Capacity
CIP-007-3 R5.1
2
Rule
Severity: High
Ensure that application Namespaces have Network Policies defined.
29
Rule
Severity: Medium
Harden SSH client Crypto Policy
19
Rule
Severity: High
The Installed Operating System Is FIPS 140-2 Certified
1
Rule
Severity: High
Ensure that FIPS mode is enabled on all cluster nodes
1
Rule
Severity: Medium
Configure the Client Certificate Authority for the API Server
1
Rule
Severity: Medium
Configure the etcd Certificate Authority for the API Server
1
Rule
Severity: Medium
Configure the etcd Certificate for the API Server
1
Rule
Severity: Medium
Configure the etcd Certificate Key for the API Server
1
Rule
Severity: Medium
Ensure that the --kubelet-https argument is set to true
1
Rule
Severity: High
Configure the kubelet Certificate Authority for the API Server
1
Rule
Severity: High
Configure the kubelet Certificate File for the API Server
1
Rule
Severity: High
Configure the kubelet Certificate Key for the API Server
2
Rule
Severity: Medium
Ensure the openshift-oauth-apiserver service uses TLS
1
Rule
Severity: Medium
Configure the Certificate for the API Server
1
Rule
Severity: Medium
Configure the Certificate Key for the API Server
1
Rule
Severity: Medium
Configure An Identity Provider
1
Rule
Severity: Medium
Configure OAuth server so that tokens expire after a set period of inactivity
1
Rule
Severity: Medium
Configure OAuth tokens to expire after a set period of inactivity
1
Rule
Severity: Medium
Configure OAuth clients so that tokens expire after a set period of inactivity
1
Rule
Severity: Medium
Do Not Use htpasswd-based IdP
1
Rule
Severity: High
Only Use LDAP-based IdPs with TLS
1
Rule
Severity: Low
Ensure Controller insecure port argument is unset
1
Rule
Severity: Medium
Ensure that the RotateKubeletServerCertificate argument is set
1
Rule
Severity: Low
Ensure Controller secure-port argument is set
1
Rule
Severity: Medium
Configure the Service Account Certificate Authority Key for the Controller Manager
1
Rule
Severity: Medium
Configure the Service Account Private Key for the Controller Manager
7
Rule
Severity: Medium
Disable Prelinking
1
Rule
Severity: Medium
Disable etcd Self-Signed Certificates
1
Rule
Severity: Medium
Ensure That The etcd Client Certificate Is Correctly Set
1
Rule
Severity: Medium
Enable The Client Certificate Authentication
1
Rule
Severity: Medium
Ensure That The etcd Key File Is Correctly Set
1
Rule
Severity: Medium
Disable etcd Peer Self-Signed Certificates
1
Rule
Severity: Medium
Ensure That The etcd Peer Client Certificate Is Correctly Set
1
Rule
Severity: Medium
Enable The Peer Client Certificate Authentication
1
Rule
Severity: Medium
Ensure That The etcd Peer Key File Is Correctly Set
1
Rule
Severity: Medium
Ensure That The kubelet Client Certificate Is Correctly Set
1
Rule
Severity: Medium
Ensure That The kubelet Server Key Is Correctly Set
1
Rule
Severity: High
Ensure that Audit Log Errors Emit Alerts
14
Rule
Severity: High
Configure BIND to use System Crypto Policy
17
Rule
Severity: High
Configure System Cryptography Policy
14
Rule
Severity: High
Configure Kerberos to use System Crypto Policy
16
Rule
Severity: High
Configure Libreswan to use System Crypto Policy
16
Rule
Severity: Medium
Configure OpenSSL library to use System Crypto Policy
16
Rule
Severity: Medium
Configure SSH to use System Crypto Policy
5
Rule
Severity: Medium
Install the dracut-fips-aesni Package
5
Rule
Severity: Medium
Install the dracut-fips Package
13
Rule
Severity: High
Ensure '/etc/system-fips' exists
5
Rule
Severity: High
Enable FIPS Mode in GRUB2
12
Rule
Severity: Medium
Harden SSHD Crypto Policy
13
Rule
Severity: High
Ensure Red Hat GPG Key Installed
17
Rule
Severity: High
Encrypt Partitions
18
Rule
Severity: Medium
Require Authentication for Single User Mode
30
Rule
Severity: Low
All GIDs referenced in /etc/passwd must be defined in /etc/group
28
Rule
Severity: Medium
Verify No netrc Files Exist
30
Rule
Severity: High
Verify Only Root Has UID 0
29
Rule
Severity: Medium
Direct root Logins Not Allowed
29
Rule
Severity: Medium
Restrict Serial Port Root Logins
29
Rule
Severity: Medium
Restrict Virtual Console Root Logins
29
Rule
Severity: Low
Limit the Number of Concurrent Login Sessions Allowed Per User
23
Rule
Severity: Medium
Set Interactive Session Timeout
29
Rule
Severity: Medium
Ensure that User Home Directories are not Group-Writable or World-Readable
20
Rule
Severity: Medium
Ensure the Default Bash Umask is Set Correctly
27
Rule
Severity: Medium
Ensure the Default Umask is Set Correctly in login.defs
27
Rule
Severity: Medium
Ensure the Default Umask is Set Correctly in /etc/profile
29
Rule
Severity: Medium
System Audit Logs Must Have Mode 0750 or Less Permissive
29
Rule
Severity: Medium
System Audit Logs Must Be Owned By Root
15
Rule
Severity: High
Disable Ctrl-Alt-Del Burst Action
17
Rule
Severity: High
Disable Ctrl-Alt-Del Reboot Activation
14
Rule
Severity: Medium
Ensure that System Accounts Are Locked
13
Rule
Severity: Medium
Ensure the Default C Shell Umask is Set Correctly
27
Rule
Severity: Medium
Configure auditd mail_acct Action on Low Disk Space
29
Rule
Severity: Medium
Ensure Log Files Are Owned By Appropriate Group
29
Rule
Severity: Medium
Ensure Log Files Are Owned By Appropriate User
29
Rule
Severity: Medium
Ensure System Log Files Have Correct Permissions
17
Rule
Severity: Medium
System Audit Logs Must Have Mode 0640 or Less Permissive
20
Rule
Severity: Medium
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
20
Rule
Severity: Medium
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
20
Rule
Severity: Medium
Configure Kernel Parameter for Accepting Secure Redirects By Default
22
Rule
Severity: Medium
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
22
Rule
Severity: Unknown
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
22
Rule
Severity: Medium
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
22
Rule
Severity: Medium
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
22
Rule
Severity: Medium
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
30
Rule
Severity: Medium
Verify that All World-Writable Directories Have Sticky Bits Set
30
Rule
Severity: Medium
Ensure No World-Writable Files Exist
30
Rule
Severity: Medium
Enable Kernel Parameter to Enforce DAC on Hardlinks
30
Rule
Severity: Medium
Enable Kernel Parameter to Enforce DAC on Symlinks
30
Rule
Severity: Medium
Verify Group Who Owns group File
28
Rule
Severity: Medium
Verify Group Who Owns gshadow File
30
Rule
Severity: Medium
Verify Group Who Owns passwd File
30
Rule
Severity: Medium
Verify Group Who Owns shadow File
30
Rule
Severity: Medium
Verify User Who Owns group File
28
Rule
Severity: Medium
Verify User Who Owns gshadow File
30
Rule
Severity: Medium
Verify User Who Owns passwd File
30
Rule
Severity: Medium
Verify User Who Owns shadow File
30
Rule
Severity: Medium
Verify Permissions on group File
28
Rule
Severity: Medium
Verify Permissions on gshadow File
30
Rule
Severity: Medium
Verify Permissions on passwd File
30
Rule
Severity: Medium
Verify Permissions on shadow File
29
Rule
Severity: Medium
Verify that System Executables Have Root Ownership
29
Rule
Severity: Medium
Verify that Shared Library Files Have Root Ownership
29
Rule
Severity: Medium
Verify that System Executables Have Restrictive Permissions
29
Rule
Severity: Medium
Verify that Shared Library Files Have Restrictive Permissions
27
Rule
Severity: Medium
Add nodev Option to /dev/shm
27
Rule
Severity: Medium
Add nosuid Option to /dev/shm
30
Rule
Severity: Medium
Restrict Exposed Kernel Pointer Addresses Access
30
Rule
Severity: Medium
