Verify Group Who Owns The OpenShift PKI Certificate Files

An XCCDF Rule

Details
Profiles
Prose

Description

To properly set the group owner of /etc/kubernetes/static-pod-resources/*/*/*/tls.crt, run the command:

$ sudo chgrp root /etc/kubernetes/static-pod-resources/*/*/*/tls.crt

warning alert: Dependency Warning

This rule is only applicable for nodes that run the Kubernetes Control Plane. The aforementioned service is only running on the nodes labeled "master" by default.

Rationale

OpenShift makes use of a number of certificates as part of its operation. You should verify the ownership of the directory containing the PKI information and all files in that directory to maintain their integrity. The directory and files should be owned by the system administrator.

ID: xccdf_org.ssgproject.content_rule_file_groupowner_openshift_pki_cert_files
Severity: Medium
References: CIP-003-8 R6 CIP-004-6 R3 CIP-007-3 R6.1

CM-6 CM-6(1)

SRG-APP-000516-CTR-001325

1.1.19

CCE-83922-5
Updated: about 1 year ago