Rule CM-6 does not belong to the CIS profiles
Rule SC-8 does not belong to the CIS profiles
Rule SC-28 does not belong to the CIS profiles
Rule AC-2(12) does not belong to the CIS profiles
Rule AU-2 does not belong to the CIS profiles
Rule AC-2 does not belong to the CIS profiles
Rule IA-5(2) does not belong to the CIS profiles

* Rules covered by neither cis.profile nor cis-node.profile
1.1.1: Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)
1.1.2: Ensure that the API server pod specification file ownership is set to root:root (Automated)
1.1.3: Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)
1.1.4: Ensure that the controller manager pod specification file ownership is set to root:root (Automated)
1.1.5: Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)
1.1.6: Ensure that the scheduler pod specification file ownership is set to root:root (Automated)
1.1.7: Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)
1.1.8: Ensure that the etcd pod specification file ownership is set to root:root (Automated)
1.1.9: Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Automated)
1.1.10: Ensure that the Container Network Interface file ownership is set correctly (Automated)
1.1.11: Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)
1.1.12: Ensure that the etcd data directory ownership is set to root:root (Automated)
1.1.13: Ensure that the admin kubeconfig file permissions are set to 644 or more restrictive (Automated)
1.1.14: Ensure that the admin kubeconfig file ownership is set to root:root (Automated)
1.1.15: Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)
1.1.16: Ensure that the scheduler.conf file ownership is set to root:root (Automated)
1.1.17: Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)
1.1.18: Ensure that the controller-manager.conf file ownership is set to root:root (Automated)
1.1.19: Ensure that the OpenShift PKI directory and file ownership is set to root:root (Automated)
1.1.20: Ensure that the OpenShift PKI certificate file permissions are set to 644 or more restrictive (Automated)
1.1.21: Ensure that the OpenShift PKI key file permissions are set to 600 (Automated)
1.2.1: Ensure that anonymous requests are authorized (Manual)
1.2.2: Ensure that the --basic-auth-file argument is not set (Automated)
1.2.3: Ensure that the --token-auth-file parameter is not set (Automated)
1.2.4: Use https for kubelet connections (Automated)
1.2.5: Ensure that the kubelet uses certificates to authenticate (Automated)
1.2.6: Verify that the kubelet certificate authority is set as appropriate (Automated)
1.2.7: Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
1.2.8: Verify that the Node authorizer is enabled (Automated)
1.2.9: Verify that RBAC is enabled (Automated)
1.2.10: Ensure that the APIPriorityAndFairness feature gate is enabled (Automated)
1.2.11: Ensure that the admission control plugin AlwaysAdmit is not set (Automated)
1.2.12: Ensure that the admission control plugin AlwaysPullImages is not set (Manual)
1.2.13: Ensure that the admission control plugin SecurityContextDeny is not set (Automated)
1.2.14: Ensure that the admission control plugin ServiceAccount is set (Automated)
1.2.15: Ensure that the admission control plugin NamespaceLifecycle is set (Automated)
1.2.16: Ensure that the admission control plugin SecurityContextConstraint is set (Automated)
1.2.17: Ensure that the admission control plugin NodeRestriction is set (Automated)
1.2.18: Ensure that the --insecure-bind-address argument is not set (Automated)
1.2.19: Ensure that the --insecure-port argument is set to 0 (Automated)
1.2.20: Ensure that the --secure-port argument is not set to 0 (Automated)
1.2.21: Ensure that the healthz endpoint is protected by RBAC (Automated)
1.2.22: Ensure that the --audit-log-path argument is set (Automated)
1.2.23: Ensure that the audit logs are forwarded off the cluster for retention (Manual)
1.2.24: Ensure that the maximumRetainedFiles argument is set to 10 or as appropriate (Automated)
1.2.25: Ensure that the maximumFileSizeMegabytes argument is set to 100 or as appropriate (Automated)
1.2.26: Ensure that the --request-timeout argument is set as appropriate (Automated)
1.2.27: Ensure that the --service-account-lookup argument is set to true (Automated)
1.2.28: Ensure that the --service-account-key-file argument is set as appropriate (Automated)
1.2.29: Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)
1.2.30: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)
1.2.31: Ensure that the --client-ca-file argument is set as appropriate (Automated)
1.2.32: Ensure that the --etcd-cafile argument is set as appropriate (Automated)
1.2.33: Ensure that the --encryption-provider-config argument is set as appropriate (Manual)
1.2.34: Ensure that encryption providers are appropriately configured (Manual)
1.3.1: Ensure that garbage collection is configured as appropriate (Manual)
1.3.2: Ensure that controller manager healthz endpoints are protected by RBAC (Automated)
1.3.3: Ensure that the --use-service-account-credentials argument is set to true (Automated)
1.3.4: Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)
