An XCCDF Group - A logical subset of the XCCDF Benchmark
/etc/cni/net.d/*
$ sudo chgrp root /etc/cni/net.d/*
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig
$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig
/var/lib/etcd/member/
$ sudo chgrp root /var/lib/etcd/member/
/var/lib/etcd/member/wal/*
$ sudo chgrp root /var/lib/etcd/member/wal/*
/etc/kubernetes/manifests/etcd-pod.yaml
$ sudo chgrp root /etc/kubernetes/manifests/etcd-pod.yaml
/etc/kubernetes/static-pod-resources/*/*/*/*.crt
$ sudo chgrp root /etc/kubernetes/static-pod-resources/*/*/*/*.crt
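/var/lib/cni/networks/openshift-sdn/.*
$ sudo chgrp root /var/lib/cni/networks/openshift-sdn/.*
Note: the trailing ".*" appears to be the regular expression used by the check (any file name), not a shell glob. As a glob it matches only dot-files and, in many shells (bash before 5.2 included), also "." and "..", so the command would act on the directory and its parent instead of the files inside. The chmod entry for this directory on this page uses "/*". Review what the pattern expands to with ls -ld before running it; the same applies to the chown entry for this path.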
/etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml
$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml
/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml
$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml
$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml
/etc/kubernetes/kubeconfig
$ sudo chgrp root /etc/kubernetes/kubeconfig
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig
$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig
/var/run/multus/cni/net.d/*
$ sudo chgrp root /var/run/multus/cni/net.d/*
/etc/kubernetes/static-pod-resources/*/*/*/tls.crt
$ sudo chgrp root /etc/kubernetes/static-pod-resources/*/*/*/tls.crt
/etc/kubernetes/static-pod-resources/*/*/*/*.key
$ sudo chgrp root /etc/kubernetes/static-pod-resources/*/*/*/*.key
/var/run/openshift-sdn/cniserver/config.json
$ sudo chgrp root /var/run/openshift-sdn/cniserver/config.json
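/etc/openvswitch/.*
$ sudo chgrp root /etc/openvswitch/.*
Note: the trailing ".*" appears to be the regular expression used by the check (any file name), not a shell glob. As a glob it matches only dot-files and, in many shells (bash before 5.2 included), also "." and "..", which here are /etc/openvswitch and /etc. Review what the pattern expands to with ls -ld before running this command or the chown and chmod entries that use the same pattern.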
/run/ovn-kubernetes/cni/ovn-cni-server.sock
$ sudo chgrp root /run/ovn-kubernetes/cni/ovn-cni-server.sock
/var/lib/ovn/etc/*.db
$ sudo chgrp root /var/lib/ovn/etc/*.db
/etc/openvswitch/conf.db
hugetlbfs
openvswitch
/etc/openvswitch/conf.db.~lock~
/etc/openvswitch/.conf.db.~lock~
$ sudo chgrp hugetlbfs /etc/openvswitch/.conf.db.~lock~
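$ sudo chgrp hugetlbfs /etc/openvswitch/conf.db
$ sudo chgrp openvswitch /etc/openvswitch/conf.db
Note: these two commands set different groups on the same file, so they read as alternatives rather than steps to run in order; the entry appears to list both hugetlbfs and openvswitch as expected groups for conf.db. Check the current group first (stat -c %G /etc/openvswitch/conf.db) and change it only if it is neither.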
/var/run/openvswitch/ovs-vswitchd.pid
/etc/openvswitch/system-id.conf
$ sudo chgrp hugetlbfs /etc/openvswitch/system-id.conf
/run/openvswitch/ovs-vswitchd.pid
/run/openvswitch/ovsdb-server.pid
/etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig
$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig
$ sudo chown root /etc/cni/net.d/*
$ sudo chown root /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig
$ sudo chown root /var/lib/etcd/member/
$ sudo chown root /var/lib/etcd/member/wal/*
$ sudo chown root /etc/kubernetes/manifests/etcd-pod.yaml
$ sudo chown root /etc/kubernetes/static-pod-resources/*/*/*/*.crt
$ sudo chown root /var/lib/cni/networks/openshift-sdn/.*
$ sudo chown root /etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml
$ sudo chown root /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml
$ sudo chown root /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml
$ sudo chown root /etc/kubernetes/kubeconfig
$ sudo chown root /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig
$ sudo chown root /var/run/multus/cni/net.d/*
$ sudo chown root /etc/kubernetes/static-pod-resources/*/*/*/tls.crt
$ sudo chown root /etc/kubernetes/static-pod-resources/*/*/*/*.key
$ sudo chown root /var/run/openshift-sdn/cniserver/config.json
$ sudo chown root /etc/openvswitch/.*
$ sudo chown root /run/ovn-kubernetes/cni/ovn-cni-server.sock
$ sudo chown root /var/lib/ovn/etc/*.db
$ sudo chown openvswitch /etc/openvswitch/conf.db
$ sudo chown openvswitch /etc/openvswitch/.conf.db.~lock~
$ sudo chown openvswitch /var/run/openvswitch/ovs-vswitchd.pid
$ sudo chown openvswitch /etc/openvswitch/system-id.conf
$ sudo chown openvswitch /run/openvswitch/ovs-vswitchd.pid
$ sudo chown openvswitch /run/openvswitch/ovsdb-server.pid
$ sudo chown root /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig
/var/lib/etcd
$ sudo chown root /var/lib/etcd
$ sudo chmod 0600 /etc/cni/net.d/*
$ sudo chmod 0600 /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig
$ sudo chmod 0700 /var/lib/etcd
$ sudo chmod 0600 /var/lib/etcd/member/wal/*
$ sudo chmod 0600 /etc/kubernetes/manifests/etcd-pod.yaml
/etc/kubernetes/static-pod-resources/etcd-*/secrets/*/*.crt
$ sudo chmod 0600 /etc/kubernetes/static-pod-resources/etcd-*/secrets/*/*.crt
/var/lib/cni/networks/openshift-sdn/*
$ sudo chmod 0644 /var/lib/cni/networks/openshift-sdn/*
$ sudo chmod 0600 /etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml
$ sudo chmod 0600 /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml
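/etc/kubernetes/static-pod-resources/kube-scheduler-pod.yaml
$ sudo chmod 0600 /etc/kubernetes/static-pod-resources/kube-scheduler-pod.yaml
Note: this path omits the kube-scheduler-pod-*/ revision directory that the chgrp and chown entries for the scheduler pod specification use, and the mode given here (0600) differs from the 0644 shown elsewhere on this page for kube-scheduler-pod-*/kube-scheduler-pod.yaml. Confirm the intended path and mode against the benchmark rule before applying; the API server and controller manager pod specifications on this page are set to 0600.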
$ sudo chmod 0600 /etc/kubernetes/kubeconfig
$ sudo chmod 0600 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig
$ sudo chmod 0644 /var/run/multus/cni/net.d/*
/etc/kubernetes/static-pod-resources/kube-*/secrets/*/tls.crt
$ sudo chmod 0600 /etc/kubernetes/static-pod-resources/kube-*/secrets/*/tls.crt
$ sudo chmod 0600 /etc/kubernetes/static-pod-resources/*/*/*/*.key
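$ sudo chmod 0644 /etc/openvswitch/.*
Note: if the shell expands ".*" to include "." and ".." (many shells do, including bash before 5.2), this sets mode 0644 on /etc/openvswitch and /etc themselves, removing the search (execute) permission from both directories. Review the expansion with ls -ld, or name the intended files explicitly, before running it.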
$ sudo chmod 0600 /run/ovn-kubernetes/cni/ovn-cni-server.sock
$ sudo chmod 0640 /var/lib/ovn/etc/*.db
$ sudo chmod 0640 /etc/openvswitch/conf.db
$ sudo chmod 0600 /etc/openvswitch/.conf.db.~lock~
$ sudo chmod 0644 /var/run/openvswitch/ovs-vswitchd.pid
$ sudo chmod 0644 /etc/openvswitch/system-id.conf
$ sudo chmod 0644 /run/openvswitch/ovs-vswitchd.pid
$ sudo chmod 0644 /run/openvswitch/ovsdb-server.pid
$ sudo chmod 0644 /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml
$ sudo chmod 0600 /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig
$ sudo chmod 0444 /var/run/openshift-sdn/cniserver/config.json