
Verify User Who Owns The OpenShift Controller Manager Kubeconfig Filexccdf_org.ssgproject.content_rule_file_owner_controller_manager_kubeconfig mediumCCE-83904-3
Verify User Who Owns The OpenShift Controller Manager Kubeconfig File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_controller_manager_kubeconfig | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_owner_controller_manager_kubeconfig:def:1 | ||||||||||
| Time | 2025-03-12T03:09:54+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83904-3 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the owner of /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig, run the command:
$ sudo chown root /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig | ||||||||||
| Rationale | The Controller Manager's kubeconfig contains information about how the
component will access the API server. You should set its file ownership to
maintain the integrity of the file. | ||||||||||
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Controller Manager service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
OVAL test results details
Testing user ownership of ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/configmaps/controller-manager-kubeconfig/kubeconfig$ oval:ssg-test_file_owner_controller_manager_kubeconfig_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_controller_manager_kubeconfig_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/configmaps/controller-manager-kubeconfig/kubeconfig$ | oval:ssg-symlink_file_owner_controller_manager_kubeconfig_uid_0:ste:1 | oval:ssg-state_file_owner_controller_manager_kubeconfig_uid_0_0:ste:1 |
Verify User Who Owns The Etcd Database Directoryxccdf_org.ssgproject.content_rule_file_owner_etcd_data_dir mediumCCE-83905-0
Verify User Who Owns The Etcd Database Directory
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etcd_data_dir | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_owner_etcd_data_dir:def:1 | ||||||||||
| Time | 2025-03-12T03:09:54+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83905-0 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the owner of /var/lib/etcd/member/, run the command:
$ sudo chown root /var/lib/etcd/member/ | ||||||||||
| Rationale | etcd is a highly-available key-value store used by Kubernetes deployments for
persistent storage of all of its REST API objects. This data directory should
be protected from any unauthorized reads or writes. | ||||||||||
| Warnings | warning
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
OVAL test results details
Testing user ownership of /var/lib/etcd/member/ oval:ssg-test_file_owner_etcd_data_dir_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etcd_data_dir_0:obj:1 of type file_object
| Path | Filename | Filter | Filter |
|---|---|---|---|
| /var/lib/etcd/member | no value | oval:ssg-symlink_file_owner_etcd_data_dir_uid_0:ste:1 | oval:ssg-state_file_owner_etcd_data_dir_uid_0_0:ste:1 |
Verify User Who Owns The Etcd Write-Ahead-Log Filesxccdf_org.ssgproject.content_rule_file_owner_etcd_data_files mediumCCE-84010-8
Verify User Who Owns The Etcd Write-Ahead-Log Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etcd_data_files | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_owner_etcd_data_files:def:1 | ||||||||||
| Time | 2025-03-12T03:09:54+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-84010-8 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the owner of /var/lib/etcd/member/wal/*, run the command:
$ sudo chown root /var/lib/etcd/member/wal/* | ||||||||||
| Rationale | etcd is a highly-available key-value store used by Kubernetes deployments for
persistent storage of all of its REST API objects. This data directory should
be protected from any unauthorized reads or writes. | ||||||||||
| Warnings | warning
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
OVAL test results details
Testing user ownership of ^/var/lib/etcd/member/wal/.*$ oval:ssg-test_file_owner_etcd_data_files_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etcd_data_files_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| ^/var/lib/etcd/member/wal/.*$ | oval:ssg-symlink_file_owner_etcd_data_files_uid_0:ste:1 | oval:ssg-state_file_owner_etcd_data_files_uid_0_0:ste:1 |
Verify User Who Owns The Etcd Member Pod Specification Filexccdf_org.ssgproject.content_rule_file_owner_etcd_member mediumCCE-83988-6
Verify User Who Owns The Etcd Member Pod Specification File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etcd_member | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_owner_etcd_member:def:1 | ||||||||||
| Time | 2025-03-12T03:09:54+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83988-6 | ||||||||||
| References: |
| ||||||||||
| Description | To properly set the owner of /etc/kubernetes/manifests/etcd-pod.yaml, run the command: $ sudo chown root /etc/kubernetes/manifests/etcd-pod.yaml | ||||||||||
| Rationale | The etcd pod specification file controls various parameters that
set the behavior of the etcd service in the master node. etcd is a
highly-available key-value store which Kubernetes uses for persistent
storage of all of its REST API object. You should restrict its file
permissions to maintain the integrity of the file. The file should be
writable by only the administrators on the system. | ||||||||||
| Warnings | warning
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
OVAL test results details
Testing user ownership of ^/etc/kubernetes/manifests/etcd-pod.yaml$ oval:ssg-test_file_owner_etcd_member_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etcd_member_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| ^/etc/kubernetes/manifests/etcd-pod.yaml$ | oval:ssg-symlink_file_owner_etcd_member_uid_0:ste:1 | oval:ssg-state_file_owner_etcd_member_uid_0_0:ste:1 |
Verify User Who Owns The Etcd PKI Certificate Filesxccdf_org.ssgproject.content_rule_file_owner_etcd_pki_cert_files mediumCCE-83898-7
Verify User Who Owns The Etcd PKI Certificate Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etcd_pki_cert_files | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_owner_etcd_pki_cert_files:def:1 | ||||||||||
| Time | 2025-03-12T03:09:54+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83898-7 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the owner of /etc/kubernetes/static-pod-resources/*/*/*/*.crt, run the command:
$ sudo chown root /etc/kubernetes/static-pod-resources/*/*/*/*.crt | ||||||||||
| Rationale | OpenShift makes use of a number of certificates as part of its operation.