1.3.5: Ensure that the --root-ca-file argument is set as appropriate (Automated)
1.3.6: Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)
1.3.7: Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)
1.4.1: Ensure that the healthz endpoints for the scheduler are protected by RBAC (Automated)
1.4.2: Verify that the scheduler API service is protected by authentication and authorization (Automated)
2.1: Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)
2.2: Ensure that the --client-cert-auth argument is set to true (Automated)
2.3: Ensure that the --auto-tls argument is not set to true (Automated)
2.4: Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)
2.5: Ensure that the --peer-client-cert-auth argument is set to true (Automated)
2.6: Ensure that the --peer-auto-tls argument is not set to true (Automated)
2.7: Ensure that a unique Certificate Authority is used for etcd (Automated)
3.1.1: Client certificate authentication should not be used for users (Manual)
3.2.1: Ensure that a minimal audit policy is created (Automated)
3.2.2: Ensure that the audit policy covers key security concerns (Manual)
4.1.1: Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)
4.1.2: Ensure that the kubelet service file ownership is set to root:root (Automated)
4.1.3: If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Automated)
4.1.4: If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)
4.1.5: Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)
4.1.6: Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)
4.1.7: Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Automated)
4.1.8: Ensure that the client certificate authorities file ownership is set to root:root (Automated)
4.1.9: Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)
4.1.10: Ensure that the kubelet configuration file ownership is set to root:root (Automated)
4.2.1: Ensure that the --anonymous-auth argument is set to false (Automated)
4.2.2: Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
4.2.3: Ensure that the --client-ca-file argument is set as appropriate (Automated)
4.2.4: Verify that the read only port is not used or is set to 0 (Automated)
4.2.5: Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)
4.2.6: Ensure that the protectKernelDefaults option is not set (Automated)
4.2.7: Ensure that the --make-iptables-util-chains argument is set to true (Automated)
4.2.8: Ensure that the --hostname-override argument is not set (Automated)
4.2.9: Ensure that the eventRecordQPS option is set to 0 or a level which ensures appropriate event capture (Manual)
4.2.10: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)
4.2.11: Ensure that the --rotate-certificates argument is not set to false (Automated)
4.2.12: Verify that the RotateKubeletServerCertificate argument is set to true (Automated)
4.2.13: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)
5.1.1: Ensure that the cluster-admin role is only used where required (Manual)
5.1.2: Minimize access to secrets (Manual)
5.1.3: Minimize wildcard use in Roles and ClusterRoles (Manual)
5.1.4: Minimize access to create pods (Manual)
5.1.5: Ensure that Kubernetes default service account is not actively used (Automated)
5.1.6: Ensure that Service Account Tokens are only mounted where necessary (Manual)
5.2.1: Minimize the admission of privileged containers (Automated)
5.2.2: Minimize the admission of containers wishing to share the host process ID namespace (Automated)
5.2.3: Minimize the admission of containers wishing to share the host IPC namespace (Automated)
5.2.4: Minimize the admission of containers wishing to share the host network namespace (Automated)
5.2.5: Minimize admission of containers with Allow Privilege Escalation set to true and SELinux context set to RunAsAny (Manual)
5.2.6: Minimize the admission of root containers (Automated)
5.2.7: Minimize the admission of containers with the NET_RAW capability (Manual)
5.2.8: Minimize the admission of containers with added capabilities (Automated)
5.3.1: Ensure that the CNI in use supports Network Policies (Automated when using the default CNI plugin)
5.3.2: Ensure that all Namespaces have Network Policies defined (Manual)
5.4.1: Prefer using secrets as files over secrets as environment variables (Manual)
5.4.2: Consider external secret storage (Manual)
5.5.1: Configure Image Provenance using image controller configuration parameters (Manual)
5.6.1: Create administrative boundaries between resources using namespaces (Manual)
5.6.2: Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual)
5.6.3: Apply Security Context to Your Pods and Containers (Manual)
5.6.4: The default namespace should not be used (Manual)

* Rules with missing OCIL

* Rules with missing OVAL

* Rules with remediation

* Rules missing remediation
cis: 1.2.35: api_server_tls_cipher_suites

* Rules with missing e2e tests

* Statistics
1/121 (0.83%) of controls implemented in either profile
120/121 (99.17%) of controls missing in both profiles
0/1 (0.00%) of controls missing OCIL
0/1 (0.00%) of controls missing OVAL
0/1 (0.00%) of controls with remediation
1/1 (100.00%) of controls missing remediation
0/1 (0.00%) of rules missing e2e tests