{"id": "cis_ocp", "policy": "CIS Red Hat OpenShift Container Platform 4 Benchmark", "title": "CIS Red Hat OpenShift Container Platform 4 Benchmark", "source": "https://www.cisecurity.org/benchmark/kubernetes", "definition_location": "/aptdata/openscap/scap-security-guide/controls/cis_ocp.yml", "controls": [{"id": "5.1.1", "levels": ["level_1"], "notes": "", "title": "Ensure that the cluster-admin role is only used where required", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.1.2", "levels": ["level_1"], "notes": "", "title": "Minimize access to secrets", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.1.3", "levels": ["level_1"], "notes": "", "title": "Minimize wildcard use in Roles and ClusterRoles", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.1.4", "levels": ["level_1"], "notes": "", "title": "Minimize access to create pods", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.1.5", "levels": ["level_1"], "notes": "", "title": "Ensure that default service accounts are not actively used.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.1.6", "levels": ["level_1"], "notes": "", "title": "Ensure that Service Account Tokens are only mounted where necessary", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.1", "levels": ["level_1"], "notes": "", "title": "RBAC and Service Accounts", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["5.1.1", "5.1.2", "5.1.3", "5.1.4", "5.1.5", "5.1.6"]}, {"id": "5.2.1", "levels": ["level_1"], "notes": "", "title": "Minimize the admission of privileged containers", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.2.2", "levels": ["level_1"], "notes": "", "title": "Minimize the admission of containers wishing to share the host process ID namespace", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.2.3", "levels": ["level_1"], "notes": "", "title": "Minimize the admission of containers wishing to share the host IPC namespace", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.2.4", "levels": ["level_1"], "notes": "", "title": "Minimize the admission of containers wishing to share the host network namespace", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.2.5", "levels": ["level_1"], "notes": "", "title": "Minimize the admission of containers with allowPrivilegeEscalation", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.2.6", "levels": ["level_2"], "notes": "", "title": "Minimize the admission of root containers", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.2.7", "levels": ["level_1"], "notes": "", "title": "Minimize the admission of containers with the NET_RAW capability", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.2.8", "levels": ["level_1"], "notes": "", "title": "Minimize the admission of containers with added capabilities", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.2.9", "levels": ["level_2"], "notes": "", "title": "Minimize the admission of containers with capabilities assigned", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.2.10", "levels": ["level_2"], "notes": "", "title": "Minimize access to privileged Security Context Constraints", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.2", "levels": ["level_1"], "notes": "", "title": "Security Context Constraints", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["5.2.1", "5.2.2", "5.2.3", "5.2.4", "5.2.5", "5.2.6", "5.2.7", "5.2.8", "5.2.9", "5.2.10"]}, {"id": "5.3.1", "levels": ["level_1"], "notes": "", "title": "Ensure that the CNI in use supports Network Policies", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.3.2", "levels": ["level_2"], "notes": "", "title": "Ensure that all Namespaces have Network Policies defined", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.3", "levels": ["level_1"], "notes": "", "title": "Network Policies and CNI", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["5.3.1", "5.3.2"]}, {"id": "5.4.1", "levels": ["level_1"], "notes": "", "title": "Prefer using secrets as files over secrets as environment variables", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.4.2", "levels": ["level_2"], "notes": "", "title": "Consider external secret storage", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.4", "levels": ["level_1"], "notes": "", "title": "Secrets Management", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["5.4.1", "5.4.2"]}, {"id": "5.5.1", "levels": ["level_2"], "notes": "", "title": "Configure Image Provenance using image controller configuration parameters", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.5", "levels": ["level_1"], "notes": "", "title": "Extensible Admission Control", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["5.5.1"]}, {"id": "5.7.1", "levels": ["level_1"], "notes": "", "title": "Create administrative boundaries between resources using namespaces", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.7.2", "levels": ["level_2"], "notes": "", "title": "Ensure that the seccomp profile is set to docker/default