You should verify the ownership of the directory containing the PKI
information and all files in that directory to maintain their integrity.
The directory and files should be owned by the system administrator. | ||||||||||
| Warnings | warning
This rule is only applicable for nodes that run the Etcd service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
OVAL test results details
Testing user ownership of ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.crt$ oval:ssg-test_file_owner_etcd_pki_cert_files_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etcd_pki_cert_files_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.crt$ | oval:ssg-symlink_file_owner_etcd_pki_cert_files_uid_0:ste:1 | oval:ssg-state_file_owner_etcd_pki_cert_files_uid_0_0:ste:1 |
Verify User Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocationsxccdf_org.ssgproject.content_rule_file_owner_ip_allocations mediumCCE-84248-4
Verify User Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_ip_allocations | ||||||||||
| Result | notapplicable | ||||||||||
| Multi-check rule | no | ||||||||||
| Time | 2025-03-12T03:09:54+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-84248-4 | ||||||||||
| References: |
| ||||||||||
| Description | To properly set the owner of /var/lib/cni/networks/openshift-sdn/.*, run the command: $ sudo chown root /var/lib/cni/networks/openshift-sdn/.* | ||||||||||
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
Verify User Who Owns The Kubernetes API Server Pod Specification Filexccdf_org.ssgproject.content_rule_file_owner_kube_apiserver mediumCCE-83372-3
Verify User Who Owns The Kubernetes API Server Pod Specification File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_kube_apiserver | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_owner_kube_apiserver:def:1 | ||||||||||
| Time | 2025-03-12T03:09:54+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83372-3 | ||||||||||
| References: |
| ||||||||||
| Description | To properly set the owner of /etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml, run the command: $ sudo chown root /etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml | ||||||||||
| Rationale | The Kubernetes specification file contains information about the configuration of the
Kubernetes API Server that is configured on the system. Protection of this file is
critical for OpenShift security. | ||||||||||
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes API Server service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
OVAL test results details
Testing user ownership of ^/etc/kubernetes/static-pod-resources/kube-apiserver-pod-.*/kube-apiserver-pod.yaml$ oval:ssg-test_file_owner_kube_apiserver_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_kube_apiserver_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| ^/etc/kubernetes/static-pod-resources/kube-apiserver-pod-.*/kube-apiserver-pod.yaml$ | oval:ssg-symlink_file_owner_kube_apiserver_uid_0:ste:1 | oval:ssg-state_file_owner_kube_apiserver_uid_0_0:ste:1 |
Verify User Who Owns The Kubernetes Controller Manager Pod Specification Filexccdf_org.ssgproject.content_rule_file_owner_kube_controller_manager mediumCCE-83795-5
Verify User Who Owns The Kubernetes Controller Manager Pod Specification File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_kube_controller_manager | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_owner_kube_controller_manager:def:1 | ||||||||||
| Time | 2025-03-12T03:09:54+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83795-5 | ||||||||||
| References: |
| ||||||||||
| Description | To properly set the owner of /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml, run the command: $ sudo chown root /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml | ||||||||||
| Rationale | The Kubernetes specification file contains information about the configuration of the
Kubernetes Controller Manager Server that is configured on the system. Protection of this file is
critical for OpenShift security. | ||||||||||
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Controller Manager service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
OVAL test results details
Testing user ownership of ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/kube-controller-manager-pod.yaml$ oval:ssg-test_file_owner_kube_controller_manager_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_kube_controller_manager_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/kube-controller-manager-pod.yaml$ | oval:ssg-symlink_file_owner_kube_controller_manager_uid_0:ste:1 | oval:ssg-state_file_owner_kube_controller_manager_uid_0_0:ste:1 |
Verify User Who Owns The Kubernetes Scheduler Pod Specification Filexccdf_org.ssgproject.content_rule_file_owner_kube_scheduler mediumCCE-83393-9
Verify User Who Owns The Kubernetes Scheduler Pod Specification File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_kube_scheduler | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_owner_kube_scheduler:def:1 | ||||||||||
