documentation_complete: true

title: 'Verify Permissions on the Kubernetes Controller Manager Pod Specification File'

description: |-
    {{{ describe_file_permissions(file="/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml", perms="0600") }}}

rationale: |-
    If the Kubernetes specification file is writable by a group owner or the
    world, the risk of its compromise is increased. The file contains the configuration of
    a Kubernetes Controller Manager server that is configured on the system. Protection of this file is
    critical for OpenShift security.

severity: medium

identifiers:
    cce@ocp4: CCE-84161-9

references:
    cis@ocp4: 1.1.3
    nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
    nist: CM-6,CM-6(1)
    srg: SRG-APP-000516-CTR-001325

ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml", perms="-rw-------") }}}'

ocil: |-
    {{{ ocil_file_permissions(file="/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml", perms="-rw-------") }}}

platform: ocp4-master-node

warnings:
    - dependency: |-
        This rule is only applicable for nodes that run the Kubernetes Controller Manager service.
        The aforementioned service is only running on the nodes labeled
        "master" by default.

template:
    name: file_permissions
    vars:
        filepath: '^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/kube-controller-manager-pod.yaml$'
        filepath_is_regex: 'true'
        filemode: '0600'
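As an added example, not part of this rule or of the ComplianceAsCode project, the following POSIX shell check mirrors what the `file_permissions` template enforces here: every file matching the rule's path glob must have no permission bit set beyond 0600 (a stricter mode such as 0400 passes, while 0640 or a setuid bit fails). It assumes GNU `stat -c` (present on RHCOS master nodes) and uses the rule's own path as the default glob.

```shell
#!/bin/sh
# Added example (not part of the ComplianceAsCode rule): report any
# kube-controller-manager static pod spec whose mode is more permissive
# than 0600, the same condition the file_permissions template checks.

# has_extra_bits FILE MAXMODE
#   returns 0 if FILE's mode sets no permission bit that MAXMODE does not,
#   1 if it is more permissive, 2 if FILE cannot be stat'ed.
has_extra_bits() {
    file="$1"
    max="$2"
    # GNU stat assumed: %a prints the mode in octal, e.g. 600 or 4640.
    mode=$(stat -c '%a' "$file" 2>/dev/null) || return 2
    # Leading 0 makes both values octal in arithmetic expansion; any bit
    # present in mode but absent from max is a violation.
    [ $(( 0$mode & ~0$max )) -eq 0 ]
}

# check_controller_manager_specs [GLOB]
#   runs has_extra_bits against every match of GLOB (default: the rule's
#   path) and returns 1 if any file is more permissive than 0600.
check_controller_manager_specs() {
    glob="${1:-/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml}"
    rc=0
    for f in $glob; do          # unquoted on purpose so the glob expands
        [ -e "$f" ] || continue # no match on this node (e.g. a worker)
        if has_extra_bits "$f" 600; then
            echo "PASS: $f mode $(stat -c '%a' "$f")"
        else
            echo "FAIL: $f mode $(stat -c '%a' "$f") is more permissive than 0600"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: exit status 1 on any violation, 0 otherwise.
check_controller_manager_specs "$@"
```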