in your pod definitions", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.7.3", "levels": ["level_2"], "notes": "", "title": "Apply Security Context to Your Pods and Containers", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.7.4", "levels": ["level_2"], "notes": "", "title": "The default namespace should not be used", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.7", "levels": ["level_1"], "notes": "", "title": "General Policies", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["5.7.1", "5.7.2", "5.7.3", "5.7.4"]}, {"id": "5", "levels": ["level_1"], "notes": "", "title": "Policies", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["5.1.1", "5.1.2", "5.1.3", "5.1.4", "5.1.5", "5.1.6", "5.1", "5.2.1", "5.2.2", "5.2.3", "5.2.4", "5.2.5", "5.2.6", "5.2.7", "5.2.8", "5.2.9", "5.2.10", "5.2", "5.3.1", "5.3.2", "5.3", "5.4.1", "5.4.2", "5.4", "5.5.1", "5.5", "5.7.1", "5.7.2", "5.7.3", "5.7.4", "5.7"]}, {"id": "2.1", "levels": ["level_1"], "notes": "", "title": "Ensure that the --cert-file and --key-file arguments are set as appropriate", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "2.2", "levels": ["level_1"], "notes": "", "title": "Ensure that the --client-cert-auth argument is set to true", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "2.3", "levels": ["level_1"], "notes": "", "title": "Ensure that the --auto-tls argument is not set to true", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "2.4", "levels": ["level_1"], "notes": "", "title": "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "2.5", "levels": ["level_1"], "notes": "", "title": "Ensure that the --peer-client-cert-auth argument is set to true", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "2.6", "levels": ["level_1"], "notes": "", "title": "Ensure that the --peer-auto-tls argument is not set to true", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "2.7", "levels": ["level_2"], "notes": "", "title": "Ensure that a unique Certificate Authority is used for etcd", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "2", "levels": ["level_1"], "notes": "", "title": "etcd", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["2.1", "2.2", "2.3", "2.4", "2.5", "2.6", "2.7"]}, {"id": "3.1.1", "levels": ["level_2"], "notes": "", "title": "Client certificate authentication should not be used for users", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.1", "levels": ["level_1"], "notes": "", "title": "Authentication and Authorization", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["3.1.1"]}, {"id": "3.2.1", "levels": ["level_1"], "notes": "", "title": "Ensure that a minimal audit policy is created", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.2.2", "levels": ["level_2"], "notes": "", "title": "Ensure that the audit policy covers key security concerns", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.2", "levels": ["level_1"], "notes": "", "title": "Logging", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["3.2.1", "3.2.2"]}, {"id": "3", "levels": ["level_1"], "notes": "", "title": "Control Plane Configuration", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["3.1.1", "3.1", "3.2.1", "3.2.2", "3.2"]}, {"id": "1.1.1", "levels": ["level_1"], "notes": "", "title": "Ensure that the API server pod specification file permissions are set to 600 or more restrictive", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.1.2", "levels": ["level_1"], "notes": "", "title": "Ensure that the API server pod specification file ownership is set to root:root", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.1.3", "levels": ["level_1"], "notes": "", "title": "Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.1.4", "levels": ["level_1"], "notes": "", "title": "Ensure that the controller manager pod specification file ownership is set to root:root", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.1.5", "levels": ["level_1"], "notes": "", "title": "Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.1.6", "levels": ["level_1"], "notes": "", "title": "Ensure that the scheduler pod specification file ownership is set to root:root", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.1.7", "levels": ["level_1"], "notes": "", "title": "Ensure that the etcd pod specification file permissions are set to 600 or more restrictive", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.1.8", "levels": ["level_1"], "notes": "", "title": "Ensure that the etcd pod specification file ownership is set to root:root", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.1.9", "levels": ["level_1"], "notes": "", "title": "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.1.10", "levels": ["level_1"], "notes": "", "title": "Ensure that the Container Network Interface file ownership is set to root:root", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.1.11", "levels": ["level_1"], "notes": "", "title": "Ensure that the etcd data directory permissions are set to 700 