| Time | 2025-03-12T03:09:54+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83393-9 | ||||||||||
| References: |
| ||||||||||
| Description | To properly set the owner of /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml, run the command: $ sudo chown root /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml | ||||||||||
| Rationale | The Kubernetes specification file contains information about the configuration of the
Kubernetes scheduler that is configured on the system. Protection of this file is
critical for OpenShift security. | ||||||||||
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Scheduler service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
OVAL test results details
Testing user ownership of ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/kube-scheduler-pod.yaml$ oval:ssg-test_file_owner_kube_scheduler_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_kube_scheduler_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/kube-scheduler-pod.yaml$ | oval:ssg-symlink_file_owner_kube_scheduler_uid_0:ste:1 | oval:ssg-state_file_owner_kube_scheduler_uid_0_0:ste:1 |
Verify User Who Owns The OpenShift Admin Kubeconfig Filesxccdf_org.ssgproject.content_rule_file_owner_master_admin_kubeconfigs mediumCCE-83719-5
Verify User Who Owns The OpenShift Admin Kubeconfig Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_master_admin_kubeconfigs | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_owner_master_admin_kubeconfigs:def:1 | ||||||||||
| Time | 2025-03-12T03:09:54+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83719-5 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the owner of /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig, run the command:
$ sudo chown root /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig | ||||||||||
| Rationale | There are various kubeconfig files that can be used by the administrator,
defining various settings for the administration of the cluster. These files
contain credentials that can be used to control the cluster and are needed
for disaster recovery and each kubeconfig points to a different endpoint in
the cluster. You should restrict its file permissions to maintain the
integrity of the kubeconfig file as an attacker who gains access to these
files can take over the cluster. | ||||||||||
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Control Plane.
The aforementioned service is only running on the nodes labeled
"master" by default. |
OVAL test results details
Testing user ownership of ^/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/.*\.kubeconfig$ oval:ssg-test_file_owner_master_admin_kubeconfigs_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_master_admin_kubeconfigs_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| ^/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/.*\.kubeconfig$ | oval:ssg-symlink_file_owner_master_admin_kubeconfigs_uid_0:ste:1 | oval:ssg-state_file_owner_master_admin_kubeconfigs_uid_0_0:ste:1 |
Verify User Who Owns The OpenShift Multus Container Network Interface Plugin Filesxccdf_org.ssgproject.content_rule_file_owner_multus_conf mediumCCE-83603-1
Verify User Who Owns The OpenShift Multus Container Network Interface Plugin Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_multus_conf | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_owner_multus_conf:def:1 | ||||||||||
| Time | 2025-03-12T03:09:54+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83603-1 | ||||||||||
| References: |
| ||||||||||
| Description | To properly set the owner of /var/run/multus/cni/net.d/*, run the command: $ sudo chown root /var/run/multus/cni/net.d/* | ||||||||||
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing user ownership of ^/var/run/multus/cni/net.d/.*$ oval:ssg-test_file_owner_multus_conf_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_multus_conf_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| ^/var/run/multus/cni/net.d/.*$ | oval:ssg-symlink_file_owner_multus_conf_uid_0:ste:1 | oval:ssg-state_file_owner_multus_conf_uid_0_0:ste:1 |
Verify User Who Owns The OpenShift PKI Certificate Filesxccdf_org.ssgproject.content_rule_file_owner_openshift_pki_cert_files mediumCCE-83558-7
Verify User Who Owns The OpenShift PKI Certificate Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_openshift_pki_cert_files | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_owner_openshift_pki_cert_files:def:1 | ||||||||||
| Time | 2025-03-12T03:09:54+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83558-7 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the owner of /etc/kubernetes/static-pod-resources/*/*/*/tls.crt, run the command:
$ sudo chown root /etc/kubernetes/static-pod-resources/*/*/*/tls.crt | ||||||||||
| Rationale | OpenShift makes use of a number of certificates as part of its operation.
You should verify the ownership of the directory containing the PKI
information and all files in that directory to maintain their integrity. | ||||||||||
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Control Plane.
