Skip to content
ATO Pathways
  Log In

Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Verify User Who Owns The Open vSwitch Database Server PID

    To properly set the owner of <code>/run/openvswitch/ovsdb-server.pid</code>, run the command: <pre>$ sudo chown openvswitch /run/openvswitch/ovsdb...
    Rule Medium Severity
    Show

  • Verify User Who Owns The Kubernetes Scheduler Kubeconfig File

    To properly set the owner of <code>/etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig</code>, ru...
    Rule Medium Severity
    Show

  • Verify User Who Owns The OpenShift etcd Data Directory

    To properly set the owner of /var/lib/etcd, run the command: 
    $ sudo chown root /var/lib/etcd
    Rule Medium Severity
    Show

  • Verify Permissions on the OpenShift Container Network Interface Files

    To properly set the permissions of /etc/cni/net.d/*, run the command: 
    $ sudo chmod 0600 /etc/cni/net.d/*
    Rule Medium Severity
    Show

  • Verify Permissions on the OpenShift Controller Manager Kubeconfig File

    To properly set the permissions of <code>/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconf...
    Rule Medium Severity
    Show

  • Verify Permissions on the Etcd Database Directory

    To properly set the permissions of /var/lib/etcd, run the command: 
    $ sudo chmod 0700 /var/lib/etcd
    Rule Medium Severity
    Show

  • Verify Permissions on the Etcd Write-Ahead-Log Files

    To properly set the permissions of /var/lib/etcd/member/wal/*, run the command: 
    $ sudo chmod 0600 /var/lib/etcd/member/wal/*
    Rule Medium Severity
    Show

  • Verify Permissions on the Etcd PKI Certificate Files

    To properly set the permissions of <code>/etc/kubernetes/static-pod-resources/etcd-*/secrets/*/*.crt</code>, run the command: <pre>$ sudo chmod 06...
    Rule Medium Severity
    Show

  • Verify Permissions on the OpenShift SDN Container Network Interface Plugin IP Address Allocations

    To properly set the permissions of <code>/var/lib/cni/networks/openshift-sdn/*</code>, run the command: <pre>$ sudo chmod 0644 /var/lib/cni/networ...
    Rule Medium Severity
    Show

  • Verify Permissions on the Kubernetes API Server Pod Specification File

    To properly set the permissions of <code>/etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml</code>, run the command...
    Rule Medium Severity
    Show

  • Verify Permissions on the Kubernetes Controller Manager Pod Specification File

    To properly set the permissions of <code>/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml</code...
    Rule Medium Severity
    Show

  • Ensure that all Routes has rate limit enabled

    OpenShift has an option to set the rate limit for Routes [1] when creating new Routes. All routes outside the openshift namespaces and the kube nam...
    Rule Medium Severity
    Show

  • Verify Permissions on the Kube Scheduler Pod Specification File

    To properly set the permissions of <code>/etc/kubernetes/static-pod-resources/kube-scheduler-pod.yaml</code>, run the command: <pre>$ sudo chmod 0...
    Rule Medium Severity
    Show

  • Verify Permissions on the OpenShift Admin Kubeconfig File

    To properly set the permissions of /etc/kubernetes/kubeconfig, run the command: 
    $ sudo chmod 0600 /etc/kubernetes/kubeconfig
    Rule Medium Severity
    Show

  • Verify Permissions on the OpenShift Admin Kubeconfig Files

    To properly set the permissions of <code>/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig</code>, r...
    Rule Medium Severity
    Show

  • Verify Permissions on the OpenShift Multus Container Network Interface Plugin Files

    To properly set the permissions of <code>/var/run/multus/cni/net.d/*</code>, run the command: <pre>$ sudo chmod 0644 /var/run/multus/cni/net.d/*</...
    Rule Medium Severity
    Show

  • Verify Permissions on the OpenShift PKI Certificate Files

    To properly set the permissions of <code>/etc/kubernetes/static-pod-resources/kube-*/secrets/*/tls.crt</code>, run the command: <pre>$ sudo chmod ...
    Rule Medium Severity
    Show

  • Verify Permissions on the OpenShift PKI Private Key Files

    To properly set the permissions of <code>/etc/kubernetes/static-pod-resources/*/*/*/*.key</code>, run the command: <pre>$ sudo chmod 0600 /etc/kub...
    Rule Medium Severity
    Show

  • Verify Permissions on the OpenShift Open vSwitch Files

    To properly set the permissions of /etc/openvswitch/.*, run the command: 
    $ sudo chmod 0644 /etc/openvswitch/.*
    Rule Medium Severity
    Show

  • Verify Permissions on the OVNKubernetes socket

    To properly set the permissions of <code>/run/ovn-kubernetes/cni/ovn-cni-server.sock</code>, run the command: <pre>$ sudo chmod 0600 /run/ovn-kube...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules