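---
# Control file for SRG-APP-000516-CTR-001325: maps one SRG requirement onto the
# rule ids that implement it. Rule ids are referenced by name only; their
# definitions live elsewhere in the content repository.
controls:
  - id: SRG-APP-000516-CTR-001325
    levels:
      - medium
    # Folded block scalar: parses to the same single-line string as the original
    # multi-line plain scalar, but the line folding is now explicit instead of an
    # implicit continuation that depends on indentation.
    title: >-
      Container platform components must be configured in accordance with the
      security configuration settings based on DoD security configuration or
      implementation guidance, including SRGs, STIGs, NSA configuration guides,
      CTOs, and DTMs.
    # The list is kept in its original order (it is not strictly alphabetical);
    # the id prefixes below indicate which component each rule targets.
    rules:
      # service accounts
      - accounts_restrict_service_account_tokens
      - accounts_unique_service_account
      # API server: admission plugins, authentication/authorization, audit, TLS
      - api_server_admission_control_plugin_alwaysadmit
      - api_server_admission_control_plugin_alwayspullimages
      - api_server_admission_control_plugin_namespacelifecycle
      - api_server_admission_control_plugin_noderestriction
      - api_server_admission_control_plugin_scc
      - api_server_admission_control_plugin_securitycontextdeny
      - api_server_admission_control_plugin_service_account
      - api_server_anonymous_auth
      - api_server_api_priority_flowschema_catch_all
      - api_server_api_priority_gate_enabled
      - api_server_audit_log_maxbackup
      - api_server_audit_log_maxsize
      - api_server_audit_log_path
      - api_server_auth_mode_no_aa
      - api_server_auth_mode_node
      - api_server_auth_mode_rbac
      - api_server_basic_auth
      - api_server_bind_address
      - api_server_etcd_cert
      - api_server_etcd_key
      - api_server_https_for_kubelet_conn
      - api_server_insecure_bind_address
      - api_server_insecure_port
      - api_server_kubelet_certificate_authority
      - api_server_kubelet_client_cert
      - api_server_kubelet_client_cert_pre_4_9
      - api_server_kubelet_client_key
      - api_server_kubelet_client_key_pre_4_9
      - api_server_no_adm_ctrl_plugins_disabled
      - api_server_oauth_https_serving_cert
      - api_server_openshift_https_serving_cert
      - api_server_profiling_protected_by_rbac
      - api_server_request_timeout
      - api_server_service_account_lookup
      - api_server_service_account_public_key
      - api_server_tls_cipher_suites
      - api_server_token_auth
      - ocp_api_server_audit_log_maxbackup
      - ocp_api_server_audit_log_maxsize
      # controller manager
      - controller_insecure_port_disabled
      - controller_rotate_kubelet_server_certs
      - controller_secure_port
      - controller_service_account_ca
      - controller_service_account_private_key
      - controller_use_service_account
      # etcd
      - etcd_auto_tls
      - etcd_cert_file
      - etcd_client_cert_auth
      - etcd_key_file
      - etcd_peer_auto_tls
      - etcd_peer_client_cert_auth
      - etcd_unique_ca
      # cluster-wide settings
      - general_apply_scc
      - general_configure_imagepolicywebhook
      - general_default_namespace_use
      - general_default_seccomp_profile
      - general_namespaces_in_use
      # kubelet
      - kubelet_anonymous_auth
      - kubelet_authorization_mode
      - kubelet_configure_client_ca
      - kubelet_configure_event_creation
      - kubelet_configure_tls_cipher_suites
      - kubelet_disable_readonly_port
      - kubelet_enable_cert_rotation
      - kubelet_enable_client_cert_rotation
      - kubelet_enable_iptables_util_chains
      - kubelet_enable_protect_kernel_defaults
      - kubelet_enable_protect_kernel_sysctl
      - kubelet_enable_protect_kernel_sysctl_file_exist
      - kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxbytes
      - kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxkeys
      - kubelet_enable_protect_kernel_sysctl_kernel_panic
      - kubelet_enable_protect_kernel_sysctl_kernel_panic_on_oops
      - kubelet_enable_protect_kernel_sysctl_vm_overcommit_memory
      - kubelet_enable_protect_kernel_sysctl_vm_panic_on_oom
      - kubelet_enable_server_cert_rotation
      - kubelet_enable_streaming_connections
      - kubelet_eviction_thresholds_set_hard_imagefs_available
      - kubelet_eviction_thresholds_set_hard_memory_available
      - kubelet_eviction_thresholds_set_hard_nodefs_available
      - kubelet_eviction_thresholds_set_hard_nodefs_inodesfree
      # file integrity and control-plane file ownership / permissions
      - file_integrity_exists
      - file_groupowner_cni_conf
      - file_groupowner_controller_manager_kubeconfig
      - file_groupowner_etcd_data_dir
      - file_groupowner_etcd_data_files
      - file_groupowner_etcd_member
      - file_groupowner_etcd_pki_cert_files
      - file_groupowner_ip_allocations
      - file_groupowner_kube_apiserver
      - file_groupowner_kube_controller_manager
      - file_groupowner_kube_scheduler
      - file_groupowner_master_admin_kubeconfigs
      - file_groupowner_multus_conf
      - file_groupowner_openshift_pki_cert_files
      - file_groupowner_openshift_pki_key_files
      - file_groupowner_openshift_sdn_cniserver_config
      - file_groupowner_ovs_conf_db
      - file_groupowner_ovs_conf_db_lock
      - file_groupowner_ovs_pid
      - file_groupowner_ovs_sys_id_conf
      - file_groupowner_ovs_vswitchd_pid
      - file_groupowner_ovsdb_server_pid
      - file_groupowner_scheduler_kubeconfig
      - file_owner_cni_conf
      - file_owner_controller_manager_kubeconfig
      - file_owner_etcd_data_dir
      - file_owner_etcd_data_files
      - file_owner_etcd_member
      - file_owner_etcd_pki_cert_files
      - file_owner_ip_allocations
      - file_owner_kube_apiserver
      - file_owner_kube_controller_manager
      - file_owner_kube_scheduler
      - file_owner_master_admin_kubeconfigs
      - file_owner_multus_conf
      - file_owner_openshift_pki_cert_files
      - file_owner_openshift_pki_key_files
      - file_owner_openshift_sdn_cniserver_config
      - file_owner_ovs_conf_db
      - file_owner_ovs_conf_db_lock
      - file_owner_ovs_pid
      - file_owner_ovs_sys_id_conf
      - file_owner_ovs_vswitchd_pid
      - file_owner_ovsdb_server_pid
      - file_owner_scheduler_kubeconfig
      - file_permissions_cni_conf
      - file_permissions_controller_manager_kubeconfig
      - file_permissions_etcd_data_dir
      - file_permissions_etcd_data_files
      - file_permissions_etcd_member
      - file_permissions_etcd_pki_cert_files
      - file_permissions_ip_allocations
      - file_permissions_kube_apiserver
      - file_permissions_kube_controller_manager
      - file_permissions_master_admin_kubeconfigs
      - file_permissions_multus_conf
      - file_permissions_openshift_pki_cert_files
      - file_permissions_openshift_pki_key_files
      - file_permissions_ovs_conf_db
      - file_permissions_ovs_conf_db_lock
      - file_permissions_ovs_pid
      - file_permissions_ovs_sys_id_conf
      - file_permissions_ovs_vswitchd_pid
      - file_permissions_ovsdb_server_pid
      - file_permissions_scheduler
      - file_permissions_scheduler_kubeconfig
      # NOTE(review): uses the "file_perms" prefix where every sibling uses
      # "file_permissions"; confirm the id matches the rule directory name.
      - file_perms_openshift_sdn_cniserver_config
      - openshift_api_server_audit_log_path
      # RBAC
      - rbac_debug_role_protects_pprof
      - rbac_limit_cluster_admin
      - rbac_limit_secrets_access
      - rbac_pod_creation_access
      - rbac_wildcard_use
      - scansettingbinding_exists
      # security context constraints
      - scc_drop_container_capabilities
      - scc_limit_container_allowed_capabilities
      - scc_limit_ipc_namespace
      - scc_limit_net_raw_capability
      - scc_limit_network_namespace
      - scc_limit_privilege_escalation
      - scc_limit_privileged_containers
      - scc_limit_process_id_namespace
      - scc_limit_root_containers
      # secrets handling
      - secrets_consider_external_storage
      - secrets_no_environment_variables
      # worker-node file ownership / permissions
      - file_groupowner_kubelet_conf
      - file_groupowner_proxy_kubeconfig
      - file_groupowner_worker_ca
      - file_groupowner_worker_kubeconfig
      - file_groupowner_worker_service
      - file_owner_kubelet
      - file_owner_kubelet_conf
      - file_owner_proxy_kubeconfig
      - file_owner_worker_ca
      - file_owner_worker_kubeconfig
      - file_owner_worker_service
      - file_permissions_kubelet
      - file_permissions_kubelet_conf
      - file_permissions_proxy_kubeconfig
      - file_permissions_worker_ca
      - file_permissions_worker_kubeconfig
      - file_permissions_worker_service
      # OVN files
      - file_permissions_ovn_cni_server_sock
      - file_groupowner_ovn_cni_server_sock
      - file_owner_ovn_cni_server_sock
      - file_groupowner_ovn_db_files
      - file_owner_ovn_db_files
      - file_permissions_ovn_db_files
    status: automated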