The aforementioned service is only running on the nodes labeled
"master" by default. |
OVAL test results details
Testing user ownership of ^/etc/kubernetes/static-pod-resources/.*/.*/.*/tls\.crt$ oval:ssg-test_file_owner_openshift_pki_cert_files_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_openshift_pki_cert_files_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| ^/etc/kubernetes/static-pod-resources/.*/.*/.*/tls\.crt$ | oval:ssg-symlink_file_owner_openshift_pki_cert_files_uid_0:ste:1 | oval:ssg-state_file_owner_openshift_pki_cert_files_uid_0_0:ste:1 |
Verify User Who Owns The OpenShift PKI Private Key Filesxccdf_org.ssgproject.content_rule_file_owner_openshift_pki_key_files mediumCCE-83435-8
Verify User Who Owns The OpenShift PKI Private Key Files
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_openshift_pki_key_files | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_owner_openshift_pki_key_files:def:1 | ||||||||||
| Time | 2025-03-12T03:09:54+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83435-8 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the owner of /etc/kubernetes/static-pod-resources/*/*/*/*.key, run the command:
$ sudo chown root /etc/kubernetes/static-pod-resources/*/*/*/*.key | ||||||||||
| Rationale | OpenShift makes use of a number of certificates as part of its operation.
You should verify the ownership of the directory containing the PKI
information and all files in that directory to maintain their integrity.
The directory and files should be owned by root:root. | ||||||||||
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Control Plane.
The aforementioned service is only running on the nodes labeled
"master" by default. |
OVAL test results details
Testing user ownership of ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.key$ oval:ssg-test_file_owner_openshift_pki_key_files_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_openshift_pki_key_files_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.key$ | oval:ssg-symlink_file_owner_openshift_pki_key_files_uid_0:ste:1 | oval:ssg-state_file_owner_openshift_pki_key_files_uid_0_0:ste:1 |
Verify User Who Owns The OpenShift SDN CNI Server Configxccdf_org.ssgproject.content_rule_file_owner_openshift_sdn_cniserver_config mediumCCE-83932-4
Verify User Who Owns The OpenShift SDN CNI Server Config
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_openshift_sdn_cniserver_config | ||||||||||
| Result | notapplicable | ||||||||||
| Multi-check rule | no | ||||||||||
| Time | 2025-03-12T03:09:54+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83932-4 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the owner of /var/run/openshift-sdn/cniserver/config.json, run the command:
$ sudo chown root /var/run/openshift-sdn/cniserver/config.json | ||||||||||
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
Verify User Who Owns The OVNKubernetes Socketxccdf_org.ssgproject.content_rule_file_owner_ovn_cni_server_sock mediumCCE-86431-4
Verify User Who Owns The OVNKubernetes Socket
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_ovn_cni_server_sock | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_owner_ovn_cni_server_sock:def:1 | ||||||||||
| Time | 2025-03-12T03:09:55+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-86431-4 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the owner of /run/ovn-kubernetes/cni/ovn-cni-server.sock, run the command:
$ sudo chown root /run/ovn-kubernetes/cni/ovn-cni-server.sock | ||||||||||
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing user ownership of /run/ovn-kubernetes/cni/ovn-cni-server.sock oval:ssg-test_file_owner_ovn_cni_server_sock_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_ovn_cni_server_sock_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /run/ovn-kubernetes/cni/ovn-cni-server.sock | oval:ssg-symlink_file_owner_ovn_cni_server_sock_uid_0:ste:1 | oval:ssg-state_file_owner_ovn_cni_server_sock_uid_0_0:ste:1 |
Verify Who Owns The OVNKubernetes DB filesxccdf_org.ssgproject.content_rule_file_owner_ovn_db_files mediumCCE-86614-5
Verify Who Owns The OVNKubernetes DB files
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_ovn_db_files | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_owner_ovn_db_files:def:1 | ||||||||||
| Time | 2025-03-12T03:09:55+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-86614-5 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the owner of /var/lib/ovn/etc/*.db, run the command:
$ sudo chown root /var/lib/ovn/etc/*.db | ||||||||||
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing user ownership of ^/var/lib/ovn/etc/*.db$ oval:ssg-test_file_owner_ovn_db_files_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_ovn_db_files_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| ^/var/lib/ovn/etc/*.db$ | oval:ssg-symlink_file_owner_ovn_db_files_uid_0:ste:1 | oval:ssg-state_file_owner_ovn_db_files_uid_0_0:ste:1 |
Verify User Who Owns The Open vSwitch Configuration Databasexccdf_org.ssgproject.content_rule_file_owner_ovs_conf_db mediumCCE-83489-5
