Group
Guide to the Secure Configuration of Red Hat Enterprise OpenShift Container Platform 3
Group contains 4 groups and 41 rules |
Group
OpenShift Settings
Group contains 3 groups and 41 rules |
[ref]
Contains rules that check correct OpenShift settings. |
Group
Permissions
Group contains 1 group and 39 rules |
[ref]
Traditional security relies heavily on file and
directory permissions to prevent unauthorized users from reading or
modifying files to which they should not have access. |
Group
Verify Permissions on Important Files and
Directories
Group contains 39 rules |
[ref]
Permissions for many files on a system must be set
restrictively to ensure sensitive information is properly protected.
This section discusses important
permission restrictions which can be verified
to ensure that no harmful discrepancies have
arisen. |
Rule
Verify Group Who Owns The OpenShift etcd Specification File
[ref] | To properly set the group owner of /etc/origin/node/pods/etcd.yaml , run the command: $ sudo chgrp root /etc/origin/node/pods/etcd.yaml | Rationale: | The /etc/origin/node/pods/etcd.yaml file contains information about the configuration of the
OpenShift etcd Server that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
1.4.8 | |
|
Rule
Verify Group Who Owns The OpenShift etcd Data Directory
[ref] | To properly set the group owner of /var/lib/etcd , run the command: $ sudo chgrp root /var/lib/etcd | Rationale: | The /var/lib/etcd directory contains the highly available distributed key/value data storage
across an OpenShift cluster. Allowing users access to this directory could compromise OpenShift
data and the cluster. | Severity: | medium | Identifiers and References | References:
1.4.12 | |
|
Rule
Verify User Who Owns The OpenShift Scheduler Configuration File
[ref] | To properly set the owner of /etc/origin/master/scheduler.json , run the command: $ sudo chown root /etc/origin/master/scheduler.json | Rationale: | The /etc/origin/master/scheduler.json file contains information about the configuration of the
OpenShift scheduler that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
1.4.16 | |
|
Rule
Verify Group Who Owns OpenShift Node Certificate File
[ref] | To properly set the group owner of /etc/origin/node/client-ca.crt , run the command: $ sudo chgrp root /etc/origin/node/client-ca.crt | Rationale: | The /etc/origin/node/client-ca.crt file contains the certificate authority
certificate for an OpenShift node that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
2.2.8 | |
|
Rule
Verify Permissions on the OpenShift Admin Kubeconfig File
[ref] |
To properly set the permissions of /etc/origin/master/admin.kubeconfig , run the command:
$ sudo chmod 0600 /etc/origin/master/admin.kubeconfig | Rationale: | If the /etc/origin/master/admin.kubeconfig file is writable by a group-owner or the
world, the risk of its compromise is increased. The file contains the administration configuration of the
OpenShift cluster that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
1.4.13 | |
|
Rule
Verify User Who Owns The OpenShift Master Kubeconfig File
[ref] | To properly set the owner of /etc/origin/master/openshift-master.kubeconfig , run the command: $ sudo chown root /etc/origin/master/openshift-master.kubeconfig | Rationale: | The /etc/origin/master/openshift-master.kubeconfig file contains information about the master configuration of the
OpenShift cluster that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
1.4.18 | |
|
Rule
Verify User Who Owns The OpenShift Admin Kubeconfig File
[ref] | To properly set the owner of /etc/origin/master/admin.kubeconfig , run the command: $ sudo chown root /etc/origin/master/admin.kubeconfig | Rationale: | The /etc/origin/master/admin.kubeconfig file contains information about the administrative configuration of the
OpenShift cluster that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
1.4.14 | |
|
Rule
Verify User Who Owns The OpenShift Node Configuration File
[ref] | To properly set the owner of /etc/origin/node/node-config.yaml , run the command: $ sudo chown root /etc/origin/node/node-config.yaml | Rationale: | The /etc/origin/node/node-config.yaml file contains information about the configuration of the
OpenShift node that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
2.2.2 | |
|
Rule
Verify Permissions on the OpenShift Container Network Interface Files
[ref] |
To properly set the permissions of /etc/cni/net.d/* , run the command:
$ sudo chmod 0644 /etc/cni/net.d/* | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writable access to the files could allow an attacker to modify
the networking configuration, potentially adding a rogue network connection. | Severity: | medium | Identifiers and References | References:
1.4.9 | |
|
Rule
Verify Permissions on the OpenShift API Specification File
[ref] |
To properly set the permissions of /etc/origin/node/pods/apiserver.yaml , run the command:
$ sudo chmod 0600 /etc/origin/node/pods/apiserver.yaml | Rationale: | If the /etc/origin/node/pods/apiserver.yaml file is writable by a group-owner or the
world, the risk of its compromise is increased. The file contains the configuration of
an OpenShift API server that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
1.4.1 | |
|
Rule
Verify Group Who Owns The OpenShift Node Service File
[ref] | To properly set the group owner of /etc/systemd/system/atomic-openshift-node.service , run the command: $ sudo chgrp root /etc/systemd/system/atomic-openshift-node.service | Rationale: | The /etc/systemd/system/atomic-openshift-node.service file contains information about the configuration of the
OpenShift node service that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
2.2.4 | |
|
Rule
Verify Permissions on the OpenShift Node Configuration File
[ref] |
To properly set the permissions of /etc/origin/node/node-config.yaml , run the command:
$ sudo chmod 0600 /etc/origin/node/node-config.yaml | Rationale: | If the /etc/origin/node/node-config.yaml file is writable by a group-owner or the
world, the risk of its compromise is increased. The file contains the configuration of
an OpenShift node that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
2.2.1 | |
|
Rule
Verify Permissions on the OpenShift Node Service File
[ref] |
To properly set the permissions of /etc/systemd/system/atomic-openshift-node.service , run the command:
$ sudo chmod 0644 /etc/systemd/system/atomic-openshift-node.service | Rationale: | If the /etc/systemd/system/atomic-openshift-node.service file is writable by a group-owner or the
world, the risk of its compromise is increased. The file contains the service configuration of the
OpenShift node service that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
2.2.3 | |
|
Rule
Verify Group Who Owns The OpenShift Master Configuration File
[ref] | To properly set the group owner of /etc/origin/master/master-config.yaml , run the command: $ sudo chgrp root /etc/origin/master/master-config.yaml | Rationale: | The /etc/origin/master/master-config.yaml file contains information about the master configuration of the
OpenShift cluster that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
1.4.18 | |
|
Rule
The OpenShift etcd Data Directory Must Have Mode 0700
[ref] |
To properly set the permissions of /var/lib/etcd , run the command:
$ sudo chmod 0700 /var/lib/etcd | Rationale: | The /var/lib/etcd directory contains the highly available distributed key/value data storage
across an OpenShift cluster. Allowing users access to this directory could compromise OpenShift
data and the cluster. | Severity: | medium | Identifiers and References | References:
1.4.11 | |
|
Rule
Verify Group Who Owns The OpenShift Container Network Interface Files
[ref] | To properly set the group owner of /etc/cni/net.d/* , run the command: $ sudo chgrp root /etc/cni/net.d/* | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writable access to the files could allow an attacker to modify
the networking configuration, potentially adding a rogue network connection. | Severity: | medium | Identifiers and References | References:
1.4.10 | |
|
Rule
Verify Permissions on OpenShift Node Certificate File
[ref] |
To properly set the permissions of /etc/origin/node/client-ca.crt , run the command:
$ sudo chmod 0644 /etc/origin/node/client-ca.crt | Rationale: | If the /etc/origin/node/client-ca.crt file is writable by a group-owner or the
world, the risk of its compromise is increased. The file contains the certificate authority
certificate for an OpenShift node that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
2.2. | |
|
Rule
Verify User Who Owns The OpenShift Configuration Directory
[ref] | To properly set the owner of /etc/origin/ , run the command: $ sudo chown root /etc/origin/ | Rationale: | If users can modify the OpenShift configurations, the OpenShift cluster can become inoperable or compromised. | Severity: | medium | Identifiers and References | | |
|
Rule
Verify Group Who Owns The OpenShift Admin Kubeconfig File
[ref] | To properly set the group owner of /etc/origin/master/admin.kubeconfig , run the command: $ sudo chgrp root /etc/origin/master/admin.kubeconfig | Rationale: | The /etc/origin/master/admin.kubeconfig file contains information about the administrative configuration of the
OpenShift cluster that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
1.4.14 | |
|
Rule
The OpenShift Configuration Directory Must Have Mode 0700
[ref] |
To properly set the permissions of /etc/origin/ , run the command:
$ sudo chmod 0700 /etc/origin/ | Rationale: | If users can modify the OpenShift configurations, the OpenShift cluster can become inoperable or compromised. | Severity: | medium | Identifiers and References | | |
|
Rule
Verify User Who Owns OpenShift Node Certificate File
[ref] | To properly set the owner of /etc/origin/node/client-ca.crt , run the command: $ sudo chown root /etc/origin/node/client-ca.crt | Rationale: | The /etc/origin/node/client-ca.crt file contains the certificate authority
certificate for an OpenShift node that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
2.2.8 | |
|
Rule
Verify User Who Owns The OpenShift Container Network Interface Files
[ref] | To properly set the owner of /etc/cni/net.d/* , run the command: $ sudo chown root /etc/cni/net.d/* | Rationale: | CNI (Container Network Interface) files consist of a specification and libraries for
writing plugins to configure network interfaces in Linux containers, along with a number
of supported plugins. Allowing writable access to the files could allow an attacker to modify
the networking configuration, potentially adding a rogue network connection. | Severity: | medium | Identifiers and References | References:
1.4.10 | |
|
Rule
Verify Group Who Owns The OpenShift Scheduler Configuration File
[ref] | To properly set the group owner of /etc/origin/master/scheduler.json , run the command: $ sudo chgrp root /etc/origin/master/scheduler.json | Rationale: | The /etc/origin/master/scheduler.json file contains information about the configuration of the
OpenShift scheduler that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
1.4.16 | |
|
Rule
Verify Permissions on the OpenShift Scheduler Configuration File
[ref] |
To properly set the permissions of /etc/origin/master/scheduler.json , run the command:
$ sudo chmod 0600 /etc/origin/master/scheduler.json | Rationale: | If the /etc/origin/master/scheduler.json file is writable by a group-owner or the
world, the risk of its compromise is increased. The file contains the configuration of
an OpenShift scheduler that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
1.4.15 | |
|
Rule
Verify User Who Owns The OpenShift etcd Data Directory
[ref] | To properly set the owner of /var/lib/etcd , run the command: $ sudo chown root /var/lib/etcd | Rationale: | The /var/lib/etcd directory contains the highly available distributed key/value data storage
across an OpenShift cluster. Allowing users access to this directory could compromise OpenShift
data and the cluster. | Severity: | medium | Identifiers and References | References:
1.4.12 | |
|
Rule
Verify Permissions on the OpenShift Master Kubeconfig File
[ref] |
To properly set the permissions of /etc/origin/master/openshift-master.kubeconfig , run the command:
$ sudo chmod 0600 /etc/origin/master/openshift-master.kubeconfig | Rationale: | If the /etc/origin/master/openshift-master.kubeconfig file is writable by a group-owner or the
world, the risk of its compromise is increased. The file contains the master configuration of
an OpenShift cluster that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
1.4.17 | |
|
Rule
Verify User Who Owns The OpenShift etcd Specification File
[ref] | To properly set the owner of /etc/origin/node/pods/etcd.yaml , run the command: $ sudo chown root /etc/origin/node/pods/etcd.yaml | Rationale: | The /etc/origin/node/pods/etcd.yaml file contains information about the configuration of the
OpenShift etcd Server that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
1.4.8 | |
|
Rule
Verify Group Who Owns The OpenShift Node Configuration File
[ref] | To properly set the group owner of /etc/origin/node/node-config.yaml , run the command: $ sudo chgrp root /etc/origin/node/node-config.yaml | Rationale: | The /etc/origin/node/node-config.yaml file contains information about the configuration of the
OpenShift node that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
2.2.2 | |
|
Rule
Verify Permissions on the OpenShift etcd Specification File
[ref] |
To properly set the permissions of /etc/origin/node/pods/etcd.yaml , run the command:
$ sudo chmod 0600 /etc/origin/node/pods/etcd.yaml | Rationale: | If the /etc/origin/node/pods/etcd.yaml file is writable by a group-owner or the
world, the risk of its compromise is increased. The file contains the configuration of
an OpenShift etcd server that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
1.4.7 | |
|
Rule
Verify User Who Owns The OpenShift Controller Manager Specification File
[ref] | To properly set the owner of /etc/origin/node/pods/controller.yaml , run the command: $ sudo chown root /etc/origin/node/pods/controller.yaml | Rationale: | The /etc/origin/node/pods/controller.yaml file contains information about the configuration of the
OpenShift Controller Manager Server that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
1.4.4 | |
|
Rule
Verify Permissions on the OpenShift Master Configuration File
[ref] |
To properly set the permissions of /etc/origin/master/master-config.yaml , run the command:
$ sudo chmod 0600 /etc/origin/master/master-config.yaml | Rationale: | If the /etc/origin/master/master-config.yaml file is writable by a group-owner or the
world, the risk of its compromise is increased. The file contains the master configuration of
an OpenShift cluster that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
1.4.17 | |
|
Rule
Verify Group Who Owns The OpenShift API Specification File
[ref] | To properly set the group owner of /etc/origin/node/pods/apiserver.yaml , run the command: $ sudo chgrp root /etc/origin/node/pods/apiserver.yaml | Rationale: | The /etc/origin/node/pods/apiserver.yaml file contains information about the configuration of the
OpenShift API Server that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
1.4.2 | |
|
Rule
Verify Group Who Owns The OpenShift Master Kubeconfig File
[ref] | To properly set the group owner of /etc/origin/master/openshift-master.kubeconfig , run the command: $ sudo chgrp root /etc/origin/master/openshift-master.kubeconfig | Rationale: | The /etc/origin/master/openshift-master.kubeconfig file contains information about the master configuration of the
OpenShift cluster that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
1.4.18 | |
|
Rule
Verify User Who Owns The OpenShift API Specification File
[ref] | To properly set the owner of /etc/origin/node/pods/apiserver.yaml , run the command: $ sudo chown root /etc/origin/node/pods/apiserver.yaml | Rationale: | The /etc/origin/node/pods/apiserver.yaml file contains information about the configuration of the
OpenShift API Server that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
1.4.2 | |
|
Rule
Verify Permissions on the OpenShift Controller Manager Specification File
[ref] |
To properly set the permissions of /etc/origin/node/pods/controller.yaml , run the command:
$ sudo chmod 0600 /etc/origin/node/pods/controller.yaml | Rationale: | If the /etc/origin/node/pods/controller.yaml file is writable by a group-owner or the
world, the risk of its compromise is increased. The file contains the configuration of
an OpenShift Controller Manager server that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
1.4.3 | |
|
Rule
Verify User Who Owns The OpenShift Master Configuration File
[ref] | To properly set the owner of /etc/origin/master/master-config.yaml , run the command: $ sudo chown root /etc/origin/master/master-config.yaml | Rationale: | The /etc/origin/master/master-config.yaml file contains information about the master configuration of the
OpenShift cluster that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
1.4.18 | |
|
Rule
Verify Group Who Owns The OpenShift Controller Manager Specification File
[ref] | To properly set the group owner of /etc/origin/node/pods/controller.yaml , run the command: $ sudo chgrp root /etc/origin/node/pods/controller.yaml | Rationale: | The /etc/origin/node/pods/controller.yaml file contains information about the configuration of the
OpenShift Controller Manager Server that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
1.4.4 | |
|
Rule
Verify User Who Owns The OpenShift Node Service File
[ref] | To properly set the owner of /etc/systemd/system/atomic-openshift-node.service , run the command: $ sudo chown root /etc/systemd/system/atomic-openshift-node.service | Rationale: | The /etc/systemd/system/atomic-openshift-node.service file contains information about the configuration of the
OpenShift node service that is configured on the system. Protection of this file is
critical for OpenShift security. | Severity: | medium | Identifiers and References | References:
2.2.4 | |
|
Rule
Verify Group Who Owns The OpenShift Configuration Directory
[ref] | To properly set the group owner of /etc/origin/ , run the command: $ sudo chgrp root /etc/origin/ | Rationale: | If users can modify the OpenShift configurations, the OpenShift cluster can become inoperable or compromised. | Severity: | medium | Identifiers and References | | |
|
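An audit helper for the ownership and permission rules in this group, added here as an example; it is not part of the SCAP guide or its OVAL checks. It compares each path the rules name against the maximum mode and the root:root ownership they require, and assumes GNU coreutils `stat` (Linux); the optional root prefix and owner/group arguments let a staged copy of a host be audited without running as root.

```shell
#!/bin/sh
# Audits the ownership and permission rules above (added example, not part
# of the SCAP guide). Assumes GNU coreutils `stat` (Linux).

# check_perms PATH MAX_MODE OWNER GROUP
# 0 = PATH is no more permissive than MAX_MODE and owned by OWNER:GROUP,
# 1 = mismatch, 2 = PATH absent (skipped: a node host has no master files).
check_perms() {
    cp_path=$1 cp_max=$2 cp_owner=$3 cp_group=$4 cp_rc=0
    if [ ! -e "$cp_path" ]; then
        echo "SKIP  $cp_path (not present)"
        return 2
    fi
    cp_mode=$(stat -c %a "$cp_path")
    cp_cur_owner=$(stat -c %U "$cp_path")
    cp_cur_group=$(stat -c %G "$cp_path")
    # Compliant when no permission bit is set that MAX_MODE lacks, i.e.
    # (mode & ~max) == 0; the leading 0 makes the shell parse octal.
    if [ $(( 0$cp_mode & ~0$cp_max )) -ne 0 ]; then
        echo "FAIL  $cp_path mode $cp_mode exceeds $cp_max"
        cp_rc=1
    fi
    if [ "$cp_cur_owner" != "$cp_owner" ]; then
        echo "FAIL  $cp_path owner $cp_cur_owner, expected $cp_owner"
        cp_rc=1
    fi
    if [ "$cp_cur_group" != "$cp_group" ]; then
        echo "FAIL  $cp_path group $cp_cur_group, expected $cp_group"
        cp_rc=1
    fi
    [ "$cp_rc" -eq 0 ] && echo "PASS  $cp_path"
    return $cp_rc
}

# audit_openshift_files [ROOT] [OWNER] [GROUP]
# Walks the paths and maximum modes the rules above specify. ROOT prefixes
# every path so a staged copy of a host can be audited; OWNER and GROUP
# default to root, as the rules require. Returns the count of failing paths.
audit_openshift_files() {
    ao_root=${1:-} ao_owner=${2:-root} ao_group=${3:-root} ao_fail=0
    while read -r ao_path ao_max; do
        [ -n "$ao_path" ] || continue
        # Unquoted on purpose: lets the /etc/cni/net.d/* rule cover each file.
        for ao_file in $ao_root$ao_path; do
            check_perms "$ao_file" "$ao_max" "$ao_owner" "$ao_group"
            [ $? -eq 1 ] && ao_fail=$((ao_fail + 1))
        done
    done <<EOF
/etc/origin 0700
/etc/origin/master/master-config.yaml 0600
/etc/origin/master/scheduler.json 0600
/etc/origin/master/admin.kubeconfig 0600
/etc/origin/master/openshift-master.kubeconfig 0600
/etc/origin/node/node-config.yaml 0600
/etc/origin/node/client-ca.crt 0644
/etc/origin/node/pods/apiserver.yaml 0600
/etc/origin/node/pods/controller.yaml 0600
/etc/origin/node/pods/etcd.yaml 0600
/etc/systemd/system/atomic-openshift-node.service 0644
/etc/cni/net.d/* 0644
/var/lib/etcd 0700
EOF
    return $ao_fail
}

# Run as root on a live host: `sh audit.sh --run`; exit status = failures.
case "${1:-}" in --run) audit_openshift_files ;; esac
```

A path that is missing is reported as SKIP rather than FAIL, so the same script can run on master and node hosts; the mode test is "no more permissive than", so a 0400 file passes a 0600 rule.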
Group
OpenShift - Kubernetes - Scheduler Settings
Group contains 2 rules |
[ref]
Contains evaluations for kube-scheduler configuration settings. |
Rule
Ensure that the --profile argument is set
[ref] | Profiling should be disabled if not needed. To disable profiling,
edit the Scheduler pod specification file
/etc/kubernetes/manifests/kube-scheduler.yaml on the master
node and set the following parameter:
--profiling=false | Rationale: | Profiling allows for the identification of specific performance
bottlenecks. It generates a significant amount of program data that could
potentially be exploited to uncover system and program details. If you are
not experiencing any bottlenecks and do not need the profiler for
troubleshooting purposes, it is recommended to turn it off to reduce the
potential attack surface. | Severity: | low | Identifiers and References | References:
1.2.1 | |
|
Rule
Ensure that the --address argument is set
[ref] | To ensure the Scheduler service is bound to a secure loopback
address, edit the Scheduler pod specification file
/etc/kubernetes/manifests/kube-scheduler.yaml on the master
node and ensure the correct value for the --address parameter:
--address=127.0.0.1 | Rationale: | The Scheduler API service, which runs on port 10251/TCP by default, is used
for health and metrics information and is available without authentication
or encryption. As such it should only be bound to a localhost interface,
to minimize the cluster's attack surface. | Severity: | medium | Identifiers and References | References:
1.2.2 | |
|
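A check for the two scheduler settings above, added here as an example and not part of the SCAP guide or its OVAL content. It reads the static pod manifest the rules name (/etc/kubernetes/manifests/kube-scheduler.yaml) and assumes the flags appear as `- --flag=value` entries in the container's command or args list; the manifest in the test is constructed.

```shell
#!/bin/sh
# Checks a kube-scheduler static pod manifest for the two settings above
# (added example, not part of the SCAP guide or its OVAL content).

# scheduler_flag MANIFEST FLAG
# Prints the VALUE of the first "- --FLAG=VALUE" list entry (quoted or not),
# or "unset" when the manifest does not pass the flag at all.
scheduler_flag() {
    sf_val=$(sed -n "s/^[[:space:]]*-[[:space:]]*\"\{0,1\}--$2=\([^\"[:space:]]*\).*/\1/p" "$1" | head -n 1)
    echo "${sf_val:-unset}"
}

# check_scheduler MANIFEST
# 0 when profiling is off and the API is bound to loopback, 1 otherwise.
# An absent flag counts as a failure: the rules require an explicit value,
# and a manifest that omits it falls back to the scheduler's defaults.
check_scheduler() {
    cs_rc=0
    cs_prof=$(scheduler_flag "$1" profiling)
    if [ "$cs_prof" != "false" ]; then
        echo "FAIL  --profiling is $cs_prof, expected false"; cs_rc=1
    fi
    cs_addr=$(scheduler_flag "$1" address)
    if [ "$cs_addr" != "127.0.0.1" ]; then
        echo "FAIL  --address is $cs_addr, expected 127.0.0.1"; cs_rc=1
    fi
    [ "$cs_rc" -eq 0 ] && echo "PASS  $1"
    return $cs_rc
}

# Usage on a master: sh check-scheduler.sh /etc/kubernetes/manifests/kube-scheduler.yaml
case "${1:-}" in "") ;; *) check_scheduler "$1" ;; esac
```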