or more restrictive", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.1.12", "levels": ["level_1"], "notes": "", "title": "Ensure that the etcd data directory ownership is set to etcd:etcd", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.1.13", "levels": ["level_1"], "notes": "", "title": "Ensure that the kubeconfig file permissions are set to 600 or more restrictive", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.1.14", "levels": ["level_1"], "notes": "", "title": "Ensure that the kubeconfig file ownership is set to root:root", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.1.15", "levels": ["level_1"], "notes": "", "title": "Ensure that the Scheduler kubeconfig file permissions are set to 600 or more restrictive", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.1.16", "levels": ["level_1"], "notes": "", "title": "Ensure that the Scheduler kubeconfig file ownership is set to root:root", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.1.17", "levels": ["level_1"], "notes": "", "title": "Ensure that the Controller Manager kubeconfig file permissions are set to 600 or more restrictive", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.1.18", "levels": ["level_1"], "notes": "", "title": "Ensure that the Controller Manager kubeconfig file ownership is set to root:root", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.1.19", "levels": ["level_1"], "notes": "", "title": "Ensure that the OpenShift PKI directory and file ownership is set to root:root", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.1.20", "levels": ["level_1"], "notes": "", "title": "Ensure that the OpenShift PKI certificate file permissions are set to 600 or more restrictive", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.1.21", "levels": ["level_1"], "notes": "", "title": "Ensure that the OpenShift PKI key file permissions are set to 600", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.1", "levels": ["level_1"], "notes": "", "title": "Master Node Configuration Files", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5", "1.1.6", "1.1.7", "1.1.8", "1.1.9", "1.1.10", "1.1.11", "1.1.12", "1.1.13", "1.1.14", "1.1.15", "1.1.16", "1.1.17", "1.1.18", "1.1.19", "1.1.20", "1.1.21"]}, {"id": "1.2.1", "levels": ["level_1"], "notes": "", "title": "Ensure that anonymous requests are authorized", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.2", "levels": ["level_1"], "notes": "", "title": "Ensure that the --basic-auth-file argument is not set", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.3", "levels": ["level_1"], "notes": "", "title": "Ensure that the --token-auth-file parameter is not set", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.4", "levels": ["level_1"], "notes": "", "title": "Use https for kubelet connections", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.5", "levels": ["level_1"], "notes": "", "title": "Ensure that the kubelet uses certificates to authenticate", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.6", "levels": ["level_1"], "notes": "", "title": "Verify that the kubelet certificate authority is set as appropriate", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.7", "levels": ["level_1"], "notes": "", "title": "Ensure that the --authorization-mode argument is not set to AlwaysAllow", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.8", "levels": ["level_1"], "notes": "", "title": "Verify that RBAC is enabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.9", "levels": ["level_1"], "notes": "", "title": "Ensure that the APIPriorityAndFairness feature gate is enabled", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.10", "levels": ["level_1"], "notes": "", "title": "Ensure that the admission control plugin AlwaysAdmit is not set", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.11", "levels": ["level_1"], "notes": "", "title": "Ensure that the admission control plugin AlwaysPullImages is not set", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.12", "levels": ["level_1"], "notes": "", "title": "Ensure that the admission control plugin ServiceAccount is set", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.13", "levels": ["level_1"], "notes": "", "title": "Ensure that the admission control plugin NamespaceLifecycle is set", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.14", "levels": ["level_1"], "notes": "", "title": "Ensure that the admission control plugin SecurityContextConstraint is set", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.15", "levels": ["level_1"], "notes": "", "title": "Ensure that the admission control plugin NodeRestriction is set", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.16", "levels": ["level_1"], "notes": "", "title": "Ensure that the --insecure-bind-address argument is not set", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.17", "levels": ["level_1"], "notes": "", "title": "Ensure that the --insecure-port argument is set to 0", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.18", "levels": ["level_1"], "notes": "", "title": "Ensure that the --secure-port argument is not set to 0", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.19", "levels": ["level_1"], "notes": "", "title": "Ensure that the healthz endpoint is protected by RBAC", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.20", "levels": ["level_1"], "notes": "", "title": "Ensure that the --audit-log-path argument is set", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.21", "levels": ["level_1"], "notes": "", "title": "Ensure that the audit logs are forwarded off the cluster for retention", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.22", "levels": ["level_1"], "notes": "", "title": "Ensure that the maximumRetainedFiles argument is set to 10 or as appropriate", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.23", "levels": ["level_1"], "notes": "", "title": "Ensure that the maximumFileSizeMegabytes argument is set to 100", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.24", "levels": ["level_1"], "notes": "", "title": "Ensure that the --request-timeout argument is set", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.25", "levels": ["level_1"], "notes": "", "title": "Ensure that the --service-account-lookup argument is set to true", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.26", "levels": ["level_1"], "notes": "", "title": "Ensure that the --service-account-key-file argument is set as appropriate", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.27", "levels": ["level_1"], "notes": "", "title": "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.28", "levels": ["level_1"], "notes": "", "title": "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.29", "levels": ["level_1"], "notes": "", "title": "Ensure that the --client-ca-file argument is set as appropriate", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.30", "levels": ["level_1"], "notes": "", "title": "Ensure that the --etcd-cafile argument is set as appropriate", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.31", "levels": ["level_1"], "notes": "", "title": "Ensure that encryption providers are appropriately configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.32", "levels": ["level_1"], "notes": "", "title": "Ensure that the API Server only makes use of Strong Cryptographic Ciphers", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.33", "levels": ["level_1"], "notes": "", "title": "Ensure unsupported configuration overrides are not used", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2", "levels": ["level_1"], "notes": "", "title": "API Server", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.2.7", "1.2.8", "1.2.9", "1.2.10", "1.2.11", "1.2.12", "1.2.13", "1.2.14", "1.2.15", "1.2.16", "1.2.17", "1.2.18", "1.2.19", "1.2.20", "1.2.21", "1.2.22", "1.2.23", "1.2.24", "1.2.25", "1.2.26", "1.2.27", "1.2.28", "1.2.29", "1.2.30", "1.2.31", "1.2.32", "1.2.33"]}, {"id": "1.3.1", "levels": ["level_1"], "notes": "", "title": "Ensure that controller manager healthz endpoints are protected by RBAC", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.3.2", "levels": ["level_1"], "notes": "", "title": "Ensure that the --use-service-account-credentials argument is set to true", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.3.3", "levels": ["level_1"], "notes": "", "title": "Ensure that the --service-account-private-key-file argument is set as appropriate", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.3.4", "levels": ["level_1"], "notes": "", "title": "Ensure that the --root-ca-file argument is set as appropriate", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.3.5", "levels": ["level_1"], "notes": "", "title": "Ensure that the --bind-address argument is set to 127.0.0.1", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.3", "levels": ["level_1"], "notes": "", "title": "Controller Manager", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["1.3.1", "1.3.2", "1.3.3", "1.3.4", "1.3.5"]}, {"id": "1.4.1", "levels": ["level_1"], "notes": "", "title": "Ensure that the healthz endpoints for the scheduler are protected by RBAC", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.4.2", "levels": ["level_1"], "notes": "", "title": "Verify that the scheduler API service is protected by RBAC", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.4", "levels": ["level_1"], "notes": "", "title": "Scheduler", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["1.4.1", "1.4.2"]}, {"id": "1", "levels": ["level_1"], "notes": "", "title": "Control Plane Components", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5", "1.1.6", "1.1.7", "1.1.8", "1.1.9", "1.1.10", "1.1.11", "1.1.12", "1.1.13", "1.1.14", "1.1.15", "1.1.16", "1.1.17", "1.1.18", "1.1.19", "1.1.20", "1.1.21", "1.1", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.2.7", "1.2.8", "1.2.9", "1.2.10", "1.2.11", "1.2.12", "1.2.13", "1.2.14", "1.2.15", "1.2.16", "1.2.17", "1.2.18", "1.2.19", "1.2.20", "1.2.21", "1.2.22", "1.2.23", "1.2.24", "1.2.25", "1.2.26", "1.2.27", "1.2.28", "1.2.29", "1.2.30", "1.2.31", "1.2.32", "1.2.33", "1.2", "1.3.1", "1.3.2", "1.3.3", "1.3.4", "1.3.5", "1.3", "1.4.1", "1.4.2", "1.4"]}, {"id": "4.1.1", "levels": ["level_1"], "notes": "", "title": "Ensure