Verify User Who Owns The Open vSwitch Configuration Database
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_ovs_conf_db | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_owner_ovs_conf_db:def:1 | ||||||||||
| Time | 2025-03-12T03:09:55+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83489-5 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the owner of /etc/openvswitch/conf.db, run the command:
$ sudo chown openvswitch /etc/openvswitch/conf.db | ||||||||||
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing user ownership of /etc/openvswitch/conf.db oval:ssg-test_file_owner_ovs_conf_db_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_ovs_conf_db_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/openvswitch/conf.db | oval:ssg-symlink_file_owner_ovs_conf_db_uid_800:ste:1 | oval:ssg-state_file_owner_ovs_conf_db_uid_800_0:ste:1 |
Verify User Who Owns The Open vSwitch Configuration Database Lockxccdf_org.ssgproject.content_rule_file_owner_ovs_conf_db_lock mediumCCE-83462-2
Verify User Who Owns The Open vSwitch Configuration Database Lock
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_ovs_conf_db_lock | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_owner_ovs_conf_db_lock:def:1 | ||||||||||
| Time | 2025-03-12T03:09:55+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83462-2 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the owner of /etc/openvswitch/.conf.db.~lock~, run the command:
$ sudo chown openvswitch /etc/openvswitch/.conf.db.~lock~ | ||||||||||
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing user ownership of /etc/openvswitch/.conf.db.~lock~ oval:ssg-test_file_owner_ovs_conf_db_lock_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_ovs_conf_db_lock_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/openvswitch/.conf.db.~lock~ | oval:ssg-symlink_file_owner_ovs_conf_db_lock_uid_800:ste:1 | oval:ssg-state_file_owner_ovs_conf_db_lock_uid_800_0:ste:1 |
Verify User Who Owns The Open vSwitch Process ID Filexccdf_org.ssgproject.content_rule_file_owner_ovs_pid mediumCCE-83937-3
Verify User Who Owns The Open vSwitch Process ID File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_ovs_pid | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_owner_ovs_pid:def:1 | ||||||||||
| Time | 2025-03-12T03:09:55+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83937-3 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the owner of /var/run/openvswitch/ovs-vswitchd.pid, run the command:
$ sudo chown openvswitch /var/run/openvswitch/ovs-vswitchd.pid | ||||||||||
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing user ownership of /var/run/openvswitch/ovs-vswitchd.pid oval:ssg-test_file_owner_ovs_pid_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_ovs_pid_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /var/run/openvswitch/ovs-vswitchd.pid | oval:ssg-symlink_file_owner_ovs_pid_uid_800:ste:1 | oval:ssg-state_file_owner_ovs_pid_uid_800_0:ste:1 |
Verify User Who Owns The Open vSwitch Persistent System IDxccdf_org.ssgproject.content_rule_file_owner_ovs_sys_id_conf mediumCCE-84085-0
Verify User Who Owns The Open vSwitch Persistent System ID
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_ovs_sys_id_conf | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_owner_ovs_sys_id_conf:def:1 | ||||||||||
| Time | 2025-03-12T03:09:55+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-84085-0 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the owner of /etc/openvswitch/system-id.conf, run the command:
$ sudo chown openvswitch /etc/openvswitch/system-id.conf | ||||||||||
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing user ownership of /etc/openvswitch/system-id.conf oval:ssg-test_file_owner_ovs_sys_id_conf_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_ovs_sys_id_conf_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/openvswitch/system-id.conf | oval:ssg-symlink_file_owner_ovs_sys_id_conf_uid_800:ste:1 | oval:ssg-state_file_owner_ovs_sys_id_conf_uid_800_0:ste:1 |
Verify User Who Owns The Open vSwitch Daemon PID Filexccdf_org.ssgproject.content_rule_file_owner_ovs_vswitchd_pid mediumCCE-83888-8
Verify User Who Owns The Open vSwitch Daemon PID File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_ovs_vswitchd_pid | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_owner_ovs_vswitchd_pid:def:1 | ||||||||||
| Time | 2025-03-12T03:09:55+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83888-8 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the owner of /run/openvswitch/ovs-vswitchd.pid, run the command:
$ sudo chown openvswitch /run/openvswitch/ovs-vswitchd.pid | ||||||||||
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing user ownership of /run/openvswitch/ovs-vswitchd.pid oval:ssg-test_file_owner_ovs_vswitchd_pid_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_ovs_vswitchd_pid_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /run/openvswitch/ovs-vswitchd.pid | oval:ssg-symlink_file_owner_ovs_vswitchd_pid_uid_800:ste:1 | oval:ssg-state_file_owner_ovs_vswitchd_pid_uid_800_0:ste:1 |