Enable Randomized Layout of Virtual Address Space
30
Rule
Severity: High
Ensure SELinux State is Enforcing
18
Rule
Severity: Medium
Verify Group Who Owns SSH Server config file
18
Rule
Severity: Medium
Verify Owner on SSH Server config file
20
Rule
Severity: Medium
Verify Permissions on SSH Server config file
29
Rule
Severity: Medium
Verify Permissions on SSH Server Private *_key Key Files
29
Rule
Severity: Medium
Verify Permissions on SSH Server Public *.pub Key Files
29
Rule
Severity: Medium
Set SSH Client Alive Count Max to zero
29
Rule
Severity: Medium
Set SSH Client Alive Count Max
29
Rule
Severity: Medium
Set SSH Client Alive Interval
30
Rule
Severity: Medium
Disable Host-Based Authentication
29
Rule
Severity: High
Allow Only SSH Protocol 2
30
Rule
Severity: Medium
Disable SSH Root Login
29
Rule
Severity: Medium
Enable Use of Strict Mode Checking
29
Rule
Severity: Unknown
Limit Users' SSH Access
29
Rule
Severity: Medium
Enable Use of Privilege Separation
12
Rule
Severity: Medium
Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments
12
Rule
Severity: Medium
Add nodev Option to /boot
14
Rule
Severity: Medium
Add nosuid Option to /boot
17
Rule
Severity: Medium
Add noexec Option to /dev/shm
16
Rule
Severity: Medium
Add nosuid Option to /home
14
Rule
Severity: Medium
Add nodev Option to Non-Root Local Partitions
17
Rule
Severity: Medium
Add nodev Option to Removable Media Partitions
17
Rule
Severity: Medium
Add noexec Option to Removable Media Partitions
16
Rule
Severity: Medium
Add nosuid Option to Removable Media Partitions
17
Rule
Severity: Medium
Add nodev Option to /tmp
16
Rule
Severity: Medium
Add noexec Option to /tmp
17
Rule
Severity: Medium
Add nosuid Option to /tmp
13
Rule
Severity: Medium
Add nodev Option to /var/log/audit
13
Rule
Severity: Medium
Add noexec Option to /var/log/audit
13
Rule
Severity: Medium
Add nosuid Option to /var/log/audit
13
Rule
Severity: Medium
Add nodev Option to /var/log
15
Rule
Severity: Medium
Add noexec Option to /var/log
15
Rule
Severity: Medium
Add nosuid Option to /var/log
13
Rule
Severity: Medium
Add nodev Option to /var
13
Rule
Severity: Medium
Ensure SELinux Not Disabled in the kernel arguments
16
Rule
Severity: Medium
Ensure SELinux Not Disabled in /etc/default/grub
17
Rule
Severity: Medium
Ensure No Daemons are Unconfined by SELinux
18
Rule
Severity: Medium
Configure SELinux Policy
9
Rule
Severity: High
Enable Dracut FIPS Module
9
Rule
Severity: High
Enable FIPS Mode
9
Rule
Severity: High
Set kernel parameter 'crypto.fips_enabled' to 1
3
Rule
Severity: Medium
Harden OpenSSL Crypto Policy
5
Rule
Severity: Medium
Configure Logind to terminate idle sessions after certain time of inactivity
1
Rule
Severity: Medium
The Kubernetes Audit Logs Directory Must Have Mode 0700
1
Rule
Severity: Medium
The OAuth Audit Logs Directory Must Have Mode 0700
1
Rule
Severity: Medium
The OpenShift Audit Logs Directory Must Have Mode 0700
1
Rule
Severity: Medium
Kubernetes Audit Logs Must Be Owned By Root
1
Rule
Severity: Medium
OAuth Audit Logs Must Be Owned By Root
1
Rule
Severity: Medium
OpenShift Audit Logs Must Be Owned By Root
1
Rule
Severity: Medium
Kubernetes Audit Logs Must Have Mode 0600
1
Rule
Severity: Medium
OAuth Audit Logs Must Have Mode 0600
1
Rule
Severity: Medium
OpenShift Audit Logs Must Have Mode 0600
1
Rule
Severity: Medium
Verify Permissions on the OpenShift PKI Private Key Files
1
Rule
Severity: Medium
Ensure that cluster-wide proxy is set
1
Rule
Severity: Medium
Ensure that the default Ingress CA (wildcard issuer) has been replaced
1
Rule
Severity: Medium
Ensure that all OpenShift Routes prefer TLS
1
Rule
Severity: Medium
Ensure that the bind-address parameter is not used
2
Rule
Severity: High
Ensure SUSE GPG Key Installed
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules