Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.available
<p>Two types of garbage collection are performed on an OpenShift Container Platform node:</p> <ul> <li>Container garbage collection: Removes terminated ...Rule Medium Severity -
Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.inodesFree
<p>Two types of garbage collection are performed on an OpenShift Container Platform node:</p> <ul> <li>Container garbage collection: Removes terminated ...Rule Medium Severity -
Ensure Eviction threshold Settings Are Set - evictionSoft: memory.available
<p>Two types of garbage collection are performed on an OpenShift Container Platform node:</p> <ul> <li>Container garbage collection: Removes terminated ...Rule Medium Severity -
Verify User Who Owns The Etcd PKI Certificate Files
To properly set the owner of/etc/kubernetes/static-pod-resources/*/*/*/*.crt, run the command:$ sudo chown root /etc/kubernetes/static-pod-resources/*/*/*/*.crt
Rule Medium Severity -
Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.available
<p>Two types of garbage collection are performed on an OpenShift Container Platform node:</p> <ul> <li>Container garbage collection: Removes terminated ...Rule Medium Severity -
Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.inodesFree
<p>Two types of garbage collection are performed on an OpenShift Container Platform node:</p> <ul> <li>Container garbage collection: Removes terminated ...Rule Medium Severity -
Ensure that Audit Log Errors Emit Alerts
<p> OpenShift audit works at the API server level, logging all requests coming to the server. However, if API server instance is unable to write errors, an alert must be issued in order for the org...Rule High Severity -
Ensure that API server audit logging is enabled
OpenShift has the ability to audit API server requests. Audit provides a security-relevant chronological set of records documenting the sequence of activities that have affected system by individua...Rule Medium Severity -
Ensure that the cluster's audit profile is properly set
<p> OpenShift can audit the details of requests made to the API server through the standard Kubernetes audit capabilities. </p> <p> In OpenShift, auditing of the API S...Rule Medium Severity -
Ensure /var/log/kube-apiserver Located On Separate Partition
Kubernetes API server audit logs are stored in the <code>/var/log/kube-apiserver</code> directory. <p> Partitioning Red Hat CoreOS is a Day 1 operation and cannot be changed afterwards. For documen...Rule Medium Severity -
Ensure /var/log/openshift-apiserver Located On Separate Partition
Openshift API server audit logs are stored in the <code>/var/log/openshift-apiserver</code> directory. <p> Partitioning Red Hat CoreOS is a Day 1 operation and cannot be changed afterwards. For doc...Rule Medium Severity -
Verify Group Who Owns The etcd Member Pod Specification File
To properly set the group owner of/etc/kubernetes/manifests/etcd-pod.yaml, run the command:$ sudo chgrp root /etc/kubernetes/manifests/etcd-pod.yaml
Rule Medium Severity -
Verify Group Who Owns The Etcd PKI Certificate Files
To properly set the group owner of/etc/kubernetes/static-pod-resources/*/*/*/*.crt, run the command:$ sudo chgrp root /etc/kubernetes/static-pod-resources/*/*/*/*.crt
Rule Medium Severity -
Verify Group Who Owns The OpenShift Admin Kubeconfig Files
To properly set the group owner of <code>/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig</code>, run the command: <pre>$ sudo chgrp root /etc/kubern...Rule Medium Severity -
Verify Group Who Owns The OpenShift SDN CNI Server Config
To properly set the group owner of/var/run/openshift-sdn/cniserver/config.json, run the command:$ sudo chgrp root /var/run/openshift-sdn/cniserver/config.json
Rule Medium Severity -
Verify Group Who Owns The Open vSwitch Persistent System ID
To properly set the group owner of/etc/openvswitch/system-id.conf, run the command:$ sudo chgrp hugetlbfs /etc/openvswitch/system-id.conf
Rule Medium Severity -
Verify User Who Owns The Etcd Member Pod Specification File
To properly set the owner of/etc/kubernetes/manifests/etcd-pod.yaml, run the command:$ sudo chown root /etc/kubernetes/manifests/etcd-pod.yaml
Rule Medium Severity -
Verify Permissions on the OpenShift Admin Kubeconfig Files
To properly set the permissions of <code>/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig</code>, run the command: <pre>$ sudo chmod 0600 /etc/kubern...Rule Medium Severity -
Verify Permissions on the Open vSwitch Configuration Database Lock
To properly set the permissions of/etc/openvswitch/.conf.db.~lock~, run the command:$ sudo chmod 0600 /etc/openvswitch/.conf.db.~lock~
Rule Medium Severity -
Verify Permissions on the Kubernetes Scheduler Pod Specification File
To properly set the permissions of <code>/etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml</code>, run the command: <pre>$ sudo chmod 0644 /etc/kubernetes/static-po...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.