Verify User Who Owns The Open vSwitch Database Server PIDxccdf_org.ssgproject.content_rule_file_owner_ovsdb_server_pid mediumCCE-83806-0
Verify User Who Owns The Open vSwitch Database Server PID
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_ovsdb_server_pid | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_owner_ovsdb_server_pid:def:1 | ||||||||||
| Time | 2025-03-12T03:09:55+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83806-0 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the owner of /run/openvswitch/ovsdb-server.pid, run the command:
$ sudo chown openvswitch /run/openvswitch/ovsdb-server.pid | ||||||||||
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
OVAL test results details
Testing user ownership of /run/openvswitch/ovsdb-server.pid oval:ssg-test_file_owner_ovsdb_server_pid_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_ovsdb_server_pid_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /run/openvswitch/ovsdb-server.pid | oval:ssg-symlink_file_owner_ovsdb_server_pid_uid_800:ste:1 | oval:ssg-state_file_owner_ovsdb_server_pid_uid_800_0:ste:1 |
Verify User Who Owns The Kubernetes Scheduler Kubeconfig Filexccdf_org.ssgproject.content_rule_file_owner_scheduler_kubeconfig mediumCCE-84017-3
Verify User Who Owns The Kubernetes Scheduler Kubeconfig File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_scheduler_kubeconfig | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_owner_scheduler_kubeconfig:def:1 | ||||||||||
| Time | 2025-03-12T03:09:55+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-84017-3 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the owner of /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig, run the command:
$ sudo chown root /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig | ||||||||||
| Rationale | The kubeconfig for the Scheduler contains parameters for the scheduler
to access the Kube API.
You should set its file ownership to maintain the integrity of the file. | ||||||||||
| Warnings | warning
This rule is only applicable for nodes that run the Kubernetes Scheduler service.
The aforementioned service is only running on the nodes labeled
"master" by default. |
OVAL test results details
Testing user ownership of ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/configmaps/scheduler-kubeconfig/kubeconfig$ oval:ssg-test_file_owner_scheduler_kubeconfig_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_scheduler_kubeconfig_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/configmaps/scheduler-kubeconfig/kubeconfig$ | oval:ssg-symlink_file_owner_scheduler_kubeconfig_uid_0:ste:1 | oval:ssg-state_file_owner_scheduler_kubeconfig_uid_0_0:ste:1 |
Verify Permissions on the OpenShift SDN CNI Server Configxccdf_org.ssgproject.content_rule_file_perms_openshift_sdn_cniserver_config mediumCCE-83927-4
Verify Permissions on the OpenShift SDN CNI Server Config
| Rule ID | xccdf_org.ssgproject.content_rule_file_perms_openshift_sdn_cniserver_config | ||||||||||
| Result | notapplicable | ||||||||||
| Multi-check rule | no | ||||||||||
| Time | 2025-03-12T03:09:55+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83927-4 | ||||||||||
| References: |
| ||||||||||
| Description |
To properly set the permissions of /var/run/openshift-sdn/cniserver/config.json, run the command:
$ sudo chmod 0444 /var/run/openshift-sdn/cniserver/config.json | ||||||||||
| Rationale | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writeable access to the files could allow an attacker to modify
the networking configuration potentially adding a rogue network connection. |
Verify Group Who Owns The Kubelet Configuration Filexccdf_org.ssgproject.content_rule_file_groupowner_kubelet_conf mediumCCE-84233-6
Verify Group Who Owns The Kubelet Configuration File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_kubelet_conf | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_groupowner_kubelet_conf:def:1 | ||||||||||
| Time | 2025-03-12T03:09:55+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-84233-6 | ||||||||||
| References: |
| ||||||||||
| Description | To properly set the group owner of /etc/kubernetes/kubelet.conf, run the command: $ sudo chgrp root /etc/kubernetes/kubelet.conf | ||||||||||
| Rationale | The kubelet configuration file contains information about the configuration of the
OpenShift node that is configured on the system. Protection of this file is
critical for OpenShift security. |
OVAL test results details
Testing group ownership of /etc/kubernetes/kubelet.conf oval:ssg-test_file_groupowner_kubelet_conf_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_kubelet_conf_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/kubernetes/kubelet.conf | oval:ssg-symlink_file_groupowner_kubelet_conf_uid_0:ste:1 | oval:ssg-state_file_groupowner_kubelet_conf_gid_0_0:ste:1 |
Verify Group Who Owns the Worker Certificate Authority Filexccdf_org.ssgproject.content_rule_file_groupowner_worker_ca mediumCCE-83440-8