that the kubelet service file permissions are set to 644 or more restrictive", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.1.2", "levels": ["level_1"], "notes": "", "title": "Ensure that the kubelet service file ownership is set to root:root", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.1.3", "levels": ["level_1"], "notes": "", "title": "If proxy kube proxy configuration file exists ensure permissions are set to 644 or more restrictive", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.1.4", "levels": ["level_1"], "notes": "", "title": "If proxy kubeconfig file exists ensure ownership is set to root:root", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.1.5", "levels": ["level_1"], "notes": "", "title": "Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.1.6", "levels": ["level_1"], "notes": "", "title": "Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.1.7", "levels": ["level_1"], "notes": "", "title": "Ensure that the certificate authorities file permissions are set to 644 or more restrictive", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.1.8", "levels": ["level_1"], "notes": "", "title": "Ensure that the client certificate authorities file ownership is set to root:root", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.1.9", "levels": ["level_1"], "notes": "", "title": "Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.1.10", "levels": ["level_1"], "notes": "", "title": "Ensure that the kubelet configuration file ownership is set to root:root", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.1", "levels": ["level_1"], "notes": "", "title": "Worker Node Configuration Files", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["4.1.1", "4.1.2", "4.1.3", "4.1.4", "4.1.5", "4.1.6", "4.1.7", "4.1.8", "4.1.9", "4.1.10"]}, {"id": "4.2.1", "levels": ["level_1"], "notes": "", "title": "Activate Garbage collection in OpenShift Container Platform 4, as appropriate", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.2.2", "levels": ["level_1"], "notes": "", "title": "Ensure that the --anonymous-auth argument is set to false", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.2.3", "levels": ["level_1"], "notes": "", "title": "Ensure that the --authorization-mode argument is not set to AlwaysAllow", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.2.4", "levels": ["level_1"], "notes": "", "title": "Ensure that the --client-ca-file argument is set as appropriate", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.2.5", "levels": ["level_1"], "notes": "", "title": "Verify that the read only port is not used or is set to 0", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.2.6", "levels": ["level_1"], "notes": "", "title": "Ensure that the --streaming-connection-idle-timeout argument is not set to 0", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.2.7", "levels": ["level_1"], "notes": "", "title": "Ensure that the --make-iptables-util-chains argument is set to true", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.2.8", "levels": ["level_2"], "notes": "", "title": "Ensure that the kubeAPIQPS [--event-qps] argument is set to 0 or a level which ensures appropriate event capture", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["var_event_record_qps=50"], "controls": []}, {"id": "4.2.9", "levels": ["level_1"], "notes": "", "title": "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.2.10", "levels": ["level_1"], "notes": "", "title": "Ensure that the --rotate-certificates argument is not set to false", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.2.11", "levels": ["level_1"], "notes": "", "title": "Verify that the RotateKubeletServerCertificate argument is set to true", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.2.12", "levels": ["level_1"], "notes": "", "title": "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.2", "levels": ["level_1"], "notes": "", "title": "Kubelet", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["var_event_record_qps=50"], "controls": ["4.2.1", "4.2.2", "4.2.3", "4.2.4", "4.2.5", "4.2.6", "4.2.7", "4.2.8", "4.2.9", "4.2.10", "4.2.11", "4.2.12"]}, {"id": "4", "levels": ["level_1"], "notes": "", "title": "Worker Nodes", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["var_event_record_qps=50"], "controls": ["4.1.1", "4.1.2", "4.1.3", "4.1.4", "4.1.5", "4.1.6", "4.1.7", "4.1.8", "4.1.9", "4.1.10", "4.1", "4.2.1", "4.2.2", "4.2.3", "4.2.4", "4.2.5", "4.2.6", "4.2.7", "4.2.8", "4.2.9", "4.2.10", "4.2.11", "4.2.12", "4.2"]}], "levels": [{"id": "level_1", "inherits_from": null}, {"id": "level_2", "inherits_from": ["level_1"]}]}