Verify Group Who Owns the Worker Certificate Authority File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_worker_ca | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_groupowner_worker_ca:def:1 | ||||||||||
| Time | 2025-03-12T03:09:55+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83440-8 | ||||||||||
| References: |
| ||||||||||
| Description | To properly set the group owner of /etc/kubernetes/kubelet-ca.crt, run the command: $ sudo chgrp root /etc/kubernetes/kubelet-ca.crt | ||||||||||
| Rationale | The worker certificate authority file contains the certificate authority
certificate for an OpenShift node that is configured on the system. Protection of this file is
critical for OpenShift security. |
OVAL test results details
Testing group ownership of /etc/kubernetes/kubelet-ca.crt oval:ssg-test_file_groupowner_worker_ca_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_worker_ca_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/kubernetes/kubelet-ca.crt | oval:ssg-symlink_file_groupowner_worker_ca_uid_0:ste:1 | oval:ssg-state_file_groupowner_worker_ca_gid_0_0:ste:1 |
Verify Group Who Owns The Worker Kubeconfig Filexccdf_org.ssgproject.content_rule_file_groupowner_worker_kubeconfig mediumCCE-83409-3
Verify Group Who Owns The Worker Kubeconfig File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_worker_kubeconfig | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_groupowner_worker_kubeconfig:def:1 | ||||||||||
| Time | 2025-03-12T03:09:56+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83409-3 | ||||||||||
| References: |
| ||||||||||
| Description | To properly set the group owner of /var/lib/kubelet/kubeconfig, run the command: $ sudo chgrp root /var/lib/kubelet/kubeconfig | ||||||||||
| Rationale | The worker kubeconfig file contains information about the administrative configuration of the
OpenShift cluster that is configured on the system. Protection of this file is
critical for OpenShift security. |
OVAL test results details
Testing group ownership of /var/lib/kubelet/kubeconfig oval:ssg-test_file_groupowner_worker_kubeconfig_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_worker_kubeconfig_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /var/lib/kubelet/kubeconfig | oval:ssg-symlink_file_groupowner_worker_kubeconfig_uid_0:ste:1 | oval:ssg-state_file_groupowner_worker_kubeconfig_gid_0_0:ste:1 |
Verify Group Who Owns The OpenShift Node Service Filexccdf_org.ssgproject.content_rule_file_groupowner_worker_service mediumCCE-83975-3
Verify Group Who Owns The OpenShift Node Service File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_worker_service | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_groupowner_worker_service:def:1 | ||||||||||
| Time | 2025-03-12T03:09:56+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83975-3 | ||||||||||
| References: |
| ||||||||||
| Description | '
To properly set the group owner of /etc/systemd/system/kubelet.service, run the command:
$ sudo chgrp root /etc/systemd/system/kubelet.service' | ||||||||||
| Rationale | The /etc/systemd/system/kubelet.service
file contains information about the configuration of the
OpenShift node service that is configured on the system. Protection of this file is
critical for OpenShift security. |
OVAL test results details
Testing group ownership of /etc/systemd/system/kubelet.service oval:ssg-test_file_groupowner_worker_service_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_worker_service_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/systemd/system/kubelet.service | oval:ssg-symlink_file_groupowner_worker_service_uid_0:ste:1 | oval:ssg-state_file_groupowner_worker_service_gid_0_0:ste:1 |
Verify User Who Owns The Kubelet Configuration Filexccdf_org.ssgproject.content_rule_file_owner_kubelet mediumCCE-85900-9
Verify User Who Owns The Kubelet Configuration File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_kubelet | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_owner_kubelet:def:1 | ||||||||||
| Time | 2025-03-12T03:09:56+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-85900-9 | ||||||||||
| References: |
| ||||||||||
| Description | To properly set the owner of /var/lib/kubelet/config.json, run the command: $ sudo chown root /var/lib/kubelet/config.json | ||||||||||
| Rationale | The kubelet configuration file contains information about the configuration of the
OpenShift node that is configured on the system. Protection of this file is
critical for OpenShift security. |
OVAL test results details
Testing user ownership of /var/lib/kubelet/config.json oval:ssg-test_file_owner_kubelet_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_kubelet_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /var/lib/kubelet/config.json | oval:ssg-symlink_file_owner_kubelet_uid_0:ste:1 | oval:ssg-state_file_owner_kubelet_uid_0_0:ste:1 |
Verify User Who Owns The Kubelet Configuration Filexccdf_org.ssgproject.content_rule_file_owner_kubelet_conf mediumCCE-83976-1
Verify User Who Owns The Kubelet Configuration File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_kubelet_conf | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_owner_kubelet_conf:def:1 | ||||||||||
| Time | 2025-03-12T03:09:56+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83976-1 | ||||||||||
| References: |
| ||||||||||
| Description | To properly set the owner of /etc/kubernetes/kubelet.conf, run the command: $ sudo chown root /etc/kubernetes/kubelet.conf | ||||||||||
| Rationale | The kubelet configuration file contains information about the configuration of the
OpenShift node that is configured on the system. Protection of this file is
critical for OpenShift security. |
OVAL test results details
Testing user ownership of /etc/kubernetes/kubelet.conf oval:ssg-test_file_owner_kubelet_conf_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_kubelet_conf_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/kubernetes/kubelet.conf | oval:ssg-symlink_file_owner_kubelet_conf_uid_0:ste:1 | oval:ssg-state_file_owner_kubelet_conf_uid_0_0:ste:1 |
Verify User Who Owns the Worker Certificate Authority Filexccdf_org.ssgproject.content_rule_file_owner_worker_ca mediumCCE-83495-2
Verify User Who Owns the Worker Certificate Authority File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_worker_ca | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_owner_worker_ca:def:1 | ||||||||||
| Time | 2025-03-12T03:09:56+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83495-2 | ||||||||||
| References: |
| ||||||||||
| Description | To properly set the owner of /etc/kubernetes/kubelet-ca.crt, run the command: $ sudo chown root /etc/kubernetes/kubelet-ca.crt | ||||||||||
| Rationale | The worker certificate authority file contains the certificate authority
certificate for an OpenShift node that is configured on the system. Protection of this file is
critical for OpenShift security. |
OVAL test results details
Testing user ownership of /etc/kubernetes/kubelet-ca.crt oval:ssg-test_file_owner_worker_ca_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_worker_ca_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/kubernetes/kubelet-ca.crt | oval:ssg-symlink_file_owner_worker_ca_uid_0:ste:1 | oval:ssg-state_file_owner_worker_ca_uid_0_0:ste:1 |
Verify User Who Owns The Worker Kubeconfig Filexccdf_org.ssgproject.content_rule_file_owner_worker_kubeconfig mediumCCE-83408-5
Verify User Who Owns The Worker Kubeconfig File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_worker_kubeconfig | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_owner_worker_kubeconfig:def:1 | ||||||||||
| Time | 2025-03-12T03:09:56+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-83408-5 | ||||||||||
| References: |
| ||||||||||
| Description | To properly set the owner of /var/lib/kubelet/kubeconfig, run the command: $ sudo chown root /var/lib/kubelet/kubeconfig | ||||||||||
| Rationale | The worker kubeconfig file contains information about the administrative configuration of the
OpenShift cluster that is configured on the system. Protection of this file is
critical for OpenShift security. |
OVAL test results details
Testing user ownership of /var/lib/kubelet/kubeconfig oval:ssg-test_file_owner_worker_kubeconfig_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_worker_kubeconfig_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /var/lib/kubelet/kubeconfig | oval:ssg-symlink_file_owner_worker_kubeconfig_uid_0:ste:1 | oval:ssg-state_file_owner_worker_kubeconfig_uid_0_0:ste:1 |
Verify User Who Owns The OpenShift Node Service Filexccdf_org.ssgproject.content_rule_file_owner_worker_service mediumCCE-84193-2
Verify User Who Owns The OpenShift Node Service File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_worker_service | ||||||||||
| Result | pass | ||||||||||
| Multi-check rule | no | ||||||||||
| OVAL Definition ID | oval:ssg-file_owner_worker_service:def:1 | ||||||||||
| Time | 2025-03-12T03:09:56+00:00 | ||||||||||
| Severity | medium | ||||||||||
| Identifiers: | CCE-84193-2 | ||||||||||
| References: |
| ||||||||||
| Description | '
To properly set the owner of /etc/systemd/system/kubelet.service, run the command:
$ sudo chown root /etc/systemd/system/kubelet.service' | ||||||||||
| Rationale | The /etc/systemd/system/kubelet.service
file contains information about the configuration of the
OpenShift node service that is configured on the system. Protection of this file is
critical for OpenShift security. |
OVAL test results details
Testing user ownership of /etc/systemd/system/kubelet.service oval:ssg-test_file_owner_worker_service_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_worker_service_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/systemd/system/kubelet.service | oval:ssg-symlink_file_owner_worker_service_uid_0:ste:1 | oval:ssg-state_file_owner_worker_service_uid_0_0:ste:1 |
Red Hat and Red Hat Enterprise Linux are either registered
trademarks or trademarks of Red Hat, Inc. in the United States and other
countries. All other names are registered trademarks or trademarks of their
respective companies.